GGF14 CA Operations WG Meeting Tue Jun 28 2005 Chicago, IL Agenda: Reorganization - Dane Skow OCSP - Olle Mulmo Authentication Federations - Tony Genovese CA Auditing - Yoshio Tanaka XKMS - Ayako Komatsu One-statement Certificate Policies - Milan Sova Federal ID - John Volmer International Grid Trust Federation - Tony Genovese The Grid PMA Charter document is in public comment period. Please read and post comments at , even if just to say, "I've read and I approve." Especially for PMAs that are using this document. The GGF web pages have been updated according to the new working group organization. CAOPS has moved from the security standards area to the grid operations community area. CAOPS is an ongoing forum for discussions by CA operators. While GGF doesn't run grid infrastructures, GGF does recognize the need for an international forum for grid operators. CAOPS has been a successful group in this regard for years. Rather than trying to fit this group into the standards process, CAOPS fits better in the community operations area. Nominations for new area directors are being considered -- contact NOMCOM members with suggestions. Darcy is a NOMCOM member. We had a good discussion recently on the mailing list on the OCSP draft (https://forge.gridforum.org/projects/caops-wg/document/OCSP_Requirements_for_Grids). Olle will be giving us a new version soon. An implementation is available. Mike Helm said there are some outstanding issues: - How do we manage proxy certificates in relation to OCSP. How would OCSP reply to queries based on proxy certificates? - How does OCSP fit in with other revocation services? In what order are things done? What do you as a relying party want? What is more authoritative? - Assumptions about CRLs are implied by the OCSP document, essentially that they exist and they are useful. We don't have a best practices for CRLs except in EU Grid minimum requirements. We don't revoke proxy certificates in CRLs today. Olle referred to the OCSP Services Architecture diagram in the OCSP document. CRLs are published periodically. The relying party uses OCSP and/or CRLs. Inconsistencies are inevitable, but it's okay. CRL issuers and OCSP responders say, "to the best of my knowledge, this certificate is fine." Is this resolvable, or should the discussion be summarized in the document? We don't have enough experience with OCSP yet to document "best practices". The paper should just mention that there might be inconsistencies. Olle described the "fire and forget" policy of proxy certificates. We should put our energy into constraining proxy certificate policies. Short lifetime is the traditional argument for proxy certificates. The Site AAA document lists requirements on maximum proxy lifetimes, recommending that people re-check authorization each day. One method is to use MyProxy credential renewal. Another way is to use an authorization attribute, like a VOMS attribute, that can be refreshed. We have no clear answer for this; we need experience. The paper should leave it open and describe our discussion of the issues. Do we need a CRL profile for grids? The OCSP document has requirements for CRLs, including references to delta CRLs. Does anyone use anything other than "regular" CRLs? Use of "suspensions" has been discussed. Action item: Olle will add text about managing proxy certificates to the OCSP document. A document on Guidelines for Authentication Federations in Grids, to provide a consistent way for identifying authentication mechanisms, is available at . It discusses four characteristics of authentication mechanisms: - A governing board - Set of membership and accreditation procedures - Operational requirements - A publishing process Tony has received feedback from TAGPMA and the IGTF who are using this document. He reworked the governance section based on the feedback. The document can be used as a site document, federation document, or federation of federations. Is the document too terse or do we need more text? Feedback from TAGPMA, IGTF, and others would be helpful. DOEGrids CA is ready to follow this format. Please post your comments on the mailing list. The document could be expanded to address authorization issues. The PMA Charter covers section 12 in this document (governance). We can refer to CP/CPS and PMA charter documents from this format. Yoshio presented the experience of having the AIST CA audited by the NAREGI CA. Please see the powerpoint slides at and the Audit Checklist document at . The checklist document may be useful for auditing other CAs, for example, in the EU Grid PMA. NAREGI selected from the Web Trust checklist items based on the EU Grid PMA requirements document. It would be helpful to have documentation justifying the choices and why some items were verified by interview versus inspection. Web Trust provides additional items to check if desired. Perhaps this could become a working group community best practice document. Ayako Komatsu presented the Naregi XKMS service. The source for the NAREGI CA softare is available. The current deployment uses one central CA service. Milan Sova proposed one-statement certificate policies. The problem: - "Was this certificate issued to a host or to a person?" - "Is the private key stored on a hardware token or in software?" - "Is the private key encrypted?" - "Was the private key generated by the subscriber or by the issuer?" Proposed solution: the One Statement Certificate Policy. Assign a policy OID for each attribute (for example: host certificate). Then, each host certificate references that OID in the certificatePolicies extension (an OID for the issuer plus the OIDs for the different one-statement CPs). We could assign OIDs under GGF/IGTF OID space. The relying party can compare against the OIDs it knows about. This would motivate relying parties to deal with the certificatePolicies extension. We should also assign an OID for this working group's profiles. What will relying parties do with policy OIDs they don't understand? Could have a list of required OIDs. The certificatePolicies extension is generally not marked critical. John Volmer gave a presentation on FIPS 201, a U.S. government smartcard deployment effort. Tony led a discussion on the establishment of the International Grid Trust Federation (www.gridpma.org). The founding members of IGTF are: - EUGridPMA Chair David Groep (www.eugridpma.org) - APGridPMA Chair Yoshio Tanaka (www.apgridpma.org) - TAGPMA Chair Darcy Quesnel (www.tagpma.org) The purpose of IGTF is to coordinate policies across PMA regions. For example, establish minimum operating requirements. EUGridPMA manages the "classic CA" profile. Also under development is an experimental CA profile (Yoshio Tanaka) and a KCA profile (Dane Skow, Fermilab). The federation document and classic profile are available at . David led a discussion of the IGTF Federation Document. Each CA will produce certificates under its local policy, the IGTF profile (classic, KCA, etc.), and the one-statement certificate policies. Whether the CAs will be required to include the IGTF OIDs in all certificates they issue was tabled as a topic for later discussion. Whether RFC 3647 style documents are required for all OIDs was discussed. The document currently specifies behaviors of the IGTF and the member CAs and perhaps it could be split into multiple documents, but the general preference is to keep it as one document. Membership includes a CP/CPS audit and a committment to be audited by other members and to keep audit records for three years. It was suggested to include language on how member PMAs can be re-organized, though perhaps this is already covered by section 12.1 (change procedures). For voting, the quorum should be all 3 members. The founders will vote to approve the constitution on August 1. The first work item will be the coordination of policies at the next GGF meeting.