Presentation is loading. Please wait.

Presentation is loading. Please wait.

Updates from the European Side of the Pond David Groep, November 2006.

Published byNorma Clarke Modified over 9 years ago

Similar presentations

Presentation on theme: "Updates from the European Side of the Pond David Groep, November 2006."— Presentation transcript:

1 Updates from the European Side of the Pond David Groep, November 2006

2 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 2 David Groep – davidg@eugridpma.org Outline  EUGridPMA constituency and status  Classic secured X.509 Authentication Profile  The TACAR Trusted Introducer  Distribution site, the RPM repository, and fetch-crl

3 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 3 David Groep – davidg@eugridpma.org Green: EMEA countries with an Accredited Authority  23 of 25 EU member states (all except LU, MT)  + AM, CH, HR, IL, IS, NO, PK, RU, TR Other Accredited Authorities:  DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all EUGridPMA members and applicants

4 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 4 David Groep – davidg@eugridpma.org The story so far … Foundation of the IGTF allows migration of CAs to Regional PMA

5 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 5 David Groep – davidg@eugridpma.org Membership by type  Under “Classic X.509 secured infrastructure” authorities  accredited: 38 (recent additions: CERN-IT/IS, SRCE)  active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)  Under “SLCS”  accredited: 0  active applicants: 1 (SWITCH-aai)  Under MICS draft  none yet of course, but actually CERN-IS would be a good match for MICS as well  Major relying parties  EGEE, DEISA, SEE-GRID, LCG, TERENA

6 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 6 David Groep – davidg@eugridpma.org Developments in Europe  SWITCH-aai  interfacing the national academic federation, based on Shibboleth, to the Grid world  the SLCS CA is part of this effort (but just phase 1) is planned to be in production by Q1 2007  Confederation at the national level  national federations are being, or have been, implemented  codenamed EDUgain, confederation uses ‘federation adapters’ to translate identities when crossing federation boundaries  policy coordination is now starting  eduroam has by now an (almost) agreed policy  Implements key e-IRG recommendations in AA area

7 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 7 David Groep – davidg@eugridpma.org Classic X.509 AP updates (v4.1 β 5) Major points addressed  explicit definition of what we mean with “should”  FQDN “ownership”  time-shifted identity vetting migrated to MICS draft AP  maximum 5 years without a form of identity verification  reformulated on-line CA architectures  includes explicitly the two pre-vetted architectures  keyUsage SHOULD (was MUST) be critical in CA certs  compliance with Grid Certificate Profile draft (in OGF)  due diligence for subscribers made explicit and many grammar and spelling improvements

8 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 8 David Groep – davidg@eugridpma.org Classic v4.1b5 Updates (1)  clearer definition of what we mean by should  FQDN ‘ownership’  A form of validation after at most five years this has been buried in very old minutes and has now been made explicit

9 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 9 David Groep – davidg@eugridpma.org Classic v4.1b5 Updates (2)  On-line CA architectures

10 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 10 David Groep – davidg@eugridpma.org Classic v4.1b5 Updates (3)  On-line CA models

11 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 11 David Groep – davidg@eugridpma.org Classic v4.1b5 Updates (4)  keyUsage extensions SHOULD be critical in a CA cert  this used to be a MUST, but that would unnecessarily exclude some commercial top-level CAs (e.g., NetTrust)  Compliance with Grid Certificate Profile document  document is now in draft in the OGF CAOPS-WG  almost finished  embodies lots and lots of community knowledge on what a certificate ought to look like  read it before you setup a new CA, or regenerate a root cert, or think about an end-entity certificate profile  Auditing: if you re-issue without a new identity vetting, you MUST keep the original records for at least as long as there are certs based on this vetting plus the default grace period

12 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 12 David Groep – davidg@eugridpma.org Classic v4.1b5 Updates (5)  Due diligence for subscribers  Still pending for a next version  some real insights in the necessary site security measures  certificate/crl profile to be revised once the OGF document thereon is formally published  move of section 3.3 on removal of a CA to architecture (sec 2)

13 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 13 David Groep – davidg@eugridpma.org Classic AP v4.1 status  version 4.1 beta-4 approved by AP and EU GridPMAs  version beta-5 expected to be accepted by both as well  beta-5 had quite a few clarity improvements  real content changes deferred to new version 4.2 later  It’s ready and on the web, waiting for your go- ahead

14 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 14 David Groep – davidg@eugridpma.org TACAR the TERENA Academic CA Repository  trusted and centralized place  where root CA certs can be stored and safely retrieved  which is policy-neutral (but ‘IGTF-ready’) for CAs  directly managed by TERENA members  belonging to a national academic PKI in member states  for all CAs set-up to support not-for-profit research, in which the academic community is directly involved

15 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 15 David Groep – davidg@eugridpma.org TACAR Policy and Update  TACAR has been operational since early 2004  registration process is, rightfully, rigorous  updates via signed electronic messages  the new registration policy (v1.4.3) adds concept of Trusted Introducers  this should enable smoother and faster registration with TACAR  proposed: one per PMA or similar body  Also new web site for an extended audience  better support for end-users  ‘IGTF-ready’  download of PKCS#7 bundles on a per-Profile basis  Policy currently in last call in TF-EMC2 and IGTF

16 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 16 David Groep – davidg@eugridpma.org IGTF Distribution in Other Formats  Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities  formerly known as Anders’ RPM set, today also available as: JKS, tar-gz, configure && make, …  usually built by the EUGridPMA (me, actually)  mirrored twice-daily to the apgridpma.org site  copied and re-distributed by downstream software vendors (EGEE/LCG, VDT, …)  also contains the fetch-crl utility (now at version 2.6.3)  up till now, has available from www.{eu,ap}gridpma.org/distribution

17 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 17 David Groep – davidg@eugridpma.org Planned Changes to the Repository  migration to a separate (virtual) server and domain  better resilience against download (better redundant hardware)  separate it from more ‘complex’ parts of the web site, like the CDS agenda, using dedicated (virtual) machines  better resilience against registrar and TLD operator faults  New planned location https://dist.eugridpma.info/distribution  plus of course the mirror location at www.apgridpma.org  more supported download interfaces: rsync  is operational already, but not yet announced  will keep backward compatibility by deep redirection

18 Some dates for you to remember and schedule  December 13, 2006 ‘Coseners’ accommodation deadline 9 th EUGridPMA meeting  January 15-17, 2007 9 th EUGridPMA meeting, Abingdon, UK (hosted by RAL)  January 29 – Feb 2, 2007 – OGF 19 CAOPS, IGTF, OGSA-AuthN-BoF, …, Chapel Hill, NC, USA  March 28-29, 2007: TF-EMC2, Florence, IT  May 30-31 and June 1, 2007 10 th EUGridPMA meeting, Istanbul, TR (hosted by ULAKBIM)

Download ppt "Updates from the European Side of the Pond David Groep, November 2006."

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2.

International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May CAOPS-WG session #2.
10 th EUGridPMA Meeting graciously hosted by ULAKBIM Istanbul, TR.

10 th EUGridPMA Meeting graciously hosted by ULAKBIM Istanbul, TR.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp://www.apgridpma.org/meetings/index.html Call for note takers!

4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp:// Call for note takers!
EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.

EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin

The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin
The TERENA Academic CA Repository. eIRG Meeting. Dublin, 16/04/2004 Diego R. Lopez – TF-AACE  Task Force on Authentication and.

The TERENA Academic CA Repository. eIRG Meeting. Dublin, 16/04/2004 Diego R. Lopez – TF-AACE  Task Force on Authentication and.
Updates from the EUGridPMA David Groep, Oct 11 th, 2011.

Updates from the EUGridPMA David Groep, Oct 11 th, 2011.
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.

Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
The CA Distribution Process David Groep, July 2007.

The CA Distribution Process David Groep, July 2007.

Similar presentations

Ads by Google