EUGridPMA meeting, NBI Copenhagen, 26-28 May 2008.

Notes by Jens.

Round table introductions.

New Polish CA for all science activities.  Nordic countries: possibly a
new common SLCS, Jan Meijer involved.  Usman: new CP/CPS, key rolled
over.

ES-NET: want to clone the CA to make more resilient against natural
disasters.  Audit report written but not released.  John Volmer new
chair of the PMA, Bob Cowles moved on to other things.  Reviewing
RA/agent processes, depends on people being connected.

Yoshio: update from APGridPMA.  India new member, no accredited CA
yet.  Deputy chair to be appointed.

TAGPMA: SLCS CRLs and FIPS 140 Level 2 discussions.

Latvia: s/LatNET/SigmaNet/.  CALG: in pretty good shape.  Should
address how proof of possession of the private key is made.  Needs to
issue certificates so the operational review can be completed.

=> Once updated, must issue some EE certs (all flavours), then needs
positive ack from reviewers including operational review, then
approved after two weeks.

Willy wants to use Java-based clients to generate keys for users and
asks whether it is OK to use BouncyCastle.  Java 1.6 only, because file
access permissions can be set on the private key from Java.  DFN use
BouncyCastle with no bad experiences.  GrNet also had experience, but
users had old versions of Java or no Java installed.  UK e-Science
also had applets.  BouncyCastle can now encrypt private keys.

How to check the quality of the RNG, e.g. with the FIPS tests.
Validating the primes that come out is harder.  OpenCA stores the
public key and checks whether it has been submitted before.  Even
OpenSSL has been FIPS certified.  We can run our own crypto tests.
What about browsers?
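The checks discussed above, put into a script as an added example for
these notes (not code from OpenCA, BouncyCastle or any of the CAs
present): it verifies proof of possession on the PKCS#10 request,
rejects keys below a size floor or with a tiny public exponent, and
refuses a public key that has already been certified.  It assumes an
OpenSSL 1.1.1 or later command line; the registry file name, the
2048-bit floor and the e >= 65537 rule are assumed site policy, not
text from the minimum requirements.

```shell
#!/bin/sh
# Added example for these notes (not code from any CA listed here or from
# OpenCA/BouncyCastle): the intake checks an RA or CA front end can run on a
# PKCS#10 request before it is signed.  Assumes an OpenSSL 1.1.1+/3.x CLI in
# PATH; the registry file, the 2048-bit floor and the e >= 65537 rule are
# assumed site policy, not text from the minimum requirements.
set -e
WORK=$(mktemp -d)
REGISTRY="$WORK/seen-keys.txt"   # one SHA-256 fingerprint of a DER SubjectPublicKeyInfo per line
MIN_BITS=2048
: > "$REGISTRY"
# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\nCN = Common Name\n' > "$WORK/req.cnf"

# Constructed inputs (no real users): a normal key, a weak key, and a second
# request signed with the first key again, as a resubmission or a stolen key would be.
mkreq() {  # mkreq <name> <bits> <key file to reuse, or "">
    key=${3:-$WORK/$1.key}
    [ -n "$3" ] || openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$key" \
        -subj "/DC=org/DC=example/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}
mkreq alice 2048 ""
mkreq weak  1024 ""
mkreq alice-again 2048 "$WORK/alice.key"

# SHA-256 of the DER SubjectPublicKeyInfo: identical for the same key whatever
# the subject says, so it is the right index for "have we certified this key?".
spki_fingerprint() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -r | awk '{print $1}'
}

# check_csr <file>: prints ACCEPT and records the key, or prints REJECT with
# the reason and returns 1 at the first failing check.
check_csr() {
    csr=$1
    # 1. Proof of possession: the PKCS#10 self-signature must verify with the
    #    public key carried in the request.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "REJECT $csr: proof-of-possession signature does not verify"; return 1
    fi
    keytext=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
              | openssl pkey -pubin -text -noout 2>/dev/null)
    # 2. Modulus size (OpenSSL prints "Public-Key: (2048 bit)" for RSA keys)
    bits=$(printf '%s\n' "$keytext" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "REJECT $csr: ${bits:-unknown}-bit key, policy minimum is $MIN_BITS"; return 1
    fi
    # 3. Public exponent: a tiny e points at a broken generator or a bad client config
    e=$(printf '%s\n' "$keytext" | sed -n 's/^ *Exponent: \([0-9]*\).*/\1/p')
    if [ -z "$e" ] || [ "$e" -lt 65537 ]; then
        echo "REJECT $csr: public exponent ${e:-unknown} below 65537"; return 1
    fi
    # 4. Never certify the same public key twice (the OpenCA check mentioned above)
    fp=$(spki_fingerprint "$csr")
    if grep -qx "$fp" "$REGISTRY"; then
        echo "REJECT $csr: public key already certified (fingerprint $fp)"; return 1
    fi
    echo "$fp" >> "$REGISTRY"
    echo "ACCEPT $csr: $bits-bit RSA, e=$e, fingerprint $fp"
}

for name in alice alice-again weak; do
    check_csr "$WORK/$name.csr" || true
done
```

The fingerprint is taken over the public key alone rather than over the
whole request, so a user who changes the subject and resubmits the same
key, or an attacker who has copied that key, hits the same registry
entry.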

Valentin Pocotilenco presented RENAM CA (Moldova).  Recommendation to
switch to domain components in the subject names.  Needs a quick update
to the CP/CPS to address questions.  Reviewers haven't reviewed it yet.

Lidija Milosavlevic presented Montenegro.  Some of the same
suggestions such as switching to DC.  Decided to update, then
re-review, and usual two weeks after the acks from the reviewers.

Milan presented.  Needs full featured licence free system.  Chose
EJBCA, Open Source but with paid support.  Standard interface but
somehow each one lacks some functionality.  Using web services
(proprietary) to manage the whole interface, e.g. viewing requests.
What happens when a user moves to a different institution and talks to
the system via a different IdP?  Milan thinks it will be possible to
retain the identity.  In the US, small number of people move, but they
can be important.  Can local admins request revocation when an
incident happens, or when a person leaves?  Can be implemented by
policy.  Another unpublished authentication token?  Thinking about it,
NCSA have it.  Plan to have key in HSM with dedicated permanent link
to online machine.  Running several CAs in the same instance of
EJBCA/HSM.  How vulnerable is it to phishing?  This is why a second
factor could be used sometimes.  Legacy authentication service does
not typically have revocation.  Can you query whether an identity
still exists?  Probably different in different institutions.  Ditto
for the CA when CA is not notified when a person leaves (unless RAs
revoke them).

Self reviews: Israel currently with reviewers (who unfortunately were
busy with other things).  Not much response from Belgium who are
trying to outsource their CA provision - put the authentication
profile out to tender.  CyGrid and Slovak - need following up.
HellasGrid - "everything is fixed", working on new version of CP/CPS.

John Renner Hansen, head of NBI, gave a talk welcoming the meeting to NBI.

Incident discussion.
* What if it happens during a holiday?
* Assess severity of incident - initial reports of vulnerability did
  not make it clear how serious it was.  How much is affected.
* Need to identify single points of failure in processes.
* Other potential flaws that should be tracked?
* igtf "concerns" email address bounced.
* 90% had responded by close of Friday 16th.
* Text meant for PMAs, not for distribution to real users.
* OSG required a coordinated PMA response, not just single PMAs.
  Discuss at OGF.
* David checked EE certs from some non-responding CAs.  Getting EE
  certificates from certain CA types of software can be challenging.
* Revoking a web server certificate is pointless if browsers don't use
  the CRLs.  This puts more load on CAs.  Or use OCSP.
  Revoking without informing users (e.g. if email doesn't work) seems
  a bit rude.  Particularly VOMS servers are critical.
* In this case, vulnerability in ssh made the problem worse.  Thus, a
  response needs to be consistent: if a site is broken into, other
  sites can be wide open.
* In this case, we used GPG.
* A DoEGrids PMA established an incident response group described in
  an appendix.  Need to test it or it will go away.  Next incident
  will be different.
* For this event, would expect response by 1.5 business days.
  "Best effort" responses.  Incident response was not trivial in this
  case.

One CA did not respond before Friday 23rd.  A release was prepared not
containing that CA, mailed to internal discussion list, which prompted
the aforementioned CA to react.
* RPs started worrying before announcement sent out.
  Inform incident response team of (main) RPs.
  RP incident response team could be involved in assessing the
  severity of the incident.
* Define minimal time to respond to request from PMA.
* CAs should respond, announce, then investigate, fix, update.
* Informational lists not ideal for incident response.
* What to do without response?  PMAs responsible for their members'
  responses.
* Suggestion for subteam processing tickets.  Subteam to assess the
  risk and timescale for first ack (suggested at least first business
  day) and timescale for fix.
  Suggestion to have this team consisting of people from each PMA.
  What if they get it wrong?
* One large RP took four days to deploy the new release.
  Not our problem, but our concern.
* Need security challenges to test the process.
* Put a subject tag in announcement mail to identify incident
  announcements.  Also outline the CA's response procedures.
* Early announcement on web site and announce list: we're looking into
  the problem.
  OSG sent an announcement with a link to a page which would be
  updated.
* For incident, authentication of the sender needed: use Thawte or
  PGP.
* Should not be encrypted?  What information can be reported to whom?
  Maybe responses should be encrypted.  Particularly if the list is
  archived (particularly publicly).
* What if a helpdesk is not processed till next Monday morning?
  Maybe locate a helpdesk that can alert out of hours, or provide
  separate contact details.
* "REN-ISAC" incident response team (Mike), knows a lot but is an
  information sink.
  If it affects operations security, need to advise these response
  teams.
* Suggestion to have CAs prepare CRL for itself that revokes itself
  (or just an "expired" one of course) (central CRL repository), or a
  separate validation service?  Or common root?
* Or is communication more important than action?

=> Distill actions, implement, test with incident test, and review.

What to do with CAs that don't respond in time?  Distribution
suspension?  Compared to this case, what if the CA is not vulnerable?
Suspension would require new release, and RPs need to pick them up.
CAs can request reasonable extensions.  Suspension should include the
TACAR admin.

Need good processes before suspension.  E.g. a quorum with sufficient
numbers voting in favour.  Can use urgent phone conference.  Need
procedures to be able to act effectively - core team to decide whether
it goes public.  Core team should have RP and mix of experienced CAs.

.info email address should be responded to ASAP.  Should not be a
personal address, CAs must update.  Emergency contact details not in
.info files.  Some concerns about the private phone number - but
incident response team will have it, so they can contact the CA.  How
much 24x7 support do we - or can we - expect from CAs?

ROBABs (a RAL-word) and roles.  Anders is trusted committer.  Mike and
Yoshio should also have the signing key for the distribution.  Also
person to maintain mailing lists and domain.

Initial risk assessment team: Jim, Jens, Willy, David, Yoshio.  To
establish procedures.

Reimer's presentation: using portals to make certificate management
easier.  Eclipse plugin to manage credential.  Also able to use the
Shib AAI.  The SLCS is the SP - in the similar UK NGS project, the
portal is the SP.  Also vulnerable to phishing attacks?

Is it OK to log in via ssh to generate credentials?

** Jens to send details regarding SARoNGS

David presented work from the EGEE portals WG.  How are Grid resources
provided to biomed users.  Five levels of assurance of
authentication/naming.  David had a go mapping use cases to levels,
circulated to JSPG.

Jens gave a presentation on robots.

Milan talked about 1SCPs.

David presented an example 1SCP for private keys protected on a token.
Some editing was done.  How is the 1SCP used?  It should define the
policy, not practices.

Identity vetting process description, trusted third party (TTP), F2F.
See tagpma.es.net/wiki for TTP.  What is the opposite of warm and
fuzzy?  For documents, aim for correctness, then completeness (covers
all we (can) require), then minimalness.  LoA is orthogonal: e.g. use
cases for gov't id.  I can take gov't id to RA or to TTP.  Other id
vetting: "blame the IdP".

DONM.  6-8 Oct, Lisbon, Portugal.  26-28 (tentatively) Jan 2009, in
Nicosia, Cyprus.  11-13 (also tbc) May 2009, Zurich, Switzerland.

Dave presented AuZ policy WG.  Mandate discussion summarised: best
practice, policy statements.  Start with draft profiles, and start
looking at accreditation.  Guidance and best practices for running
attribute authorities.  Link between AuC and AuZ.  Long term aim
should be general, but perhaps best to start with VOMS.  Accredit a
few major VOMS servers.  Upcoming NA4 meeting to discuss how new VOs
will be joined, Christos will be going.  Mike sent an attribute
certificate validation in OSG document to the AuZ group very recently,
will send to EuGridPMA list.  How to have attr system dealing with PII
(Personally Identifiable Information) - some things may not be
together for privacy issues.  Need F2F meeting?  We recognise VOMS
certificate (and suchlike) are special, if any special validation is
needed by CAs, proposals can come from AuZ working group.  Colocated
with NREN/Grids virtualisation meeting in Dublin, early Sept?
Aim to have a proposal ready before EGEE '08.

SLCS must issue CRLs.  nextUpdate may be 365 days in the future (or
not; it is not in the document?).  If you have certificates which are
compromised and live more than 24 hours, they should be revoked and
the CRL should be available for as long as the certificates are valid.
EE certs must have CDP.  Two updates since Amsterdam: apart from
CRL/CDP, also changed HSM requirements from Level 3 to Level 2.
Role based rather than operator based seems more appropriate,
particularly to get a service back online.  Physical security is often
there (tamper proof as opposed to evident).  Need for identity based
logging for key activation?  With this provision, and also provision
for feedback from Switch, approved.
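As an added example for these notes (not from the SLCS profile, the
minimum requirements or any CA's software), the script below builds a
throw-away CA with OpenSSL, issues a short-lived EE certificate with a
CRL distribution point, revokes it and publishes a CRL with nextUpdate
a year out.  It also shows the point made in the incident discussion
that a client which ignores CRLs goes on accepting a revoked
certificate.  OpenSSL 1.1.1 or later is assumed; ca.example.org, the
11-day certificate lifetime and the 365-day CRL period are assumed
values chosen for illustration.

```shell
#!/bin/sh
# Added example for these notes (not code from any listed CA, nor from the
# SLCS profile or the minimum requirements): a throw-away CA that issues a
# short-lived EE certificate carrying a CRL distribution point, revokes it, and
# publishes a CRL whose nextUpdate is a year out, then shows the difference
# between a relying party that checks the CRL and one that does not.  Assumes
# an OpenSSL 1.1.1+/3.x CLI; ca.example.org, the 11-day lifetime and the
# 365-day CRL period are assumed values for illustration.
set -e
WORK=$(mktemp -d)
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"; echo 1000 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"

cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName         = Common Name
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca         = example_ca
[ example_ca ]
database           = $WORK/index.txt
new_certs_dir      = $WORK/newcerts
certificate        = $WORK/ca.crt
private_key        = $WORK/ca.key
serial             = $WORK/serial
crlnumber          = $WORK/crlnumber
default_md         = sha256
default_days       = 11
default_crl_days   = 365
policy             = dc_policy
x509_extensions    = ee_ext
[ dc_policy ]
domainComponent    = optional
commonName         = supplied
[ ee_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://ca.example.org/example-ca.crl
EOF

# CA key and self-signed certificate, then one EE request with DC-based naming.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/DC=org/DC=example/CN=Example CA" -out "$WORK/ca.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ee.key" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/ee.key" \
    -subj "/DC=org/DC=example/CN=Alice Example" -out "$WORK/ee.csr" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/ee.csr" -out "$WORK/ee.crt" 2>/dev/null

# CRL before and after revocation; -crldays sets nextUpdate.
openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 365 -out "$WORK/before.crl" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/ee.crt" -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 365 -out "$WORK/after.crl" 2>/dev/null

# Helpers a relying party (or a self-audit script) would use.
cert_has_cdp()      { openssl x509 -in "$1" -noout -text | grep -q 'URI:http://ca.example.org/example-ca.crl'; }
crl_next_update()   { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }
crl_revoked_count() { openssl crl -in "$1" -noout -text | grep -c '^ *Serial Number:' || true; }
# Chain check without CRLs: what a client that ignores the CDP does.
accepts_without_crl() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# Chain check with the CRL: returns 0 only if the CRL lists the certificate.
crl_revokes() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$1" "$2" 2>&1 \
      | grep -q 'certificate revoked'
}

echo "EE certificate carries a CDP: $(cert_has_cdp "$WORK/ee.crt" && echo yes || echo no)"
echo "CRL nextUpdate: $(crl_next_update "$WORK/after.crl")"
echo "Entries before/after revocation: $(crl_revoked_count "$WORK/before.crl")/$(crl_revoked_count "$WORK/after.crl")"
echo "Client that ignores CRLs still accepts it: $(accepts_without_crl "$WORK/ee.crt" && echo yes || echo no)"
echo "Client that checks the CRL rejects it: $(crl_revokes "$WORK/after.crl" "$WORK/ee.crt" && echo yes || echo no)"
```

Two CRLs are generated so the before/after difference is visible; the
second one must stay published at the CDP for at least as long as the
revoked certificate is valid, which with a 365-day nextUpdate is
comfortably longer than the 11-day lifetime used here.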

A discussion re 2nd factor AuC.  NCSA uses something sent by mail,
which is number one complaint from users.

Jan re-presented SigNet CA.  Heavily patched/branched OpenCA 0.9.2.

Szabolcs re-presented KFKI RMKI.  CA was expected to run for a year -
four years ago.  Self audit raised concerns about physical security.
How to deal with exceptions?  Document processes.  Make it
sufficiently painful to discourage people from doing it.

Majid gave a second presentation of the IRAN Grid CA.

Looking at self-audit.

Template CP/CPS: start from scratch?  Copyright issues - copyright is
usually owned by employer.
* Anders has volunteered to be the first person to implement the
  template policy - to be done by the end of 2008
* Get other new CAs in at EoI.
  Other existing CAs to revise theirs?  Does it make it shorter?
* Need to tie in the TAGPMA annotated CP/CPS
  (red colour in draft version) - subject to copyright agreement
* Needs to refer to the minimal requirements
  - minreq is authoritative, but it has been suggested the template
  could replace the minreq.
* Needs to refer to the relevant AP profile(s)
* Technical stuff: XSLT translation from a "source" XML document with
  a validation schema to LaTeX, and Word, Docbook, HTML, PDF.
  XML, Schema -> output via XSLT.  Can be done via web service.
  Sub working group to look at technical options.
* Add example, common scenario
* Create IGTF CP.  CA manager should write compliant CPS.  Permit CA
  manager to create combined document.
* Videoconferencing?  Hosted by TAGPMA wiki or EUGridPMA wiki?  Set up
  mailing list.
