GGF6 CAOPS Session 1
October 16, 2002
8-9:30am
http://gridcp.es.net/

Scribes: Jim Basney and Jem Treadwell

Agenda:
- Agenda Bashing (5 min)
- Overview of document process (Marty, 5 min)
- CAOPs charter statement ratification (10 min)
- Milestone Review and Update (Tony, 10 min)
- Final Call on documents
  Quick overview of latest changes and status/next steps (10 min each)
  - GGF CP (Tony and Randy)
  - Trust Model (Mary)
  - PMA (Michael)
- Certificate Profiles (Michael, 20 min)
- Session 2 setup

Randy gave an overview of the agenda.  There were no comments on it.

Marty gave an overview of the GGF document process.
- Four types of GGF documents:
  Informational
  Experimental
  Community Practice
  Recommendation
- Document publically announced on mailing list for two weeks of comments.
  If WG consensus is reached, the document is forwarded to the GGF
  steering group.
  Then the document goes on the ggf.org web site for public comment.

Tony presented the charter for the group, originally presented at GGF5.

Are other (non-GGF) groups working on this?
European Data Grid, Federal Bridge, Internet2 (focus on campus needs).
This group has a community focus on Grids.
This WG is not working on user private key management.
Is there any relationship with NMI?
No, NMI is a packaging initiative and doesn't develop policies.
Topics to be addressed by this group:
  CP/CPS, Policy Management Authority charters, Cross trust models,
  Certificate Profiles, Certificate Revocation List management,
  Physical security management, Disaster Recovery

Randy reviewed the WG milestones (on web site).

Randy reviewed modifications to the certificate profile document.
- Clarified that document only addressed authentication.
- Clarified that the policy must have an associated OID.
  - Comment: How do you find a document by OID?  Don't know.
    A URI?  Too short lived.
    Should be addressed by certificate extensions?
    Why do we need the OID if you can't use it for anything?
    OID does tell you that you're looking at the right document once
    you've found it.
    Should you embed the URL for the policy document in the policy document?
- Cleaned up applicability, roles, assurance level section.
- Changed contact details section to state that you MUST document who
  administers your CP and the contacts for your CP.
- Removed suspension requirement because nobody does it as far as we know.
- Removed reference to non-existent field xyz.
- Comment: Repository obligations are separate according to IETF rules.
- Cleaned up statement on confidentiality to improve readability.
  Can't release subscriber information.
- IPR statement clarified that no rights are asserted on this document.
- Statement added that subject and issuer names should be meaningful.
- Revocation request language clarified.
  What authentication methods may be used for revocation?
  Comment: Language is not clear about what certificate must be accepted.
  Authenticate with the certificate to be revoked.
  Comment: Language doesn't say what the CA must do after accepting the
  revocation request.  MUST the CA act on it?
Grid CP document format needs to be changed to comply with GGF requirements.

Mary reviewed current status of Trust Model document.
Had good discussions on mailing list since last GGF.
No modifications since last announcement on the mailing list.
The current draft adds more sections on delegation to previous draft.
Mike added more text on HSMs (offline hardware key storage).
Plan to submit the document as a Community Best Practice document.
Last call on document will be announced on the mailing list.
Is the document in the GGF format, using the GGF document template?
Formatting changes need to be made before last call.

Michael talked about the Policy Management Authority document.
Peter Geitz was the initial author.
Document hasn't changed since July.
DOE Grids PMA charter used this document.
Randy plans to use it for the TeraGrid PMA.
This document will be submitted as a Community Practice document.
Last call on the mailing list soon.

Michael Helm gave a presentation on the Certificate Profile Document.
This document may become a standards track document.
The document specifically addresses certificate extensions.
Is anyone interested in CRL extensions?
Current document surveys current community/industry practice.
Many sites seem to be re-building their CAs at this time.
Grid uses are the main emphasis but other applications may be considered.
CA fields and extensions can be addressed by this document.
- CPS URLs
- Disclaimers, identifiers, other text
- Policy mapping OIDs
- CRL distro point
- OCSP (no experience yet in the community)
- SubjectAltName: email
- Netscape Cert types (are they obsolete?  can they be removed?)
- PKIX
EE fields and extensions:
- simpler but essentially identical to CA list
- Netscape cert types (no longer needed?)
- SubjectAltName issues
- Are there subclasses of EEs?  (people, services, hosts)
Document status:
- Data collection is finished.
- What are the requirements of standard browsers and other software?
- Are there any other contributers?  A few volunteers were found.
- Aim to have draft available by December.
Can GGF ask developers to code to this standard?  PKIX did that.
The WG should review the Internet2 profile document.
SMIME is killer app for Internet2 but so far has not been a priority
for the Grid community.
No need for GGF digital signature activity unless there is a unique
Grid requirement for it.  Other communities outside GGF are working on it.
Lack of support for name constraints in current software is a big problem.
We've tried to remain compliant with PKIX.
Cost of extensions in the CA certificate is they can be costly to
update, i.e., because new CA certificate must be re-distributed.

Randy: Establishing one-to-one trust between virtual organizations is costly.
Can we establish a PMA that can be a single aggregation point for trust
relationships?
Grids want to get out of the CA business.  The long-term solution
should be to use CAs from commercial and government providers.

European model appears to be one CA per country.
For UK, there is one CA for entire e-Science community.

Can we create a mechanism by which policies may be changed?
Bridge model may give more flexibility but is not well supported by
existing software.

Torsten Goss-Walter presented An Analysis of the UNICORE Security Model.
Document is on the WG web site.
GRIP: Grid Interoperability Project
Build a bridge between UNICORE and Globus.
http://www.grid-interoperability.org
Grid security is a major issue for Grid interworking.
Need compatible PKI, common CP.
Plan to use a commercial CA.
How flexible is a commercial CA regarding policy?
GGF drafts (GFD-I):
- "An Analysis of the UNICORE Security Model"
- "The GRIP PKI and Certificate Policy"
- "Grid Security Interoperation" (subject to change)
Should these be GGF documents?  It's a way to share information with
the Grid community.  Documents should be explicit regarding how the
experience can be applied by others in the community.