APGridPMA meeting, Taipei, 20 Apr 2009 (notes by David Kelsey)

0. Welcome from Simon Lin

Welcomes all to Taipei - pleased that APGridPMA is co-located with ISGC2009.

1. Yoshio - opening remarks

13 accredited CAs, 1 CA (Hong Kong) under review (later today). Shows agenda. Roundtable introductions of all.

2. David Groep - Updates from EUGridPMA

23 of 25 EU member states now covered. Moldova and Belarus recently accredited.

AuthZ Operations WG: building on experience with running CAs - similar needs for VOMS and other attribute and credential services. Also looking at a scaling model for attribute authorities. People from APGridPMA are welcome to join the activity.

Federations becoming more important. Most run by NRENs. Shibboleth, PAPI, A-Select, Sun Federation Manager, with interoperation through use of SAML 2.0. Aim is to give certificates to federation end users (easily and quickly). Useful for scaling to millions of users. Federated Grid CAs now being planned. Issues related to persistent and unique names. Also 2nd-factor authentication, revocation and the relatively high LoA (the CA SP may be the first high-level service). MICS profile needs rewording of section 4.4. Talks about the pilot TERENA Grid CA - a federated SLCS/MICS service. New map for federated CA coverage.

Self audits making good progress (based on the Yoshio/APGridPMA document and experience). Peer review of the self audit happens in the PMA - self audits turn out to be quite self-critical.

Robot certificates. Need growing rapidly. Required for portal policies in EGEE and elsewhere. Action needed here. Policy OID defined. Also other 1SCP OIDs have been defined. CAs need to include these in certificates.

IGTF release process, web and monitoring/alarms. Shows dates for future meetings out to Jan 2011.

Q: Mingchao asks about CA audits - OSCT has been discussing this. Is there any other approach except self audit?
A: All CAs can be audited by third parties (but at the auditor's expense).
The audit results are confidential, but relying-party members have access.
Q: Eric asks about general Grid policy management and its relationship to IGTF.
A: There are several grid bodies (OSCT, JSPG etc.), but they are not directly related to IGTF (other than representation as RPs on the PMAs). People are welcome to join these policy activities.
Q: Sam. What are the requirements placed on federated IdPs?
A: Must comply with the SLCS or MICS profile requirements. Requirements are put on the IdPs, not on the federation as a whole - the federations are then used to ensure that IdPs honour their federation and service agreements.

3. Doug Olson - TAGPMA update (by phone, on behalf of Vinod Rebello)

Shows current membership: 22 members, 11 accredited, 3 pending and 4 interested. Grid Canada moved over from EUGridPMA. Shows current officers - elections due soon. Shows web sites, twiki and mailing lists.

SLCS profile - V2.1b approved in Feb. Main changes: CRL required, HSM lowered to level 2 and language updates. There is now an evaluation spreadsheet for SLCS. V4.2 of the Classic profile now approved. MICS undergoing revision.

Next F2F meeting at Pittsburgh SC (April 30 to May 2), together with a federations workshop the day before - video-conference attendance possible. Feel free to join the fortnightly phone/video conferences.

Q: Yoshio. How many members attend F2F meetings?
A: Certainly more than half. Two F2F meetings per year (to cut travel).

4. Lessons learned from disaster recovery - Jinny

ASGC had a fire in Feb 2009. Looks at lessons learned. All online services were shut down, including the CA web server. All certificate activities were down. The CRL could not be published. Took 31 hours to move and bring back up. Total process time about 2 days. Describes the required basic recovery process. The IGTF Risk Assessment Team (RAT) is responsible for assessing risks and setting times and deadlines. Conclusion: back up the CA and web regularly and have a written recovery plan.
Discussion topics: What happens if the CA and web are destroyed at the same time? Do we need an incident response procedure? What time ranges are appropriate?
Q: DPK congratulated ASGC on their very quick recovery of service.
Q: David Groep: losing the offline service is more difficult. Perhaps need help from another CA.
Yoshio: each CA needs a recovery plan.
DavidG: Most relying parties can download CRLs from a backup site. CAs could peer to provide backup locations for each other's CRLs.
Discussion about required timelines. A new CRL should be issued before the old one expires.
Q: Yoshio - what was the cause of the fire?
A: UPS battery.

---- coffee break ----

5. HKU Grid CA - Frankie Cheung (Univ of Hong Kong)

See slides and CP/CPS on the agenda page. Presentation of the CA for accreditation.

HKU has 12,300 undergrads and 9,900 postgrads. The Computer Centre provides services for learning and research. Member of CNGrid, PRAGMA and EGEE. Researchers want to use Grid resources. There is no other suitable IGTF CA. CP/CPS revised after review on 13 Feb 2009. Hardware delivered in March. Production started 8 April. CP/CPS reviewed by IGCA and CNIC. RFC 3647 structure. Shows organisation of the HKU Grid PMA.

Q: Yoshio - what is the difference between the CA manager examining subscriber information and the RA operator checking subscriber info?
A: The primary check is by the RA. The CA manager does a secondary check.

Offline signing machine and online web server. Uses OpenCA V1.0.2.

Q: Yoshio - is the backup located in the same room?
A: Currently yes, but it will move to another building soon.
Q: DavidG - the CP/CPS (section 5.6) says the private key will be changed periodically. This is misleading. Suggests dropping this sentence. Agreed.

CA certificate is valid for 20 years. Goes through revocation. Goes through end-entity request, identity vetting, naming etc.

Q: Mingchao - with monthly backups, how do you manage so many copies of the private key?
A: All media kept in a locked cabinet. Could reduce key backup to once per year.
Mingchao - but you need to manage the location of all the keys.
A: Can treat key backup as a separate process. Agrees to change the procedure. Will keep two copies - one on a USB stick, one on DVD.
Q: DavidG - if logs are kept for only 3 years, how do you know that a subscriber has to re-identify after 5 years?
A: For this purpose will keep them for 5 years.
Q: If a student or researcher has validity of less than 5 years - what then?
A: The F2F check is only needed after 5 years.

Self audits will be done annually. Goes through publication and repository. Also privacy and confidentiality. Then compromise and disaster recovery.

Q: DPK asks about the name space. DavidG says it is included in the CP and is OK.
Q: Mingchao asks about use of the e-mail address in the CN. DavidG answers that it is fine. The only problem is exposure of e-mail addresses. Section 7.1.5 says the CN cannot include brackets and '@', but the example shown includes these. DavidG also points out that the example cert includes DirName and serial in the AKI. The CP is correct; the config needs to be changed. Agreed.
Q: Mingchao raises another issue about the e-mail address in the CN. Following a security incident, operational security may have to release the DN. If the e-mail address is there, then releasing it is releasing personal info - e.g. annoyed people may mail the user.

Yoshio asks the reviewers for final comments. Main concern is that the issues that came up today are fixed. HKU CA is accredited. Congratulations.

6. Election of next chair

Yoshio's term expires in May. ASGC offers a candidate - Eric Yen. Eric confirms that he would like to contribute more and is willing to stand. He thanks Yoshio for all his hard work and hopes he will continue to be actively involved. Eric is confirmed as new chair from 1st June 2009. The new chair will elect a vice chair.

---- lunch ----

7. Roundtable CA status reports

AIST - Yoshio. See slides. Shows organisational structure and 6 staff. F2F meeting with all subscribers. CRL URL has changed, but no change in CRLDistributionPoint in EE certs.
They provide a mirror of the NGO/Nettrust CA.

APAC - Sam. See slides. Shows number of issued certs. It's tough covering Australia with RAs. Moving towards an SLCS CA (see later).

ASGC - Jinny. See slides. Shows statistics. Replaced MD5 signature in root cert with SHA1. Homegrown tool for monitoring the web site. The ASGC disaster prompted development of a recovery plan. Future work includes work on the database and moving the CP/CPS to RFC 3647 (will change the CP/CPS next month - draft already exists).

CNIC - Kevin. See slides. And Scientific DataGrid CA (SDG). Shows staff and statistics. In future, plan a new CA for the CAS eScience project (sub-CA of CNIC - experimental).

IGCA - Santhosh. See slides. IGCA presented at last F2F meeting. Accredited on 5th Nov 2008. Yoshio spoke at the IGCA inauguration event. Shows statistics.

IHEP - GongXing Sun. See slides. IHEP CA was established in 2004 and is also accredited by EUGridPMA. Shows example names and CRL policy. Physical access control to the room. Describes archive records. Shows staff structure. CA was unavailable for 2 days in Nov 2008 because of power maintenance.

KEK - Takashi. See slides. Shows statistics. Upgraded CA hardware (reported earlier). Shows staff organisation. New operation diagram. Will need a new CP/CPS. External audit planned for end of May or June. Volunteers needed!

KISTI - Sangwan. See slides. Shows statistics. Audit made on 23 March 2009 by Yoshio (during PRAGMA16). Document, equipment and process inspection. In general all is OK, but problems with e-mail sending from the web server and non-perfect backups and archiving of audit logs. They may be able to get more staff.

NCHC - Wei-Yu. See slides. Accredited in June 2008. Shows CP/CPS and CRL details. Shows statistics. And staff members.

NECTEC - Sornthep. See slides. Accredited in Oct 2006. Shows statistics. New RFC 3647 CP/CPS being worked on.

NGO/Nettrust - Yoshio shows their slides. Completed CA upgrade at end of March - started issuing CRL with 3-day validity. Will go back into the IGTF release.
PRAGMA - Yoshio shows their slide. One http cert issued to ca.pragma-grid.net. One change to the software guide - passphrase length.

NII/Naregi - Kento. See slides. CP/CPS V4.0 since Sep 2008. Now have distributed RA operators - 9 sites. Shows process for issuing a certificate. Minor revisions of CP/CPS related to re-key (less than 5 years). Shows CA staff. They also need an external audit.

THAI - not here.

Yoshio notes that 9 minutes per CA is not needed in future for these status reports. 45 minutes total should be enough.

8. David Groep - Classic profile updates

See slides (not changed since presentation to the other PMAs). Improved wording. Robot ready. Accommodates GFD.125. Identity vetting rules updated to handle robots and the requirement for keeping identity information over time. Other improved wording. Section 4.3 improved re GFD.125, now that it is published by OGF. New requirement to include the OID of the profile as well as the CP/CPS version (6 months after approval all CAs must comply). CRL limit reduced to 3 days for online CAs. The 1SCP OIDs are on the EUGridPMA web site. New profile approved by APGridPMA. Approved by all 3 PMAs, so the 6-month clock starts now!

9. David Groep - proposal to change the IGTF charter

Related to namespace management issues. These arise when an old CA rolls over to a new one, or when one organisation operates both a Classic and an SLCS or MICS CA. Would be useful to issue the same subject name to the same end entity (but issued by more than one CA). Shows pros and cons of allowing this. Proposal is to assign namespace to "PMA Member" rather than "Authorities". Already approved by EUGridPMA in Jan 2009. Will also present to TAGPMA next week. If all agree, will be adopted at the IGTF meeting at OGF in Chapel Hill - May 2009.

Q: Sam - this could be used by two redundant CAs.
A: But then you would want the same signing key, so would have to use netHSMs.
In answer to a question from Yoshio, the exact same DN can be issued by two different CAs as long as the PMA Member can guarantee it is the same end entity - and both CP/CPSs need to describe how this is controlled. Yoshio asks if all understand the issue. Answer "Yes". Will come back to this again later today to see if the PMA can agree to the proposed change.

------ coffee ------

10. ARCS SLCS CA - Sam

Perhaps the first SLCS in APGridPMA? Describes what it is. Allows users to access HPC, data etc. via PKI without needing to know about certs. Shibboleth: Australian Access Federation. Semi-production service with 2 VMs - SLCS server (from SWITCH - Shib SP) and online CA (EJBCA). DN uniqueness uses auEduPersonSharedToken (unique and persistent - 27-char string). Using DisplayName as CN.

Yoshio - would you like to share the namespace between Classic and SLCS? Probably not.
Yoshio - how is auEduPersonSharedToken guaranteed to be unique?
A: Algorithm uses IdP info and identity.

Shows proposed network structure. Each IdP has an agreement with the SLCS. AAF policy ensures the IdP is well managed. CP/CPS not complete yet. Two LoAs. One high-level online CA for IGTF. Another one for non-IGTF services (this aspect still being discussed). Delegation of credential retrieval can be done to allow an SP to retrieve a credential on behalf of the user. Means a Grid Portal can generate the key pair on behalf of the user.

Q: Kento: You assume the IdP is correctly operated - is there a minimum requirement document?
A: Yes. This is important and is why we have a separate agreement with them.
Q: Mingchao - how long is the cert life?
A: SLCS, i.e. 1 million sec.

Mingchao points out that UK eScience (SARONGS project - contact Jens Jensen) is using MyProxy as a CA linked to Shib. DavidG notes that it is not IGTF accredited. DavidG explains that proxy generation is not sufficient for all applications, e.g. access to web-based services (e.g. VOMS Admin).

11. Any other business

Yoshio asks for any other business.

Change to IGTF federation charter - is it agreed? No objections. APGridPMA approves the change.

Venue for next meeting? Two F2F meetings per year, one in Spring, one in Autumn. Looking for a location for the Autumn meeting. Should avoid EUGridPMA (14-16 Sep), EGEE'09 (21-25 Sep), OGF (12-16 Oct) and SuperComputing (14-20 Nov). Could co-locate with some other suitable workshop - asks for proposals. Also invites proposals for Spring 2010.

Yoshio thanks ASGC for hosting today's meeting. Eric gives closing comments as new chair - thanks all for attending. Looks forward to lots of help from Yoshio and all PMA members in future. End with group photo.
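Picking up the two configuration findings from the HKU CA review in item 5 (an e-mail address in brackets inside the CN, which section 7.1.5 of the CP/CPS forbids, and DirName/serial in the Authority Key Identifier), here is an added check that runs over the text output of `openssl x509 -noout -text`; it is not code from the meeting, from HKU or from OpenCA. The sample certificate text is constructed, and treating (), [] and <> as the "brackets" the CP bars is an assumption.

```python
import re
# Constructed sample (not a real HKU cert): what `openssl x509 -noout -text` prints, cut to the fields checked
SAMPLE_CERT_TEXT = """\
        Subject: C = HK, O = HKU, OU = Users, CN = Example User (user@example.edu)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01
                DirName:/C=HK/O=HKU/CN=HKU Grid CA
                serial:10:00
            X509v3 Subject Key Identifier:
                12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78
"""
# Section 7.1.5 of the HKU CP/CPS (as reported in the minutes) bars '@' and brackets; the bracket set is assumed
FORBIDDEN_CN_CHARS = set("@()[]<>")

def subject_cn(cert_text):
    m = re.search(r"^\s*Subject:.*\bCN\s*=\s*([^,\n]*)", cert_text, re.M)
    return m.group(1).strip() if m else None

def extension_body(cert_text, name):
    # Stripped lines indented under the extension header `name`, or None if absent
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(name + ":"):
            indent = len(line) - len(line.lstrip())
            body = []
            for nxt in (l for l in lines[i + 1:] if l.strip()):
                if len(nxt) - len(nxt.lstrip()) <= indent:
                    break  # back at header level: the next extension starts
                body.append(nxt.strip())
            return body
    return None

def check_cert(cert_text):
    # Returns a list of findings; an empty list means both checks pass
    findings = []
    cn = subject_cn(cert_text)
    bad = sorted(FORBIDDEN_CN_CHARS & set(cn or ""))
    if cn is None:
        findings.append("no CN in Subject")
    elif bad:
        findings.append("CN contains forbidden characters: " + "".join(bad))
    aki = extension_body(cert_text, "X509v3 Authority Key Identifier")
    # The CP wants the key-identifier form only; DirName/serial come from the CA's config
    extra = [l.split(":", 1)[0] for l in aki or [] if l.startswith(("DirName:", "serial:"))]
    if aki is None:
        findings.append("no Authority Key Identifier extension")
    elif extra:
        findings.append("AKI also carries issuer/serial: " + ", ".join(extra))
    return findings
```

Running `check_cert` over real output lets an RA or reviewer confirm that a reconfigured CA actually issues what its CP/CPS promises, before the certificates reach relying parties.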