We thank the Latin American Conference on High Performance Computing (www.clcar.org) and the Technological University of Panama in Panama City, Panama, for hosting our successful TAGPMA 16 meeting, August 29-30, 2012.
We had 20 attendees at TAGPMA 16, 9 on site and 11 remotely via EVO Internet video teleconference.
Attending TAGPMA 16 in person were:
- Derek Simmel, PSC, U.S.A., TAGPMA Chair
- Scott Rea, DigiCert, U.S.A., TAGPMA Vice-Chair
- Alejandra Stolk, ULA, Venezuela, TAGPMA Secretary
- Jim Basney, NCSA & OSG, U.S.A.
- Adam Slagell, XSEDE, U.S.A.
- David Kelsey, WLCG, Switzerland
- Milan Sova, CESNET & EUGridPMA, Czech Republic
Attendees via EVO Internet video teleconference included:
- Alan Sill, Texas Tech University, U.S.A.
- Vinod Rebello, UFF, Brazil
- Paula Venoza, UNLP, Argentina
- Shreyas Cholia, NERSC, U.S.A.
- Irwin Gaines, Fermilab, U.S.A.
- Roger Impey, Grid Canada, Canada
- Manuel Quintero, UNAM, Mexico
- Francisco Martinez, UNAM, Mexico
- Sandra Jaque, REUNA, Chile
- Otto Huiman Carrasco, SENAMHI, Peru
- Eric Yen, ASGC, Taiwan, APGridPMA Chair
Guest presentations made in person at TAGPMA 16 included:
- Querube Urriola, CIDETYS, Panamá
- Luis Núñez, redCLARA, Colombia
TAGPMA 16 Minutes
Presentation slides are available on the TAGPMA 16 timetable at:
Wednesday, August 29, 2012
Welcome Session and TAGPMA update
Derek Simmel, TAGPMA Chair, started the meeting with a presentation summarizing current TAGPMA activities and the results of the recent survey of TAGPMA Authentication Provider (CA operator) members regarding three questions:
(1) SHA-2 (SHA-512/384/256/224): When will your CA be able to generate/sign certificates using a SHA-2 hash (as opposed to SHA-1)?
- Almost all TAGPMA APs are able to generate/sign using SHA-2 now, or will be able to before December 31, 2012.
(2) OCSP: When will your CA be able to provide an OCSP (Online Certificate Status Protocol) service?
- Only one TAGPMA AP currently provides OCSP service (DigiCert) - others do not have a need for it as expressed by their subscribers, and have no plans to deploy it.
(3) IPv6: When will your CA's online services (e.g., CRL download server, OCSP service, CA website) be accessible via IPv6 network addressing?
- About half of the TAGPMA APs support availability of their CA resources via IPv6. Others have no plans to provide availability via IPv6 - some due to limitations of their network service at their organizations.
Updates from APGridPMA
Eric Yen, APGridPMA Chair, made a presentation regarding Asia/Pacific Grid PMA activities via EVO Internet video teleconference.
Updates from EUGridPMA and IGTF
Milan Sova and Dave Kelsey provided an update regarding EUGridPMA (Europe/Africa/Middle East) activities.
CIDETYS, Panama prospective TAGPMA AP Member presentation
Querube Urriola gave a presentation in support of CIDETYS' application for TAGPMA membership. Several UTP staff members joined the meeting for this presentation. CIDETYS promotes the use of free software, and supports grid computing infrastructure in Panama. With the completion of the GISELA project, Panama is interested in finding or possibly operating a new CA to provide credentials to users in Panama. Following discussion of their objectives, we recommended that CIDETYS join TAGPMA as a relying party member first, with a possible change to authentication provider at a later date if they decide to operate a CA for Panama.
From Platforms to Communities, REDClara
Luis Núñez, representing redCLARA, gave a presentation entitled, "From Platforms to Communities: Building Advanced Computing in Latin America." redCLARA is interested in collaborating with TAGPMA to establish federated identity solutions. redCLARA is well-connected to several Latin American TAGPMA member organizations - this may facilitate co-location of meetings. redCLARA's next meetings will be in Cuenca, Ecuador during November 12-16, 2012, and in Mexico City during June, 2013. We suggested that redCLARA join TAGPMA as a relying party member.
SHA-2 Testing and Experience by current accredited CAs
David Kelsey described progress on the SHA-2 adoption effort. Key points include:
- Every certificate signed must differ by at least the certificate serial number. This means that if a CA wants to issue two editions of a certificate, one signed with SHA-1 and the other with SHA-2, then two separate certificates must be generated, differing at least by the serial number, even if all other fields remain the same. CAs may not sign the same certificate twice.
- Only SHA-2 512 and SHA-2 256 will be supported. The 384 and 224 variants are not supported by various commonly used software (e.g. Java).
- While certificates are still being signed using SHA-1, a SHA-1 signed CRL should be available.
- When certificates are signed using SHA-2, a SHA-2 signed CRL should be available.
- One goal is that by Summer 2013, all applicable middleware software and services can support both SHA-2 and RFC proxies; dCache and Bestman are key middlewares for WLCG. It may be more realistic to expect these to be satisfied by January 2014.
- SHA-1 is to be retired by March 31, 2014 for end entity certificates and CRLs.
- After March 31, 2014, all newly created CA certificates should be SHA-2 signed.
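To make the first two points above concrete for a CA operator or relying party auditing its own certificates, here is an added example; it is not part of the minutes nor any TAGPMA member's tooling. It is a stdlib-only Python DER walker that reads a certificate's signatureAlgorithm OID and serial number, classifies the hash against the dates recorded above (SHA-1 to retire after March 31, 2014; only SHA-256 and SHA-512 treated as supported), and checks that a SHA-1 edition and a SHA-2 edition of a certificate carry distinct serial numbers. The sample certificates are constructed in the script (certificate-shaped DER with a real version/serial/algorithm prefix, but unsigned and padded), and the function names and the status labels are my own.

```python
"""Added example (not from the TAGPMA minutes): audit certificate signature hashes.
Stdlib-only DER walker: extracts signatureAlgorithm OID and serialNumber from an
X.509 certificate, classifies the hash, and checks re-issued editions differ by
serial number. Sample inputs are constructed below and are not real certificates."""
from datetime import date

# Signature-algorithm OIDs (RSA PKCS#1 v1.5 and ECDSA) -> hash family.
SIG_OID_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1", "1.2.840.10045.4.1": "SHA-1",
    "1.2.840.113549.1.1.14": "SHA-224", "1.2.840.10045.4.3.1": "SHA-224",
    "1.2.840.113549.1.1.11": "SHA-256", "1.2.840.10045.4.3.2": "SHA-256",
    "1.2.840.113549.1.1.12": "SHA-384", "1.2.840.10045.4.3.3": "SHA-384",
    "1.2.840.113549.1.1.13": "SHA-512", "1.2.840.10045.4.3.4": "SHA-512",
}
SHA1_RETIREMENT = date(2014, 3, 31)      # end-entity certs and CRLs (from the minutes)
SUPPORTED_SHA2 = {"SHA-256", "SHA-512"}  # 224/384 variants rejected by common software


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(content):
    """DER OID content bytes -> dotted string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Return serial number, signature OID and hash family of a DER certificate."""
    _, pos, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    tag, tbs_start, tbs_end = _tlv(der, pos)        # tbsCertificate
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, vs, ve = _tlv(der, tbs_start)              # [0] EXPLICIT version is optional
    if tag == 0xA0:
        tag, vs, ve = _tlv(der, ve)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(der[vs:ve], "big", signed=True)
    tag, alg_start, _ = _tlv(der, tbs_end)          # signatureAlgorithm SEQUENCE
    assert tag == 0x30
    tag, os_, oe = _tlv(der, alg_start)             # its first element is the OID
    assert tag == 0x06
    oid = _decode_oid(der[os_:oe])
    return {"serial": serial, "sig_oid": oid, "hash": SIG_OID_HASH.get(oid, "unknown")}


def classify(info, today):
    """Migration status for one certificate; today is an ISO date string."""
    h = info["hash"]
    if h == "SHA-1":
        return "retire" if date.fromisoformat(today) > SHA1_RETIREMENT else "migrate"
    if h in SUPPORTED_SHA2:
        return "ok"
    return "unsupported-variant" if h.startswith("SHA-") else "unknown"


def distinct_serials(cert_a, cert_b):
    """A CA may not sign the same certificate twice: editions must differ by serial."""
    return inspect_certificate(cert_a)["serial"] != inspect_certificate(cert_b)["serial"]


# --- constructed sample input (not real certificates; unsigned and padded) ---
def _der(tag, content):
    """Wrap content in a DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (base-128 arcs, first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(serial, sig_oid):
    """Certificate-shaped DER: real version/serial/algorithm prefix, then zero
    padding standing in for the remaining TBS fields (forces long-form lengths)."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial_der = _der(0x02, serial.to_bytes(8, "big", signed=True))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    tbs = _der(0x30, version + serial_der + alg + bytes(200))
    return _der(0x30, tbs + alg + _der(0x03, bytes(33)))           # empty signature


if __name__ == "__main__":
    sha1_ed = build_sample_cert(1001, "1.2.840.113549.1.1.5")
    sha2_ed = build_sample_cert(1002, "1.2.840.113549.1.1.11")
    for cert in (sha1_ed, sha2_ed):
        print(inspect_certificate(cert), classify(inspect_certificate(cert), "2013-01-01"))
    print("serials differ:", distinct_serials(sha1_ed, sha2_ed))
```

On a real deployment the same `inspect_certificate` call is run over the DER bytes of each issued certificate (for PEM input, base64-decode the body between the BEGIN/END markers first), and the CRL's signatureAlgorithm can be read the same way, since a CertificateList has the same outer shape of tbsCertList, signatureAlgorithm, signatureValue.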
OCSP and IPv6 support feasibility by current accredited CAs
Milan Sova spoke about the Online Certificate Status Protocol (OCSP):
- IETF RFC 5019 "The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments"
- At this time there is no mandate for IGTF-accredited CAs to support/provide OCSP
Milan Sova also spoke about IPv6 addressability for CA services and publications, including CRLs:
- Pressure to adopt IPv6 is higher in the Middle East and Europe - while the U.S.A. still has large ranges of IPv4 addresses available.
- (Jim Basney) MyProxy software is IPv6-ready
- (Scott Rea) DigiCert content servers are IPv6 addressable, but CRLs are not, because the content distribution networks (CDNs) employed to make CRLs available do not (yet) support IPv6
Attribute Authorities update
Dave Kelsey spoke about the status of the Attribute Authority Service Provider operational guidelines document - the current edition is still the May 10, 2012 document.
- It would be helpful to have a checklist for AASPs to go with the guidelines.
Thursday, August 30, 2012
OCSP over DNS
Scott Rea spoke briefly about OCSP over DNS:
- The idea is to use DNS to cache OCSP data; CAs push OCSP data into DNS
- The AIA in certificates takes the form dns://
- The burden on DNS is local to the CA's infrastructure
Registrar Policy Statement update
Scott Rea led a review & editing session for the Registration Practice Statement (RPS) document. This document is intended to serve as a template for Registrars to fill out, as they represent their (local) communities on behalf of accredited CAs.
TAGPMA membership review
Derek led a review of TAGPMA membership:
- NIH has resigned through non-participation and no response to inquiries made.
- SURAGrid has resigned as their project has ended
- TACC has not been participating lately - we need to determine whether they should be suspended. (Update September 2012: TACC plans to retire its CAs and will not be renewing their membership in TAGPMA).
Planning for TAGPMA 17 and 18:
- Suggestions for locations include Ecuador, Argentina (if mid-to-late in the year), Fermilab
- TAGPMA 17 should be scheduled in the February~April 2013 time frame
- TAGPMA 18 should be scheduled in the August~October 2013 time frame
- IGTF All-Hands (TAGPMA's turn to host next year) should be co-located with TAGPMA 18
0. Follow up with the TAGPMA AP members that did not provide responses to the survey questions.
1. TAGPMA members should vote to accept or decline March 31, 2014 as the cut-off date for SHA-1 -> SHA-2.
2. Jim Basney to take over role as Trusted Introducer for accredited CAs to the TERENA Academic Certification Authority Repository (done). Many thanks to Mike Helm for his service in this role to date.
3. TAGPMA members should vote to accept or decline CIDETYS Panama as a new TAGPMA RP member (done, accepted).
4. TAGPMA members should vote to accept or decline redCLARA as a new TAGPMA RP member (done, accepted).
5. Contact TACC to determine whether they plan to continue as a TAGPMA member (done, answer is no; they will be retiring their CAs).
6. Identify dates, locations and hosts for TAGPMA 17 (Feb~Apr, 2013) and TAGPMA 18 (Aug~Oct, 2013).
-- /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Alejandra Stolk - 25 Sep 2012