Minutes 2003-06-12

Introductions were made and the agenda agreed.

Round-table Status/Updates from current CAs

DOE Science Grid

Old DOE Science Grid certs accepted and renewed with new. Hardware storage modules in place. Vault installed. Offline off-site storage used to backup keys. From January 2004 only DOE Grid certs will be accepted. Users will be automatically notified.

LIP

Now issuing certs to other Portuguese institutions

Slovak Grid

Reissued certs. New RPM for server cert. Allow for institutions outside project.

Grid-Ireland

Some physical changes to security. Acceptance Matrix will be worked on over the summer.

CERN

No change in operation. Management moved from CS division to ?? division. Draft CP/CPS in use, taken to the lawyers and CERN security officer to approve. Lawyer examined the CP/CPS closely. Issues include governing law.

FZK

New root certificate, which will be issued shortly so that they are available before the end of the previous root cert. Waiting for RPMs. CA name changed. Marianne and CrossGrid websites need to be updated.

CESNET

Provide certs to old economic community for Czech Republic. Changed CP/CPS to mention new target audience.

UK

Changing extensions in cert. Fully qualified domain names. Non-critical extensions. Backup of private key requires 2/3 users. One of these is leaving so CPS needs to be changed. Could putting this in the CPS be a security hole? It highlights who to corrupt! This should only be documented internally.

Web based CA only supports Netscape 4.7. Another CA has support for IE, with the use of a patch to the client machine. Got the code from ECMRF. Now support NS 4.7 and IE x.x.

Spain

Developing RA web portal. Not ready but close. New person working in this area.

Distribution procedures and Cert Statistics

Aside: LDAP servers not available for some (most?) CAs.

RPMs and CRL management

In the past there have been RPMs ready, but not included in tagged release. (SlovakGrid) include out-of-date CRL with RPM, so that a CRL update is forced. (LIP) However, for UI, CRL update is not installed, so this would cause problems. Could get around this by only installing out-of-date CRL on CE, SE, etc. Useful for first installation, but upgrading a working system with LCFG would install an out-of-date CRL and stop the cluster working until the CRL is updated.

Procedures

CAs relatively stable, but there are changes.

Would be less secure to ask CAs to generate their own packages. Dave Kelsey will investigate streamlining the process with Sophie and Anders. Need to make sure these RPMs are included in EDG tags!

Physical exchange of secure information.

We need a policy. Suggested process: exchange email signing keys (PGP or X509) with all other CAs. Then information can be signed or encrypted to other CAs.

Still requires physical meetings. This is OK at meetings such as this, but more difficult if others do not attend!

For a new CA, they must give their key to the group physically, and then we can trust their communications.

A local/customized grid-cert-request

This would send a request to the local CA. Might simply present a message saying go to this website....

CA Statistics

Proposal: Collect quarterly statistics from CAs. from Q1 2001 to date

This could be difficult for large sites, depending on how this information was logged. Have to allow for expiration.

Aside: encrypting with expired, revoked certs will cause trouble. DOE don't allow encryption without escrowing.

The intention is to show the effort put into PKI and also to show the increase in user base.

What is the easiest value to get? Ignore revocation and expiry and just plot the issuing of certs.

Resolution: CAs will see what they can reasonably calculate and get back to Dave Kelsey. Suggestion: total certs issued or total certs valid.

Alternate CA software (Jens Jensen)

Presentation

Baltimore uniCert

Possible to use ARM (Advanced RA Manager) to validate requests before passing it on to a human RA.

RAL were quoted industrial strength prices for uniCert.

No special requirements for clients (browsers). Has a key-store and cert repository.

PyCA

(http://www.pyca.de/)

Has support scripts, but requires lots of manual configuration. Use it as lightweight CA in addition to Grid CA. For test purposes, authenticate with some local authentication mechanism.

Appears to have changed over the past year (more complex now?).

Aside: existing OpenCA system may not be scalable. For example DoS attack caused by google bots requesting list of valid certs.

Java Solution

Browsers do not come with JCE 1.4 (or even 1.3). May be necessary to manually upgrade JCE on clients.

Aside: Since this writes the PKCS12 file to disk we don't have to worry about extracting it from the browser.

Future: Jens would like to use a relational database to store requests, transactions, etc. Perhaps LDAP would be suitable.

Report on PKI Workshop (Bob Cowles)

Presentation

All problems have been solved

Proof of possession of private key: Need to show that the holder can use it once, i.e. to test usability.