GGF CA Ops Working Group
GGF7
Wed Mar 5 2003, 16:00-17:30
Tsukui room, Hotel Intercontinental Keio Plaza, Tokyo

Agenda:

1. Review minutes from last meeting - led by Tony and Randy

2. Review last call documents - led by Marty Humphrey
   - Trust Model
   - PMA Charter
   - Grid CP

3. Review milestones
   10/17/2002  Finish Global Grid Forum Certificate Policy Model
   10/17/2002  Finish Trust Model
   10/17/2002  2nd draft of Certificate Profile
   10/17/2002  2nd draft of Policy Management Authority Working Charter
   05/07/2003  Finish Certificate Profile
   05/07/2003  Finish Policy Management Authority Working Charter

4. Review working documents
   - Re-review Policy Management Authority Charter - led by Tony
   - Discuss Grid Certificate Extensions Profile - led by Michael
   - Discuss Automated Client Certificates - led by Steve Chan
   - Discuss Grid Common CA Naming Practices - led by Michael
   - Discuss Machine Assisted Trust Mechanisms for Grids - led by Paul Madsen
   - Review UNICORE Security Model, final version - led by Letz Reinhard
   - Discuss PKI Disclosure Statement - led by Tony

5. Next steps discussion
   - Cross trust models
   - Certificate profiles
   - Certificate revocation list management
   - Physical security management
   - Disaster recovery

Meeting Minutes:

Tony reviewed the GGF Intellectual Property Notice, online at .

Tony reviewed the agenda.

Tony presented the "Machine Assisted Trust Mechanisms for Grids" paper.
- Simple, low-cost alternative to CP/CPS for the establishment of bilateral trust relationships between Grid entities.
- Better than a PKI Disclosure Statement:
  - No strong binding between PDS and CA
  - PDS is not machine readable
  - No publishing rules (discovery)
  - Unnecessarily hierarchic
  - Unable to provide detail on the applications for which a particular certificate class is appropriate
- XML schema for the QIK statement is under development.

Question: Is this of interest for OGSA security efforts?
- Tony says this paper may end up in another working group, perhaps an OGSA working group.
- Tony: It could be generalized to exchanging general policy information, with a CA-specific application (i.e., a schema for CA policy).

Question: Is this tied to digital signature work in OASIS?
- Tony didn't know.

Comment: Paul is trying to solve the problem of how to trust CAs -- a problem that many of us are struggling with. May support provisional authorization while further investigation is done. Allows you to find out information about unknown CAs. Very useful given how many CAs there are.

Some in the session hadn't read the document but expressed interest.

Tony presented a "PKI Disclosure Statement" paper.
- Simple document published by the PMA that summarizes the CP/CPS
- Easy to review by subscribers and relying parties
- Doesn't replace the CP/CPS
- Only an interim step to automation (QIK)
- Based on ABA PAG appendix 6
- Originally proposed by VeriSign

Example at

Please review this document for discussion and review at GGF8.

Marty reviewed the working group's last call documents.
- Miscommunication impeded GFSG review
- GFSG discussion closed Feb 12
- No comments on the Certificate Policy Model paper
- GFSG would like to change the title of the "Trust Model" paper to "Trust Issues"
- 60-day public comment will begin soon, but the GGF infrastructure for that isn't in place yet
- Concern was expressed by some members about the delays for these documents compared with other WGs' documents.
- GFSG was alarmed by the PMA document, which advocated GGF running a PKI and its associated PMA
  - Was returned, needing "addl edits" or "outside of the working group's charter"
  - Peter Gates and Bob Cowles have made comments.
  - New version on web site.
- Comment: Is this for Grid CAs? If it's not specific to Grid PKIs, why are we doing it?
  - Tony: We could add specific language for Grids as needed.
- Comment: Could be generalized to other forms of authentication. Why limit to PKIs?
  - Marty: That would be outside the scope of this group.

Michael presented the "Grid Certificate Extensions Profile" document.
- Based on review of current practice and problems discovered in practice for EDG.
- Interoperability problems with X.509 extensions
- Status: new draft is now available; needs additional authors, review, and discussion
- Comments:
  - RFC 3280 review?
  - RFC 3280 not fully implemented by vendors
  - Standard or best practice?
  - Authorization profile?

Michael solicits feedback from people "with an axe to grind." :)

Michael presented the "Grid Common CA Naming Practices" document.
- Antithesis of the CA extension problem
- CA extension difficulties:
  - Ambiguity in the PKIX profile (e.g., policy extension)
  - Immaturity of community use (e.g., CRL / OCSP)
  - Certificates can be re-issued, but it is expensive
  - Difficulty in arriving at a useful standard (time)
- Difficult to discover CA documents (CRLs, public keys, CP)

Michael asks if the group is interested in picking up this paper as a work item.
- Comment: PKIX and X.509 have solutions for this.
  - Embed info (URL) in X.509 certificate extensions
  - But difficult to change existing certificates
  - CRL pointers support URLs embedded in old certificates

Michael presented a roadmap:
- CA extensions + naming ->
  - PKI services discovery (perhaps SRV)
  - Some interest in this in PKIX & IETF too
- CA extensions + QIK ->
  - Automation of data collection for trust
  - Add: SRV for CA : Get
  - Automation of trust for strange EE certificate, subject to various rules
- CPS + PKI disclosure -> policy presentation

Michael will begin a discussion of this on the mailing list.

Marty clarified that previous documents used an old public comment process, and this working group's documents will use a new public comment process that is being put in place very soon now.

Matt Crawford presented an "Automated Client Certificates" paper.
- Certificates for processes which are not specifically initiated by a human. Such processes may not be describable as Services.
- Can these entities exist in a Grid PKI? Consensus: Yes.
- How to handle separate instances of a distributed system?

Matt will keep the list posted on updates to this paper.

Reinhard Letz presented a "UNICORE Security Model" paper.
- Comment: Is this out of scope for this working group?
  - Since it's informational, there's no problem.
  - Will be submitted for final call as informational.
- A new paper will provide an overview of the UNICORE CA and RA infrastructure, with details of the UNICORE CA policy.

Meeting adjourned.