VTC meeting 7/3/07
--------------------
Note taker: David Bannon (APAC)

The agenda is on website.

Updates to new distribution, in last Jan YT attended UK euro PMA meeting.

PGP signing session. Related to topic at OGF19, convenient to sign email, in order to do that, need to exchange keys. Would need f2f and photo id session to do that. 20 members exchanged keys at meeting. www.tacar.org distribution point for these things, we agree to ask them to host a repo for pgp keys. Useful for example when sending a significant request such as having a CA removed from their bundle. So we encourage members to use this method. Y can now be a trusted 'introducer', if we, APGridPMA, exchange keys that trust can be extended.

At OGF19 - brief proposal for draft authentication grid portals services, there are already grid portals that have different architecture and authentication means. Not easy to draft such a profile. For example earth system grid does not use strict A vetting, Y can send a request to them - only check is email address. Y's cert would be on web server, not managed by Y. All activities are hidden from user, user cannot see certificate. Another one uses email addresses as a source of identity, very difficult to find solution.

Another security session about auditing document, latest version on PMA agenda web site, check list for auditing. Classic auth profile. Useful for self auditing, and a new CA to check against it. Recommend KISTI use it. Has been submitted to OGF, few months.

New CA distribution, 1.12, new CA Nectec, included, and Naragi CRL address was changed from HTTPS to HTTP.

**** Must change address for future VTC meetings - YT to advise ****

AST - new requirement - clearly describe key change over, profile need to change, subject alt name set to host name. Using Naragi CA 1.1, must modify, almost done, testing. Have six months, will be done by next VTC.

APAC - new profile reviewed, believe that "don't use md5" means don't just use md5.
Need to address issue of subjectAltName containing hostname for host cert.

A. Sinica - new i/o modify ca web (difficult to hear, sorry), expect to finish this month. New request, from LCG provide CA services. (YT may visit)

CNIC - new req modified profile for host and service, now planning modify program to support renew and rekey with hardware token.

KEK - problems with new requirements, asked YT to come to KEK to look at schedule, will stop on March 16 due to power interruption. YT may visit in mid April.

KISTI - not present. Yoshio visited KISTI, review CPS and spoke to people there. Comments - and then new cp/cps was published, need to be structured on rfc3647 not the rfc2*. Just an hour ago an email was sent saying it's now based on 3647. Time tight, will look again. Must proceed carefully to accreditation, many members very interested in how KISTI has been improved. YT hopes to talk to someone there at PRAGMA (?) to consult and instruct.

Naragi - reviewed cps changed crl from https to http. Need clarification on several points.

NCHC - not present.

NecTec - not present.

NGO - basic constraints - agree not to ask for exception. Have Ben from Net Trust here, can we change this requirement from 'must' to 'should'?

YT - basic constraint, my impression is that there is no strict reason why it's critical, orig req was drafted by EU data grid coordination group. They not sure why it's currently 'critical'!

Ben - check around 101 trusted root certs, only about half comply. Rest either do not have basic constraints or not marked as critical. David Gropp has written paper on subject, has emailed it and asked for comments. NGO will look for document, Y will forward. (It's Version 0.2).

YT - please check profile. Some grid middleware uses an old version of openssl and has trouble with numbers in name.

YT - Other PMA chairs are not necessarily comfortable with accepting exception. Some others do not comply in root cert but subservient ca does.
(David inadvertently disconnected, notes are inconsistent)

Thai - YT - will be in Bangkok, will you be ready to audit? Everyone is working hard to clean up everything. Reviewing CP/CPS. YT - is it based on RFC3547? Perhaps

(David inadvertently disconnected, notes are inconsistent)

YT - in order to exchange critical emails, need to exchange PGP keys, does anyone have such a key - apparently no one.

YT - Transition from 2* to 3* RFC, new minimum req says based on rfc3647. Ask new CAs to use new one. Question to new CA "should we modify all?"

* AST - wondering if need at this stage. Probably.
* APAC - doing some rewriting for new req, maybe adopt new rfc then
* A. Sinica - (David had difficulty hearing, sorry..)
* CNIC - planning to modify to new one, near future.
* KEK - want to stay with 2527
* NARAGI - want to stay, maybe in future.
* Nettrust will check.

Place for face to face meeting - last in October, PRAGMA 12, this year, HPC Asia beginning of September in Seoul, organisation not yet well established, chair has been changed and new chair not established. So don't know deadline. We may need to wait two or three months - must consider location, fee.

John - Grid Asia in Singapore June, could provide room free, second week of June, 5-8.

YT - need a month to confirm.

YT will be attending PRAGMA12 @ Bangkok, March 20-21 and ISGC 2007 @ Taipei, March 27-29. Chance to exchange PGP keys.

Next meeting - middle of April, actual date to be determined.

Hope this is useful.

David