GGF14 CA Operations WG Meeting Thu Jun 30 2005 Chicago, IL Agenda: The America's Grid PMA (TAGPMA) Charter Revision and Discussion led by Tony Genovese See Tony's PowerPoint slides at . Founding members in attendance: Canarie (Quesnel), OSG (Cowles, Skow), TeraGrid (Rimovsky), Texas High Energy Grid (Sill), DOEGrids (Genovese, Helm), and Dartmouth (Franklin). For TeraGrid, Tony Rimovsky represents TeraGrid as a relying party. TeraGrid CAs should also join separately. UK E-Science and DOE Grids CAs are trusted by TeraGrid as a relying party. That straddles the boundary between EUGridPMA and TAGPMA. The purpose of the IGTF (International Grid Trust Federation) is to bridge these boundaries. The certificates for accredited CAs will be published at the IGTF level. Tony Genovese led a discussion of the TAGPMA charter. We have a hierarchy of PMAs, with IGTF at the top, the three regional PMAs (EU, AP, TAG), and then "local" PMAs. Could possibly split into separate North America and South America PMAs in the future if so desired. We have regional affiliations for reasons of convenience (timezone and travel), and it may make sense to reorganize the regions in the future as membership changes (for example, participation from Africa). There are multiple types of authentication services (PKI, Kerberos). An operational service provided by an organization. This is discussed in the Authentication Federation Guidelines document. It'd be useful to include a definition of authentication services in the charter. Should be an open definition. How does the Federal Bridge CA relate to this? Unlikely that the Federal Bridge will come to this group for accredidation. Our scope is restricted to grid authentication, though authentication providers can serve other needs outside of this scope. Also consider the Higher Education Bridge CA. TAGPMA could submit a new authentication service profile, in use, to IGTF for assignment of an OID. Each regional PMA produces its own trust matrix for its relying parties, which need not be accepted by other regional PMAs, but discussion between the regional PMAs will be encouraged through the IGTF. In charter, need to clarify use of "authentication service" versus "authentication profile". Dane has submitted KCA (online Kerberized CA) authentication profile. Work on a bridge profile is in progress. TAGPMA will mirror other regional PMA repositories. TAGPMA will accredit authentication service providers and document compliance to membership rules and authentication profile(s). TAGPMA doesn't audit, but members must be allowed to audit each other. What does accredit mean? EUGridPMA has an accredidation guidelines document. This is similar to "policy mapping" in the bridge CA sense. What is the "watchdog" function? How are TAGPMA members removed? This is covered in section 12.4.5 (Resignation/Expulsion) of the charter. Will TAGPMA investigate questions raised? Should be listed as an activity. We should have a disaccredidation process that doesn't require expulsion. Does TAGPMA have unaccredited members? Relying parties are not accredited to a profile. Experimental CAs would be accredited toward an experimental authentication profile. The TAGPMA will not run an authentication or authorization service. Won't exhaustively list all excluded activities in the charter. Will TAGPMA provide guidance to members who want to join? Can't help everyone set up their CA. Being a founding member doesn't mean automatic accredidation. Canarie and DOEGrids are already accredited by EUGridPMA. Do we need an additional face to face meeting to get this done? Need to set dates. Will have a phone call. TAGPMA will become active today and begin the accredidation/review process. OSG needs this. Will continue to fine-tune the charter until the founders are ready to vote. Set up TAGPMA members-only mailing list and repository immediately. All founding members in attendance agree on beginning operations. Darcy will be acting chair. Should add a glossary to the document. Please join the tagpma-general@tagpma.org mailing list for general discussion. Sign-up at www.tagpma.org.