Updates from the European Side of the Pond David Groep, November 2006 - PowerPoint PPT Presentation
1
Updates from the European Side of the Pond
David Groep, November 2006
2
Outline
  • EUGridPMA constituency and status
  • Classic secured X.509 Authentication Profile
  • The TACAR Trusted Introducer
  • Distribution site, the RPM repository, and fetch-crl

3
EUGridPMA members and applicants
  • Green: EMEA countries with an Accredited Authority
    • 23 of 25 EU member states (all except LU, MT)
    • AM, CH, HR, IL, IS, NO, PK, RU, TR
  • Other Accredited Authorities
    • DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

4
The story so far
5
Membership by type
  • Under Classic X.509 secured infrastructure authorities
    • accredited: 38 (recent additions CERN-IT/IS, SRCE)
    • active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
  • Under SLCS
    • accredited: 0
    • active applicants: 1 (SWITCH-aai)
  • Under MICS draft
    • none yet of course, but actually CERN-IS would be a good match for MICS as well
  • Major relying parties
    • EGEE, DEISA, SEE-GRID, LCG, TERENA

6
Developments in Europe
  • SWITCH-aai
    • interfacing the national academic federation, based on Shibboleth, to the Grid world
    • the SLCS CA is part of this effort (but just phase 1); planned to be in production by Q1 2007
  • Confederation at the national level
    • national federations are being, or have been, implemented
    • codenamed eduGAIN, the confederation uses federation adapters to translate identities when crossing federation boundaries
    • policy coordination is now starting
    • eduroam has by now an (almost) agreed policy
  • Implements key e-IRG recommendations in the AA area

7
Classic X.509 AP updates (v4.1 β5)
  • Major points addressed
    • explicit definition of what we mean by "should"
    • FQDN ownership
    • time-shifted identity vetting migrated to the MICS draft AP
    • maximum 5 years without a form of identity verification
    • reformulated on-line CA architectures
    • includes explicitly the two pre-vetted architectures
    • keyUsage SHOULD (was MUST) be critical in CA certs
    • compliance with the Grid Certificate Profile draft (in OGF)
    • due diligence for subscribers made explicit
    • and many grammar and spelling improvements

8
Classic v4.1b5 Updates (1)
  • clearer definition of what we mean by "should"
  • FQDN ownership
  • A form of validation after at most five years
    • this has been buried in very old minutes and has now been made explicit

9
Classic v4.1b5 Updates (2)
  • On-line CA architectures

10
Classic v4.1b5 Updates (3)
  • On-line CA models

11
Classic v4.1b5 Updates (4)
  • keyUsage extension SHOULD be critical in a CA cert
    • this used to be a MUST, but that would unnecessarily exclude some commercial top-level CAs (e.g., NetTrust)
  • Compliance with the Grid Certificate Profile document
    • document is now in draft in the OGF CAOPS-WG
    • almost finished
    • embodies lots and lots of community knowledge on what a certificate ought to look like
    • read it before you set up a new CA, or regenerate a root cert, or think about an end-entity certificate profile
  • Auditing: if you re-issue without a new identity vetting, you MUST keep the original records for at least as long as there are certs based on this vetting, plus the default grace period
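
The keyUsage point above is easy to get wrong when checking a CA certificate by hand, because DER omits a `critical` BOOLEAN whose value equals its DEFAULT (FALSE): a non-critical keyUsage simply has no BOOLEAN in the Extension SEQUENCE at all. The following Python is an added example written for this page, not code from the slides or from the EUGridPMA; it parses only the Extensions SEQUENCE (not a whole certificate) with a small hand-written DER reader, decodes the keyUsage bits, and reports whether the SHOULD-be-critical rule is met. The two sample blobs are constructed inline for the example.

```python
"""Added example (not from the slides): check the Classic AP rule that the
keyUsage extension of a CA certificate SHOULD be marked critical, using a
minimal DER parser with no third-party dependencies.  Only an X.509
Extensions SEQUENCE is parsed; the sample blobs below are constructed."""

KEY_USAGE_OID = b"\x55\x1d\x0f"  # id-ce-keyUsage, 2.5.29.15

# keyUsage bit names in RFC 5280 order; bit 0 is the MSB of the first data byte
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, value):
    """Encode a short-form DER TLV (value under 128 bytes); used to build samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def parse_extensions(der):
    """Parse an Extensions SEQUENCE into {oid_bytes: (critical, extnValue)}.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  A missing BOOLEAN means critical = FALSE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid, p = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:  # BOOLEAN present: DER encodes TRUE as 0xFF
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts[oid] = (critical, val)
    return exts


def decode_key_usage(bitstring_der):
    """Turn the keyUsage BIT STRING (the DER inside extnValue) into bit names."""
    tag, val, _ = read_tlv(bitstring_der, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused_bits, data = val[0], val[1:]
    total_bits = len(data) * 8 - unused_bits
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if data[byte_index] & (0x80 >> bit_index):
            names.append(KEY_USAGE_BITS[i])
    return names


def check_ca_key_usage(extensions_der):
    """Apply the CA rule: keyUsage present, keyCertSign set, and SHOULD be critical."""
    exts = parse_extensions(extensions_der)
    if KEY_USAGE_OID not in exts:
        return "fail: keyUsage extension absent from CA certificate"
    critical, value = exts[KEY_USAGE_OID]
    usages = decode_key_usage(value)
    if "keyCertSign" not in usages:
        return "fail: keyUsage lacks keyCertSign, so this key may not sign certificates"
    if not critical:
        return "warn: keyUsage is non-critical (profile says it SHOULD be critical)"
    return "ok: keyUsage critical with " + ", ".join(usages)


# Constructed samples: keyUsage = keyCertSign | cRLSign, i.e. BIT STRING
# 03 02 01 06 (one unused bit, bits 5 and 6 set), with and without critical.
KU_VALUE = der_tlv(0x04, der_tlv(0x03, b"\x01\x06"))
SAMPLE_CRITICAL = der_tlv(0x30, der_tlv(
    0x30, der_tlv(0x06, KEY_USAGE_OID) + der_tlv(0x01, b"\xff") + KU_VALUE))
SAMPLE_NONCRITICAL = der_tlv(0x30, der_tlv(
    0x30, der_tlv(0x06, KEY_USAGE_OID) + KU_VALUE))

if __name__ == "__main__":
    for label, blob in (("critical", SAMPLE_CRITICAL), ("non-critical", SAMPLE_NONCRITICAL)):
        print(label, "->", check_ca_key_usage(blob))
```

To run this against a real CA certificate you would first locate the Extensions SEQUENCE inside the TBSCertificate (context tag [3]); the parser above is deliberately limited to that structure so the encoding rule it illustrates stays visible.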

12
Classic v4.1b5 Updates (5)
  • Due diligence for subscribers
  • Still pending for a next version
    • some real insights in the necessary site security measures
    • certificate/CRL profile to be revised once the OGF document thereon is formally published
    • move of section 3.3 on removal of a CA to architecture (sec. 2)

13
Classic AP v4.1 status
  • version 4.1 beta-4 approved by AP and EU GridPMAs
  • version beta-5 expected to be accepted by both as well
    • beta-5 had quite a few clarity improvements
    • real content changes deferred to a new version 4.2 later
  • It's ready and on the web, waiting for your go-ahead

14
TACAR
  • the TERENA Academic CA Repository
  • trusted and centralized place
    • where root CA certs can be stored and safely retrieved
    • which is policy-neutral (but IGTF-ready)
  • for CAs
    • directly managed by TERENA members
    • belonging to a national academic PKI in member states
    • for all CAs set up to support not-for-profit research, in which the academic community is directly involved

15
TACAR Policy and Update
  • TACAR has been operational since early 2004
    • registration process is, rightfully, rigorous
    • updates via signed electronic messages
  • the new registration policy (v1.4.3) adds the concept of Trusted Introducers
    • this should enable smoother and faster registration with TACAR
    • proposed: one per PMA or similar body
  • Also a new web site for an extended audience
    • better support for end-users
    • IGTF-ready
    • download of PKCS#7 bundles on a per-profile basis
  • Policy currently in last call in TF-EMC2 and IGTF

16
IGTF Distribution in Other Formats
  • Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities
    • formerly known as the Anders RPM set, today also available as JKS, tar-gz, configure/make
    • usually built by the EUGridPMA (me, actually)
    • mirrored twice-daily to the apgridpma.org site
    • copied and re-distributed by downstream software vendors (EGEE/LCG, VDT, …)
    • also contains the fetch-crl utility (now at version 2.6.3)
    • up till now, available from www.{eu,ap}gridpma.org/distribution

17
Planned Changes to the Repository
  • migration to a separate (virtual) server and domain
    • better resilience against download load (better redundant hardware)
    • separate it from more complex parts of the web site, like the CDS agenda, using dedicated (virtual) machines
    • better resilience against registrar and TLD operator faults
  • New planned location
    • https://dist.eugridpma.info/distribution
    • plus of course the mirror location at www.apgridpma.org
  • more supported download interfaces: rsync
    • is operational already, but not yet announced
  • will keep backward compatibility by deep redirection

18
Some dates for you to remember and schedule
  • December 13, 2006: Cosener's accommodation deadline for the 9th EUGridPMA meeting
  • January 15-17, 2007: 9th EUGridPMA meeting, Abingdon, UK (hosted by RAL)
  • January 29 to February 2, 2007: OGF 19 (CAOPS, IGTF, OGSA-AuthN BoF, …), Chapel Hill, NC, USA
  • March 28-29, 2007: TF-EMC2, Florence, IT
  • May 30-31 and June 1, 2007: 10th EUGridPMA meeting, Istanbul, TR (hosted by ULAKBIM)