PKI-COORD: PKI Coordination for Europe
DRAFT Minutes of the PKI-COORD meeting
March 13, 2002
Aristo Zalen, Amsterdam, Netherlands
Agenda
1. Opening
2. Round table introduction
3. Agenda bashing
4. Actions from previous meetings
5. Round of NREN news update
6. European activity/projects Overview
6.1. Grid Security Infrastructure (GSI) and the EU DataGrid Authentication Infrastructure - David Groep, NIKHEF
6.2. EuroPKI Update: the evolution of the EuroPKI and the NASTEC project - Corrado Derenale, EuroPKI
6.3. PERMIS Update
7. Cooperation and coordination with PKI related projects in Internet2: MACE/Shibboleth, GRID
8. Discussion about the PKI-COORD Technical Agenda and proposed Term of Reference
9. Next meeting
10. AOB
11. New and Open Actions
Appendix A. List of Attendees
Note. Meeting Programme and presentations are available at http://www.terena.nl/projects/pki/pki-coord020313agenda.html
Apologies were received from:
Christoph Graff
David Chadwick
Roberto Barbera
2 and 3. Round of Introductions and Agenda bashing
27 delegates attended the meeting from 14 countries. A list of those attending is appended to these minutes.
4. Actions from previous meetings
Status of open actions from previous meetings:
| Action | Owner | Description | Status |
|---|---|---|---|
| 0-1-1 | all | TERENA to establish a small group of NREN representatives to draft a Statement about EuroPKI. | Removed |
| 0-2-1 | | Begin to aggregate PKI CPs and prepare a list of the differences between these documents. TERENA to form a group of volunteers for this work. | Preparation work has been done by TERENA, next step by NRENs' experts |
| 0-2-2 | | Ken Klingenstein agreed to mail the new Internet2 CP to the pki-coord email distribution list. | Done |
| 0-2-3 | YD | Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list. | Initial information was sent to the list, detailed presentation to be sent to the list |
| 0-2-4 | AL, DL | Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list. | Done, covered in presentation by Corrado Derenale (see also http://www.setcce.org/nastec/) |
| 0-2-5 | AL, DL | Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings. | Ongoing |
| 0-2-6 | | The Americans agreed to report back on the progress made with using the Federal Bridge PKI model. | Report under Agenda item 7 |
| 0-3-1 | YD | Yuri Demchenko to update Internet2 related information at TERENA's PKI-COORD webpage. | Progressing |
| 0-3-2 | TERENA | TERENA Secretariat to invite GRID people working with Security issues to the next PKI-COORD meeting and investigate interest in holding a special meeting to discuss possible GRID coordination activity/issues. | Done, resulted in this meeting and BoF on Middleware for GRID Aware Networks |
| 0-3-3 | | PKI-COORD to collect requirements from different communities and define common requirements for the European wide PKI. | Transferred to the deliverables of the Task Force |
| 0-3-4 | TERENA, CG, TV, DL | TERENA Secretariat and volunteers (Diego, Christoph, Ton) to prepare a Questionnaire to collect these requirements. | Transferred to the deliverables of the Task Force |
Regarding Action 0-2-2, Ken Klingenstein explained that Internet2 now has three documents: a formal CP that can map to the federal government CP; a combined CP for lightweight use (with no legal responsibilities in the document); and a one-page document on handing out Shibboleth accounts.
Regarding Action 0-2-3, Yuri gave an update on the current status of the IETF SACRED WG and explained that, in addition to the initial information on SACRED sent to the list, he has prepared a SACRED Overview presentation, which is available at http://www.terena.nl/task-forces/tf-aace/docs/pki-coord--sacred-overview.ppt.
Diego explained that time constraints did not allow him to do more work on Action 0-2-5 (investigating the use of CA bridges in Europe); however, they are thinking about establishing an experimental Bridge CA to serve cases where the CAs of some communities (e.g. banks, governments, etc.) do not want to join a hierarchy.
5. Round of NREN news update
REDIRIS (Diego Lopez) - RedIRIS formally joined EuroPKI last week and received a certificate from them. They are now re-writing their CP in compliance with RFC2527. They have the CPS for the root CA and the top-level subordinate CAs, and will be re-signing all the certificates (in place of the self-signed certificates). However, all current subordinate CAs will have the choice of joining the new hierarchy or staying in the RedIRIS one. The current version 1.1.0 of PAPI includes hierarchical aggregation of Points of Access (PoA), which simplifies the management of resources that share a common access policy, both at the authentication point and at the controlled resource. There is a plan in Spain to build a central PAPI service, which is needed for small sites with few computers that do not need PAPI's full complexity.
Ken asked about the level of assurance of the certificates they issue. Diego said they only issue certificates to institutions from their constituency; the papers must be signed by two responsible people, and the responsibility must be confirmed by a telephone call with the person appointing the CA's technical contact. Photo-ID authentication must be applied to anyone who is issued a certificate. Revocation of certificates is possible. Currently 30% of universities are using PKI, but only a few of them use certificates for real-life applications such as booking sports facilities with a smart card or exchanging medical data and library documents. There is no information on any university using a commercial CA. The Spanish Tax Agency has an agreement with some universities to accept their certificates for tax declarations.
GRNET (Panagiotis Saragiotis, GRNET) - Still waiting for funding before they can start the work.
POLAND (Maja Gorecka-Wolniewicz and Tomasz Wolniewicz, NCU) - The LDAP consortium has a project running. They have put forward plans for PKI (Politechnika Wroclawska is a member of NASTEC). They expect that most people in Poland will have a certificate for official purposes (such as taxation or university admission), so it does not seem sensible to issue a separate certificate for the universities.
SWEDEN (Torbjörn Wiberg, Umeå Universitet) - They are proceeding further with PKI implementation for universities and university colleges (http://www.umu.se/it/projupp/swupki/). 5 or 6 members are in their system, and two more universities have joined SwPKI recently. As a next step they plan to develop their own tools; requirements are currently being discussed. The government procurement of citizens' certificates finished in December 2001 but left many questions unclear: there are a couple of models for paying for certificates, revocation checks, smart card use, etc. Currently the Tax Authority issues soft certificates for taxation purposes that reside on the home computer. No plans to join EuroPKI.
Action 1-1. Torbjörn to send information about the Swedish Government procurement on PKI/Certificates for citizens to the list.
GERMANY (Peter Gietz, DAASI) - There is some activity going on in the German government to set up a federal PKI system (PKI1). They are finalising a directory concept and are thinking of linking to a bridge CA that will be maintained by big companies such as the banks. The federal system will only issue certificates to CAs; certificates for individuals may be issued by organisations such as the post office. The universities' PKI system, started with the DFN project in 1995, resides inside one network/hierarchy, and in the future some bridge CA with the government PKI may be needed.
CESNET (Milan Sova, CZ) - They are running a PKI to support the Grid projects in the Czech Republic. They have published their CP and CPS (in English) according to the Grid requirements, and some tens of certificates have been issued. They have started to push an academic PKI to persuade universities to build compatible solutions/infrastructure.
Action 1-2. Milan to send the URL of the CP/CPS to the PKI-COORD mail list.
SURFnet (Ton Verschuren, SURFnet) - They now have nine organisations in the PKI and have been piloting four projects since early 2001. One project on smart card use for storing individual certificates has finished; there were many problems of a simple technical character, like printing on the smart card. Two reports of possible interest to the PKI-COORD group that came out of the PKI smart card trials are available:
SWITZERLAND (Thomas Lenggenhager, SWITCH) - The commercially operated public PKI in Switzerland (Swisskey) was closed down as the operators (two Swiss banks) decided it was not a viable business. An effort is currently under way to find alternative solutions for a Swiss public PKI. Some independent parties undertook a feasibility study of the business model for PKI in Switzerland; it concluded that it is not viable until the government adopts the legal use of certificates. SWITCH is looking for other solutions to the problem of Authorisation and Authentication (AA) for the academic community. An independent study on AA has been undertaken and is now at its midpoint; it targets three areas: technical, legal and financial. Solutions investigated include PAPI, Shibboleth and a SWITCH native solution. The report will be available no earlier than May 2002, and a decision on the architecture will not be taken until the summer. Some of the universities have adopted smart cards as ID for students; these could be used for storing private keys and certificates.
NORWAY (Anders Lund and Stig Venaas) - UNINETT is not just focused on PKI. It is looking at different ways of providing authorisation and authentication through a single student ID card. They have a project called FEIDE (presented at the last PKI-COORD meeting) consisting of three different projects on PKI, user management, and AA techniques (for more information see http://www.uninett.no/prosjekt/feide/ and http://www.terena.nl/task-forces/tf-aace/pki-coord011126minutes-draft.html#5.4). The GNOMIS coordination group, established to coordinate middleware projects in Scandinavia, will meet next on Sunday 14 April in Copenhagen. Information about the meeting will be sent to the pki-coord list.
6. European activity/projects Overview
6.1. Grid Security Infrastructure (GSI) and the EU DataGrid Authentication Infrastructure - David Groep, NIKHEF
David Groep explained the Grid Security Infrastructure (GSI) as an introduction to his presentation (available at http://www.dutchgrid.nl/DataGrid/security/presentations/GSI-and-CACG-terena-20020313.ppt). The GSI is intended to solve the authentication and authorisation issues of dynamic communities. The main GSI components are: proxy certificates (single sign-on and delegation); TLS/SSL (authentication and message protection); a delegation protocol (remote delegation); and GSS-API with extensions for Grid support. Proxy certificates are short-term restricted credentials created from a normal long-term X.509 credential. TLS/SSL is used for resource authentication (data storage, compute resources, web services, etc.). David briefed the meeting on the proxy certificate and TLS delegation protocol standardisation work in the IETF.
Another specific component of the GSI is the Community Authorisation Service (CAS), which is intended to solve the problem of how a large community grants its users access to a large set of resources. CAS delegates credentials on behalf of a Virtual Organisation (VO) that can be handled at the resource being requested; the local resource can apply a policy based on the delegation trace. CAS provides the user community with the information needed to authenticate resources. CAS is a component of the Globus Toolkit and is expected to be available this year.
The European DataGrid (EDG) Project is working on a suite of middleware and test bed facilities for specific Grid applications. The middleware components are built on top of Globus toolkits: scheduling and accounting, data replication and management, monitoring, data storage, fabric and farm management. The EDG Test Bed 1 deployed in November 2001 had successful demo on March 1, 2002 and will be continuously upgraded till December 2003.
The first EDG CA was based on the Globus "worthless" CA, but for the EDG "production" test bed stronger authentication was needed. Currently the EDG project has 12 CAs that have been in operation for about a year; they have issued around 1000 certificates in total and have a potential community of 10000-40000 users. An acceptable procedure for confirming identity is based on personal contacts or other rigorous methods of requestor identification: basic trust in personal authentication by the CA/RA (one CA per country for a tight local Grid community); personal voice recognition of a known person, or checking of an official ID via an RA; RA-to-CA communication via integrity-protected email; affiliation usually checked by looking into "public" directories; "host certificates" introduced by a pre-certified administrator. No legal liability is accepted within the system, and it is not to be used for the authorisation of financial transactions.
Specific technical issues in running the EDG CAs include: key management, CRL updates, CP/CPS conformity to a standard (RFC2527 is preferred), cross-evaluation of the CP/CPS by every CA manager, and maintaining a CA Feature Matrix and a CA Acceptance Matrix. The CA manager needs to balance the requirements of users and of resource owners.
All resources hold a list of all CAs and map certificates to users in a gridmap file. This approach has a growth problem and does not scale well. New projects like CrossGrid are looking for solutions outside the EDG project. The GGF currently cannot provide a scalable working solution either.
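The per-resource CA list and gridmap lookup described above, as an added example that is not part of the minutes or of the EDG/Globus software: a parser for the grid-mapfile format (a quoted subject DN followed by comma-separated local accounts) and a lookup that accepts only identities issued by a listed CA and matching an entry exactly. The DNs, CA names and accounts are constructed, and the proxy handling assumes the legacy GSI convention of appending "/CN=proxy" or "/CN=limited proxy" to the user's DN.

```python
import re

# Constructed sample grid-mapfile (not a real EDG file): a quoted subject DN followed
# by one or more comma-separated local account names; comments start with '#'.
SAMPLE_GRIDMAP = """\
# grid-mapfile, constructed sample
"/C=NL/O=NIKHEF/CN=Some Researcher" edguser01
"/C=CZ/O=CESNET/CN=Another Researcher" edguser02,cmsprod
"/C=NL/O=NIKHEF/CN=Some Researcher" edguser99
this line has no quoted DN and is rejected
"""

# Constructed issuer DNs standing in for the per-resource list of accepted CAs.
ACCEPTED_CAS = {
    "/C=NL/O=NIKHEF/CN=NIKHEF-CA-example",
    "/C=CZ/O=CESNET/CN=CESNET-CA-example",
}

_LINE = re.compile(r'^"([^"]+)"\s+([A-Za-z0-9_.-]+(?:,[A-Za-z0-9_.-]+)*)$')
# Legacy GSI proxy naming (assumed here): each delegation appends one CN component.
_PROXY_SUFFIX = re.compile(r'/CN=(limited )?proxy$')


def parse_gridmap(text):
    """Parse grid-mapfile text into ({subject DN: [accounts]}, [(lineno, bad line)]).

    Malformed lines are reported rather than guessed at, and a duplicate DN keeps
    its first entry so a later (possibly mistaken) line cannot silently override it.
    """
    mapping, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            rejected.append((lineno, raw))
            continue
        mapping.setdefault(m.group(1), m.group(2).split(","))
    return mapping, rejected


def base_identity(subject_dn):
    """Strip trailing proxy components so a delegated short-term credential maps
    back to the long-term user identity that the mapfile actually lists."""
    while True:
        stripped = _PROXY_SUFFIX.sub("", subject_dn)
        if stripped == subject_dn:
            return subject_dn
        subject_dn = stripped


def map_user(subject_dn, issuer_dn, mapping, accepted_cas):
    """Return the local account for an authenticated Grid identity, or None.

    `issuer_dn` is the CA at the root of the already-validated chain. It must be one
    of the CAs this resource accepts, and the proxy-stripped subject must match a
    mapfile entry exactly: a substring or prefix match would let a certificate for
    '/CN=Some Researcher Jr' borrow another user's account.
    """
    if issuer_dn not in accepted_cas:
        return None
    accounts = mapping.get(base_identity(subject_dn))
    return accounts[0] if accounts else None


if __name__ == "__main__":
    mapping, rejected = parse_gridmap(SAMPLE_GRIDMAP)
    print("rejected lines:", rejected)
    print(map_user("/C=NL/O=NIKHEF/CN=Some Researcher/CN=proxy",
                   "/C=NL/O=NIKHEF/CN=NIKHEF-CA-example", mapping, ACCEPTED_CAS))
```

Every resource must carry the full mapfile, which is the growth problem the minutes note: the number of entries to maintain scales with users times resources.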
David finished his presentation by saying that finding an acceptable solution for the GRID community might be a challenge for this group.
6.2. EuroPKI Update: the evolution of the EuroPKI and the NASTEC project - Corrado Derenale
Since the last presentation at the 3rd PKI-COORD meeting, EuroPKI has gained new partners: RedIRIS (since 5 March 2002) and the Polish CA (since 30 January 2002). It is expected that the Irish Academic and Research CA, which is run by the commercial company Ezitrust Ltd., will become a member in 2Q 2002 and the Romanian CA in 3Q 2002. Pesaro province in Italy will join in 3Q 2002.
EuroPKI introduced new service Portal for Public Administration (PA) to facilitate the exchange of information between public administrations and other public/legal organisations that may reside in different PKI hierarchies. The portal will trust all the PKIs which are registered with it.
EC funded project NASTEC provides basis for EuroPKI to transfer expertise and extend its service to Central and Eastern European countries. NASTEC partners include Politechnico di Torino, Italy, SECUDE GmbH, Germany, SETCCE, Slovenia, Politechnica Wroclawska, Poland, Universitatea Politechnica din Bucuresti, Romania. More information at NASTEC project webpage at http://www.setcce.org/nastec/.
They will be working on a student on-line administration service using X.509 and creating a demonstration portal for student services, "Didattica". This means all the professors need an X.509 certificate. The portal will use a single sign-on LDAP-based service with a web interface.
EuroPKI has several initiatives aimed at collecting and disseminating experience and information between partners (including a report on the uses of X.509 certificates). They also intend to experiment with new collaborative proposals like a Bridge CA between CAs.
More information about basic EuroPKI services and recently deployed advanced EuroPKI services, which include OCSP (with a single responder) and a Time Stamp Authority (TSP), can be found in another of Corrado's presentations at http://www.terena.nl/task-forces/tf-aace/docs/1.EuroPki_Terena20020413.pdf
6.3. PERMIS Update
The presentation was cancelled with apologies from David Chadwick. Up-to-date information on the project's development and status is available at http://sec.isi.salford.ac.uk/permis/. All of the work-in-progress section is open to discussion and feedback is welcome on any aspect of it; however, the website access policy requires user registration.
7. Cooperation and coordination with PKI related projects in Internet2
HEBCA - Higher Education Bridge Certificate Authority (Michael Gettes)
Michael Gettes introduced the concept of a Higher Education Bridge CA (BCA), which will be built on the same technologies as the Federal BCA (FBCA) and will become a part of the US Federal PKI.
In the BCA scenario there is no single authority in overall control. The major advantage of the bridge model is that it is survivable: if one portion is compromised, everything else is still OK, and only the cross certificates need to be regenerated to fix the problem. In the root CA architecture (of which EuroPKI is an example), if the root is compromised then everything has to be regenerated. Cross certification in a BCA allows for "one/two-way policy". Directories are critical in the BCA world: cross certificates are published in directories and discovered via the network (the BCA/CA may remain off-line). Path validation is another important element of the BCA architecture: when an application receives a certificate, it finds a path back to the signer of the certificate, validating the path for policy mapping and name constraints. Policy mapping can express LOA (level of assurance).
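The path validation and survivability points above, as an added example that is not part of the minutes or of any HEBCA/FBCA software: a breadth-first path discovery over a constructed mesh of cross-certificates that maps the relying party's policy forward hop by hop and accumulates name constraints, then checks the end-entity certificate against the result. The CA names, policy labels (placeholders for the OIDs a real CP would use) and name constraints are all constructed for illustration.

```python
from collections import deque, namedtuple

# A cross-certificate issued by `issuer` to `subject`. `policy_map` translates the
# issuer's policy identifiers into the subject's equivalents (policy mapping);
# `permitted` is an optional tuple of DNS suffixes the subject's tree may certify
# names under (a permittedSubtrees name constraint). Constructed example data.
CrossCert = namedtuple("CrossCert", "issuer subject policy_map permitted")

# Hypothetical topology: the relying party's anchor (FBCA) and a campus CA are each
# cross-certified with the bridge (HEBCA) in both directions.
CROSS_CERTS = [
    CrossCert("FBCA", "HEBCA", {"fbca-medium": "hebca-medium"}, None),
    CrossCert("HEBCA", "FBCA", {"hebca-medium": "fbca-medium"}, None),
    CrossCert("HEBCA", "CampusCA", {"hebca-medium": "campus-standard"}, ("example.edu",)),
    CrossCert("CampusCA", "HEBCA", {"campus-standard": "hebca-medium"}, None),
]


def within(name, permitted):
    """True if `name` lies inside one of the permitted DNS subtrees."""
    return any(name == p or name.endswith("." + p) for p in permitted)


def validate_path(anchor, required_policy, ee_issuer, ee_policy, ee_name, certs=CROSS_CERTS):
    """Discover and validate a certification path from the relying party's trust
    anchor to the CA that issued an end-entity certificate.

    Breadth-first search over the cross-certificates starting at the anchor, the only
    CA trusted directly. At each hop the required policy is mapped forward and any name
    constraint is accumulated; the end entity is accepted only if its policy equals the
    mapped policy and its name satisfies every constraint on the path.
    Returns (path, mapped_policy) on success or (None, reason) on failure.
    """
    queue = deque([((anchor, required_policy, ()), [anchor])])
    seen = {(anchor, required_policy)}
    reason = "no path to anchor"
    while queue:
        (ca, policy, constraints), path = queue.popleft()
        if ca == ee_issuer:
            if policy != ee_policy:
                reason = "policy mismatch"
            elif not all(within(ee_name, c) for c in constraints):
                reason = "name constraint violated"
            else:
                return path, policy
            continue
        for cert in certs:
            # Follow only certificates issued by the current CA whose policy
            # mapping carries the policy being tracked across this hop.
            if cert.issuer != ca or policy not in cert.policy_map:
                continue
            next_policy = cert.policy_map[policy]
            if (cert.subject, next_policy) in seen:
                continue  # bridges cross-certify both ways; do not loop
            seen.add((cert.subject, next_policy))
            next_constraints = constraints + ((cert.permitted,) if cert.permitted else ())
            queue.append(((cert.subject, next_policy, next_constraints), path + [cert.subject]))
    return None, reason


def without_ca(compromised, certs=CROSS_CERTS):
    """Model the survivability argument: after a CA is compromised, only the cross-
    certificates it issued or received are withdrawn; the rest of the mesh stands."""
    return [c for c in certs if compromised not in (c.issuer, c.subject)]


if __name__ == "__main__":
    print(validate_path("FBCA", "fbca-medium", "CampusCA", "campus-standard", "cs.example.edu"))
    print(validate_path("FBCA", "fbca-medium", "CampusCA", "campus-standard", "cs.example.com"))
    print(validate_path("FBCA", "fbca-medium", "CampusCA", "campus-standard",
                        "cs.example.edu", without_ca("CampusCA")))
```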
Higher Education PKI (HEPKI) development is coordinated by HEPKI Activity groups that represent the cooperative efforts of CREN, EDUCAUSE, and Internet2 (http://www.educause.edu/hepki/). Draft HEBCA Certificate Policy is available now. The HEBCA CP is congruent with the HE CP and FBCA CP.
The NIH-Educause Pilot project on Electronic Grant Application with Multiple Digital Signatures is now in its Phase Two, which assumes a connection to the FBCA (see the Concept of Operations (CONOPS) diagram in Michael's presentation, http://www.internet2.edu/presentations/20020201-CAMP-Gettes.ppt). In order to do business with the FBCA, HEBCA needs to establish cross certification with the FBCA and, as a consequence, to have adopted policies.
A new software module, DAVE (Discovery and Validation Engine), is being added to support a registry of directories for BCAs. This will allow certificate path/trust validation based on the BCA directories, as the BCAs themselves can be offline.
Michael presented an animated PKI puzzle explaining the complicated relations between all participants in HEPKI. The summary is that PKI is 1/3 technical and 2/3 policy issues.
Michael also gave a presentation on Shibboleth from the CAMP meeting (slides are on the web at http://www.internet2.edu/presentations/20020202-CAMP-Cantor.ppt). He explained the role of the major Shibboleth components, SHIRE and SHAR, in determining a particular user's access to online resources according to his/her attributes stored in the home university's directory. The important issue here is that the identity presented should be opaque with respect to the person's ID, in order to preserve privacy.
Planned Shibboleth deliverables: an open-source reference implementation of much (but not all) of SAML and all Shibboleth components, documentation (reference materials, deployment assistance), Policies and procedures for joining an initial community of sites (Club of Shib).
Shibboleth uses SAML (Security Assertion Markup Language, an XML-based security standard for exchanging authentication and authorisation information), which is heading to last call, allowing version 1.0 publication of the architecture and API. Alpha code was due in February and the beta implementation is due in late spring 2002. SAML is developed by the XML-Based Security Services TC (SSTC) of OASIS (http://www.oasis-open.org/committees/security/).
Ken Klingenstein explained some technical issues in inter-realm authentication. There are three different transport options for the exchange of pubcookies/tokens between applications/sites: SAML, as used in Shibboleth; PAC (Privilege Access Certificate) tickets in the Microsoft implementation of Kerberos 5; and X.509. Each has its preferred use depending on the application's architecture and requirements.
Ken made a short note about the PKI-lite Inter-institutional S/MIME Test Project (http://middleware.internet2.edu/hepki-tag/). They want to find a business case for signed email (otherwise there is no reason for doing it). The US government is very concerned with foreign students, and this is driving a greater need for certificates.
NMI (NSF Middleware Initiative) Update (Ken Klingenstein)
Ken Klingenstein gave an update on the current status of NMI (NSF Middleware Initiative) development. The team of EDUCAUSE and SURA/Internet2 is now focusing on developing an NMI architecture incorporating inter-realm directories, security and naming, to make campus networks and desktop machines compatible with the middleware packages. There will be an NMI Release 1.0 on May 10th 2002 and Release 2.0 in November 2002.
NMI Release 1.0 will have software, standards and services, and white papers (see http://www.nmi-edit.org/development/ for current information). The software will include: GRID Center software based on GLOBUS and Condor-G; KX.509-KCA (Kerberized Certificate Authority) and the KX.509 client (to generate short-term Kerberos tickets); and WEBISO (Web Initial Sign-on) Pubcookie.
The standards will include EDUperson 1.5 (will contain new attributes for Grid), EduOrg 1.0 (will associate attributes to institutions, such as management and security policies), commObject 1.0 (will associate attributes to a videoconferencing system, an IP telephone, or a user), XML namespace registry.
White papers will include: Best Practices in Directory Groups 1.0, VidMid architecture, LDAP Recipe 2.0, Certificate Policies for HighEd, Plumbing Campuses for Grids (to be developed in collaboration with the GRIDS Center).
In Release 2.0 the following will be added: standards for Shibboleth and eduVirtOrg (a description of directory object classes for virtual organisations); white papers on a Registry of Virtual Organisations and a Registry of Schemas.
Action 1-3. Ken to send a pointer to the NMI Release 1.0 documents when available.
8. Discussion about the PKI-COORD Technical Agenda and proposed Term of Reference
Moving to this agenda item, John Dyer explained the procedure for establishing, and the responsibilities of, a TERENA Task Force (see http://www.terena.nl/tech/ToR.html for reference).
There was general agreement from the floor that people were willing to work on deliverables within the proposed task force. Candidates for TF chair were sought; Diego Lopez was unanimously accepted.
Ton expressed his feeling that the proposed charter widens the scope of the work from just PKI to include things like AAA (authorisation and authentication, but not accounting, as this was thought a bit too theoretical at the moment). Ken remarked that we need to differentiate PKI from X.509; in particular, they talk about SAML as a PKI function but not X.509. He also thinks that this shift from pure PKI to AA might need different people to come to the meetings, as authentication usually takes place at the campuses. A positive thing about the I2 initiative is that the people who do the campus work are also involved in I2.
Ton suggested that there is no such thing as an NREN in the US. Most NRENs are heavy on technological push and encourage people to try new things; however, the people at the campuses are generally happy to leave developments to the NRENs. The situation is not consistent across all European countries. In Sweden there is no centrally led development; it is undertaken by individual countries getting together themselves. In Norway the opposite is true, with UNINETT leading developments. In general, people do not see much harm in extending AA issues to campuses.
Michael thinks that items B and D broaden the scope too much. Peter Gietz thinks it is important not to lose sight of PKI even if the scope is broadened to encompass AA. Ken thinks the AA work will broaden itself and many inter-working issues will arise; the TF should concern itself with inter-campus federation. Summarising, Ton expressed his opinion that there is sufficient interest in the community to include AA in the remit.
Diego asked to go through the draft Term of reference and see if the group could reach consensus on each of the items.
After short discussion, people decided the new name should be TF-AACE - Task Force on Authorization, Authentication Coordination for Europe. Mailing list name and TF's webpage should be changed as well.
The TF's work items, deliverables and timetable were discussed in detail. The idea of one or two workshops was suggested as a supporting action for Deliverables B and D; about 12-15 people indicated that they would be interested in attending.
In respect of Deliverable C, several people thought a European HE bridge would be a useful service to develop. It was suggested that cross certification and certificate interoperability should be examined.
It was agreed that the remaining actions 0-3-2 and 0-3-3 from the last PKI-COORD meeting, on the Questionnaire to define common requirements for the European wide PKI, will be included in Deliverable A.
Ken commented on Deliverable D, on common identity on the Internet. He said that Microsoft Passport is supposed to define a federated approach in which campuses can run their own Passport servers, so they do not need to let things like passwords off the campus. Ken informed the meeting that they will have a meeting with Microsoft representatives and promised to report to the list on open issues.
Action 1-3. Ken to send open information about meeting with Microsoft on their Passport system.
Diego collected the names of those who agreed to participate in the deliverables. He promised to prepare a list of milestones for all deliverables and post it to the list for discussion. The list of milestones is needed before the TF-AACE ToR is submitted to the TTC.
Note. At the moment of publishing these minutes, the updated Draft TF-AACE Term of Reference and the draft list of Teams and Deliverables are available at http://www.terena.nl/task-forces/tf-aace/tf-aace-tor-draft.html and http://www.terena.nl/tech/task-forces/tf-aace/tf-aace-tor-teams-draft.html
9. Next meeting
It was agreed that the next meeting will be held before the TERENA TNC2002 Conference in Limerick, on June 2, 2002 (half a day, afternoon).
10. AOB
No AOB was discussed.
11. New and Open Actions
| Action | Owner | Description | Status |
|---|---|---|---|
| 0-2-1 | | Begin to aggregate PKI CPs and prepare a list of the differences between these documents. TERENA to form a group of volunteers for this work. | Preparation work has been done by TERENA, next step by NRENs' experts |
| 0-2-3 | YD | Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list. | Initial information was sent to the list, detailed presentation to be sent to the list |
| 0-2-5 | AL, DL | Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings. | Ongoing |
| 0-3-1 | YD | Yuri Demchenko to update Internet2 related information at TERENA's PKI-COORD webpage. | Progressing |
| 1-1 | Torbjörn Wiberg | Torbjörn to send information about the Swedish Government procurement on PKI/Certificates for citizens to the list. | |
| 1-2 | Milan Sova | Milan to send the URL of the CP/CPS to the PKI-COORD mail list. | |
| 1-2 | Ken Klingenstein | Ken to send a pointer to the NMI Release 1.0 documents when available. | |
| 1-3 | Ken Klingenstein | Ken to send open information about the meeting with Microsoft on their Passport system. | |
Appendix A. List of Attendees
| No. | Name | Organisation |
|---|---|---|
| 1 | Bekker, Henny | SURFnet |
| 2 | Chuguev, Konstantin | DANTE |
| 3 | Demchenko, Yuri | TERENA |
| 4 | Derenale, Corrado | Politecnico di Torino |
| 5 | Dyer, John | TERENA |
| 6 | Florio, Licia | TERENA |
| 7 | Gellert, Olaf | DFN-PCA |
| 8 | Gettes, Michael | Georgetown University |
| 9 | Gietz, Peter | DAASI International |
| 10 | Gorecka-Wolniewicz, Maja | NCU |
| 11 | Groep, David | NIKHEF/EU DataGrid |
| 12 | Klingenstein, Ken | Univ. Colorado/Internet2 |
| 13 | Kalogeras, Dimitros | Edunet, Greece |
| 14 | Lenggenhager, Thomas | SWITCH |
| 15 | Lopez, Diego | RedIRIS |
| 16 | Lund, Anders | UNINETT |
| 17 | Macias, Jose-Manuel | RedIRIS |
| 18 | Milinovic, Miroslav | SRCE / CARNet |
| 19 | Saragiotis, Panagiotis | GRNET |
| 20 | Sova, Milan | CESNET |
| 21 | Szuber, Sebastian | PSNC |
| 22 | Van Der Merwe, Chris | ARNES |
| 23 | Venaas, Stig | UNINETT |
| 24 | Verschuren, Ton | SURFnet |
| 25 | Wiberg, Torbjörn | Umeå Universitet |
| 26 | Wierenga, Klaas | SURFnet |
| 27 | Wolniewicz, Tomasz | NCU |
TERENA Technical Contact: Yuri Demchenko <demchenko@terena.nl>.