EUGridPMA Status and Current Trends and some IGTF topics


EUGridPMA Status and Current Trends and some IGTF topics
March 2014, Taipei, TW
David Groep, Nikhef & EUGridPMA

EUGridPMA Topics
· EUGridPMA (membership) status
· Risk Assessment Team
· IPv6 readiness and fetch-crl
· SHA-2 time line
· CA readiness for SHA-2 and 2048+ bit keys
· OCSP support
· Documents and guidelines: GFD.125 bis, Private Key Protection Guidelines v1.2, IGTF Test Suite
· On-line CAs and FIPS 140-2 level 3 HSMs
· IOTA AP and RP Questionnaire

David Groep – davidg@eugridpma.org – APGridPMA Taipei 2013 meeting

Geographical coverage of the EUGridPMA
· 25 of 27 EU member states (all except LU, MT)
· + AM, CH, DZ, EG, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DOEGrids (US)* + TCS (EU)
· Pending or in progress: ZA, SN, TN, AE, GE

Membership and other changes
· Responsiveness challenges for some members
  · JUNET CA – suspended
  · HIAST CA – keeps running! (albeit with some connectivity issues)
· CA reduction
  · More countries moved to TCS: IUCC IL, IE, …
  · DOEGrids & ESnet decommissioned (as of the 1.56 release)
  · TCS tender ongoing, target start of overlap period summer 2014
· New CA in Georgia (Tbilisi), potentially a lot from UbuntuNet
· Self-audit review
  · Kaspars Krampis as dedicated review process coordinator
  · Self-audits progressing on schedule for most CAs
  · Biggest challenge is getting peer reviewers to actually review

ONGOING WORK ITEMS
SHA-2 · Guideline document revision · IPv6, RAT · IGTF – 10 years from now

RAT challenge
· Ursula Epting to conduct early June against all CAs
· Timeline taking into account time zones:
  · 4th June: announcement of the test
  · 18th June, 10.20 h: start of the test
  · 20th June, 14.50 h: reminder for CAs that have not replied
  · 21st June, 10.20 h: end of the test
· Request: acknowledge receipt, for each trust anchor

Results (2)
[Chart: IGTF communication test, holistic view – number of received replies <24 h, <48 h, <72 h and >72 h, no reply until the official deadline, no reply at all]
Furthermore, 4 CAs replied later, after the official deadline.
So in the very end 13% did not reply at all. This comes down to 11 CAs (with 'one CA' as 'one structure').
12.09.2021 Ursula.Epting@kit.edu, Steinbuch Centre for Computing

Resulting actions proposed
· 24% late (longer than 24 hr), 13% non-response
· Some non-response reasons clarified quickly
  · Incorrect email address in distribution – fixed
  · Already in decommissioning mode
  · Being located in conflict areas, at times near FEBA
· For others, it correlates with known behaviour
· Re-challenge non- and late-responders again
  · After the 1.55 distribution release fixing mail contacts
  · ~ December 2013
· For some, require in-person self-audit remediation

IPv6 status
· FZU runs a continuous v6 CRL monitor: http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/
· 23 CAs offer a working v6 CRL
· but there are also 4 CAs that give an AAAA record but where the GET fails …
· Still 71 endpoints to go (but they go in bulk)
· dist.eugridpma.info can act as v6 source-of-last-resort
· fetch-crl v3 (3.0.10+) has an explicit mode to force-enable IPv6 also for older perl versions
  · Added the "--inet6glue" option and the "inet6glue" config setting to load the Net::INET6Glue perl module (if it is available) so that LWP uses IPv6 connections to download CRLs

[Screenshot of the FZU IPv6 CRL checker: http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/]

SHA-2 readiness
For SHA-2 there are still a few CAs not ready:
· a few can do either SHA-2 OR SHA-1, but not both
  · so they need to wait for software to be SHA-2-ready and then change everything at once
· A select few can do SHA-2, but their time line is not driven solely by us (i.e. some commercial CAs)
  · Their time line is driven by the largest customer base
  · All can do SHA-2 (since non-grid customers do request SHA-2-only PKIs)
  · it is because of these that RPs have to be ready: when directives come from the CABforum they will change, and do it irrespective of our time table!
· Keep in mind hardware issues, e.g. the old Aladdin eTokens (32k) do not support SHA-2

SHA-2 time line
https://www.eugridpma.org/documentation/hashrat/sha2-timeline

Now
· CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1
· CAs should issue SHA-1 end entity certificates on request
· CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request
· CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs

1st December 2013
· CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points

1st April 2014
· New CA certificates should use SHA-2 (SHA-512)
· Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)
· Existing root CA certificates may continue to use SHA-1

1st October 2014
· CAs should begin to phase out issuance of SHA-1 end entity certificates
· CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default

1st February 2015 ('sunset date')
· All issued SHA-1 end entity certificates should be expired or revoked

In case of new SHA-1 vulnerabilities, the above schedule may be revised.
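As an added example that is not part of the slides or of any IGTF tooling, the checker below applies the time line above to a single CA certificate, end entity certificate or CRL; the `kind` vocabulary, the `at` evaluation date and the ok/warn/fail grading (a violated "should" is a warning, a violated "may not" or the sunset is a failure) are assumptions of this example, not IGTF terminology.

```python
from datetime import date

SHA2 = {"sha256", "sha512"}
# Phase boundaries as stated on the slide (IGTF SHA-2 time line).
CRL_SHA2_OFFICIAL = date(2013, 12, 1)  # SHA-2 CRLs may appear at official distribution points
NEW_CA_SHA2 = date(2014, 4, 1)         # new / re-issued CA certificates should use SHA-512
EE_SHA2_DEFAULT = date(2014, 10, 1)    # SHA-2 EE certificates by default, SHA-1 phased out
SUNSET = date(2015, 2, 1)              # all SHA-1 EE certificates expired or revoked


def check(kind, hash_alg, issued, at, not_after=None, revoked=False):
    """Classify one object against the time line (assumed vocabulary, not IGTF's).
    kind: 'root' | 'intermediate' | 'ee' | 'crl' (official CDP) | 'crl-alternate'
    hash_alg: 'sha1' | 'sha256' | 'sha512'; issued: issuance date; at: date of the check;
    not_after / revoked: validity state of an EE certificate. Returns ('ok'|'warn'|'fail',
    reason): 'warn' marks a violated 'should', 'fail' a violated 'may' rule or the sunset."""
    hash_alg = hash_alg.lower()
    if hash_alg not in SHA2 | {"sha1"}:
        return "fail", f"signature hash {hash_alg!r} is outside the time line"
    if kind == "crl-alternate":
        return "ok", "any hash may be published at an alternate distribution point URL"
    if kind == "crl":
        if hash_alg in SHA2 and at < CRL_SHA2_OFFICIAL:
            return "fail", "SHA-2 CRLs at official distribution points only from 1 Dec 2013"
        return "ok", "CRL hash acceptable on this date"
    if kind in ("root", "intermediate"):
        if at < NEW_CA_SHA2:
            if hash_alg == "sha1":
                return "ok", "CA certificates should use SHA-1 before 1 Apr 2014"
            return "warn", "CA certificates in the distribution should use SHA-1 before 1 Apr 2014"
        if hash_alg == "sha512" or (kind == "root" and issued < NEW_CA_SHA2):
            return "ok", "SHA-512 CA certificate, or existing root that may continue to use SHA-1"
        return "warn", "new CA certificates should use SHA-512 (intermediates re-issued) from 1 Apr 2014"
    if kind == "ee":
        if hash_alg == "sha1":
            still_valid = not revoked and (not_after is None or not_after > SUNSET)
            if at >= SUNSET and still_valid:
                return "fail", "SHA-1 end entity certificate still valid after the 1 Feb 2015 sunset"
            if issued >= EE_SHA2_DEFAULT:
                return "warn", "SHA-1 end entity issuance should be phased out from 1 Oct 2014"
        return "ok", "end entity hash acceptable on this date"
    raise ValueError(f"unknown kind {kind!r}")


if __name__ == "__main__":
    # Constructed sample: a SHA-1 EE certificate issued 1 Mar 2014 and valid until
    # 1 Mar 2015, checked on the sunset date -> ('fail', ...).
    print(check("ee", "sha1", date(2014, 3, 1), SUNSET, not_after=date(2015, 3, 1)))
```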

On-line CA architecture – guidelines
EUGridPMA will (finally) draft the "On-line CA Guidelines":
· based on current wording in the Classic profile
· keep the network separation (models A or B, where A, with a private link between RA and signing system, is preferred)
· Allow import of a key pair into a token (taking it out of FIPS L3 mode) as long as there is a well-documented key generation and import ceremony
· L2 HSMs allowed if compensatory controls are in place
  · Keeping tokens and their systems in a solid safe-box and in a closed and locked cabinet in a monitored machine room is considered adequate
· Keys are permanently activated anyway, so L3 mode (separate usage functions like generation or use) is not used for our purposes
· Activation on boot should be manual (so the operator must be required to be present)

IDENTIFIER ONLY PROFILE
IOTA AP background · Guideline document · Distribution

Why? New use cases
· Data read-only access
· Portals
· Sharing between pre-trusted individuals or small groups
· Pre-vetted infrastructures (XSEDE, wLCG)
The level is technology agnostic, and can be applied to X.509, OIC, WebSSO federations, &c
· X.509 specific stuff is minimal

Differentiated LoA – Collaborative identity vetting
· Cater for those use cases where
  · the relying parties (VOs) already collect identity data
  · this relying party data is authoritative and provides traceability
  · the 'identity' component of the credential is not used
· through an authentication service that provides only
  · persistent, non-reused identifiers
  · traceability only at time of issuance
  · naming that may be real, pseudonymous, or set by the user and usually OK
  · and retains good security for issuance processes and systems
· and where the RP will have to take care of
  · all 'named' identity vetting, naming and contact details

Shifting responsibilities: a new Identity Assurance Level
Identity elements: identifier management · re-binding and revocation · binding to entities · traceability of entities · emergency communications · regular communications · 'rich' attribute assertions · correlating identifiers · access control

IGTF and other assurance levels
[Figure: my own personal classification of identity LoAs]

IOTA, a new Authentication Profile
· The Identifier-Only TA endorsed at IGTF All Hands
  · https://www.eugridpma.org/guidelines/IOTA/
· Unique persistent subjects, but naming can be a pseudonym or non-verified name
· Targets federations: so the home organisation is well known, verified and traceable, with some traceability to the end-user
· For human people and robots, not hosts or services
· Distinct naming of entities (no 'auto-upgrade' to higher LoA unless the original LoA was already high)
IOTA is the new name for the Light-weight ID Vetting profile

IGTF Distribution
· Distribution would be through a separate 'bundle'
  · Next to 'classic', 'mics', 'slcs', and 'experimental'
  · Note there never was an 'all' bundle for this very reason
· RPs will have to make an explicit choice to accept this, but it is unclear how to distinguish users on resources based on the incoming identity LoA level
· Starts in 1.56 with an empty bundle
· Subject naming of IOTA must be different from your other CAs
More end-user explanations on Wednesday in the ISGC Ops & security track

IGTF BYLINE

IGTF in 10 years from now …
Attributes and authorization becoming more important
· mere identity authentication is likely to become commonplace in the years to come (academic federations, commercial ID providers, etc.)
· But authorization, (community) assured attributes, and attribute composition are unsolved for research: the IGTF can reposition itself to address these new challenges
· anyway, consolidation of federations in the research and academic space means that there need be less emphasis on the classical CA work

Already ongoing …
· AA Operations Guideline
· Guideline on Trusted Credential Stores
· IOTA as a basis for community-provided assurance

Beyond the current framing: IGTF as a brand, not an acronym
Proposal
· IGTF be no longer considered an acronym, but be treated as a word where we can associate it with a more appropriate byline.
· Based on an extensive discussion by those present, it was concluded that a proposal be circulated to the other PMAs with a new 'byline':
IGTF: Interoperable Global Trust Federation supporting distributed IT infrastructures for research

If you concur …
· Revise the IGTF logo and its use on the website and docs
· Revise the IGTF web site – already scheduled
· Encourage wider participation in the IGTF, in particular by relying parties and infrastructures, with an emphasis on those having operational (security) aspects and/or representing relying user communities
  · role to play for 'catch-all' cases as well? – many of the current organisations and authorities also work 'bottom-up', serving limited numbers of researchers across a large number of institutions (with a few people each) – this is not the traditional use case for R&E federations … but it is for commercial IdPs

IGTF Web Site
Ongoing, some changes already done. Proposed:
· public-facing (RP, general public) function should be separated from any internal use
  · primary audience is RPs and the 'general' public
  · it should include a section for 'our own' integral IGTF use with links, agenda, &c
· add an introduction for 'humans'
· links to interviews and (iSGTW-like) articles about IGTF – everyone to send these to <webmaster@igtf.net>
· add a 'news' box with current information (to change monthly or so)
· Make the map more prominent
  · The mini-map should link to a PMA page with a clickable map or membership list
· encourage TAGPMA and APGridPMA to maintain a list of their meetings that can be linked to

UPCOMING MEETINGS

EUGridPMA Agenda
· 31st PMA meeting: Tartu, EE, 14-15 May 2014
· TNC 2014: 19-23 May 2014, Dublin, IE
· 32nd PMA meeting: 8-10 September 2014 (location tbd)
· 33rd PMA meeting: 12-14 January 2015, Berlin, DE (offered by DFN)