APGrid PMA VTC Meeting, 15/12/2006
----------------------------------

* IGTF released new bundle Oct 17.
* Classic 4.1 approved by all PMAs, is now effective. We should review CPs in light of this profile. Act within 6 months.
* Yoshio attends TAGPMA. They accredited Chile and Argentina. Summary from PMAs website.

Site Reports
------------

* AIST - 4 major issues and a number of minor ones, see email for more details. Reuse of old names for new entities. 4.3 of Classic: CRL distribution point(s) required http access, but only AIST does https. Sect 8 of profile requires a privacy policy. RFC 2527 addresses but .... Expect to address some or all in a month or so. David - is first item above realistic? Especially wrt hosts.
* APAC - Examining new profile and preparing statement. Have greatly developed GRIX.
* ASGCC - (difficulty hearing) issuing certs for KISTI until they solve problems. Q - 3.2 key information, more information in our certs. 4.4.2 - who can revoke, can be met. Uniqueness of subject, don't have mechanism to enforce.
* CNIC - (echo problems) we have self-audited CA, some problems.
* KISTI - working on CP/CPS, further review. ExtendedKeyUsage (Yoshio - additional requirement just now, it's a 'should'). Yoshio - how do you control access to the online web site? How do you ensure the person who is connecting is the same person the RAO saw? How do you upload the CSR? How do you transfer the CSR between machines? Audit? Educate RA? Still many unresolved items. Need to document step-by-step processes for requesting signing, signing, revocation, CRLs, renewal; more detail please.
* NECTEC - preparing for production, collecting cert and profiles as per email. Expect to operate in January. Look at Classic profile, 3 points, maybe more. Update CRL profile version, choose to violate in adding to DN, add additional info about person in SubjectAltName for host/service certs. Yoshio - can add email to subjectAltName, but must set FQDN as the primary value.
* NGO - spokesperson from NetTrust, three issues: basic constraints, serial number, versions of CP/CPS. Identity in section 3 of profile, one entity over full lifetime, put serial number in DN! BasicConstraints still valid point, has to be declared. Statement in RFC is not for validation; as long as system can understand it, should observe. Editing not an option, a subordinate CA is hard, no ready solution. Yoshio - IGTF have established this rule, but I do want to encourage commercial (i.e. NetTrust) CA to participate; however, cannot make an exception, what to do? NGO - what happens if Classic profile changes and existing CAs are deemed not compliant? Yoshio - case by case, some cases we could use existing private key, would not need to revoke. Comment - serial number - still lots of middleware that uses OpenSSL that breaks with serial numbers and emailAddresses. (David disconnected for a couple of minutes, sorry.)
* Thai - Beginning of Feb ready for review. Yoshio - March audit, no!

General Business
----------------

* Approve new version of Minimum CA Requirements based on version 4.1. Definition of 'should', have added some requirements. In previous version, it was not defined. All versions must be available on web. Structured as RFC 3647. Offline machine must be offline! Protection means must be available to auditor, e.g. describe secure environment. Key point is that it is not mandatory to describe in CP/CPS, so don't expect (e.g.) NetTrust to describe in detail, but they should be able to assure us in an appropriate way that it is secure; e.g. they provided an audit report by Singapore Gov. At least 15 elements in CA passphrase. Must be in offline medium, in a place only carefully authorised people have access to. Transition between old and new key defined. CA should have extended key usage defined. CRS and CRL altered wrt IGTF rules. In previous version key must be generated by end user; now someone else can generate as long as a hardware token is used. Instruct end users on security needs, 12 character pass phrases etc. Cert extensions - rekey not renewal; on a hardware token, can be renewed for up to 5 years without re-identification. Records must be kept for equivalent time. List of CA and RA personnel must be kept and presented to auditor. Provide trust anchor to appropriate authority. F2F meeting must be face to face. RA must ensure requester is appropriately authorised to use the FQDN.
* Yoshio - can we approve this document? David - I am worried that the 'uniqueness over the lifetime' clause should not be approved at this stage because it is, practically, unenforceable. Discussion - can we refer to the other PMAs to see how they handle this problem? Yoshio - can we agree to accept everything except the uniqueness requirement? Meeting - yes.
* Yoshio - proposal is to approve the document less the uniqueness clause. Approved.
* AP for Grid Portals. Portals popping up that retain users' private key and users access them via a user name and password. Key generation is typically on remote server, CA server is fully online, "not so secure", HSM too expensive. For identity vetting, rely on email address, look for reliable address. Comments and suggestions about these profiles before next OGF please. Comment - e.g. MyProxy. Yoshio - intention is to make something suitable for Gamma. Been speaking to geo and similar people, they don't want to use certificates, too hard. Would rather use portals to make it easy. David - while hard to do it properly, it is possible. Will post some notes.
* MICS profile, likely to be used in a grid situation before very long. Send comments to PMA mailing list.

Next meeting will depend on progress of KISTI review; when the CPS is mature, schedule next meeting then, either before or after the OGF meeting.