
Summary of Poznan EUGridPMA32 September 2014. EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.


1 Summary of Poznan EUGridPMA32 September 2014

2 EUGridPMA Poznan 2014 meeting – David Groep – davidg@eugridpma.org
Welcome back at PSNC

3 Geographical coverage of the EUGridPMA
- 26 of 28 EU member states (all except LU, MT)
- plus AM, CH, DZ, EG, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DoEGrids (US)*, and TCS (EU)
- Pending or in progress: ZA, KE, TZ, SN, TN, AE, GE

4 Summary Topics
- Update to naming in Approved Robot Guidelines
- AARC and the pan-European AAI in the next two years
- Generalized IGTF Levels of Authentication Assurance
- On-line CA Architectures Guidelines document
- Registration Practice Statement
- xSIM: Identity Management for Virtual Organizations
- Auditing, accreditation, and compliance
- SWITCH/QuoVadis membership status change
- Miscellaneous topics

5 Robot naming
Revised text for the Approved Robot Guidelines:
"the validated fully-qualified domain name of the system from which the robot shall be solely operating. The RA SHALL ensure that the requester is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifier asserted in the certificate. In this case the CA SHOULD have a facility to obtain at least the contact information contained in the public certificate about the owner of the FQDN based on the subject name of the certificate to any requester."

6 LoA extraction and generalisation
The LoA generalization process aims to extract those elements from the IGTF Authentication Profiles (APs) that are of general value to the community well beyond PKI. This has not always been clear from the AP documents, since they combine LoA elements and PKI implementation requirements in a single document. But the APs, and now these LoAs, actually encode the consensus of acceptable levels for our major relying parties, and are designed such that they also balance the 'cost' or 'do-ability' for our identity providers.

7 LoA updates and the Classic AP
- SLCS and MICS were done in Lehi.
- The Classic AP profile was similarly analysed and the generic LoA elements extracted from it. These have been added to version 02 (IGTF-LoA-authN-set-20140908-v02), which is now available on the IGTF member Wiki at https://wiki.eugridpma.org/Members/LoAandAPDocumentLinks along with the set of differences compared to the (merged) levels identified in Lehi.

8 On-line CAs
- The Guidelines for On-line PKI Certification Authorities document was completed. It encodes the current requirements and best practices for operating and establishing an on-line CA architecture, and also addresses the best common practice found today in large-scale and publicly trusted CAs. http://wiki.eugridpma.org/Main/GuidelinesForOnLineCAs
- It is by now good practice that the key generation is done in a documented ceremony (to prevent technology lock-in to a specific HSM), although generation inside the HSM is obviously allowed.

9 RPS (Registration Practice Statement)
- Communities in practice seem to have a life cycle longer than many of the (project- or research-organisation-funded) issuing authorities that they use. This has been the case for Open Science Grid and the Austrian community, and is likely to happen often. In practice, these communities seek a new issuing CA, but the underlying registration and identity vetting practices remain the same.
- Draft document (this is the version before discussion in Poznan): https://docs.google.com/document/d/1REvvAuUQ-J0-aYALDqGtBE_gkb0Ap8snWcsnTWPGnqI

10 Misc topics
- KENET revised the CA architecture and decided on the use of EJBCA. This should make it easier to deploy a secure CA (no longer on VMs).
- TCS: new provider. The model (TERENA is the organisation representing and accrediting the CA) will stay the same. The name space assigned to TCS will remain the same, so the change should be fully transparent to the end-users! Additional details were kindly provided live by our new TCS issuing CA provider during the meeting.
- QuoVadis (QV) membership change.

11 EUGridPMA Meeting Agenda
- 33rd PMA meeting: 12-14 January 2015, Berlin, DE (offered by DFN)
- APGridPMA & ISGC: 16-20 March 2015 (Security Workshop on the 15th)
- TNC2015: 15-18 June 2015, Porto, PT (REFEDS on the 14th)
- 34th EUGridPMA: May 2015, Copenhagen
- Beyond that: open for co-location with AARC and others

