We thank the NCAR, Mesa Laboratory of the University Corporation for Atmospheric Research, Boulder, Colorado, U.S.A for hosting our successful TAGPMA 17 meeting, May 6-7, 2013.
We had 20 attendees at TAGPMA 17, 14 on site and 6 remotely via RedCLARA VC Espresso video teleconference.
Attending TAGPMA 17 in person were:
- Derek Simmel
- Scott Sakai
- Jim Basney
- Keith Chadwick
- Adam Slagell
- Steve Beaty
- Scott Rea
- Jim Marsteller
- Dhiva Murugananthan
- Dave Kelsey
- Andres Holguin
- David Groep
- Shreyas Cholia
- Alan Sill
Attendees via VCespresso Internet video teleconference included:
- Eric Yen
- John Wynkoop
- Nicolas Macia
- Ale Stolk
- Sergio Lietti
- Manuel Quintero
TAGPMA 17 Minutes
Presentation slides are available on the TAGPMA 17 timetable at:
Monday 06 May 2013
Welcome and brief history of UCAR by Steve Beaty
Welcome session and TAGPMA update
Officer elections planned for Fall.
Fall Meeting first week of November in La Plata @ UNLP
Updates from APGridPMA
2 F2F meetings a year - Spring/Fall
Require members to have annual audit.
SHA-2 capability after March 2013, some are running behind, expect after June 2013
SHA-1 EE certs to cease in September 2013
Next F2F meeting hosted by CNIC in October 2013
Update from EUGridPMA and IGTF
- Membership update: Ireland pulled Grid funding in 2012. Ireland Grid CA decommissioned in 2012. Moved to TCS for service.
- SHA-2 Updated Timeline: September 2014 CAs may publish SHA-256 or SHA-512 CRLs. Middleware must be aware of this date. Plan is to have pilot users with SHA-2
- Kantara LoA2 & MICS update: Modify the MICS profile - Jim B. and David G. to send Derek proposed text, leave it open for discussion.
- Online HSM proposal: $25 HSM + $25 Raspberry Pi + locked safe = Level 3 HSM?
- OCSP support: two documents: one guidance for CA, one for relying parties. Please review and provide comments.
- IPv6: 22 CAs offering working v6 CRLs. 72 endpoints to go.
- NCAR is pursuing TAGPMA accreditation, now in its second revision, and Steve is awaiting comments from reviewers.
- A second reviewer is needed to replace Shreyas.
- At the moment they have a need for host certs but will need user/robot certs in the future.
offers 1) Identity Federation, 2) Certificate Service (X.509) and Multifactor AuthN (OTP and smart cards) to members.
237 of the 500 members are subscribed to the certificate service.
Existing CA does not satisfy IGTF Namespace and Certificate lifetimes, therefore a new CA was needed.
IGTF Server CA: RAs sign agreement with InCommon to issue certs for the domains in their control. In second review at the moment.
David G. Comment: Baseline requirement (CAB forum) for pub CA is that the O is not present, if it is present it must be validated and either state or locality. CA has to validate.
Attribute Authorities update
Not much new to report.
Goal is to develop a "how to run a trustworthy attribute authority" profile for VOMs.
Version 1 of the document can be found here:
Next steps are to create an assessment spreadsheet and have some volunteers (FermiLab & CERN) test for compliance.
Could we have a first pass for the next IGTF All Hands Meeting in November?
Registrar Policy Statement review
SHA-2 deployment schedule
DOEGrids Transition Timeline
Tuesday 07 May 2013
Identity Federations and TAGPMA contribution
-- Main./C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Alejandra Stolk - 16 May 2013