CAOPS-WG and IGTF (APGridPMA meeting)
OGF24 - Singapore - 16 Sep 2008
Notes by Dave Kelsey

Session 1
----------

Christos welcomes all and presents the agenda for the day: one session of CAOPS-WG, three of APGridPMA. All need to sign the IPR form.

1. Review charter (Christos)

This was discussed at OGF23. See slide. Details were discussed.
- Group Summary: discussion of the last sentence, related to conveying authentication decisions. Change agreed.
- Charter Focus and Scope: small change agreed.
- Exit Strategy: small change agreed.
- Working Documents: two stalled documents, OCSP and Risk analysis for LoA. Agree to decide on the mailing list whether there is interest in continuing. For LoA risks, need interest from Relying Parties.
- 7 Questions: agreed some changes.

2. Auditing Guidelines (Yoshio)

Yoshio presents the new version including comments from earlier meetings. Scott Rea has helped with the editing. See V1.0-b6. Scott added a section on Auditor Qualification.
Mingchao asks whether this is an internal or external audit? Is it external to the Grid community? No - just external to the CA.
The list of requirements is very heavy, particularly the professional certification. Agree to discuss with Scott.
People wish to remove the reference to a specific version of the AuthN profile. Perhaps use words like "using V4.1 as a case study".
Should move asap to public comment.

3. Authentication Services Profile (Christos)

Christos reviews the changes agreed earlier. Lots of text dropped. Christos shows the sections remaining. Not ready for discussion yet. There is a clear understanding of what needs to be there. Work will continue on the mail list. To be discussed at the November 2008 TAGPMA meeting.

4. Use cases for RP name constraints (David G)

David shows the current draft, dated June 4 2008. Two issues remained from last time.
First issue: description of rationale (section 2). David shows the new footnote. Agreed the new text.
Second issue: section 3 - policy language and expression requirements.
Email sent recently to RPs and so far no response. The most important message of this document is that name space constraints are needed. Details of the format are of less importance. The old Globus format had limits to line length, and the implementation of negatives and wild cards was incomplete or inconsistent. Mike J reports he has seen a Java implementation in GT V4.2.
Christos reports that Jens J was going to add use cases. Agree to give Jens a few days to do this if he wishes. Then will go out again to WG final call.

5. IGTF CP/CPS Template Working Party (David G on behalf of Jens)

See slides. The idea is to streamline the process of producing a CP/CPS. Shows the process of a CA applying for membership. The review and response process can take years! Need to develop safe text for cloning rather than cloning bad text.
The template has been written by Jens in DocBook XML. He used Emacs with nxml as editor.
Mike J asks how hard it is for a CA manager to insert info? David: depends on the section. Balance between making it easy for a new CA and the new CA understanding the issues.
Rendering in MS Word is possible - but Milan points out that edits made in Word cannot be fed back into DocBook. PDF is perhaps better.
Mike J: does this feed into the audit process? David G: mainly for accreditation and the initial audit (done by the PMA).
Need to be careful about IPR and Copyright. Assign copyright to OGF/IGTF? This is still an open issue. May need to write new text and then make it available under a re-usable license (e.g. Creative Commons). Looking for volunteers to contribute new text.
Agree that if this works it will be an additional output for CAOPS-WG.

--- coffee ---

Session 2
----------

Continue with the CAOPS agenda.

6. Gap Analysis of current LoA (Mike J)

See slides. Document status: this is now fairly advanced but there has been little response from others. Four parts: Introduction; Existing efforts in defining and using LoAs; Existing LoA middleware; Gap Analysis.
Shows some parts of the document. SP is more general than a Shib SP. Most existing efforts seem to have decided to use 4 levels of assurance. Someone else (other than the authors) needs to check the section on Grid Authentication. Have not yet addressed the eduPersonAssurance document. Mike will do this.
Way forward: some issues to be addressed in the document. Then will invite comments. Will now use the CAOPS list rather than the old LoA mail list.
Vinod: Scott and he did an exercise on mapping levels to IGTF profiles. DavidG: the biggest problem was lack of auditing for IGTF. This is now being addressed. MikeJ: also lack of hardware tokens; proxy certificates well out of scope.
Christos: would be good to have the next version before the November TAGPMA meeting.
DavidG will contact subscribers to the LoA mail list (if they are not already on CAOPS) and then close the list.

--- now start the APGridPMA meeting ---
----------

The agenda is on the APGridPMA web site. No need for introductions - all know each other.

1. APGridPMA update (Yoshio)

See slides. There are currently 12 accredited CAs, 1 (Indian GridCA) under review, and ThaiGrid and HongKong planning. Yoshio shows the agenda for the rest of today. APGridPMA is looking at increasing the frequency of meetings, allowing video conference to facilitate participation.

2. EUGridPMA update (David G)

See slides. Map now redrawn to include South Africa. Iran now accredited. Several countries pending from EUMedGrid. New initiative across Silk Road countries, in collaboration with a NATO programme.
AuthZ WG update: new draft document on the EUGridPMA wiki. Will be discussed again at the Lisbon meeting (October). Mike J: does it have to be limited to X.509? DaveK: we decided to consider a concrete use case, used today, and then perhaps make it more general later. Several open issues (see slides).
IGTF Risk Assessment Team: now set up. Jim Basney ran a communications challenge. CAs had problems when mail was sent by bcc. Solved mailbox problems with a small number of CAs.
CAs should look at sending automated trouble ticket responses.
CA monitoring: response to warnings about out-of-date CRLs is getting worse again.
Shows list of future meetings.
Christos: JimB did his test on 15th August, which is a holiday in much of Southern Europe.
MikeJ: Is there a way of defining "service at risk"? DavidG: Many responses (simple e-mail, revocation, ...) should be actioned within a day or two. Should not be down for a week. EUGridPMA also has a team to assess removal of a non-responding CA from the distribution.

3. TAGPMA update (Vinod)

See slides. Membership not changed much. Added a new Brazil institute. Several personnel changes have happened. 7 accredited, 5 pending, 3 more in the works. Peru and Colombia joining soon. Web site and mail lists now moved (moving) to ESnet.
Much recent work on incident response (Debian SSL vulnerability and others). TAGPMA charter has been updated. SLCS profile - see later. Lots of discussion about CRL lifetimes. Membership is different from CA accreditation.
Looking at auditing: Yoshio's document and also other audit guidelines.
Templates: Brazil working on how to template minimum requirements (3647 based) to assist in CP/CPS production - in Portuguese. Plan to feed this back in to Jens' CP/CPS template work.
Next meeting in Argentina, 6-8 November. Two-weekly video confs too.

4. SLCS profile (Vinod)

V2.0 updates: language update and then policy update. Recent security incidents led to the requirement for CRLs. Also lowered the HSM operating mode to Level 2 (to allow easier service restarts). The new document went to EUGridPMA in Copenhagen. Switch have since provided more input. There were some issues with maximum lifetime, but these are now solved.
No other points raised. APGridPMA has no problem approving this new SLCS profile.

5. Demo of OpenSSL (version 0.9.8) dealing with policy OIDs (Milan)
OpenSSL 0.9.8 has all the functionality required to do verification checks requiring particular OIDs. There is therefore a need for CAs to start adding policy OIDs to new certificates. Push the developers now. RPs could then switch on checking early in 2010.
DavidG: which OID do we install? Including version number or not? Or both (one with and one without version)? Agreed that we should include both OIDs (general and specific version).
Mingchao asks about Robot cert OIDs. DavidG: should include the Classic profile OIDs and the Robot cert 1scp OID.

6. APGridPMA new charter, Version 1.3 (Yoshio)

Removed reference to APGridPMA minimum requirements; refers to IGTF profiles instead. Added a Vice Chair. No comments. Agreed. Officially approved. Jinny Chien (ASGC) has been appointed Vice Chair.

---- lunch -----

Session 3
----------

7. Accreditation of Indian Grid CA (IGCA) - Henry Sukumar S. (C-DAC)

See slides. 10 centers across India. GARUDA Grid. NGI started 2005. 45 institutes in 17 cities. Collaborates with EGEE and the US Cancer Grid.
CA located in Bangalore. RA verifies ID via face-to-face meeting. The application form is faxed to the IGCA manager, who verifies the RA signature. CAO (operator) issues the certificate. CP/CPS in 3647 style. CA server is offline. RA server is online. Using OpenCA software.
Yoshio: how is the certificate issued? CAO transfers the CSR from the RA server web repository via a dedicated USB memory stick to the CA server.
DavidG: how is the CSR linked to the identity of the applicant? Partly linked via proof of ownership of mailbox. DavidG suggests the user writes a PIN on the form.
Yoshio: User certificate MUST not be shared (not SHOULD).
Yoshio: CRL distribution should be http: not https:
Milan: CRL link must be DER format, not PEM. Can also provide this if you wish.
Mingchao: e-mail in CN is not recommended. All agree that this is actually OK.
DavidG: order of fields in the CA cert is reversed in the ASN.1 structure. End entity certs are in the correct order (subject), but the issuer is reversed.
DaveK: Number of RAs and users expected? ~45 RAs and about 200-300 users. No problem with contact between user and RA.
DaveK: should inform the PMA when the CA key is compromised.
DavidG: a couple of technical issues in end entity certs not compliant with the cert profile.
Yoshio: how many CAOs? Three.
Yoshio: are there likely to be other CAs for India? This is the only one.

8. CA Status updates (alphabetical)

AIST: see slides. Revision of CP/CPS approved.
CNIC (remote presentation): see slides.
IHEP (remote presentation): see slides. Yoshio: schedule for implementing the new system? Not yet defined.
KEK: see slides. No complaints about the proposed delay to the audit. Vinod: why so many revoked certs? They are revoked by users to get a new certificate, so as not to have two certs with the same name. Apply first, then revoke. This is a limitation of the NAREGI CA software. Users must be unhappy!
KISTI (remote presentation): see slides.
NAREGI: see slides. Made a major revision to the CP/CPS for distributed RAs. Yoshio has reviewed this. Does the PMA approve? Yes... approved.
NCHC (remote presentation): problems with audio. Delay to next session?

--------- coffee ---------

Session 4
----------

8. CA Status updates continued

ASGC: see slides.
NECTEC: see slides. Yoshio: were there major changes when you moved to 3647 format? No, just format. Will send the new CP/CPS to the mail list.
PRAGMA-UCSD: Yoshio on their behalf. See slides.
HKU: Yoshio on their behalf. See slides. DavidG: how do they run an offline server as a VM?

9. Heavy traffic for CRL downloading

This and the next issue were raised by Nettrust. See linked plots. Traffic has grown by a factor of 4 during August.
David G: sites with no web cache will download from all machines every 6 hours. If there is a central cache then it will be better, but the configuration of the web cache can be wrong, or the CRL is configured not to be cached. Should make the CRL as small as possible - DER format is better. And don't need to revoke expired certs for AuthN.
Milan: for checking signed e-mail, the receiver as a minimum has to store a copy of the CRL at the time of checking the e-mail.
Don't want to limit connections to the CRL server as this would affect everyone.
Milan: Sites need to be educated. Have proper caches and don't download from all sites at the same time. The distribution should take care of this.
DavidG: sometimes one host makes thousands of connections. If so, the CA can contact the sysadmin. Storing the original downloaded file could help. Then a HEAD request could check if the CRL has actually changed.
DavidG: for poorly connected sites, can relocate the CRL to a place with better connectivity. MikeJ: could download from someone else who already has it.
Christos: machine load is not the problem. It is network bandwidth.
Yoshio: we should reduce the unnecessary downloading? How to reduce the problem for CAs with poor network connectivity - host the CRL at another site. Milan: If the latter, the CA should push the CRL to the alternate host.

10. Frequency of issuing CRLs

Nettrust issues a CRL every day and the lifetime is only 25 hours. But it revokes certs every hour or so (to meet the needs of the Singapore Government). This is not compliant with the profile.
Milan: we issue every day with a lifetime of 8 days.
Mike J: if there is only a one hour overlap then RPs need to download every hour. Don't want that!
Mike J: Who wants 7 days? And why? Dave K: Sites want green boxes on Site Availability Monitoring. Expired CRLs go Red. Sites want time to get problems fixed. 7 days was chosen to allow for weekends, holidays etc. and to give time to fix.
David G: a CA may be worried about the legal liability of very long "next update" times. The CP should make sure this does not represent a problem.
Should we reduce 7 days? David G: could be 7 days if an offline CA and 3 days if online with automatic issue of the CRL.
User question: How do I know I have to download a CRL?
Nettrust will look into issuing CRLs with longer lifetime.
Agreement that we should look into changing the Classic profile, noting that NIIF and CERN already have shorter lifetimes. CAs should be compliant with the policy. Agenda item for the Lisbon EUGridPMA meeting.

11. Frequency of F2F PMA meetings

Looking at possible dates:
- PRAGMA16, Korea (end March)
- ISGC, Taipei (20-24 April)
- Grid Asia (Singapore)
- CCGrid, Shanghai (May 18-21)
Will choose one of these and then another in the second half of the year.
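The relying-party side of the CRL traffic discussion under item 9 (keep the previously downloaded copy, ask whether it changed before fetching the whole file again, and prefer DER over PEM because it is smaller) can be shown concretely. The following is an added example written for these notes; it is not software from any CA, PMA or site named above. It uses an HTTP conditional GET (If-None-Match / If-Modified-Since, answered with 304 Not Modified) in place of the separate HEAD request mentioned in the discussion, since it performs the same "has it changed?" check in a single round trip and transfers no body when nothing changed. The CA URL, the cache file names, the 5-byte stand-in CRL and the in-memory fake server in run_demo are all constructed for illustration.

```python
"""Relying-party CRL cache that avoids needless re-downloads.

Added example for these minutes, not code from any CA or PMA mentioned.
Assumes the CA publishes the CRL over plain http, honours ETag and/or
Last-Modified on conditional requests, and may serve either PEM or DER.
"""
import base64
import json
import os
import tempfile
import urllib.error
import urllib.request

PEM_HEADER = b"-----BEGIN X509 CRL-----"
PEM_FOOTER = b"-----END X509 CRL-----"


def pem_to_der(data: bytes) -> bytes:
    """Normalise a CRL to DER. PEM is base64 text wrapped around the same
    bytes, so it is roughly a third larger on the wire and on disk."""
    if not data.lstrip().startswith(PEM_HEADER):
        return data  # already DER; passed through unchanged
    body = data.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode(b"".join(body.split()))


def http_get(url: str, headers: dict) -> tuple:
    """Real transport: (status, response headers, body).
    urllib raises HTTPError for 304, so that case is turned into a tuple."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), b""


def fetch_crl(url: str, cache_path: str, transport=http_get) -> str:
    """Refresh the cached CRL at cache_path from url.

    Returns "not-modified" when the server answered 304 (nothing transferred)
    and "updated" when a new CRL was written. The validators (ETag and
    Last-Modified) from the last download are kept in a sidecar .meta file.
    """
    meta_path = cache_path + ".meta"
    headers = {"User-Agent": "crl-cache-example/1.0"}
    if os.path.exists(cache_path) and os.path.exists(meta_path):
        with open(meta_path) as fh:
            meta = json.load(fh)
        if meta.get("etag"):
            headers["If-None-Match"] = meta["etag"]
        if meta.get("last_modified"):
            headers["If-Modified-Since"] = meta["last_modified"]

    status, resp_headers, body = transport(url, headers)
    if status == 304:
        return "not-modified"
    if status != 200:
        raise RuntimeError(f"CRL fetch from {url} failed: HTTP {status}")

    der = pem_to_der(body)
    if not der.startswith(b"\x30"):  # a DER CertificateList is a SEQUENCE
        raise ValueError("response body is not a DER-encoded CRL")

    # Write atomically so a verifier never reads a half-written CRL.
    tmp_path = cache_path + ".tmp"
    with open(tmp_path, "wb") as fh:
        fh.write(der)
    os.replace(tmp_path, cache_path)

    lower = {k.lower(): v for k, v in resp_headers.items()}
    with open(meta_path, "w") as fh:
        json.dump({"etag": lower.get("etag"),
                   "last_modified": lower.get("last-modified")}, fh)
    return "updated"


def run_demo() -> dict:
    """Exercise fetch_crl against a constructed in-memory CA.

    The 5-byte payload is a constructed stand-in, not a real CRL. The fake
    server serves it as PEM and answers 304 once the client presents the ETag.
    """
    der = b"\x30\x03\x02\x01\x05"
    pem = PEM_HEADER + b"\n" + base64.b64encode(der) + b"\n" + PEM_FOOTER + b"\n"
    seen_headers = []

    def fake_server(url, headers):
        seen_headers.append(dict(headers))
        if headers.get("If-None-Match") == '"crl-v1"':
            return 304, {"ETag": '"crl-v1"'}, b""
        return 200, {"ETag": '"crl-v1"',
                     "Last-Modified": "Tue, 16 Sep 2008 00:00:00 GMT"}, pem

    path = os.path.join(tempfile.mkdtemp(), "example-ca.crl")
    url = "http://ca.example.invalid/crl.pem"  # constructed URL
    first = fetch_crl(url, path, fake_server)
    second = fetch_crl(url, path, fake_server)
    with open(path, "rb") as fh:
        cached = fh.read()
    return {"first": first, "second": second, "cached_is_der": cached == der,
            "pem_bytes": len(pem), "der_bytes": len(der),
            "second_sent_etag": seen_headers[1].get("If-None-Match") == '"crl-v1"'}


if __name__ == "__main__":
    print(run_demo())
```

Run from cron at the site's cache host rather than on every worker node, this is the behaviour the discussion asks for: one conditional request per interval, a body only when the CA actually published a new CRL, and the local copy kept in DER. Whether the CA's web server sends ETag or Last-Modified is a per-CA assumption; if it sends neither, the client falls back to a full download every time, which is a useful thing to notice when looking at the traffic plots.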