GGF6 CAOPS Session 2
October 16, 2002, 12-1:30pm
http://gridcp.es.net/
Scribes: Jim Basney and Shawn Mullen

Agenda:
- Steve Chan's Automated Client Certificates paper
- CRLs
- Certificate publication
- Online CAs
- PMA coordination

Automated Client Certificates

Stephen Chan made a presentation on Automated Client Certificates, requesting a change to the CP.

Use cases: automated tools, backup, file replication. Don't want to overload people or service certificates. Want to avoid generating hundreds of certs which are indistinguishable from one another.

Comment: Server certificates don't need to be tied to a specific host. Hostname in cert helps user verify they're talking to the right machine but there's no requirement that it be there. Some CA policies require that server certificates be restricted to a single machine.

Issues: identity/accountability, shared certificates.

Question: Does NERSC currently have single sign-on? No.

Comment: Backup account must have high privilege to access files. What is the vulnerability of a private key stored with the backup account?

Proposed:
- New namespace for automated clients (ou=Robot).
- Shared certificates.
- Policy that acknowledges IT organizations as certificate owner.
- Robot certs can be recognized as being used for a specific purpose.

Question: How can you tell if a certificate is being used incorrectly?

Tony: Stay away from ou=nersc.gov. We've been down that path.

Comment: Why have a new namespace? What does it buy us? We want the certificate subject to indicate the type of the credential.

Policy regarding private keys: host keys must stay on a single host but may be unencrypted; user keys must always be encrypted.

A similar problem occurs with Kerberos. Created categories of Kerberos principals for each purpose.

Is the problem that it's too difficult to generate so many certificates? Is this a Grid problem? Some of the scenarios are local, but the replication example is a Grid example.

What about Steve Chan/Robot in the grid-mapfile?
Right now the /CN=proxy is stripped off in GSI comparisons. Steve shouldn't need to be around to create a new Robot cert when the machine boots.

Suggestion: Use service certificates with regular expressions in the grid-mapfile.

Why not just use a new CA (sub-CA)? The problem is sharing the certificate across a large number of machines. These certificates should probably not be issued by high-security CAs. A separate CA with a separate CP can issue the certificates. We want to resist creating more top-level CAs. It could be part of the CA hierarchy.

Does the WG feel this is a legitimate area for the WG to work on? General consensus: Yes. Steve and Matt will produce a draft document for discussion by the WG for GGF7. Eventually it will be folded into the CP document. Will other communities (example: Federal Bridge) accept this in the CP?

PMA Coordination

Tony and Randy have been talking with the MAGIC group to coordinate PMAs in the US. Should this group work on PMA coordination? Would that be a standing committee? GGF won't do that. Do we want to come up with a policy/guidance as a group to help bridge PMAs? We need a specific proposal. Tony and Randy will introduce one at the next GGF meeting. Bottom-up federation is another approach to this issue. Not using certs for authorization transport.

Online CAs

Randy began a discussion of Online CAs (for example, KCA). Traditional policies don't address Online CAs. A CPS for online CAs? Already done in the UK. Online CA: authenticate to obtain a session credential. Credential repositories are related. Also need to address the identity issues. Need both a CP and a CPS. Related issue: KCA credentials are too short-lived for long-running jobs. Also need definitions/terminology. What is an online CA? It is a credential translation service. The motivation is to reduce the cost of obtaining certificates. We can call it token services, according to the name in the Web Services Security roadmap. Mike Helm, Matt Crawford, and Doug Engert will draft a document.
Need to coordinate with the OGSA Security Identity working group.

Certificate Publication

Certificate publishing / online certificate repositories. Mike Helm and Roberto will work on this document. Certificates need to be published in an LDAP database. Related to VOMS (Virtual Organization Membership Service). Needs to be a requirement for Grid CAs. Call it "Queryable online certificate storage".

CRLs

Certificate Revocation Lists need to be addressed. EU Data Grid distributes CRLs daily. Globus CA has 6000 certificates, 600 entries in the CRL. Should we recommend OCSP? Federal Bridge supports CRL and OCSP. OpenSSL has an OCSPv1 implementation but it's not included in the standard distribution. It can be addressed by Mike in the certificate profile extension document.
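As an added example (not part of these minutes and not Globus code), here is a small Python model of the grid-mapfile lookup discussed under Automated Client Certificates: legacy GSI proxy components (/CN=proxy, /CN=limited proxy) are stripped before comparison, and a hypothetical "re:" entry form stands in for the suggested regular-expression entries, so certificates in the proposed ou=Robot namespace map to one account without a line per machine. The sample grid-mapfile, DNs and account names are constructed.

```python
import re

# Constructed sample grid-mapfile (not from the minutes). The quoted line is the
# standard exact-match format; the "re:" line is a hypothetical pattern entry
# covering every backup robot in the proposed ou=Robot namespace.
SAMPLE_GRIDMAP = '''\
"/O=Grid/OU=nersc.gov/CN=Steve Chan" schan
re:^/O=Grid/OU=Robot/CN=backup-[a-z0-9-]+$ backup
'''

# Legacy GSI proxy certificates append these components to the signer's subject.
PROXY_SUFFIXES = ("/CN=proxy", "/CN=limited proxy")


def strip_proxy(dn):
    """Drop trailing proxy components (any depth) so a proxy maps like its signer."""
    stripped = True
    while stripped:
        stripped = False
        for suffix in PROXY_SUFFIXES:
            if dn.endswith(suffix):
                dn = dn[:-len(suffix)]
                stripped = True
    return dn


def parse_gridmap(text):
    """Return (kind, key, local_user) tuples; kind is 'exact' or 're'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            pattern, user = line[3:].rsplit(None, 1)
            entries.append(("re", re.compile(pattern), user))
        else:
            m = re.match(r'"([^"]+)"\s+(\S+)$', line)
            if m:
                entries.append(("exact", m.group(1), m.group(2)))
    return entries


def map_dn(dn, entries):
    """Map a certificate subject to a local account, or None if nothing matches.
    Patterns are anchored and checked with fullmatch, so a backup-named cert
    from another OU (e.g. ou=nersc.gov) cannot reach the shared robot account."""
    subject = strip_proxy(dn)
    for kind, key, user in entries:
        if kind == "exact" and key == subject:
            return user
        if kind == "re" and key.fullmatch(subject):
            return user
    return None
```

Because every robot maps to one shared account, the subject that matched is the only thing that distinguishes machines; logging it at mapping time is what makes the "used incorrectly?" question answerable.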