Presentation is loading. Please wait.

Presentation is loading. Please wait.

EUGridPMA Status and Current Trends and some IGTF topics March 2016 Taipei, TW David Groep, Nikhef & EUGridPMA.

Published byKarin Freeman Modified over 5 years ago

Similar presentations

Presentation on theme: "EUGridPMA Status and Current Trends and some IGTF topics March 2016 Taipei, TW David Groep, Nikhef & EUGridPMA."— Presentation transcript:

1 EUGridPMA Status and Current Trends and some IGTF topics March 2016 Taipei, TW David Groep, Nikhef & EUGridPMA

2 EUGridPMA Topics EUGridPMA (membership) status New and updated CAs
IOTA CAs IPv6 readiness and fetch-crl Disaster Recovery WG RATCC AARC CILogon for Europe Also see the Bratislava summary at

3 Geographical coverage of the EUGridPMA
26 of 28 EU member states (all except LU, MT) + AM, CH, DZ, EG, GE, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RS, RU, SY, TR, UA, CERN (int) + TCS (EU) Pending or in progress ZA, TZ, AE

4 Membership and other changes
Responsiveness challenges for some members JUNET CA – suspended HIAST CA – temporarily withdrawn for operational reasons Identity providers: both reduction and growth New CA in Kenya (by the NREN KENET) classic on-line CA New CA from CERN: IOTA (scoped) CA In progress: RCauth.eu IOTA CA Self-audit review Cosmin Nistor replaced Kaspars as review process coordinator Self-audits progressing on schedule for most CAs

5 * http://lcg-ca.web.cern.ch/lcg-ca/doc/WLCG-CERN-IOTA-statement-MB.pdf
CERN LCG IOTA CA Specific Identifier Only Trust Assurance CA – adds ‘VO membership’ constraints internally to fit with current state of e-Infrastructures and wLCG sites* *

6 We have also documented on-line CA Guidance now
The on-line CA guidelines document available at Codifies current requirements from Classic AP and current best practice – and permits more explicitly the key generation ceremony Follows AP structure: Operational requirements Network controls Key generation Key storage Key Activation Key Deactivation Key End of Life Procedural Controls Site Security Publication and repository responsibilities Audits Compromise and disaster recovery

7 Which one to pick if you want it ‘just done’
On-line CA architectures must ensure that only legitimate traffic related to certificate issuing operations will ever reach the on-line CA issuing system. This can be ensured in various ways: (A) an authentication/request server, suitably protected and connected to the public network, and a separate signing system, connected to the front-end via a private link, that only processes approved signing requests and logs all certificate issuance; (B) an authentication/request server containing also the HSM hardware, connected to a dedicated network that only carries traffic destined for the CA and is actively monitored for intrusions and is protected via a packet-inspecting stateful firewall; where it is noted that model A type designs are more readily secured and usually need less components and effort to maintain and operate and therefore preferred.

8 Best practice now documented
“To further protect the issuing CA and permit revocation thereof, it is strongly advised that all on-line issuing CAs be a subordinate of an off-line root or higher-level CA, where the off-line root may have a long-lived (one year or longer) CRL.” “Any on-line CA shall have a disaster recovery and business continuity plan. For CAs where the key material has been generated inside the HSM, this plan should include regular tests of the capability to recover the key in the HSM from archival material.” And a bit more, just read the doc …

9 IPv6 status FZU runs a continuous v6 CRL monitor 23 CAs offer working v6 CRL but there are also 4 CAs that give an AAAA record but where the GET fails … Still 71 endpoints to go (but they go in bulk) dist.eugridpma.info can act as v6 source-of-last-resort fetch-crlv3 v has an explicit mode to force-enable IPv6 also for older perl versions Added option "--inet6glue" and "inet6glue" config setting to load the Net::INET6Glue perl module (if it is available) to use IPv6 connections in LWP to download CRLs

10 http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/ … and moving to a new place …

11 Disaster Recovery WG Need for disaster recovery and business continuity reference text for CP/CPS section (and plans). various risks from (power) instability, earthquakes, to the sudden appearance in a CA managers' path of city buses that subsequently continue to run over said CA manager. not a large body of good reference texts for such a disaster recovery section in the CP/CPS. Some CAs do have it included, and periodically test the viability of the plans (such as CESNET), in others it is an ongoing concern of the operators (such as in the UK). set up a task force to come up with good reference texts and methods for disaster recovery. The group initially consists of Shahin, Jan Chvojka, Ursula, and Jens.

12 Upcoming meetings

13 ** pick this for the IGTF All Hands?
IGTF+ Meeting Agenda EUGridPMA 37: Ankara – May TNC REFEDS: June 2016, Prague EUGridPMA 38**, Sept 2016, Geneva EUGridPMA 39, Jan 2017, Florence EUGridPMA 40, May 2017, Ljubljana ** pick this for the IGTF All Hands?

Download ppt "EUGridPMA Status and Current Trends and some IGTF topics March 2016 Taipei, TW David Groep, Nikhef & EUGridPMA."

Similar presentations

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Policy Issues for Identity Management (and other attributes) EGI Technical.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Policy Issues for Identity Management (and other attributes) EGI Technical.
Updates from the EUGridPMA David Groep, Oct 11 th, 2011.

Updates from the EUGridPMA David Groep, Oct 11 th, 2011.
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.

Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.

EUGridPMA CAOPS-WG and IGTF Issues June 2012 Delft, NL David Groep, Nikhef, EUGridPMA, EGI and BiG Grid.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
AWS Cloud Firewall Review Architecture Decision Group October 6, 2015 – HUIT-Holyoke-CR 561.

AWS Cloud Firewall Review Architecture Decision Group October 6, 2015 – HUIT-Holyoke-CR 561.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.

EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.

Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.
EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa 2006 - 2 David Groep – Items  EUGridPMA.

EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa David Groep – Items  EUGridPMA.
European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.

European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.
SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.

EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.

IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
Updates from the EUGridPMA David Groep, May 9 st, 2007.

Updates from the EUGridPMA David Groep, May 9 st, 2007.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

Similar presentations

Ads by Google