Post on 18-Dec-2015
4th APGrid PMA F2F Meeting
Academia Sinica, Taipei, Taiwan
April 8, 2008
Agenda
http://www.apgridpma.org/meetings/index.html
Call for note takers!
Updates of the APGrid PMA and recap of the IGTF
Yoshio Tanaka
Chair, APGrid PMA / AIST
Asia Pacific Grid PMA
General Policy Management Authority in Asia Pacific
  Not specific to ApGrid, not specific to PRAGMA…
Launched on June 1st, 2004
Defines minimum CA requirements
  Based on IGTF Classic AP maintained by EUGridPMA
APGrid PMA approved that we accept two levels of CA:
  Experimental-level CA
    Alternative to the Globus CA
    Can be trusted within A-P communities
  Production-level CA
    Strict management is necessary
    Expected to be trusted by international communities
Meetings
  Regular VTC (every 3~4 months)
  F2F meeting (once or twice a year)
Members (13 + 4)
9 Accredited CAs
  In operation
    AIST (Japan)
    APAC (Australia)
    ASGCC (Taiwan)
    CNIC (China)
    IHEP (China)
    KEK (Japan)
    KISTI (Korea)
    NAREGI (Japan)
    NECTEC (Thailand)
3 CAs under review
  NGO (Singapore)
  PRAGMA (USA)
  NCHC (Taiwan)
Planning
  ThaiGrid (Thailand)
  CDAC (India)
General membership
  Osaka U. (Japan)
  U. Hong Kong (China)
  U. Hyderabad (India)
  USM (Malaysia)
Scope of the APGrid PMA
Manage the PMA membership
Define charter and minimum CA requirements
Publish related documents
Maintain and revise the documents
Accredit authorities with respect to the minimum CA requirements
Coordinate auditing and re-certification of accredited authorities
Monitor member CA signing namespaces
Operate a secure collection point for information about accredited CAs
Be primarily concerned with Grid communities in Asia Pacific, and their external partners
APGrid PMA responsibilities
CP/CPS
  Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
Other documents
  Charter
  Minimum CA requirements
  Authentication Profiles
APGrid PMA responsibilities (cont’d)
Accreditation
  Accredit authorities according to the procedure defined in the charter.
Audit
  APGrid PMA is doing external auditing
Operation
  Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
Obligation
  All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.
General Architecture of the IGTF
Member PMAs are responsible for accrediting authorities
The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
Each AP is assigned by the IGTF to a specific member PMA.
  Classic AP (EUGrid PMA)
  Short Lived Credential Services (SLCS) AP (TAGPMA)
  Member Integrated Credential Services (MICS) AP (TAGPMA)
General Architecture of the IGTF (cont’d)
Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP will come into effect.
Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.
Requirements for accredited authorities
Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and general public.
This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
Must disclose to the accrediting PMA and to the general public its documented policies and practices.
Implementation of the federation
Each PMA maintains information of all accredited CAs.
  Root certificate
  CRL Distribution Point
  Point of contact
  Signing policy file
  Pointer to the CP/CPS
Information from all PMAs is packed into a single tarball/RPM and distributed as an IGTF CA distribution
  No hierarchies. All accredited CAs are included in a flat structure
  Once you are accredited by the APGrid PMA, you will be an IGTF-accredited CA
IGTF CA distribution is released every few weeks
  David Groep will notify all member CAs of the plan for a new release and ask for reports of any updates.
  Distribution frequency is flexible.
The information is stored in the CVS repository maintained by the EUGrid PMA
  Yoshio, Mason, and Darcy have accounts on the CVS server
  If you have modified your CA cert, etc., please let me know.
IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site.
  APGrid PMA is planning to mirror the CVS server as well.
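The signing policy file carried for each CA is what lets a relying party confine that CA to its own namespace inside the flat distribution. The following is an added example, not part of the slides: it assumes the Globus-style signing_policy syntax, uses two constructed CAs and file names, and only handles `*` wildcards when comparing namespaces.

```python
import re
from itertools import combinations

# Constructed sample files for two hypothetical CAs (not real IGTF entries).
POLICIES = {
    "ca-one.signing_policy": (
        "# constructed sample\n"
        "access_id_CA X509 '/C=XX/O=Example Grid/CN=Example CA One'\n"
        "pos_rights globus CA:sign\n"
        "cond_subjects globus '\"/C=XX/O=Example Grid/*\"'\n"),
    "ca-two.signing_policy": (
        "access_id_CA X509 '/C=YY/O=Sample Org/CN=Sample CA Two'\n"
        "pos_rights globus CA:sign\n"
        "cond_subjects globus "
        "'\"/C=YY/O=Sample Org/*\" \"/C=XX/O=Example Grid/OU=Guest/*\"'\n"),
}

def parse_signing_policy(text):
    """Return (issuer DN, list of subject patterns the CA may sign)."""
    ca_dn, patterns = None, []
    for line in text.splitlines():
        line = line.strip()
        quoted = re.search(r"'([^']*)'", line)
        if line.startswith("#") or not quoted:
            continue  # comments and lines without a quoted value (pos_rights)
        if line.startswith("access_id_CA"):
            ca_dn = quoted.group(1)
        elif line.startswith("cond_subjects"):
            body = quoted.group(1)
            patterns += re.findall(r'"([^"]*)"', body) or [body.strip()]
    if ca_dn is None or not patterns:
        raise ValueError("signing policy lacks access_id_CA or cond_subjects")
    return ca_dn, patterns

def may_sign(patterns, subject_dn):
    """True if subject_dn is inside the namespace; only '*' is a wildcard."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), subject_dn)
               for p in patterns)

def namespace_overlaps(policies):
    """Pairs of CAs where one pattern's literal prefix extends the other's."""
    parsed = [parse_signing_policy(t) for t in policies.values()]
    hits = []
    for (ca_a, pats_a), (ca_b, pats_b) in combinations(parsed, 2):
        for a in pats_a:
            for b in pats_b:
                pa, pb = a.split("*")[0], b.split("*")[0]
                if pa.startswith(pb) or pb.startswith(pa):
                    hits.append((ca_a, a, ca_b, b))
    return hits
```

Run against every signing policy file in a candidate release, a non-empty result from `namespace_overlaps` marks two CAs claiming the same subject namespace, which needs resolving before the release goes out.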
Chair’s role
A Point of Contact for the PMA
Running the PMA meetings
Ensuring that all voting is recorded and published
Leads discussions
Contributes to the IGTF
  Attend meetings of EUGridPMA and TAGPMA
  Attend OGF
  Best effort basis
Maintains the IGTF CA Distribution
  Commit/delete/update files of APGridPMA-accredited CA
Maintains web site
Maintains ML
Businesses
Chair election
Next F2F meeting
  September 2008, Singapore
How to protect the ML from spam
TACAR and PGP/Thawte key signing
7th TAGPMA Face-to-Face Meeting
TACAR Registration and Accreditation
Vinod Rebello and Mike Helm
NERSC, Oakland, CA, USA
April 2 – 4, 2008
The Americas Grid Policy Management Authority
7th TAGPMA F2F, April 2008 Vinod Rebello – vinod@ic.uff.br
TACAR
• http://www.tacar.org
• The TERENA Academic CA Repository (TACAR) offers a trusted and centralized place where root CA certificates can be stored and safely downloaded.
• The only requirement to be part of TACAR is that the applying CA operates for the research and academic community
• IGTF and TAGPMA approved third party repository
Joining TACAR
• Read Policy – currently version 1.4.3
• CA Manager should fill in the Letter of Registration (Annex I)
– Contains info on the CA, Root certificate, location of CP/CPS and its PDF fingerprint
• The Letter of Accreditation needs to be signed by the head of the institution to which the CA is affiliated.
• Letters which are being provided for the first time must be validated via a face-to-face meeting between the representative(s) of the applying CA and a TACAR representative
Required files
• Letters to be presented on paper (two copies of each) and in electronic (PDF) form on CD
• Also on CD
– The detached PGP signatures of the two letters
– PDF version of the CP/CPS
– Root Certificate in PEM format
– And their respective detached PGP signatures
– Also the PGP Key
Trusted Introducer
• If you can't meet with Licia Fiorio in person then talk to
– Mike Helm
– Yoshio Tanaka
• The TI is basically the TERENA RA.
• The TI will deliver all material collected to TERENA by using signed email for the electronic information and postal mail or face-to-face meeting for the paper material.