Presentation is loading. Please wait.

Presentation is loading. Please wait.

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

Published byAntony Atkinson Modified over 8 years ago

Similar presentations

Presentation on theme: "News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News."— Presentation transcript:

1 News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News

2 Recent EUGridPMA meeting 14-16 Jan 2013 hosted at GARR/CASPUR (Rome) http://agenda.nikhef.nl/conferenceDisplay.py?confId=2291 Apart from routine business, topics discussed included – SHA-2 time line – CA readiness for SHA-2 and 2048+ bit keys – OCSP support – MICS Profile and Kantara LoA-2 – Towards an LoA 1.x "light-weight" AP – Security Token Service profile – Private Key Protection Guidelines – IGTF Test Suite – On on-line CAs and FIPS 140-2 level3 HSMs – Public Relations – IPv6 readiness – Risk Assessment Team 22/01/20132EUGridPMA News

3 Milan Sova (CESNET) - RIP http://milansovacesnet.wordpress.com/ 22/01/2013EUGridPMA News3 1962 – 2012 A leader in global activities in Identity Management and many related areas An enormous loss to IGTF

4 SHA-2 timeline Was agreed at Sep 2012 EUGridPMA meeting – And subsequently discussed at OMB TAGPMA proposed some changes – Mainly clearer wording – But also extend the final sunset for SHA-1 by one month http://tagpma.es.net/wiki/bin/view/Main/SHA2Timeline Now also approved by EUGridPMA 22/01/2013EUGridPMA News4

5 SHA-2 – Agreed IGTF timeline October 2012: CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1. CAs should issue SHA-1 end entity certificates on request. CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs. August 2013: CAs should begin to phase out issuance of SHA-1 end entity certificates. CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default. April 2014: New CA certificates should use SHA-2 (SHA-512). Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512). Existing root CA certificates may continue to use SHA-1. September 2014: CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points. October 2014: All issued SHA-1 end entity certificates should be expired or revoked. In case of new SHA-1 vulnerabilities, the above schedule may be revised. 22/01/2013EUGridPMA News5

6 Issue both SHA-1 and SHA-2 certs? Users and developers need to prepare for SHA-2 Could issue 2 certificates per request – Same key pair – But one signed with SHA-1 and one with SHA-2 Agreed that this would in general just confuse users – So NOT recommended, but is allowed If doing this dual issue – both certificates need to be revoked if the key pair is compromised – two different serial numbers MUST be used – it is more useful for intermediate certs if both are available – again with different serial numbers (for transition period) 22/01/2013EUGridPMA News6

7 SHA-2 CA readiness Still a few CAs not yet ready A few others can do either SHA-2 OR SHA-1 – but not both – they wait for their software to support SHA-2 Note: old Alladin eTokens (32k) do not support SHA-2 22/01/2013EUGridPMA News7

8 OCSP Online Certificate Status Protocol timely revocation information available to the RPs Moving towards deployment of this technology The way to deploy and use OCSP effectively is not always clear Two new discussion documents were prepared during the meeting – OCSP Profile For IGTF CAs – OCSP Deployment Guidelines 22/01/2013EUGridPMA News8

9 Towards LoA 1.x – “light weight” IGTF authn profile Some relying parties and communities – perform significant identity data collection themselves Recognise the need for an IGTF authentication profile – which does not duplicate the collection of that vetting data Core requirements on the CA stay the same – secured infrastructure – global uniqueness of naming across the IGTF – no re-use of issued identifiers some other elements of traceability and vetting can be supplied by other registration processes run by the relying parties themselves – E.g. PRACE where the sites do the registration of users anyway, and associate a cert with each vetted account Level of Assurance less than LoA level-2 (classic AP) but more than level-1 (e.g. OpenID) Work in progress 22/01/2013EUGridPMA News9

10 New Security Token Service profile More work in progress Generalise the SLCS profile – To include STS services like the one from EMI Convert credentials on the fly – E.g. SAML to X.509 WLCG Federated Identity Management pilot project (as part of FIM4R activity) relates 22/01/2013EUGridPMA News10

Download ppt "News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News."

Similar presentations

© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.

© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.

Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

Similar presentations

Ads by Google