- Number of slides: 12
International Grid Trust Federation Session
GGF 20, Manchester, UK
Wednesday, May 9, 2007
CAOPS-WG session #2

Agenda
• Updates from regional PMAs (15”)
  – APGrid PMA (Yoshio)
  – EUGrid PMA (David)
  – TAGPMA (Darcy)
• Problems in compliance with the new Authentication Profile (20”)
• Authentication Profiles (20”)
  – Member Integrated Credential Services AP (Darcy?)
  – Portal-based Credential Services AP (Yoshio)
• Hardware Tokens (20”)
  – Robots (Jens)
Updates of the APGrid PMA
OGF 20, IGTF
Yoshio Tanaka

Updates
Audited KEK Grid CA
Date: April 13th
Used the new auditing document.
Found the following five major problems (but easy to solve):
- In some end entity certificates, the value of the X509v3 Certificate Policies extension is incorrect. It is 1.3.6.1.4.1.200.198.1.102 but it should be 1.3.6.1.4.1.200.198.1.10.2.
- Inconsistency between the certificate profile and the profile document.
- Neither extendedKeyUsage nor nsCertType is specified in end entity certificates.
- An email address was used in the subject name of end entity certificates.
- Inappropriate description of key renewal.

Updates
Some CAs have modified, or are modifying, their CP/CPS and/or profiles to comply with the new Classic AP.
Done: AIST Grid CA, APAC Grid CA, CNIC Grid CA, NAREGI CA
Ongoing: ASGC CA, IHEP CA, KEK Grid CA, NECTEC CA
Details will be reported at the next F2F.
APAC Grid CA will issue certificates for New Zealand.
Members (13 + 4)
9 Accredited CAs
  In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), NAREGI (Japan), NECTEC (Thailand)
  Will be in operation: NCHC (Taiwan)
1 CA under review: NGO (Singapore)
Will be re-accredited: KISTI (Korea)
Planning: PRAGMA (USA), ThaiGrid (Thailand)
General membership: Osaka U. (Japan), U. Hong Kong (China), U. Hyderabad (India), USM (Malaysia)

Next F2F Meeting
Date: June 4th (Mon)
Venue: Biopolis, Singapore
Co-located event: Grid Asia 2007
Agenda (tentative):
- Updates from CAs (esp. compliance with the new Classic AP)
- Review of MICS profile
- Discussions on the profile for Portal-based CS
Problems in compliance with the new Authentication Profile
AIST’s experiences
A) User certificates
- Added Extended Key Usage
  X509v3 Extended Key Usage: 1.3.6.1.5.5.7.3.2 = PKIX id-kp-clientAuth
B) Host certificates
- Added Extended Key Usage
  X509v3 Extended Key Usage: 1.3.6.1.5.5.7.3.1 = PKIX id-kp-serverAuth, 1.3.6.1.5.5.7.3.2 = PKIX id-kp-clientAuth
- Added Subject Alt Name
  X509v3 Subject Alt Name: [2] (dNSName) FQDN of the host
- Changed Key Usage: removed nonRepudiation
  X509v3 Key Usage: [critical] digitalSignature, keyEncipherment, dataEncipherment (0xb0)

Supposed problems
Some CAs need to modify the profiles of their Root CA certificate to comply with the new Classic AP and the proposed Grid Certificate Profile.
Marking keyUsage as critical was dropped from MUST to SHOULD, but some root CA certificates do not mark basicConstraints as critical.
Some CAs embed an email address in the subject name of end entity certificates.
Probably more (as found through the auditing of KEK Grid CA).
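An added example, not from the slides or from any PMA's or CA's own tooling: a Go check that applies the host-certificate profile points from the AIST slide (EKU, SAN, keyUsage without nonRepudiation) together with the "no email address in the subject" audit finding, run against a constructed self-signed sample. It assumes Go 1.21+ (for the slices package); the host name, email address and fixed zero key seed are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

// emailAddress subject attribute OID (1.2.840.113549.1.9.1): the audit wants it out of the subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// checkHostCert applies the host-certificate profile points; one string per violation, none when compliant.
func checkHostCert(c *x509.Certificate) (findings []string) {
	add := func(bad bool, msg string) {
		if bad {
			findings = append(findings, msg)
		}
	}
	hasEKU := func(u x509.ExtKeyUsage) bool { return slices.Contains(c.ExtKeyUsage, u) }
	add(c.KeyUsage&x509.KeyUsageContentCommitment != 0, "keyUsage still includes nonRepudiation") // Go's name for that bit
	add(!hasEKU(x509.ExtKeyUsageServerAuth) || !hasEKU(x509.ExtKeyUsageClientAuth), "extendedKeyUsage must list serverAuth and clientAuth")
	add(len(c.DNSNames) == 0, "subjectAltName does not carry the host FQDN (dNSName)")
	add(slices.ContainsFunc(c.Subject.Names, func(n pkix.AttributeTypeAndValue) bool { return n.Type.Equal(oidEmailAddress) }),
		"subject DN embeds an email address")
	return findings
}

// makeCert builds a constructed, self-signed sample host certificate; compliant=false reproduces the older profile.
func makeCert(compliant bool) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed zero seed: sample only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "host.example.org"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{"host.example.org"},
	}
	if !compliant { // nonRepudiation set, no EKU, no SAN, email address in the DN
		tmpl.KeyUsage |= x509.KeyUsageContentCommitment
		tmpl.ExtKeyUsage, tmpl.DNSNames = nil, nil
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: "admin@example.org"}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Point checkHostCert at certificates parsed from a CA's issued set (x509.ParseCertificate on the DER) to get the same per-certificate list the audit produced by hand.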
Portal-based Credential Services Profile
Yoshio Tanaka
International Grid Trust Federation, APGrid PMA, AIST

Schedule
1st draft by EUGrid PMA F2F @ Istanbul. Will be reviewed at Istanbul, followed by APGrid PMA at Singapore.
2nd draft by TAGPMA F2F @ Banff.
3rd draft by EUGrid PMA F2F in fall or at OGF 21.