International Grid Trust Federation Session GGF 20 Manchester, UK

1
International Grid Trust Federation SessionGGF
20Manchester, UK

• Wednesday, May 9 2007
• CAOPS-WG session 2

2
IGTF Session Agenda _at_ OGF20

• Updates from regional PMAs
• Problems in compliance with the new
  Authentication Profile
• Recognized the importance of self
  assessments/auditing
• Agreed to encourage member CAs to use Auditing
  Documents for self-auditing
• Authentication Profiles
• Member Integrated Credential Services AP
• Will be reviewed EUGrid PMA F2F and APGrid PMA
  F2F
• Portal-based Credential Services AP (Yoshio)
• No progress
• Hardware Tokens
• Robot certificates (Jens)
• Experiences on eTokens in Netherland (David)

3
Updates of the APGrid PMA

• TAGPMA F2F _at_ Banff

Yoshio Tanaka
4
Members (13 4)

• 9 Accredited CAs
• In operation
• AIST (Japan)
• APAC (Australia)
• ASGCC (Taiwan)
• CNIC (China)
• IHEP (China)
• KEK (Japan)
• NAREGI (Japan)
• NECTEC (Thailand)
• Will be in operation
• NCHC (Taiwan)

• 3 CAs under review
• NGO (Singapore)
• KISTI (Korea)
• PRAGMA (USA)
• Planning
• ThaiGrid (Thailand)
• General membership
• Osaka U. (Japan)
• U. Hong Kong (China)
• U. Hyderabad (India)
• USM (Malaysia)

No new accredited CAs, but KISTI and PRAGMA have
entered the review process
5
Audit

• AIST (Yoshio) audited KEK Grid CA
• Date April 13th
• Used the new auditing document
• Found five major problems (must be revised), but
  they are not serious (easy to solve).
• KEK audited NAREGI CA
• Date July 2nd
• First external auditor except me ?
• Used the new auditing document
• Now, drafting report of the audit.

6
F2F Meeting _at_ Singapore

• Date June 4th (Mon)
• Venue Biopolis, Singapore
• Co-located event Grid Asia 2007
• Participants
• AIST, APAC, ASGC, KEK, KISTI, NAREGI, NECTED,
  NGO, PRAGMA
• Absent
• CNIC, IHEP, NCHC, Thai
• Agenda and results of the discussion
• Updates from CAs
• All accredited CAs reported the progress to
  comply with the new Classic AP
• Discussed on how to guarantee the name uniqueness
  entire lifetime of the CA.
• How should this requirement be for host/service
  certificates?
• Decided to continue discussions

7
F2F Meeting _at_ Singapore (Contd)

• Agenda and results of the discussion (contd)
• Live review of KISTI GRID CP/CPS
• Had a live review of KISTI GRID CP/CPS using the
  auditing document.
• Pointed out some issues need to be solved.
• Continue the review via email.
• Discussions on auditing
• We agreed to audit each other.
• Yoshio shouldnt be the only one auditor ?
• Review of MICS profile
• Agreed to approve the MICS profile ver.
• One comment
• The MICS profile describes that keyUsage of the
  MICS CA certificate must be marked as critical,
  but it should be dropped to should as in the
  Classic AP.
• Discussions on profile of Portal-based CS
• Yoshio presented some idea (as did in EUGrid PMA
  F2F).

8
Recent problems on ASGC CA

• Since ASGC CAs current root certificate will be
  expired next year, ASGC CA decided to create a
  new root CA certificate.
• problems
• Failed in downloading CRL.
• Incorrect link to the new crl_url.
• Trailing space in the issuers Subject DN.
• Action
• ASGC CA has decided to re-key the new ASGC root
  CA certificate.
• Temporary Withdraw ASGC-2007 in the latest IGTF
  CA distribution.