Presentation is loading. Please wait.

Presentation is loading. Please wait.

EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

Published byDeborah Walker Modified over 8 years ago

Similar presentations

Presentation on theme: "EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA."— Presentation transcript:

1 EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA

2 APGridPMA Taipei 2013 meeting – 2 David Groep – davidg@eugridpma.org EUGridPMA & ‘Rome Meeting’ Topics  EUGridPMA (membership) status  SHA-2 time line  CA readiness for SHA-2 and 2048+ bit keys  MICS Profile and Kantara LoA-2  OCSP support documents and guidelines  Private Key Protection Guidelines v1.2  IGTF Test Suite, IPv6  On on-line CAs and FIPS 140-2 level3 HSMs  Risk Assessment Team  Towards an LoA 1.x "light-weight identity vetting" AP https://www.eugridpma.org/meetings/2013-01/

3 APGridPMA Taipei 2013 meeting – 3 David Groep – davidg@eugridpma.org Milan Sova 1962-2012

4 APGridPMA Taipei 2013 meeting – 4 David Groep – davidg@eugridpma.org http://milansovacesnet.wordpress.com/

5 APGridPMA Taipei 2013 meeting – 5 David Groep – davidg@eugridpma.org Geographical coverage of the EUGridPMA  25 of 27 EU member states (all except LU, MT)  +AM, CH, DZ, EG, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DoEGrids(US)* + TCS (EU) Pending or in progress  ZA, SN, TN, AE

6 APGridPMA Taipei 2013 meeting – 6 David Groep – davidg@eugridpma.org Membership and other changes  Grid-Ireland  The Irish government suddenly withdraw all support for distributed computing by mid-2012,leading to the end of all ‘grid’ services run by Grid-Ireland and TCD  Grid-Ireland CA operations stopped December 2012  Remained of user community now served by TCS  TCS changes  Comodo has very ‘interesting’ view of CABforum requirements  ‘OV’ certs (which the TCS eScience SSL certs were) now require phone calls to numbers that Comodo collects in intractable ways  Introduced ‘DV’ certs to deal with this issue /DC=org/DC=terena/DC=tcs/OU=Domain Validated/CN=fqdn  Naming of OV certs still needs to be sorted, but will change  Lets hope we can leave eScience Personal unchanged  CAs are changing towards TCS (IUCC, BE, …)

7 APGridPMA Taipei 2013 meeting – 7 David Groep – davidg@eugridpma.org SHA-2 Time line Status

8 APGridPMA Taipei 2013 meeting – 8 David Groep – davidg@eugridpma.org SHA-2 time line (materially ~ the old one)  October 2012 (‘today’)  CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1  CAs should issue SHA-1 end entity certificates on request  CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs  August 2013 (may need to move to ~ October 2013?)  CAs should begin to phase out issuance of SHA-1 end entity certificates  CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default  April 2014  New CA certificates should use SHA-2 (SHA-512)  Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)  Existing root CA certificates may continue to use SHA-1  September 2014  CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points.  October 2014 (‘sunset date’)  All issued SHA-1 end entity certificates should be expired or revoked.  In case of new SHA-1 vulnerabilities, the above schedule may be revised.

9 APGridPMA Taipei 2013 meeting – 9 David Groep – davidg@eugridpma.org SHA-2 readiness For SHA-2 there are still a few CAs not ready  a few can do either SHA-2 OR SHA-1 but not both  so they need to wait for software to be SHA-2-ready and then change everything at once  A select few can do SHA-2 but their time line is not driven solely by us (i.e. the commercials).  Their time line is driven by the largest customer base  All can so SHA-2 (since non-grid customers do request SHA-2-only PKIs)  it is because of these that RPs have to be ready, because when directives come from CABforum they will change, and do it irrespective of our time table!  Keep in mind hardware issues, e.g. the old Alladin eTokens (32k) do not support SHA-2

10 APGridPMA Taipei 2013 meeting – 10 David Groep – davidg@eugridpma.org A forward look: sudden end of MD5!  Some software stacks (Mozilla NSS 3.14+ distributed as part of e.g. RHEL6U4) are now disabling MD5!  Will create a nice mess, with several large CA roots still MD5 (even in EL6U4)  At this point, stuff will actually start breaking…

11 APGridPMA Taipei 2013 meeting – 11 David Groep – davidg@eugridpma.org ONGOING WORK ITEMS MICS Kantara LoA2 HSMs OCSP and OGF CAOPS-WG PKP Guidelines, Test Suite, IPv6, RAT

12 APGridPMA Taipei 2013 meeting – 12 David Groep – davidg@eugridpma.org MICS and Kantara LoA2  "A primary authentication system that complies with the Kantara Identity Assurance Accreditation and Approval Program at at least assurance level 2 as defined in the Kantara IAF-1400-Service Assessment Criteria qualifies as adequate for the identity vetting requirements of this Authentication Profile.“  This clarifies the "should" mentioned several times in the second line of paragraph 3.1, as we have now interpreted it several times in this particular way (TCS eScience Personal, CILogon Silver).

13 APGridPMA Taipei 2013 meeting – 13 David Groep – davidg@eugridpma.org HSMs at level 3 for on-line CAs “Inspired by the idea of NIIF for buidling an on-line CA based on a low-power Raspberry Pi and a level-3 HSM in USB format, a discussion emerged on whether it is possible to have enough compensatory controls around a level-2 HSM to make the risk comparable to the current off-line CA or level-3. It is not entirely clear which elements of level-3 improve the risk resilience when compared to an off-line classic CA.” We think it is worthwhile doing the risk analysis compared to the off-line classic CA, and if the risk is comparable allow the use of L2 HSM or eTokens in conjunction with compensatory controls like a safe. We propose to discuss this with the TAGPMA and APGridPMA and have a discussion at the IGTF All Hands in La Plata (October 2013).

14 APGridPMA Taipei 2013 meeting – 14 David Groep – davidg@eugridpma.org OCSP support: OGF & IGTF documents Two documents to guide its introduction  profile and guidance of RFC5019 light-weight OCSP for CAs  CAs already deploying full RFC 2560 are not the audience  https://wiki.eugridpma.org/Main/OCSPProfileForIGTFCAs  'best practices' guide for RPs and their software developers in using OCSP information  https://wiki.eugridpma.org/Main/OCSPDeploymentGuidelines  Trade-off between pre-computation or on-demand signing depends on number of certs issues and number of requests (choice it not trivial ;-)

15 APGridPMA Taipei 2013 meeting – 15 David Groep – davidg@eugridpma.org PKP Guidelines v1.2  New text is now available at  https://wiki.eugridpma.org/Main/PrivateKeyProtectionLifeCycle  https://wiki.eugridpma.org/Main/PrivateKeyProtectionRevised  structure is different, but the currently allowed use cases are covered by the new text  companion document on how to secure key stores (be they run by NGIs, CAs, home organisations, or anyone) should also be written. We expect the key stores to be run securely!

16 APGridPMA Taipei 2013 meeting – 16 David Groep – davidg@eugridpma.org IGTF Test Suite Software developers want to do real-life testing! Actions to get to a comprehensive suite  each CA to send a URL to or a sample of end- entity certs, at least personal cert and server cert, and depending on the CA also a robot cert and/or a 'service' ("blah/") cert  each CA to indicate some edge cases for their CA (use of colons, dashes, weird characters) and parameter space of the subject naming  known troublesome certs should be included  requirements developed on the Wiki  https://wiki.eugridpma.org/Main/IGTFTestSuite  now has some samples and conditions

17 APGridPMA Taipei 2013 meeting – 17 David Groep – davidg@eugridpma.org IPv6 status  FZU runs a continuous v6 CRL monitor http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/  22 CAs offer working v6 CRL  but there are also 4 CAs that give an AAAA record but where the GET fails …  Still 72 endpoints to go (but they go in bulk)  dist.eugridpma.info can act as v6 source-of-last-resort  fetch-crlv3 v3.0.10 has an explicit mode to force- enable IPv6 also for older perl versions  Added option "--inet6glue" and "inet6glue" config setting to load the Net::INET6Glue perl module (if it is available) to use IPv6 connections in LWP to download CRLs

18 APGridPMA Taipei 2013 meeting – 18 David Groep – davidg@eugridpma.org http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/

19 APGridPMA Taipei 2013 meeting – 19 David Groep – davidg@eugridpma.org IGTF RAT  Ursula Epting will be coordinating the communications challenges to the CAs and the internal (encrypted) mailing list  Please make sure the registered emergency contacts are up to date in the Distribution  Contact your PMA chair/TI to get this fixed if needed

20 APGridPMA Taipei 2013 meeting – 20 David Groep – davidg@eugridpma.org LIGHT-WEIGHT IDENTITY VETTING ENVIRONMENT AP

21 APGridPMA Taipei 2013 meeting – 21 David Groep – davidg@eugridpma.org Light-weight ID vetting environment AP  Cater for those use cases where  the RPs (VOs) already collect identity data  this RP (VO) data is authoritative and provides traceability  the ‘identity’ component of the credential is not used  through an AP where the authority provides only  persistent, non-reused identifiers  traceability only at time of issuance  naming be real or pseudonymous (discussion on going!)  good security for issuance processes and systems  and where the RP will have to take care of  subscribers changing name often (in case traceability at issuing authority is lost)  all ‘named’ identity vetting, naming and contact details

22 APGridPMA Taipei 2013 meeting – 22 David Groep – davidg@eugridpma.org Live AP use cases  Infrastructures where all users have a strong ‘home site’ that anyway has independent out-of- band vetting processes  PRACE RI, XSEDE,  Infra where the community does strong independent vetting  to be decided, mainly by the resource providers!  NOT useful for  Communities that rely on the name to enrol people  Communities that do not keep auditable records  RPs that support loosely organised communties  RPs that need independent authoritative names  LoA higher than Kantara 1, but much lower than 2

23 APGridPMA Taipei 2013 meeting – 23 David Groep – davidg@eugridpma.org https://wiki.eugridpma.org/Main/LiveAPSecuredInfra

24 APGridPMA Taipei 2013 meeting – 24 David Groep – davidg@eugridpma.org New Authentication Profile  The AP is currently being drafted  https://wiki.eugridpma.org/Main/LiveAPSecuredInfra  Many things to be decided  Need for HSM FIPS 140-2 level 3 or 2?  What audit requirements needed?  Real or pseudonymous naming  Distribution would be through separate ‘bundle’  Next to ‘classic’, ‘mics’, ‘slcs’, and ‘experimental’  Note there never was an ‘all’ bundle for this very reason  RPs will have to make an explicit choice to accept this

25 APGridPMA Taipei 2013 meeting – 25 David Groep – davidg@eugridpma.org UPCOMING MEETINGS

26 APGridPMA Taipei 2013 meeting – 26 David Groep – davidg@eugridpma.org EUGridPMA (IGTF) Agenda  TAGPMA + SCI meeting Boulder, CO, USA, 6-8 May 2013  28 th PMA meeting Kyiv, UA, 13-15 May 2013 http://www.eugridpma.org/meetings/2013-05/  29 th PMA meeting Bucharest, RO, 9-11 Sept 2013  APGridPMA meeting date t.b.d.  IGTF All Hands La Plata, Argentina November* 2013

Download ppt "EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA."

Similar presentations

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Policy Issues for Identity Management (and other attributes) EGI Technical.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Policy Issues for Identity Management (and other attributes) EGI Technical.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Updates from the EUGridPMA David Groep, Oct 11 th, 2011.

Updates from the EUGridPMA David Groep, Oct 11 th, 2011.
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.

Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
The CA Distribution Process David Groep, July 2007.

The CA Distribution Process David Groep, July 2007.
EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.

EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
U.S. Department of Agriculture eGovernment Program July 15, 2003 eAuthentication Initiative Pre-Implementation Status eGovernment Program.

U.S. Department of Agriculture eGovernment Program July 15, 2003 eAuthentication Initiative Pre-Implementation Status eGovernment Program.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.

Similar presentations

Ads by Google