Updates from the EUGridPMA
David Groep, July 16th, 2007
3rd TAGPMA ‘Austin’ meeting – Nov 2006 - 2David Groep – [email protected]
Outline
EUGridPMA: new CAs and profiles
Istanbul discussions
Re-reviewing process
EUGridPMA members and applicants
Green: EMEA countries with an Accredited Authority
  24 of 27 EU member states (all except LU, MT, RO)
  + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR
Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all
Membership by type
Under “Classic X.509 secured infrastructure” authorities
  accredited: 40 (recent additions: Serbia in 1.14)
  active applicants: 6 (Romania, Morocco, Ukraine, FYROM, Iran, Latvia)
Under “SLCS”
  accredited: 1 (SWITCHaai)
Major relying parties
  EGEE, DEISA, SEE-GRID, LCG, OSG, TERENA
Developments in Europe
Robots or automated clients were proposed in 2002 by Mike Helm et al.
  Introduced in the UK in 2006, in NL in 2007
  see http://ca.dutchgrid.nl/info/etokens for examples of tokens
Why?
  monitoring use case (classic one) for functional tests
  portals and web sites with ‘canned’ jobs, just like the cgi-bin use case
  automated tasks (data movers, &c)
Use of automated clients needs quite some policy changes, but having secure hardware tokens is a good ingredient
Other (non-)contentious issues discussed in TR
CRLs for compromised CAs
non-repudiation bit in keyUsage and how that relates to email signing
the Meaning of Locality and why to use O if you can
objectSigning bits
  should we also address who is allowed to get this bit?
  should the organisation be involved (Milan)?
  or does it only assert that the code was signed by this user, as is done in the UK, NL, AT, and so better keep as is?
auditable traceability in ID vetting and alternative solutions
the meaning of SHOULD
Self-Auditing
All members should do a self-audit at least once a year, based on the audit guidelines document, which reflects the latest state of the minimum requirements.
To aid in the self-review, the document will be complemented with some examples, and with input from the "Operational Review" spreadsheet that has been very successful in the TAGPMA. We can work on this during the coming months.
At least once every two years, the results of the self-audit, together with all supporting documentation, should be submitted to two independent peer reviewers endorsed by the PMA.
The reviewers should independently verify the self-audit, rate the issues on the scale A to D, and iterate with the authority under review to reach a final conclusion. This conclusion is open for the PMA.
The Authority should make a plan to address the issues found in the review, and correct all issues on which Advice ("D") was given.
The reviewers and the PMA verify that these changes are implemented in a 6-month time frame.
If, after six (6) months, for some very unlikely reason, the issues are still not corrected, the PMA will discuss the issue in the next plenary meeting. This discussion will include considering withdrawing the CA certificate from the distribution.
The results of this entire process will be private to the PMA. Only if an authority is actually withdrawn would it be made public.
Showing up
Also, please keep in mind that we would still like each CA to send a representative to the plenary meeting at least once every 1-2 years. Otherwise, after two years, the PMA will similarly discuss this. And, of course, everyone should be willing to act as a reviewer at least once a year :-)
Internal status table
Some dates for you to remember and schedule
September 4-5, 2007: TF-EMC2 meeting, Prague, CZ
September 19-21, 2007: 11th EUGridPMA meeting, Thessaloniki, GR
October 15-19 – OGF 21: CAOPS, IGTF, …, Seattle (WA), USA
November 29-30: NREN-Grid Workshop on Identity Federation, Malaga, ES
January 14-16, 2007: 12th EUGridPMA meeting, Amsterdam, NL