
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agenda Call for note...

Date post: 18-Dec-2015
Upload: elijah-holland
Transcript
Page 1: 4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agenda Call for note takers!

4th APGrid PMA F2F Meeting

Academia Sinica, Taipei, Taiwan

April 8, 2008

Agenda

http://www.apgridpma.org/meetings/index.html

Call for note takers!

Page 2:

Updates of the APGrid PMA and recap of the IGTF

Yoshio Tanaka

Chair, APGrid PMA / AIST

Page 3:

Asia Pacific Grid PMA

• General Policy Management Authority in Asia Pacific
  – Not specific for ApGrid, Not specific for PRAGMA…
• Launched on June 1st, 2004
• Defines minimum CA requirements
  – Based on IGTF Classic AP maintained by EUGridPMA
• APGrid PMA approved that we accept two levels of CA:
  – Experimental-level CA
    – Alternative of the Globus CA
    – Can be trusted within A-P communities
  – Production-level CA
    – Strict management is necessary
    – Expected to be trusted by international communities
• Meetings
  – Regular VTC (every 3~4 months)
  – F2F meeting (once or twice a year)

Page 4:

Members (13 + 4)

• 9 Accredited CAs
  – In operation
    – AIST (Japan)
    – APAC (Australia)
    – ASGCC (Taiwan)
    – CNIC (China)
    – IHEP (China)
    – KEK (Japan)
    – KISTI (Korea)
    – NAREGI (Japan)
    – NECTEC (Thailand)
• 3 CAs under review
  – NGO (Singapore)
  – PRAGMA (USA)
  – NCHC (Taiwan)
• Planning
  – ThaiGrid (Thailand)
  – CDAC (India)
• General membership
  – Osaka U. (Japan)
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – USM (Malaysia)

Page 5:

Scope of the APGrid PMA

• Manage the PMA membership
• Define charter and minimum CA requirements
• Publish related documents
• Maintain and revise the documents
• Accredit authorities with respect to the minimum CA requirements
• Coordinate auditing and re-certification of accredited authorities
• Monitor member CA signing namespaces
• Operate a secure collection point for information about accredited CAs
• Be primarily concerned with Grid communities in Asia Pacific, and their external partners

Page 6:

APGrid PMA responsibilities

• CP/CPS
  – Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
• Other documents
  – Charter
  – Minimum CA requirements
  – Authentication Profiles

Page 7:

APGrid PMA responsibilities (cont’d)

• Accreditation
  – Accredit authorities according to the procedure defined in the charter.
• Audit
  – APGrid PMA is doing external auditing
• Operation
  – Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
• Obligation
  – All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.

Page 8:

General Architecture of the IGTF

• Member PMAs are responsible for accrediting authorities
• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
• Each AP is assigned by the IGTF to a specific member PMA.
  – Classic AP (EUGrid PMA)
  – Short Lived Credential Services (SLCS) AP (TAGPMA)
  – Member Integrated Credential Services (MICS) AP (TAGPMA)

Page 9:

General Architecture of the IGTF (cont’d)

• Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
• All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP will come into effect.
• Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
• Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

Page 10:

Requirements for accredited authorities

• Maintain at least one contact mechanism which must allow for unmoderated access to report problems and faults regarding the authority by the relying parties and general public.
• This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
• Must disclose to the accrediting PMA and to the general public its documented policies and practices.

Page 11:

Implementation of the federation

• Each PMA maintains information of all accredited CAs.
  – Root certificate
  – CRL Distribution Point
  – Point of contact
  – Signing policy file
  – Pointer to the CP/CPS
• Information from all the PMAs is packed into a single tarball/RPM and distributed as an IGTF CA distribution
  – No hierarchies. All accredited CAs are included in a flat structure
  – Once you are accredited by the APGrid PMA, you are an IGTF-accredited CA
• The IGTF CA distribution is released every few weeks
  – David Groep will notify all member CAs of the plan for a new release and ask for reports of any updates.
  – Distribution frequency is flexible.
• The information is stored in the CVS repository maintained by the EUGrid PMA
  – Yoshio, Mason, and Darcy have accounts on the CVS server
  – If you have modified CA cert, etc., please let me know.
• IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site.
• APGrid PMA is planning to mirror the CVS server as well.
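
The slides list a signing policy file for each accredited CA and name monitoring of member CA signing namespaces as a PMA task. The following is an added example, not taken from the slides or from IGTF tooling: it parses signing policy files from a flat bundle and reports subject DNs that more than one CA is permitted to sign. It assumes the Globus-style signing_policy syntax (access_id_CA, pos_rights, cond_subjects), which the slides do not spell out; the CA names, DNs, file names and function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample: two signing_policy files from a flat CA bundle (names and DNs invented).
SAMPLE_BUNDLE = {
    "ca-a.signing_policy": """
# Example CA A (constructed)
access_id_CA   X509    '/C=XX/O=Example Grid A/CN=Example CA A'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=XX/O=Example Grid A/*"'
""",
    "ca-b.signing_policy": """
access_id_CA   X509    '/C=YY/O=Example Grid B/CN=Example CA B'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=YY/O=Example Grid B/*" "/C=XX/O=Example Grid A/OU=Shared/*"'
""",
}

def parse_signing_policy(text):
    """Return {issuer DN: [permitted subject patterns]} for one file."""
    policy, issuer = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        key, value = parts[0], parts[2].strip().strip("'")
        if key == "access_id_CA":
            issuer = value
            policy[issuer] = []
        elif key == "cond_subjects" and issuer is not None:
            # Patterns are double-quoted inside the single-quoted value.
            policy[issuer] += re.findall(r'"([^"]*)"', value) or [value]
    return policy

def load_bundle(files):
    """Merge every file into one flat issuer -> patterns map (no hierarchy)."""
    merged = {}
    for text in files.values():
        merged.update(parse_signing_policy(text))
    return merged

def issuers_allowed(policies, subject_dn):
    """Issuers whose namespace admits subject_dn; '*' is matched with fnmatch."""
    return sorted(ca for ca, pats in policies.items()
                  if any(fnmatch.fnmatchcase(subject_dn, p) for p in pats))

def namespace_overlaps(policies, probe_dns):
    """Probe DNs that more than one issuer may sign: items for PMA review."""
    hits = {dn: issuers_allowed(policies, dn) for dn in probe_dns}
    return {dn: cas for dn, cas in hits.items() if len(cas) > 1}
```

Because the bundle is flat, a relying party trusts every issuer in it equally, so an overlap such as the constructed OU=Shared entry above is the kind of finding namespace monitoring is meant to surface.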

Page 12:

Chair’s role

• A Point of Contact for the PMA
• Running the PMA meetings
• Ensuring that all voting is recorded and published
• Leads discussions
• Contributes to the IGTF
  – Attend meetings of EUGridPMA and TAGPMA
  – Attend OGF
  – Best effort basis
• Maintains the IGTF CA Distribution
  – Commit/delete/update files of APGridPMA-accredited CA
• Maintains web site
• Maintains ML

Page 13:

Businesses

• Chair election
• Next F2F meeting
  – September 2008, Singapore
• How to protect the ML from SPAM
• TACAR and PGP/Thawte key signing

Page 14:

7th TAGPMA Face-to-Face Meeting

TACAR Registration and Accreditation

Vinod Rebello and Mike Helm

NERSC, Oakland, CA, USA

April 2 – 4, 2008

The Americas Grid Policy Management Authority

Page 15:

7th TAGPMA F2F, April 2008 Vinod Rebello – [email protected]

TACAR

• http://www.tacar.org
• The TERENA Academic CA Repository (TACAR) offers a trusted and centralized place where root CA certificates can be stored and safely downloaded.
• The only requirement to be part of TACAR is that the applying CA operates for the research and academic community
• IGTF and TAGPMA approved third party repository

Page 16:

Joining TACAR

• Read Policy – currently version 1.4.3
• CA Manager should fill in the Letter of Registration (Annex I)
  – Contains info on the CA, Root certificate, location of CP/CPS and its PDF fingerprint
• The Letter of Accreditation needs to be signed by the head of the institution to which the CA is affiliated.
• Letters which are being provided for the first time must be validated via a face-to-face meeting between the representative(s) of the applying CA and a TACAR representative

Page 17:

Required files

• Letters to be presented on paper (two copies of each) and in electronic (PDF) form on CD
• Also on CD
  – The detached PGP signatures of the two letters
  – PDF version of the CP/CPS
  – Root Certificate in PEM format
  – And their respective detached PGP signatures
  – Also the PGP Key

Page 18:

Trusted Introducer

• If you can't meet with Licia Fiorio in person then talk to
  – Mike Helm
  – Yoshio Tanaka
• The TI is basically the TERENA RA.
• The TI will deliver all material collected to TERENA by using signed email for the electronic information and postal mail or face-to-face meeting for the paper material.

