OGF27 CAOPS meeting

Agenda:
- Status of the RPDNC Document [DavidG, Jens Jensen]
- Status of the Auditing Guidelines Document [Yoshio Tanaka]
- Status of Authentication Service Profile Document [Christos Kanellopoulos]
- Discussion on private key protection [Jens Jensen]
- Input to OGF for the collaboration between CAOPS and IGTF
- AOB

Summary:
* Yoshio will update the Auditing Guidelines by end of November to match the latest Classic AP and provide a spreadsheet checklist as a separate document. Alan Sill will help.
* DavidG and Jens will respond to the public comments and make minor edits as needed to the RPDNC document by end of November.
* Jens and Scott will draft a document on private key protection by the next OGF.
* Yoshio Tanaka and Jim Basney will be reviewers for the ARCS SLCS.

Minutes:

Unfortunately Christos could not join us due to illness.

Yoshio gave an update on the Auditing Guidelines document. The public comment period was Mar 2 to Apr 1 2009. Nine comments were submitted; four of them were just "I support." Yoshio hasn't had time to address the remaining five comments. The document needs to be updated to the latest IGTF Classic AP. Must the document be updated whenever the Classic AP is updated? Does the OGF process support this? GFDs aren't meant to be updated frequently; GFD.125 has never been revised. We have collected changes for the next version. A revision would be a new document and would go through public comment again. One option is to make this document an example, with IGTF maintaining the updated version. Or maintain it on gridforge? Could the checklist be moved to a separate spreadsheet? TAGPMA has a spreadsheet. Should it also include RFC 2527 paragraph numbers? It already does. It will be published on the OGF website once it's a GFD. Should it be updated to support the MICS and SLCS profiles? APGridPMA doesn't have MICS or SLCS, so Yoshio doesn't have experience with them. Can someone else add it? Should the audit guidelines be profile-specific, or can they be more general? That would be a lot of work to change at this point. Alan Sill volunteered to help. Action: provide the spreadsheet checklist as a separate document.

DavidG gave an update on the RPDNC document. Only one reviewer posted comments during the public comment period. The document doesn't sufficiently address an RPDNC file's life-cycle; it needs to reiterate that the relying party creates these files. David and Jens will work to clarify this. Is there an issue of trust between the CA and the RPDNC creator? No: it is entirely up to the relying party to do it. This document should focus on the RPDNC requirements. Some of the more complex examples show the composition of RPDNC policies; Jens will look at clarifying it. Alan recommends looking at openspf.org as an example policy framework. Are proxy certificates in scope? No. There were also editorial comments. Should the security considerations section discuss distribution of RPDNCs? We consider it out of scope, which should be stated in the security considerations section. DavidG and Jens will write responses to the comments and make minor edits to the document.

The group is not aware of any progress on the Authentication Service Profile template document, and Christos is unfortunately not here (due to illness) to give us an update.

Jens led a discussion on private key protection. Goal: document best practices on private key protection. IGTF is drafting an End User Private Key Protection document. Scott Rea has documented a scheme for generating and distributing CA private keys for USHER. Key backup versus escrow: escrow is storing the key with a third party. The aim is to have a draft by the next OGF. Scott Rea volunteers to help. This would be a community practice document that lists several options.

Dhiva gave an update on the DOEGrids CA move to netHSMs. They will start with one netHSM for a low-usage CA and monitor it, then later move the DOEGrids CA to netHSMs and deploy a second netHSM in a remote location. They are using nCipher netHSMs. Dartmouth uses Luna SA4. ES.net netHSMs will be in production next week in multiple locations. The Brazilian Cryptus HSM could be used as a netHSM; it is FIPS Level 4 and wipes itself frequently on voltage violations. DOEGrids runs the netHSM client on Linux, with two options: nToken or nCipher software. The Brazilian HSM follows the OpenHSM framework. Jens has MyProxy connected to an nCipher HSM. NCSA has MyProxy connected to a SafeNet HSM.

Christos proposed a discussion of input to OGF, but he's not here... Not sure what this is about. Should IGTF become a formal partner of OGF? Jens will consider.

Discussion of the agenda for the IGTF workshop session this afternoon:
* Review of ARCS SLCS
* Discussion of CA termination

End of CAOPS session. Beginning of IGTF workshop session.

Neil Witheridge presented the ARCS SLCS. Federation members will self-assert that they meet requirements and must be open to external audit, but it's not clear that audits will be required. The current SLCS is not up to the SLCS Profile identity vetting requirements. The SLCS client screen-scrapes the Shibboleth IdP login page for authentication. The SLCS server is modified software from SWITCH. IGTF SLCS will look for an eduPersonAssurance value of LOA2. The CN component consists of the 'cn' attribute value and the 'auEduPersonSharedToken' attribute value from Shibboleth. There is a requirement for delegation to grid portals. Are there portals that can't meet the guidelines of <https://grid.ie/eugridpma/wiki/GuidelineOnPrivateKeyProtection>? In that case, Neil proposed a proxy delegation architecture rather than direct SLCS certificate issuance to the portal. The accreditation timeline depends on the Australian Federation timeline; they will likely pursue accreditation next year. IGTF should proceed with the Private Key Protection document so it can be referenced by the Authentication Profiles by the end of the year. Yoshio and Jim Basney will be reviewers for this CA.

Yoshio led a discussion of CA termination. The APAC project is done and ARCS took over the APAC CA. The desire is to change the CA name. If the issuer name changes, users will need to re-register with VOMS. The UK and Swiss CAs have done a CA name change like this. Discussion of the difference between SLCS EECs issued to portals versus proxy certificates issued to portals.

Adjourn for the day.
participants (1)
-
Jim Basney