GGF15 CAOPS-WG IGTF meeting October 5, 2005 2-3:30pm Agenda: TAGPMA issues: Online CA profile Fermilab KCA NERSC CA IGTF issues: Federation Document Accreditation Guidelines standardization Common Naming Foundation TeraGrid representatives were supposed to be here today to comment on the KCA profile, but they weren't. Dane wrote a profile for online CAs, to cover both KCA and MyProxy CA. He used the existing classic CA profile with minimal modifications. The profile has been available on the GridPMA site for about a year. There have been few commenters. Dane says it accurately describes Fermilab KCA operation, so it could be certified under that profile. TeraGrid CAs will also fall under this. Dane proposed moving forward with this as a TAGPMA profile. Darcy proposed a few weeks more discussion and a vote online. No objections were raised. We need to define process for accrediting the Fermilab KCA against this profile. Do it through discussion on the mailing list? A face-to-face meeting? The charter process must be initiated by Fermilab. They should submit a letter testifying that they meet the requirements of the profile. The next step after that is unclear. EUGridPMA typically does this on face-to-face meetings, then holds later discussions on the mailing list. KCA has been presented to the EUGridPMA already. No objections to proceeding on the mailing list. This is reasonable for a bootstrapping process. Next steps: Dane will send the profile to the list. Two weeks beginning Monday, a period to discuss and OK the online CA profile will begin. Two weeks after that a discussion period will be held to discuss Fermilab meeting the profile. Some enrolling process will be required for voting. EUGridPMA does voting by acclamation. DOEGrids does formal vote counting with s/mime email. We should look into using s/mime for future votes. Mike Helm raised another item of TAGPMA business. NERSC CA wants to join TAGPMA using a short-term certificate issuing system using the MyProxy CA. ESnet has signed a subordinate certificate for NERSC, and they want to become accredited in TAGPMA. They've been pointed to the profile document. Steve Chan is responsible for this project at NERSC. Joining the TAGPMA is separate from having a CA accredited by TAGPMA. Joining gives them a vote as a relying party. The two processes should be de-coupled. There was some confusion on this point. NERSC could qualify as a relying party, but this is a CA project that wants to join on the basis of being a CA. They want to focus on being a CA provider, rather than on being a relying party. Mike says they seem to meet the short-term certificate issuer profile. Next steps: Ask NERSC to prepare to present their CA service in a future TAGPMA meeting, in as soon as a month, if possible. 6 TAGPMA members in attendance at this meeting. An addition to the IGTF charter is that each PMA will provide a public announce list. Consensus on v1.0 of this document. David Groep was selected as the first IGTF chair by unanimous consent. The accreditation guidelines document still has some EU stuff hanging around. The document is very general. No technology-specific language in there. Could all of the IGTF members adopt these same accreditation guidelines? Take out all of the EU-specific stuff. The IGTF charter already defines this process. Does VTC qualify as a face-to-face meeting? The IGTF charter process doesn't involve a face-to-face meeting. The IGTF should have a clear procedure, to be discussed by the IGTF members. Relying parties have a say in this. IGTF should agree to minimum requirements for trust in the PMAs, and members can innovate on top of the minimum requirements. It doesn't exclude, for example, APGridPMA having more stringent requirements. Common naming is another IGTF issue. The current distribution is RPM and tar.gz. TAGPMA hasn't looked at building a common CA certificate distribution. If a CA doesn't change, why does the version number of its distribution change? It's confusing. Some want to have all CAs at the same version number, so if any CA changes, then all the versions are updated. Some other projects may require PKCS#7 packages and/or Java keystores. PKCS#7 can be very useful for end-users with browsers, but there are some cross-browser issues. What about using RSS to describe changes/revisions/versioning? What is the security of RSS feeds? What is the process for accrediting profiles? It's done by voting. Every PMA can come up with its own profiles. Which profiles are equivalent? Will relying parties blindly trust what IGTF feeds them? OSG, for example, will trust regional PMA decisions, not IGTF. OSG will want to select which profiles are acceptable. There's a single classic profile for all IGTF PMAs. Whether classic is equivalent to KCA, for example, is a regional PMA (or local) decision. The experimental profile shouldn't be part of the IGTF "super-package". How do we lump profiles together? IGTF will not just provide the bundle, but will provide different profiles. A meta-package of "production quality" profiles would be helpful. You can use yum or apt to keep the RPMs up-to-date. The definitions of the packages needs to be explicit. What is the definition of "production quality"? We need something that can be installed and updated by VDT! The IGTF document is at .