Updates from the EUGridPMA

David Groep, July 16th, 2007


3rd TAGPMA ‘Austin’ meeting – Nov 2006 – David Groep

Outline

EUGridPMA: new CAs and profiles

Istanbul discussions

Re-reviewing process


EUGridPMA members and applicants

Green: EMEA countries with an Accredited Authority
  24 of 27 EU member states (all except LU, MT, RO)
  + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR

Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all


Membership by type

Under “Classic X.509 secured infrastructure” authorities
  accredited: 40 (recent additions: Serbia in 1.14)
  active applicants: 6 (Romania, Morocco, Ukraine, FYROM, Iran, Latvia)

Under “SLCS”
  accredited: 1 (SWITCHaai)

Major relying parties
  EGEE, DEISA, SEE-GRID, LCG, OSG, TERENA


Developments in Europe

Robots or automated clients
  were proposed in 2002 by Mike Helm et al.
  introduced in the UK in 2006, in NL in 2007
  see http://ca.dutchgrid.nl/info/etokens for examples for tokens

Why?
  monitoring use case (classic one) for functional tests
  portals and web sites with ‘canned’ jobs, just like the cgi-bin use case
  automated tasks (data movers, &c)

Use of automated clients needs quite some policy changes, but having secure hardware tokens is a good ingredient


Other (non-) contentious issues discussed in TR

CRLs for compromised CAs

non-repudiation bit in keyUsage
  and how that relates to email signing

the Meaning of Locality and why to use O if you can

objectSigning bits
  should we also address who is allowed to get this bit?
  should the organisation be involved (Milan)?
  or does it only assert that the code was signed by this user, as is done in the UK, NL, AT, and so better keep as is?

auditable traceability in ID vetting and alternative solutions

the meaning of SHOULD


Self-Auditing

all members should do a self-audit at least once a year, based on the audit guidelines document, which reflects the latest state of the minimum requirements.

To aid in the self-review, the document will be complemented with some examples, and with input from the "Operational Review" spreadsheet that has been very successful in the TAGPMA. We can work on this during the coming months.

at least once every two years, the results of the self-audit, together with all supporting documentation, should be submitted to two independent peer reviewers endorsed by the PMA

the reviewers should independently verify the self-audit, and rate the issues on the scale A to D, and iterate with the authority under review to reach a final conclusion. This conclusion is open for the PMA.

the Authority should make a plan to address the issues found in the review, and correct all issues on which Advice ("D") was given.

the reviewers and the PMA verify that these changes are implemented in a 6-month time frame

if, after six (6) months, for some very unlikely reason, the issues are still not corrected, the PMA will discuss the issue in the next plenary meeting. This discussion will include considering withdrawing the CA certificate from the distribution.

The results of this entire process will be private to the PMA. Only in case that an authority is actually withdrawn would it be made public.


Showing up

Also, please keep in mind that we would still like each CA to send a representative to the plenary meeting at least once every 1-2 years. Otherwise, after two years, the PMA will similarly discuss this. And, of course, everyone should be willing to act as a reviewer at least once a year :-)


Internal status table


Some dates for you to remember and schedule

September 4-5, 2007
  TF-EMC2 meeting, Prague, CZ

September 19-21, 2007
  11th EUGridPMA meeting, Thessaloniki, GR

October 15-19 – OGF 21
  CAOPS, IGTF, …, Seattle (WA), USA

November 29-30
  NREN-Grid Workshop on Identity Federation, Malaga, ES

January 14-16, 2007
  12th EUGridPMA meeting, Amsterdam, NL