Notes from the October 15th, 2006 APGrid PMA F2F Meeting
--------------------------------------------------------

Meeting commenced at 9:00am

Present
-------
Yoshio Tanaka - AIST - Japan
Min-Hong Tsai - ASGC - Taiwan
Jinny Chien - ASGC - Taiwan
David Bannon - APAC - Australia
Toshiyuki Kataoka - NAREGI - Japan
Rumiko Masuko - NAREGI - Japan
Jon Lan - National Grid Office - Singapore
Suriya U-rukolan - NECTEC - Thailand
Sornthep Vannarat - NECTEC - Thailand
Supakit Prueksaaroon - NECTEC - Thailand
Cindy Zheng - SDSC - USA
Piyawut Srichaikul - NECTEC - Thailand
Mason Katz - SDSC - USA
Kejun Dong - CNIC - China
Hao Xu - CNIC - China
Kai Nan - CNIC - China
Weicheng Huang - NCHC - Taiwan
Nopparat Nopkuat - TNGC - Thailand
Sugree Phatanapherom - TNGC - Thailand
Eisaku Sakane - CMC Osaka U. - Japan
Toyokazu Akiyama - Cybermedia Centre, Osaka U. - Japan
Tsung-Ying Wu (Alex) - NCHC - Taiwan
Go Iwai - KEK - Japan
Susumu Date - Osaka U. - Japan
Shinji Shimojo - Osaka U. - Japan
Sangwan Kim - KISTI - Korea

Brief updates from some member sites
------------------------------------
APAC - David - 180 host certs, 150 user certs, eSecurity project, GRIX.
A.SINICA - Jinny - a ticketing system, published CPS, established a FAQ.
CNIC - SDG-CA, Morris - scientific data grid, 55 user certs, 3 host certs, 2 service certs. CA software suite based on OpenCA. 10y to 20y, extensions removed. EUChinaGrid, intercontinental community, many partners.
NCHC introduction - Alex Wu (update actually delivered in the afternoon) - Grid Operations Centre under construction, architecture. Compute grid, data grid, sensor network, eTeaching/eLearning. In 'temp' operation at present.
KEK - HEP, Go - issues with LCG. 73 host certs issued, 26 user, 1 service. Audit later this year (thanks Yoshio).
NAREGI - just getting going again.
Toyokazu - Osaka University - update, will be issuing a lot of certificates!
SDSC - Cindy - setting up a CA, getting help from NAREGI, testing and accepting advice from Yoshio.
NGO - Singapore - Jon (update actually delivered in the afternoon). Using Nettrust; the temp CA continues to issue test or trial certificates.
NECTEC - Thailand - almost online, new offices in January.

-------------------
Yoshio gave an outline of the structure of IGTF members, the history of the movement and its current status. APGrid PMA launched June 1, 2004. Experimental and production levels; production has strict standards. 13 ex officio, 4 general members. 14 PMA meetings around the world since September 2004. igtf-general@gridpma.org has a cross-coupling issue with the mailing lists; Yoshio promises to fix it. Auditing and procedures, logs. We are members of IGTF as well as APGrid PMA, with the corresponding responsibilities. Contributions are necessary!

Question from Toyokazu - use of web technology to authenticate for the university. Does IGTF deal with such things?
Yoshio: the grid profile we use is perhaps not suited, but you can draft another profile.

----------------------------
NECTEC-GOC CA - application for approval. Sornthep and Suriya.
Last-minute changes: a new version was uploaded, with a very localised change to the organisational structure. Current version 1.0, October 2006.
Yoshio - recommend removing email from the DN and putting it in subjectAltName.
Yoshio - host certs should be issued to a person responsible for that domain.
Some discussion... How can one revoke? Can I revoke my own certificate?
Yoshio - how many people know the code to open the safe? - 2.
Approved on a show of hands. NECTEC is now a full member of APGrid PMA.

----------------------------
Summary of KISTI CA - Yoshio
Problems listed in the audit report; there are a number of things that are inappropriate. They do not appear to comply with the classic profile! Problems include V3 extensions, items in the certificate, number of operators, backup, audits, change control (of the CPS), disaster recovery. No face to face, offline is not really offline, logging.
Sangwan Kim responded - has issued to more than 50 users, more than 340 certificates.
Q: Yoshio - Is the offline machine really offline all the time?
A: No, sometimes connected temporarily. (Meeting noted that this cannot be accepted.)
Q: Yoshio - Face to face meetings?
A: Would like to do so but it's difficult...
Reference in the presentation to a "download click" for downloading the private key is a mistake; it's not really like that.
Certificate issuance seems more like the MICS profile than the classic profile.
Q: Morris - who checks identity, RAO or CAO?
A: There really is no difference between RAO and CAO in our model.
Q: Yoshio - if one user becomes aware that another user's cert is compromised, can the first user request revocation?
A: No.
Q: David - RedHat 9 is very old, how do you keep it current?
A: Many items compiled from source and applied.
Yoshio - use of a shared HSM is probably not acceptable; better to implement a real offline system.
* Update CA certificate: renew the CA certificate using the same private key but fixing the problems.
* Change CPS.
* Enhance system security.
* Multi-person operation.
* Backup.
Yoshio - get approval for the detailed plan before implementing, please. The timeline for this process is currently unclear.
Yoshio - advice from other PMA chairs is that the KISTI CA should be removed from the IGTF bundle until matters are fixed. If it were only one or two weeks we might be able to wait, but this is not the case here.
The meeting reluctantly agreed that KISTI be suspended. Yoshio advised that a new CA would be better than trying to fix that one.

---------------------------------
LUNCH
---------------------------------
Presentation by Prof. Yasuo Okabe about UPKI: history of grid federation in Japan, consortium of (5) universities in Kyoto, scalability, OASIS SAML. Library case study. Details of various projects, NAREGI CA, APAN middleware working group.

-------------------------------
Review of OGF proposed Grid Certificate Profiles, 0.13
Note to David - subjectAltName in a service certificate MUST contain an FQDN or a list of FQDNs; is this the solution to dangerous service certificates?
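The two certificate-content points recorded above (email belongs in subjectAltName rather than the DN, and a service certificate's subjectAltName must carry an FQDN), together with the 13-month end-entity lifetime mentioned later in the notes, can be turned into a mechanical pre-issuance check. The following is an added example written for these notes, not code from APGrid PMA, IGTF or any member CA; it assumes the Python `cryptography` package is installed, the FQDN syntax is the author's own approximation (the profile text does not define one), and the two certificates it builds are self-signed test data constructed for the demonstration.

```python
"""Check a host/service certificate against three points from the APGrid PMA
notes: no emailAddress in the subject DN (put it in subjectAltName instead),
a subjectAltName with at least one FQDN dNSName, and a lifetime of at most
13 months.  Example code for these notes; assumes `cryptography` is installed."""
import datetime
import re
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumption: an FQDN is two or more dot-separated labels of letters, digits
# and inner hyphens.  The profile text itself does not define the syntax.
FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
MAX_LIFETIME_DAYS = 13 * 31  # conservative reading of "13 months"


def _validity(cert: x509.Certificate):
    """Return (notBefore, notAfter); newer cryptography exposes tz-aware *_utc properties."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def check_host_cert(cert: x509.Certificate) -> List[str]:
    """Return a list of profile findings; an empty list means the certificate passes."""
    findings = []

    # 1. Email belongs in subjectAltName (rfc822Name), not in the DN.
    if cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS):
        findings.append("emailAddress present in subject DN; move it to subjectAltName")

    # 2. A service certificate MUST carry an FQDN (or several) in subjectAltName.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        findings.append("no subjectAltName extension")
    else:
        dns_names = san.get_values_for_type(x509.DNSName)
        if not any(FQDN_RE.match(name) for name in dns_names):
            findings.append("subjectAltName carries no FQDN dNSName entry")

    # 3. No end-entity certificate should live longer than 13 months.
    not_before, not_after = _validity(cert)
    lifetime_days = (not_after - not_before).days
    if lifetime_days > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime of {lifetime_days} days exceeds 13 months")

    return findings


def make_test_cert(subject_attrs, san_entries, days_valid: int) -> x509.Certificate:
    """Build a self-signed test certificate (constructed sample data, not a real CA's output)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(oid, value) for oid, value in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days_valid))
    )
    if san_entries:
        builder = builder.add_extension(x509.SubjectAlternativeName(san_entries), critical=False)
    return builder.sign(key, hashes.SHA256())


# Constructed sample certificates (hostnames and addresses are placeholders).
GOOD_CERT = make_test_cert(
    [(NameOID.COUNTRY_NAME, "TH"), (NameOID.ORGANIZATION_NAME, "Example Grid Site"),
     (NameOID.COMMON_NAME, "host/ce01.grid.example.org")],
    [x509.DNSName("ce01.grid.example.org"), x509.RFC822Name("admin@grid.example.org")],
    days_valid=365,
)
BAD_CERT = make_test_cert(
    [(NameOID.COUNTRY_NAME, "TH"), (NameOID.ORGANIZATION_NAME, "Example Grid Site"),
     (NameOID.COMMON_NAME, "host/ce01.grid.example.org"),
     (NameOID.EMAIL_ADDRESS, "admin@grid.example.org")],
    [],
    days_valid=3 * 365,
)

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, check_host_cert(cert) or ["OK"])
```

Run as a script, the good certificate produces no findings and the bad one produces three (email in the DN, no subjectAltName, three-year lifetime). A CA operator would run the same check over a freshly signed certificate before publishing it, which catches the DN and SAN mistakes the meeting discussed without relying on manual review.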
Put links to these profiles onto the CA TWiki page.

---------------------------------
Incident Response
What is a reasonable response time? The meeting agreed that three days was a reasonable maximum response time in almost all circumstances. All production sites will ensure that they can respond within this time limit if necessary.
A mailing list of 'emergency response' people is derived from the CA bundles. Please check what address is being used for your site and ensure it is appropriate. If not, notify Yoshio immediately. Please ensure the addresses nominated are unmoderated.

---------------------------------
Review of classic profile; look for it at http://www.eugridpma.org/igtf/
Yoshio forecast that the one-CA-per-country rule may be removed in the near future.
Definition of 'Should'.
Who can ask for a host cert? Much better wording in the new draft.
Q: Jon - how long should the audit trail be kept?
A: The present rule is 3 years, seems OK.
Jon: but a cert can be re-keyed for 3 or 5 years if based on a hardware token, 2048 bits etc.
The meeting agreed that three years of logs may not be enough if a cert is being re-keyed for 5 years. This implies users should present for a F2F at least every five years. Note that there is no suggestion that a particular certificate can have a life greater than 13 months.
What happens if a change appears in the profile that requires a CA to take extreme steps, i.e. reissue their root CA? This will depend on its impact.
Yoshio - the next PMA meeting is TAGPMA; it may finally approve this draft.

-----------------------------------
SLCS/MICS profile review. The difference is in the proposed maximum lifetime. Discussion was limited because of time constraints.

Meeting finished at 5:20pm.