Precursor meeting: TAG PMA

TAG PMA Attendees:
Darcy Quesnel, Canarie (President)
Robert Cowles, SLAC (Security Officer)
Dane Skow, Fermilab
Alan Sill, TTU (Secretary)
Mike Helm, DOEGrids

Dane presented the short-term / KCA profile. It was agreed that he would repost notice to the tagpma-general list. A two-week interval for comment, followed by a two-week interval for voting, would ensue. Voting will follow the quorum and decision rules in the charter.

Mike Helm mentioned that there is an organization (NERSC) that wants to join as a CA provider under a profile that would fit the short-term profile as above. Discussion ensued as to whether these processes are combined or separate; it was felt that although they could join as a relying party, in this case they appear to want to join as a CA provider.

Alan, acting as Secretary, reviewed current membership and determined that a quorum was present for the above, and so this counts as a TAG PMA meeting for which the minutes should be conveyed as notes and input to the next TAG PMA meeting.

IGTF - David Groep

Charter version 1.1 was presented and agreed to by acclamation. David Groep was elected chair by unanimous consent among the three voting members, represented by David Groep (EUGrid PMA), Yoshio Tanaka (APGrid PMA), and Darcy Quesnel (TAG PMA).

A discussion was then conducted on accreditation guidelines, and the point was made that a work item for the future is comparing these among the PMAs to ensure all are mutually satisfied as to the workability of these guidelines for ensuring appropriate review and trust, even if the individual methods are different in detail.

Common naming and packaging for certificate distributions: the question was raised as to what the requirements are from the deployment side regarding version distribution and numbering, as well as format.
Appropriate metadata should be included to allow people to review the content for changes to the included information without having to read each certificate in detail. The packaging should be done on a timescale of weeks in a way that will improve manageability. Initially David is considering parallel distributions in two formats: the previous one, and a new one proposed to meet the above desires.

Mike Helm raised the question as to whether RSS might be an appropriate technology for distributing changes and change updates. It was felt that announcements could certainly be handled in this way, and could be (for example) piped to the gridpma.org web page, as a starting point. An example might be to have the CVS changes automatically piped to the RSS feed for this purpose (i.e., announcements).

Accreditation profiles: Do relying parties trust profiles that IGTF distributes, or simply select among the regional PMA profiles? In practice, the "classic PKI" profile is already identical among the 3 regional ones, but (for example) the short-term one being considered within TAG PMA is not yet refined or defined on that level. Some potential for disharmony clearly exists. The method for resolving these at present is as follows: a regional PMA may propose additional restrictions or alterations to the profile to the "owner" of that profile, but a common version of that profile should exist as published by the IGTF at any given time. Note that the minimum requirements are the ones that are operable at any given time.

Dane Skow points out that in practice, the automated distribution will be the mechanism of obtaining the list of certified CAs, so the possibility of going out of sync is remote. Darcy points out that relying parties always have the option of deciding which profile or profiles they will accept.
A lengthy discussion ensued, converging on the point that the real deliverable here is a set of production-level CAs that can be distributed as soon as possible and included in the VDT (for example). A reminder was made that the VDT (etc.) should not tie their release process to the certificate package versioning, but should allow for asynchronous distribution of updated certificate packages.

Mike Helm raised the "version skew" question with respect to changes to requirements. David responded that there exists a stated 6-month grace period for compliance, specifically to allow CAs to conform to new requirements. Chairs of the regional PMAs should distribute the revised requirements and review CAs for conformance within this interval. In this spirit, David mentioned revisions to the minimum requirements for the classic PKI profile that will be distributed ASAP.

Conclusion of meeting: the IGTF was declared launched, and champagne was opened.