Presentation is loading. Please wait.

Presentation is loading. Please wait.

EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI.

Published byMargaretMargaret Irma Campbell Modified over 6 years ago

Similar presentations

Presentation on theme: "EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI."— Presentation transcript:

1 EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI

2 Geographical coverage of the EUGridPMA
25 of 27 EU member states (all except LU, MT) + AM, CH, DZ, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DoEGrids(US)* + TCS (EU) Pending or in progress ZA, SN, TN, EG, AE

3 Rome meeting results and issues
SHA-2 time line (sunset date is now October 2014) CA readiness for SHA-2 and bit keys OCSP support MICS Profile and Kantara LoA-2 Towards an LoA 1.x "light-weight" AP Security Token Service profile Private Key Protection Guidelines IGTF Test Suite On on-line CAs and FIPS level3 HSMs Public Relations IPv6 readiness Risk Assessment Team

4 SHA-2 readiness For SHA-2 there are still a few CAs not ready:
a few can do either SHA-2 OR SHA-1 but not both so they need to wait for software to be SHA-2-ready and then change everything at once A select few can do SHA-2 but their time line is not driven solely by us (i.e. the commercials). Their time line is driven by the largest customer base All can so SHA-2 (since non-grid customers do request SHA-2-only PKIs) it is because of these that RPs have to be ready, because when directives come from CABforum they will change, and do it irrespective of our time table! It should be kept in mind that old Alladin eTokens (32k) do not support SHA-2.

5 End of MD5 Some software stacks (NSS 3.14+, in RHEL6.4) are now disabling MD5! Will create a nice mess, with several large CA roots still MD5

6 OCSP support Two documents to guide its introduction
profile and guidance of RFC5019 light-weight OCSP for CAs CAs already deploying full RFC 2560 are not the audience 'best practices' guide for RPs and their software developers in using OCSP information Trade-off between pre-computation or on-demand signing depends on number of certs issues and number of requests (choice it not trivial ;-)

7 MICS and Kantara LoA2 "A primary authentication system that complies with the Kantara Identity Assurance Accreditation and Approval Program at at least assurance level 2 as defined in the Kantara IAF-1400-Service Assessment Criteria qualifies as adequate for the identity vetting requirements of this Authentication Profile.“ This clarifies the "should" mentioned several times in the second line of paragraph 3.1, as we have now interpreted it several times in this particular way (TCS eScience Personal, CILogon Silver).

8 PKP Guidelines v1.2 New text is now available at
structure is different, but the currently allowed use cases are covered by the new text companion document on how to secure key stores (be they run by NGIs, CAs, home organisations, or anyone) should also be written. We expect the key stores to be run securely!

9 IGTF Test Suite Actions decided
each CA to send a URL to or a sample of end-entity certs, at least personal cert and server cert, and depending on the CA also a robot cert and/or a 'service' ("blah/") cert each CA to indicate some edge cases for their CA (use of colons, dashes, weird characters) and parameter space of the subject naming known troublesome certs should be included developed on the Wiki now has some samples and conditions

10 HSMs at level 3 for on-line CAs
“Inspired by the idea of NIIF for buidling an on-line CA based on a low-power Raspberry Pi and a level-3 HSM in USB format, a discussion emerged on whether it is possible to have enough compensatory controls around a level-2 HSM to make the risk comparable to the current off-line CA or level-3. It is not entirely clear which elements of level-3 improve the risk resilience when compared to an off-line classic CA.” We think it is worthwhile doing the risk analysis compared to the off-line classic CA, and if the risk is comparable allow the use of L2 HSM or eTokens in conjunction with compensatory controls like a safe. We propose to discuss this with the TAGPMA and APGridPMA and have a discussion at the IGTF All Hands in La Plata (October 2013).

11 PR! For the world at large our work and progress are not necessarily clear. The article in ResearchMedia is not enough. In particular the wider scope and new direction should be emphasized. Papers (academic and PR) are encouraged so that we more clearly demonstrate usefulness and relevance -- and thus may get fewer questions on this issue!

12 IGTF RAT Ursula will be coordinating the communications challenges to the CAs and the internal (encrypted) mailing list

13 Live AP Dedicated discussion!

14 Agenda 28th PMA meeting Kyiv, UA, 13-15 May 2013
29th PMA meeting Bucharest, RO, 9-11 Sept 2013

Download ppt "EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI."

Similar presentations

Status of Auditing Guidelines Document Oct. 15 Yoshio Tanaka, AIST.

Status of Auditing Guidelines Document Oct. 15 Yoshio Tanaka, AIST.
© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.

© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Policy Issues for Identity Management (and other attributes) EGI Technical.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Policy Issues for Identity Management (and other attributes) EGI Technical.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Updates from the EUGridPMA David Groep, Oct 11 th, 2011.

Updates from the EUGridPMA David Groep, Oct 11 th, 2011.
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.

Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.

EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.

EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.

Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.
EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa 2006 - 2 David Groep – Items  EUGridPMA.

EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa David Groep – Items  EUGridPMA.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.

European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

Similar presentations

Ads by Google