EU Grid PMA 2005-01-26

NRENs — Diego Lopez

Updated TACAR policy

TF-EMC2 deliverable on trust in grids

Cotswolds Group initiative

eIRG Workshop

Server Certificate Service — Jan Meijer

A service (not a PKI, not a CA)

European NREN PKI history

Current Real Cert Usage

Some other uses

Other anticipated uses

Why server certs?



Commercial CA

Server certificate service

Financial Model

Someone is talking to the Mozilla Foundation to get NREN root certs in. The SSL guys at Mozilla don’t want to weaken trust compared to IE. They want to set the barrier high. However, some of the current CAs they inherited from Netscape and iPlanet are dubious.

What would it take for Grid world to trust commercial CA services? If a CA provider is not restrictive enough, make RA more restrictive.

If this gets useful for Grid applications we should try to accredit it. Action: Create mailing list for RP requirements for this service.

Status from current CAs

RMKI-KFKI: some updates needed to CP/CPS

UK: ~1600 certs. New RAs every month or two. 50 RAs. Working on Single Sign-on. Working on migration of OpenCA. Can migrate DB from Berkeley DB to Postgres. Need to update CP/CPS for Data Protection and Freedom of Information Acts.

NorduGrid: need to rekey in a few months. Request from Iceland to join CA. They now have a CP/CPS.

German: Change from MD5 to SHA1.

Canada: Hit 1000 issued certs. Expiry in two years. Aim for rekeying March 2005. Some problems from GridSite and SRM users. Plan for rekeying.

Ireland: Have not upgraded OpenCA from 0.8. Triple hex digits of certs issued.

Czech: Plan to switch to (commercial, shining) Entrust CA in first half of 2005.

DOE Grids: On the issue of migration: easiest approach is to let the old CA die and allow users to trade in old certs for new. Migrating to AOL Netscape CA.

INFN: Nothing exciting. 55 RAs and growing steadily.

SEEGRID CA: Process presented to RA managers. Certs for RA managers to be issued first.

Russian: Problems with VOMS compatibility. Problems handing over to new organization as it is impossible to prove that copies of private key are not retained.

Estonia: talks with Latvia and Lithuania. Plans to run Baltic Grid CA.

Dutch: recently updated CP/CPS. Moved to paper-based RA process. RA checks ID, records ID type and number, and signs in blue ink. Migrate responsibility to SARA.

CERN CA: No significant changes except one minor change to reflect change in CERN badges.