Download presentation
Presentation is loading. Please wait.
Published byGiles Morton Modified over 9 years ago
1
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008
2
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 2 David Groep – davidg@eugridpma.org EUGridPMA A word on its history Autonomous growth “Virtual Silk Road” PKI Plans and updates Auditing Identity Vetting processes, AuthZ, 1SCP, CP/CPS doc Repository issues CAOPSwg documents Grid Certificate Profile finally “Published”! RPDNC requirements …
3
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 3 David Groep – davidg@eugridpma.org Eight years of growth November 2000: Invitation to the DataGrid WP6 partners December 2000: First CA meeting at CERN March 2001: 5 CAs: CNRS, LIP, NIKHEF, CERN, INFN, UK-HEP First version of the minimum requirements December 2002: Inclusion of the CrossGrid CAs April 2004: Establishment of the EUGridPMA First formal charter and guidelines documents … April 2008: 77 accredited CAs in the IGTF
4
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 4 David Groep – davidg@eugridpma.org Minimum Requirements version 1 Minimum requirements for RA - Testbed 1 --------------------------------------- An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate e.g. by personal contact or some other rigorous method The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP. Communication between RA and CA ------------------------------- Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person Minimum requirements for CA - Testbed 1 --------------------------------------- The issuing machine must be: a dedicated machine located in a secure environment be managed in an appropriately secure way by a trained person the private key (and copies) should be locked in a safe or other secure place the private keu must be encrypted with a pass phrase having at least 15 characters the pass phrase must only be known by the Certificate issuer(s) not be connected to any network minimum length of user private keys must be 1024 min length of CA private key must be 2048 requests for machine certificates must be signed by personal certificates or verified by other appropriate means...
5
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 5 David Groep – davidg@eugridpma.org The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. As its main activity the EUGridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter - the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines. The EUGridPMA “constitution”
6
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 6 David Groep – davidg@eugridpma.org The story so far … Foundation of the IGTF allows migration of CAs to Regional PMA
7
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 7 David Groep – davidg@eugridpma.org The IGTF TAGPMA APGridPMA improve trust building through better face-to-face contact better manageability of the PMA
8
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 8 David Groep – davidg@eugridpma.org Geographical coverage of the EUGridPMA 23 of 25 EU member states (all except LU, MT) +AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids* Pending or in progress IR, SY, MD, LV
9
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 9 David Groep – davidg@eugridpma.org More growth expected Pending EUMedGrid countries: DZ, TN, LY, EG New initiative across the ‘silk road’ countries Established by Ara Grigoryan and ArmeSFo In collaboration with NATO Partnership for Peace programme
10
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 10 David Groep – davidg@eugridpma.org Auditing started Based on APGridPMA Auditing effort Self audits, peer-reviewed BEGrid, DoEGrids, IUCC, TR-Grid, ArmeSFo, HellasGrid, CyGrid Assessments were thorough Implementation of recommendations started Also external audit DutchGrid CA (thanks, Yoshio!)
11
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 11 David Groep – davidg@eugridpma.org Pending plans: ‘AuthZ op. policy WG’ Discussing extending to AA policy requirements authZ as important as AuthN, but operational AuthZ policies today are far less clear minimum requirements on running an AA server may be quite similar to running a CA ‘There is no other large group of experts out there waiting to take this on’ – we don’t need a parallel I*TF But: scaling the model is very, very different; … Dave Kelsey will sort this out … http://www.eugridpma.org/agenda/archive-a073/kelsey15jan08.ppt
12
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 12 David Groep – davidg@eugridpma.org More to-do items Repository of “good” and “bad” CP/CPS examples boilerplate text repository On software used Activity ‘owner’: Jens Jensen ‘profiling’ of various identity vetting options Traditional F2F Notary-public-supported verification ‘Time-shifted via implicit RA/Agent anointments’ or ‘TTP’ One-Statement Certificate Policies (1SCP) First 1SCPs should be there soon: ‘private key is held on a token’ ‘I am a Robot/automated client’
13
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 13 David Groep – davidg@eugridpma.org IGTF Release Process and Web Release Process Releases moved to (preferably) Monday or Tuesday Documentation of the process still needed Use: https://dist.eugridpma.info/distribution mirror:https://www.apgridpma.org/distribution Web server updated Room for some additional static services Input and suggestions are very welcome! Monitoring and alarms Nagios: http://signet-ca.ijs.si/nagios/ (guest/guest) (mirror at AIST) PMA Distribution Warnings by email 4 times/day
14
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 14 David Groep – davidg@eugridpma.org CAOPS-WG Grid Certificate Profile is now published as GFD-C.125 Relying Party Defined NS Constraints New draft out on GridForge Out to RPs for comments and new requirements Pending reactions (we got one from DavidCh already…) Authentication Profile Template Cleanup needed (ChristosT) Fork off glossary in a separate document
15
Some dates for you to remember and schedule May 26-28 2008 13 th EUGridPMA meeting, Copenhagen, DK (NBI) June 2-6, 2008: OGF23, Barcelona, ES September 15-19, 2008: OGF24, Singapore Oct 6-8 (tentative), 2008: 14 th meeting, Lisbon, PT January 2009: 15 th meeting, Nicosia, CY
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.