Updates from the EUGridPMA
David Groep, July 16th, 2007

Presentation Transcript


  1. Updates from the EUGridPMA
     David Groep, July 16th, 2007

  2. Outline
     • EUGridPMA: new CAs and profiles
     • Istanbul discussions
     • Re-reviewing process

  3. EUGridPMA members and applicants
     Green: EMEA countries with an Accredited Authority
     • 24 of 27 EU member states (all except LU, MT, RO)
     • + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR
     Other Accredited Authorities:
     • DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

  4. Membership by type
     • Under “Classic X.509 secured infrastructure” authorities
       • accredited: 40 (recent additions: Serbia in 1.14)
       • active applicants: 6 (Romania, Morocco, Ukraine, FYROM, Iran, Latvia)
     • Under “SLCS”
       • accredited: 1 (SWITCHaai)
     • Major relying parties
       • EGEE, DEISA, SEE-GRID, LCG, OSG, TERENA

  5. Developments in Europe
     • Robots or automated clients
       • were proposed in 2002 by Mike Helm et al.
       • introduced in the UK in 2006, in NL in 2007
       • see http://ca.dutchgrid.nl/info/etokens for examples of tokens
     • Why?
       • monitoring use case (the classic one) for functional tests
       • portals and web sites with ‘canned’ jobs, just like the cgi-bin use case
       • automated tasks (data movers, &c)
     • use of automated clients needs quite some policy changes, but having secure hardware tokens is a good ingredient

  6. Other (non-)contentious issues discussed in TR
     • CRLs for compromised CAs
     • non-repudiation bit in keyUsage
       • and how that relates to email signing
     • the Meaning of Locality
       • and why to use O if you can
     • objectSigning bits
       • should we also address who is allowed to get this bit?
       • should the organisation be involved (Milan)?
       • or does it only assert that the code was signed by this user, as is done in the UK, NL, AT, and so better kept as is?
     • auditable traceability in ID vetting and alternative solutions
     • the meaning of SHOULD

  7. Self-Auditing
     • all members should do a self-audit at least once a year, based on the audit guidelines document, which reflects the latest state of the minimum requirements.
       • To aid in the self-review, the document will be complemented with some examples, and with input from the "Operational Review" spreadsheet that has been very successful in the TAGPMA. We can work on this during the coming months.
     • at least once every two years, the results of the self-audit, together with all supporting documentation, should be submitted to two independent peer reviewers endorsed by the PMA
     • the reviewers should independently verify the self-audit, rate the issues on the scale A to D, and iterate with the authority under review to reach a final conclusion.
       • This conclusion is open for the PMA.
     • the Authority should make a plan to address the issues found in the review, and correct all issues on which Advice ("D") was given.
     • the reviewers and the PMA verify that these changes are implemented in a 6-month time frame
     • if, after six (6) months, for some very unlikely reason, the issues are still not corrected, the PMA will discuss the issue in the next plenary meeting. This discussion will include considering withdrawing the CA certificate from the distribution.
     • The results of this entire process will be private to the PMA. Only in case an authority is actually withdrawn would it be made public.

  8. Showing up
     • Also, please keep in mind that we would still like each CA to send a representative to the plenary meeting at least once every 1-2 years. Otherwise, after two years, the PMA will similarly discuss this. And, of course, everyone should be willing to act as a reviewer at least once a year :-)

  9. Internal status table

  10. Some dates for you to remember and schedule
      • September 4-5, 2007 TF-EMC2 meeting, Prague, CZ
      • September 19-21, 2007 11th EUGridPMA meeting, Thessaloniki, GR
      • October 15-19 – OGF 21 CAOPS, IGTF, …, Seattle (WA), USA
      • November 29-30 NREN-Grid Workshop on Identity Federation, Malaga, ES
      • January 14-16, 2007 12th EUGridPMA meeting, Amsterdam, NL
