Asia Pacific Grid Policy Management Authority

Agenda and minutes of the VTC (2006/01/17)
  • Participants
    • Yoshio Tanaka (AIST)
    • David Bannon (APAC)
    • C.C.Chang (ASGCC)
    • Morrise Xu, Kevin Dong (CNIC)
    • Takashi Sasaki (KEK)
    • Masataka Kanamori (NAREGI)
    • Alex XU, Ming-Hsiao Lee (NCHC)
    • Supakit Prueksaaroon, Suriya U-ruekolan, Sirod Sirisup (NECTEC)
    • Jon Lau, Nigel Teow (NGO)
    • Mason Katz (SDSC)
  • Opening Remarks (Yoshio Tanaka)
  • Brief status reports of each CA
    • AIST: AIST GRID CA should be audited by the end of March. We are looking for auditors.
    • APAC: Still preparing a new CA, but it is expected to be public this week. Yoshio will audit APAC CA, probably after PRAGMA 10, which will be held on March 26-28.
    • ASGCC CA: No updates
    • SDG/CNIC: Planning to deploy hierarchical CA.
      • Yoshio mentioned that he has found at least two problems: (1) it should be clarified how revocation information of the root CA will be propagated to relying parties of the sub CA, and (2) the current CP/CPS of the root CA does not state that it will issue certificates for sub CAs.
      • Yoshio will make a detailed review and figure out the problems.
    • NAREGI CA: No updates
    • NECTEC: Setting up a new CA which is expected to be in operation this June. The CP/CPS is not yet available but should be sent to the PMA ML by the end of April.
    • NGO: Proposed to include Netrust members in the APGrid PMA ML, and it was approved. Too-frequent issuing of CRLs was discussed. The current lifetime of the CRL is 24 hours, but updating the CRL every day is tough work since Globus does not provide OCSP and site admins need to update the CRL manually. NGO updates the CRL by cron. David mentioned that issuing a CRL every day is fine, but the lifetime can be 30 days. We decided to continue the discussion after including Netrust members in the APGrid PMA ML.
    • SDSC: Working on NAREGI CA in GAMA Roll. Planning to finalize by mid-February.
  • Decisions
    • Accreditation
      • KEK CA
        • Questions and answers
          • How does the RA verify that a request for host certificates is sent by a user who has a valid host certificate?
            • KEK GRID CA provides a web interface and a pair of username/password for end entities. Requests for host certificates must be done via the web interface.
          • How does the CA check for inappropriate requests for user certificates by other users?
            • Manual checking
          • 5 years may be too short as the lifetime of the CA certificate.
            • KEK is planning to replace computer systems in 5 years.
          • How should a revocation request be sent if a user has lost his private key/certificate?
            • In-person
        • Decision: KEK GRID CA was accredited as a production-level CA.
          • Need to confirm that the CPS describes the procedure for a revocation request in case a user has lost his private key/certificate.
      • NCHC GRID CA
        • Questions and answers
          • What's the difference between user certificates for Globus, Access Grid, and Sensor Grid?
            • No difference. We are planning to unify them.
          • If so, you need to modify the certificate and CRL profile.
          • How about server certificates?
            • Would like to differentiate.
          • According to the current Certificate and CRL Profile, server certificates for Globus, Access Grid, and Sensor Grid have the same subject name. They must be differentiated.
          • Do you provide a different base DN for foreign collaborators?
            • No
          • The CP/CPS says that the lifetime of your CA certificate is 5 years, but the presentation slides say 10 years. Which is correct?
            • 10 years
        • NCHC GRID CA was not accredited at this VTC. The Certificate and CRL Profile needs to be modified.
          • Unify user certificates for Globus, Access Grid, and Sensor Grid.
          • Differentiate server certificates for Globus, Access Grid, and Sensor Grid.
          • Modify the Certificate and CRL Profile and send it to the PMA ML. Then, the PMA will review the profile again and propose accreditation.
          • The lifetime of the CA certificate must be changed to 10 years.
  • Discussions
    • We agreed to invite Netrust/Singapore to the APGrid PMA ML.
    • Audit
      • APAC: Will be audited in March (by Yoshio).
      • KISTI: Yoshio is planning to audit after improvements.
      • NAREGI: Looking for auditors.
      • AIST: Looking for auditors.
    • GGF16 @ Athens
      • Yoshio will give a presentation about our efforts at the "Interoperability" workshop.
    • Other topics