Presentation on theme: "International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2."— Presentation transcript:
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2
Agenda Updates from regional PMAs (15) –APGrid PMA (Yoshio) –EUGrid PMA (David) –TAGPMA (Darcy) Problems in compliance with the new Authentication Profile (20) Authentication Profiles (20) –Member Integrated Credential Services AP (Darcy?) –Portal-based Credential Services AP (Yoshio) Hardware Tokens (20) –Robots (Jens)
Updates of the APGrid PMA OGF20 IGTF Yoshio Tanaka
Updates Audited KEK Grid CA Date: April 13 th Used the new auditing document Found the following five major problems (but easy to solve). In some end entity certificates, the value of X509 v3 Certificate Policies extension is incorrect. It is 220.127.116.11.18.104.22.168.1.102 but it should be 22.214.171.124.126.96.36.199.1.10.2. Inconsistency of the certificate profile and the profile document. Neither exendedKeyUsage nor nsCertType is specified in end entity certificates. Email address was used in the subject name of end entity certificates. Inappropriate description about renew keys.
Updates Some CAs has modified / is modifying CP/CPS and/or profiles to comply with the new Classic AP. Done AIST Grid CA, APAC Grid CA, CNIC Grid CA, NAREGI CA Ongoing ASGC CA, IHEP CA, KEK Grid CA, NECTEC CA Details will be reported in the next F2F. APAC Grid CA will issue certificates for New Zealand.
Members (13 + 4) 9 Accredited CAs In operation AIST (Japan) APAC (Australia) ASGCC (Taiwan) CNIC (China) IHEP (China) KEK (Japan) NAREGI (Japan) NECTEC (Thailand) Will be in operation NCHC (Taiwan) 1 CA under review NGO (Singapore) Will be re-accredited KISTI (Korea)Planning PRAGMA (USA) ThaiGrid (Thailand) General membership Osaka U. (Japan) U. Hong Kong (China) U. Hyderabad (India) USM (Malaysia)
Next F2F Meeting Date: June 4 th (Mon) Venue: Biopolis, Singapore Co-located event: Grid Asia 2007 Agenda (tentative): Updates from CAs (esp. compliance with thew new Classic AP) Review of MICS profile Discussions on profile of Portal-based CS
Problems in compliance with the new Authentication Profile
AIST s experiences A) User certificates - Added Extended Key Usage x509 Ext Key Usage: 188.8.131.52.184.108.40.206.2 = PKIX-IDKP-ClientAuth B) Host certificates - Added Extended Key Usage x509 Ext Key Usage: 220.127.116.11.18.104.22.168.1 = PKIX-IDKP-ServerAuth 22.214.171.124.126.96.36.199.2 = PKIX-IDKP-ClientAuth - Added Subject Alt Name x509 Subject Alt Name:  FQDN of the host - Changed Key Usage removed nonRepudiation x509 Key Usage:[critical] digitalSignature, keyEncipherment, dataEncipherment, (0xb0)
Supposed problems Some CAs need to modify profiles of the Root CA Certificate to comply with the new Classic AP and the proposed Grid Certificate Profile. Marking keyUsage as critical was dropped from MUST to SHOULD, but some root CA certificates does not mark basicConstraints as critical. Some CA embed an email address in the subject name of end entity certificates. Probably more (as figured out through the auditing of KEK Grid CA).