CAOPS Administrivia ------------------------------------------------------------------------------ - Several documents have been drafted but only few of them have made it to public documents. David Groep pointed out that one of the possible sources of the problem might be that the majority of the documents are already being used/adopted from their draft versions and thus not a lot of effort is put into finalizing them. - The terminology is not always consistent across documents. A glossary would be very helpful in this direction. - Document structure. As the number of documents rise it is important that the documents as a whole synthesize a clear picture of the requirements in providing Authentication Services for the Grids. It was proposed that there should be a core set of documents defining the general components of an Authentication Federation. - Guidelines for Authentication Federations - How to operate/manage and Authentication Federation (PMA Model Charter) - How to define Authentication Services (Authentication Service Profiles) - Guidelines for IdPs to model their policies (Certificate Policy Model) - Guidelines for Auditing IdPs (Auditing document) and on top of this set, there are documents which are more technology specific: - OCSP requirements for Grids - 1SCP Profile - Certificates for automated clients - Grid certificate extensions - Namespace policy - CAOPS meetings We have observed work in between GGFs has been low. In order to remedy this we should try to have a few telephone conferences in between the GGF events. The PMA meetings can be a nice opportunity to have a CAOPS session open to all both via f2f and via telecon. David Groep and Darcy Quesnel agreed to co host a CAOPS session at the next PMA meetings. After discussing with Yoshio Tanaka we concluded that since not a lot of people from APGrid are involved in CAOPS it might be better to start only with the euGridPMA and TAGPMA meetings. Auditing Document (Yoshio Tanaka) Document: https://forge.gridforum.org/projects/caops-wg/document/Audit_Guidelines/en/1 Presentation: https://forge.gridforum.org/projects/caops-wg/document/Audit_Guidelines_Presentation/en/1 ------------------------------------------------------------------------------ Need to check the copyright of the Web of Trust that was used as the basis for the draft. The document needs an update in order to capture the current minimum requirement of the classic profile. The document describes the rough procedures for auditing - score sheet - materials for auditing - pre examination phase - main examination phase - post examination phase Within the document there are references to explicit sections of RFC 2527. The question was raised what would happen if the CP/CPS does not follow RFC 2527 or RFC 3647? It is up to the CA to provide the necessary information to the auditor. During the conversation the question was raised on how we define an "archive". During the CA audit, should also the RAs be audited? Currently in APGridPMA the RAs are not being audited. It is very difficult to have the auditors visit the RAs. Matt Viljoen said that the UK E-Science CA has plans in auditing RAs and could contribute their experience in this document. Authentication Service Profiles https://forge.gridforum.org/projects/caops-wg/document/Authentication_Service_Profiles/en/4 ------------------------------------------------------------------------------ The purpose of this document is to offer guidelines for writing Authentication Service Profiles The ASPs currently in use are using the section 4 of this document. Within the current draft there is also an attempt to describe the notion of Authentication Federation, Identity Providers. This information should be included in the glossary or in separate documents and just referenced here. Milan raised the question whether there should be a clause about liabilities in the Authentication Service Profiles. The consensus of the discussion was that an ASP should have a section about liabilities even if it just mentions that there are no liabilities. OCSP https://forge.gridforum.org/projects/caops-wg/document/OCSP_Requirements_for_Grids/en/6 ------------------------------------------------------------------------------ Milan mentioned that the initial direction of document was changed during it's evolution. The issue about OCSP blacklisting was raised. The consensus was that blacklisting is an authorization decision and should take place at the VO level.