7th APGridPMA meeting, Taipei, Monday 8th March 2010
Notes by David Kelsey.

1. Introductions
Eric welcomes everyone to Taipei, followed by roundtable introductions. The agenda is presented and agreed.

2. Update of EUGridPMA (David Groep)
Geographical coverage is still increasing; the map is now all green. There are new federated MICS CAs. The TERENA MICS CA was accredited on 1st Feb 2010 and uses a Comodo backend. A server CA for eScience will follow.
13 different CAs have gone through the self-audit. These are rigorous, but the implementation of the recommendations takes some time.
David reviews the IGTF release process, now on Monday (or Tuesday). The response to the automated warnings about CRL issuing is down again; please do not ignore them. There is a new version of Fetch-CRL to cover more OS versions, thanks to Steve Traylen.
He turns to the problems caused by OpenSSL version 1. This results in changes to the trust anchor, with SHA1 hashes. EUGridPMA agreed a new single distribution with files named after their alias, such that this will work with all versions of OpenSSL. He presents the implementation plan: release 1.36 will have the new style as the default (not before summer 2010). RPs have been asked to test the new dual-stack release and provide feedback. Feedback from APGridPMA is also very welcome.
He shows the list of upcoming EUGridPMA meetings.
Sam: when will the OSes move to OpenSSL? Fedora 12 has already moved. RHEL is moving to NSS anyway.

3. TAGPMA update (Dave Kelsey)
Shows Roger Impey's slides from the Dublin EUGridPMA meeting.

4. Bridging the Usability Gap (David Groep)
David G presents the IGTF history. The large IGTF CAs have up to ~20k active users. This needs to scale to the ~1M members of academic federations, so David presents ideas to address this: build on the national federations currently being deployed. Users with a federated account could be issued a Grid certificate in less than 5 minutes. We will be the first service to ask for a higher level of assurance.
Presents the TERENA eScience Personal CA.
Now moves to the private key protection guidelines. This was accepted at the IGTF all-hands meeting; come back to this later today. The updated version of the Classic AP (V4.3) is awaiting acceptance by the other PMAs. PKP guidelines also need to be included in the SLCS and MICS profiles.
Now considers the Guideline on Approved Robots and use cases for robots, e.g. portals. Robot certs are required for many of the VO portal classes, so please start to support these.
Romain points out that RPs have great difficulty in enforcing user key protection. DavidG points out that this does now allow the generation of the private keys by the site. Hardware tokens would also improve things.
Q: can the private key be generated in unencrypted form? A: no, the profiles do not allow this.

--- coffee ---

5. Accreditation of Mongolia CA (Unurkhaan Esbold)
SSSCA. The CP/CPS is in first draft; see slides. SSS (www.sssmn.com) was established in 2007 and is the founder of the first Mongolian CSIRT. A national data centre was established in Aug 2009. The CA is not yet operational. Two reviewers (Jinny and Henry). Input from the Morocco, Austria and Pakistan CAs.
Asks for guidance on the choice of OID; yet to apply to IANA. (DavidG: can also get one from IGTF if IANA is too slow.)
Goes through the content of the CP/CPS. Naming is currently based on /C=MN ...; Yoshio reminds that domain components should be used. Rekeying must be every year. The CA is currently offline, but they have an HSM so may move to online signing later. David G suggests leaving out nonRepudiation as this is not well understood in PKIX.
Yoshio asks about the RA identification process. A: it will be in person with photo ID. At the start there will be only one RA, but this can increase later. What about the uniqueness of the name? Everyone has a unique ID number in Mongolia; this will be used to map to another unique number. What software for the CA? Not yet decided, but advice is welcome.
No timeline is defined yet, but hopefully between 6 and 12 months. Comments on the CP/CPS are invited. A new version was received yesterday. The two reviewers will do their work, and progress can continue by e-mail and/or video.

6. APAC self-audit (Sam Morrison)
See slides. The Classic CA was accredited in Feb 2006. The number of user certs is decreasing because the federated SLCS CA is being used; accreditation for this will follow once the federation is in production. Goes through the issues found by the self-audit: 2 B, 1 C, 1 D. CPS V1.5 has been produced to address these issues and to change from APAC to ARCS. Should send it to the list and ask for any objections.
Yoshio asks more about the future SLCS federation CA. It is running for ~12 universities, but only on a best-effort basis. Accreditation is still delayed.

7. NECTEC self-audit (Sornthep Vannarat)
The Classic CA was accredited in Oct 2006. A new RFC 3647 version of the CP/CPS has been drafted but not yet seen by APGridPMA. Goes through the self-audit issues, many of which are addressed in the new CP/CPS. Asks for clarification on "retaining the same identity" over time. DavidG: the important one is the last one in the list; two different people with the same name must always have different subject names. Summary: 6 B, 9 C. The CP/CPS is being changed to address these and will be available in ~2 months.

--- lunch ---

8. Member updates
Yoshio - AIST GRID CA: shows the staff involved and the number of certs issued. No changes since the last VTC in Dec 2009. Self-audit in April/May.
Yoshio - PRAGMA-UCSD CA: slides on behalf of the CA manager. Number of certs issued. No other changes.
ASGCCA - Jinny: number of certs issued and RA details. The CP/CPS has moved to RFC 3647. Want to survey SLCS CA and HSM. The self-audit will be done this year.
IGCA - Santhosh (remote, but problems with the VTC, so presented by a representative in the room): new CP/CPS v1.1 (5 Aug 09); the profile of EE certs changed to include the OID of the Classic profile. Number of certs issued and registered RAs. Shows a photo of the team. Self-audit done; results still to be reported.
IHEP - Wei Zhu: running since 2004. Shows the status of current operations and the staff structure. Number of certs issued.
KEK - Takashi: same CP/CPS and no changes. Shows statistics. External review last done in 2007. Internal audit is ongoing.
KISTI - Sangwan Kim: shows statistics and the research community supported. Users want simple cert handling. They plan to upgrade the CA system with an online subscription form with local-language documentation. The RA role needs to be revitalised to cover larger communities. Want to upgrade the client software for Windows 7. The self-audit will happen after these upgrades.
NCHC - Hui-Shan Chen: shows the new staff structure (now reduced) and statistics. The self-audit will be done in 2010.
HKU Grid CA - Frankie: CA accredited last year. A few certs have been issued; this will increase when the Grid point service formally starts. Shows staff; no changes.
NII/NAREGI - Kento: started in 2006. No changes to the CP/CPS. Shows statistics, staff and the number of RAs. Grid Pack is a package of a local user account and a user certificate. There is a problem because most user accounts in computer centres are renewed in March/April (academic year); this causes timing issues with the renewal of certs, which they want to do as a package.

9. CNIC and SDG status and self-audit report (remotely, by Kejun Dong)
SDG (Scientific Data Grid) is a subordinate of the CNIC CA. Shows statistics. The CP/CPS was updated to V1.9 as a result of the audit. Summary: 3 B, 2 C. Goes through the details. DavidG asks about ensuring uniqueness of the name by including the e-mail address: this could be re-used by someone else. Additional information is needed to ensure persistence over the lifetime of the CA, e.g. a hand-written signature or ID card serial number.
Eric proposes that there should be two reviewers of today's self-audit reports. David G reports how this is done in EUGridPMA, including a light-weight operational review, e.g. CRL issuing done on time, and as a way of pushing for document updates after the review. Yoshio asks whether each CA should send the self-audit spreadsheet report. He would prefer to do an independent review of the CP/CPS and then compare it with the self-audit. There will be fewer new CAs, so the effort should be spent on reviewing the existing ones. All agree that the current audit template should be used, with clearly defined procedures, before the next face-to-face meeting.

10. Action items
Shows the list of action items. Updates of the primary CA contacts are needed. Self-audit reports are expected at the next F2F meeting for AIST, IGCA, ASGCCA and NCHC. A host is needed for the next F2F meeting (2nd half of 2010). Eric would like a status matrix (like TAGPMA's) for accreditation and operation status; he will send a draft for comment.

--- coffee ---

11. Authorisation Policy (David Kelsey)
Shows the background to the activity and the discussion at the Dublin EUGridPMA meeting. The scope has been reduced to include just the technical details and to drop accreditation procedures. AAs can assess themselves against the best-practice guidelines. The aim is to produce a good draft within 6 months and to finalise within a year. Volunteers are welcome to join; talk to Dave.

12. Endorsement of Guidelines documents
No further discussion. Both the PKP and Robot Guidelines documents are endorsed by APGridPMA.

13. Next F2F meeting
Agreed that one will be joint with ISGC 2011 (a year from now); this could be the IGTF All Hands meeting. KEK (Japan) is a candidate for Autumn 2010. Australia is another possible candidate (conference on the Gold Coast from 8-12 Nov). Both candidates will explore possible dates.

Meeting closed at ~16:30.