[IT_600-R-002] 13:47:56 That's JK: Yeah.
[IT_600-R-002] 13:48:05 Even the transcript is working
[IT_600-R-002] 13:48:14 give them.
[IT_600-R-002] 13:48:22 Is also reported Records.
[John Kewley - STFC UKRI] 13:48:54 Hi, David and everybody else
[IT_600-R-002] 13:48:57 Hi Hi John!
[John Kewley - STFC UKRI] 13:48:58 How is the schedule going? Where? Where? What, how are we expecting?
[John Kewley - STFC UKRI] 13:49:05 Are you expecting me to talk
[IT_600-R-002] 13:49:09 It's scheduled for 2 Pmc Sd.
[IT_600-R-002] 13:49:12 Sodas won't be 10 min from now.
[John Kewley - STFC UKRI] 13:49:13 Still wanna share Julie you're still on schedule. Good. Good.
[John Kewley - STFC UKRI] 13:49:17 Okay, I've changed my background to be a Catario in Switzerland to give me a sense of Maybe I'm and then spirits with you, if not in in body.
[John Kewley - STFC UKRI] 13:49:28 That's what I That was my view from our house in Switzerland.
[IT_600-R-002] 13:49:29 Right.
[IT_600-R-002] 13:49:29 right.
[IT_600-R-002] 13:49:35 But you're not there. Anymore. This is just this is just memories of this.
[John Kewley - STFC UKRI] 13:49:37 I wish I wish I was. Yes.
[IT_600-R-002] 13:49:40 Yeah, okay.
[IT_600-R-002] 13:49:42 Just want to ask
[John Kewley - STFC UKRI] 13:49:44 I lived there for 4 years. Yes.
[IT_600-R-002] 13:49:47 And it looks really marks.
[John Kewley - STFC UKRI] 13:49:56 Yeah, the way. Yeah, that's what you might know is, logo.
[IT_600-R-002] 13:50:07 on a on a private plane or so You have the airport in the background.
[John Kewley - STFC UKRI] 13:50:10 The efforts down below. Yeah, this is actually for 200 needs to my house at a place called a Cool house.
[John Kewley - STFC UKRI] 13:50:15 Well, Kazakhura, which was the look Health Spa Hotel: Yeah, I was a 150 meters away to the sort of east of the south of that.
[John Kewley - STFC UKRI] 13:50:27 So we got, we got a slightly different view.
We couldn't see the airport, but for the year 2,000 we could look down on this whole valley and see all the fireworks below is which is it's quite interesting looking at fireworks from above rather than from below you don't get a little smoke for
[IT_600-R-002] 13:50:40 Okay.
[John Kewley - STFC UKRI] 13:50:45 instance.
[IT_600-R-002] 13:50:50 But that's definitely an improver
[John Kewley - STFC UKRI] 13:50:52 we did so once It it it it it was like a slightly cubity, and you could hear all these fireworks with the full shooting above all the low, level cloud you could see added.
[John Kewley - STFC UKRI] 13:51:17 will. I have access to upload my slides afterwards, or email and you don't
[IT_600-R-002] 13:51:22 You should have access, and if you don't, I'm not going
[John Kewley - STFC UKRI] 13:51:26 It's not. I'll email them to you. Yeah, I'll do it tough to it.
[IT_600-R-002] 13:51:31 I'll grant you access
[IT_600-R-002] 13:51:36 Communication. Oh, you should have had! How many idiotic!
[IT_600-R-002] 13:51:40 I would count. Do you have
[IT_600-R-002] 13:51:52 Okay, you're also John Mark Curie: Absurd! Or Ch: how do you find that
[John Kewley - STFC UKRI] 13:51:57 good, yeah, very
[IT_600-R-002] 13:52:02 From the unknown Institute in the unknown country, in the unknown collaboration, though a node unknown, unknown.
[John Kewley - STFC UKRI] 13:52:10 Yeah, obviously Isle of Man doesn't count.
[John Kewley - STFC UKRI] 13:52:17 I haven't tried logging in
[IT_600-R-002] 13:52:27 And you do. You should have upload runs.
[John Kewley - STFC UKRI] 13:52:32 I'm trying
[John Kewley - STFC UKRI] 13:52:36 Home Institution, Login.
[IT_600-R-002] 13:52:38 it's a really interesting trial for accounting How many people have distinct accounts in India or so, just because they I think, and I'll go to secondary app because the Lhcd separate area students use my primary plan.
[IT_600-R-002] 13:52:54 To get me into awareness.
Hi tenically managed 67 people, you know Look, they're all 30,000.
[IT_600-R-002] 13:53:06 Yeah. So I thought it was very important. Okay.
[IT_600-R-002] 13:53:14 But you also got to inherit all the china and people who read.
[IT_600-R-002] 13:53:18 Yes.
[IT_600-R-002] 13:53:24 Which is an improvement of the nicot system.
[IT_600-R-002] 13:53:24 There, if somebody leaves a supervisor has left. Okay, to stop belonging to 8 months, hey?
[IT_600-R-002] 13:53:39 yeah.
[John Kewley - STFC UKRI] 13:54:04 I'm creating a new indigo profile, apparently, and I'm not a little bit
[John Kewley - STFC UKRI] 13:54:04 Yeah.
[IT_600-R-002] 13:54:04 there, you sure you should not. You should just walk in
[IT_600-R-002] 13:54:04 Do you see an edit button next to the sobox?
[John Kewley - STFC UKRI] 13:54:04 Well, I'm logged into somebody now.
[John Kewley - STFC UKRI] 13:54:14 Nope.
[IT_600-R-002] 13:54:22 there's another. Yeah, you created a new account
[John Kewley - STFC UKRI] 13:54:24 Yeah, yeah, yeah, only only unknown unknown this time. Probably.
[IT_600-R-002] 13:54:30 Okay.
[John Kewley - STFC UKRI] 13:54:30 I tried to look into my institutional login and didn't seem to work so
[IT_600-R-002] 13:54:35 Okay, Now you should. You should have access once
[John Kewley - STFC UKRI] 13:54:37 I will reload
[IT_600-R-002] 13:54:47 What you do have to talk in trip with that
[John Kewley - STFC UKRI] 13:54:50 I do have to? Can I add it? Can I? Can I Can I kill 2 of my clones
[IT_600-R-002] 13:54:59 I don't think so.
[John Kewley - STFC UKRI] 13:55:00 I can only add materials.
[John Kewley - STFC UKRI] 13:55:07 Yes, I I can have materials. I'll do that afterwards.
[IT_600-R-002] 13:55:27 okay.
[IT_600-R-002] 13:55:34 Ask, Oh, I see. Listen! We saw the window
[IT_600-R-002] 13:55:49 it sounds good.
[IT_600-R-002] 13:55:54 Thank you.
[IT_600-R-002] 13:56:04 And a transcript is really interesting, and we yes, yesterday
[IT_600-R-002] 13:56:18 okay.
[IT_600-R-002] 13:56:30 okay.
[IT_600-R-002] 13:57:00 Okay, statement just today was, You can baptize what you trust.
[IT_600-R-002] 13:57:09 Yeah.
[John Kewley - STFC UKRI] 13:57:10 appetize.
[IT_600-R-002] 13:57:15 So I I'm not sure what we said. What's the transcript that you Yeah, you can actually see.
[John Kewley - STFC UKRI] 13:57:20 Yeah.
[IT_600-R-002] 13:57:20 So you can baptize what you trust Yay. But for interpretationally, research communities between infrastructure and everything, it's good
[John Kewley - STFC UKRI] 13:57:33 Well, we usually use the word annoying country. A lot of them baptize, but I'm anointing a registration authority or something
[IT_600-R-002] 13:57:46 I thought it was kings and queens who got anointed.
[IT_600-R-002] 13:57:49 Maybe maybe pitches just
[John Kewley - STFC UKRI] 13:57:49 Well, blessing, let's see. Blessing was the other one. Wasn't it?
[John Kewley - STFC UKRI] 13:57:54 To bless her. A certificate with our anus It doesn't sound too good right R.
[IT_600-R-002] 13:58:06 I wonder how what what the transcript made of that
[John Kewley - STFC UKRI] 13:58:09 A Hyford this? Yes, yes, okay. I have put things with talking astronautical things.
[IT_600-R-002] 13:58:17 Yes, it has got it correctly right, Agnes
[John Kewley - STFC UKRI] 13:58:22 Well done!
[John Kewley - STFC UKRI] 13:58:27 Oh, English must be well.
[IT_600-R-002] 13:58:30 Just disappear.
[IT_600-R-002] 13:58:34 You can see it back
[IT_600-R-002] 13:58:40 Yeah.
[IT_600-R-002] 13:58:46 Supposed to be all right. Next, remember, remember, activities in this room are being moment worship on Eve
[IT_600-R-002] 13:59:14 off certify, and sanctify.
[IT_600-R-002] 13:59:17 We wanted to come to be identified or crucified.
[IT_600-R-002] 13:59:22 I think a crucifixion. Yeah.
[IT_600-R-002] 13:59:33 I think a crucifixion
[IT_600-R-002] 13:59:36 One cross each. You you were in this place was meeting in that sort of headquarters in stuff.
[IT_600-R-002] 13:59:47 Yeah.
[IT_600-R-002] 13:59:48 I think we're still waiting for the official certified song.
[IT_600-R-002] 13:59:51 If we had to. Yeah, we were trying to go. That was in type.
[IT_600-R-002] 13:59:56 Thank you.
[IT_600-R-002] 14:00:03 Oh, yeah, we got. I can very specific free.
[IT_600-R-002] 14:00:10 We would like to do this cool, yeah, right? I mean, we're willing to host us out of nickel.
[IT_600-R-002] 14:00:16 They call so
[IT_600-R-002] 14:00:24 Yeah, then neither none of them niche, Nicole.
[IT_600-R-002] 14:00:29 They were all the way you doing something So we will stand up and have this meeting, and they even really revise us with much.
[IT_600-R-002] 14:00:35 And then it was a the boss 7. Yeah.
[IT_600-R-002] 14:00:42 Came up to us and said was talking to us at lunch time, and then eventually he plucked up courage in it.
[IT_600-R-002] 14:00:49 What we Oh, Nicole, it's really funny!
[IT_600-R-002] 14:00:59 That's what we can up with. The was like before Hammond.
[IT_600-R-002] 14:01:05 Okay.
[IT_600-R-002] 14:01:07 Okay.
[IT_600-R-002] 14:01:12 Since I don't trust the Transcript for one bit
[IT_600-R-002] 14:01:17 And so I do expect John to say, really interesting fate.
[IT_600-R-002] 14:01:22 Going to take some notes.
[John Kewley - STFC UKRI] 14:01:27 my slides are Not that I'm fairly wordy rather than won't be saying too much.
[John Kewley - STFC UKRI] 14:01:32 Isn't on them, so you said they can't trust the transcript to cope with my English
[IT_600-R-002] 14:01:43 Now a certain language to English, but it doesn't mean that it's actually recognizing English at all.
[IT_600-R-002] 14:01:48 A wonder what happens if I set a language to a Portuguese was a Korean
[IT_600-R-002] 14:01:59 Now it's trying to capture Korean
[John Kewley - STFC UKRI] 14:02:00 And
[IT_600-R-002] 14:02:09 Oh, Italian is also fun.
[IT_600-R-002] 14:02:18 Okay, but it has turned 2 o'clock. We have plenty of remote participants.
[IT_600-R-002] 14:02:26 Again, including our okay.
So books, Speaker: So John, very happy that you're here.
[IT_600-R-002] 14:02:35 I'm not sure how voluntary your cell box is, having been press times into giving one volumes, but I really like to change.
[John Kewley - STFC UKRI] 14:02:48 Yeah, okay, well, Yen suggested, I should give a talk about a certain topic.
[John Kewley - STFC UKRI] 14:02:48 yeah.
[IT_600-R-002] 14:02:51 So please look our hat.
[John Kewley - STFC UKRI] 14:02:59 but then this is now turned into a soapbox talk.
[John Kewley - STFC UKRI] 14:03:03 So it it's it's it's it's a 2, a 2, for a 2 for one, so it might not be ideal for either.
[John Kewley - STFC UKRI] 14:03:09 But we'll see how this this something of interest in here. Let's see if I can share
[John Kewley - STFC UKRI] 14:03:17 Okay, So okay. So this is, we usually have the end.
[John Kewley - STFC UKRI] 14:03:21 So the JJ. So box. But this is a plus plus JJ. An increment of that.
[John Kewley - STFC UKRI] 14:03:26 It's the JK sobox, and it's 8 in the vetted by.
[John Kewley - STFC UKRI] 14:03:31 Yes, Will. And John, who worked with me on the CA. My role is CA service manager, which is more the kind of overseeing the running of it as opposed to the serious technical decisions which Jens would make and running it on a day to day basis which would be Will and
[John Kewley - STFC UKRI] 14:03:51 John: Okay.
[IT_600-R-002] 14:03:53 Cool.
[IT_600-R-002] 14:03:56 Behind the channel
[John Kewley - STFC UKRI] 14:03:57 So a quick bit of background. The UK CA has been considering reissuing our PKI hierarchy as SHA-2 only for quite some time now, but deciding when and if to do it has has caused much discussion and basically how paranoid should we be So
[John Kewley - STFC UKRI] 14:04:18 this talk is also gonna think a little bit of get us.
[John Kewley - STFC UKRI] 14:04:21 This is the soap, opera aspect, is thinking a little bit more about how much. Hi!
[John Kewley - STFC UKRI] 14:04:24 How paranoid we should be in in our role?
Probably quite a lot.
[John Kewley - STFC UKRI] 14:04:28 But let's say so. A quick picture of the UK side, CA's software infrastructure might put a bit more of other stuff into context So the left hand side we've got the outside world browsers We've got a java tool called cert wizard.
[John Kewley - STFC UKRI] 14:04:45 and somebody else is, yeah, reverse interface, and done their own thing called S. Sa. Sorcerer.
[John Kewley - STFC UKRI] 14:04:53 Hello, I've never actually by that myself. And then we've also some command line scripts to apply for certificates, renew, etc.
[John Kewley - STFC UKRI] 14:05:01 For Pcr. The browsers talk to our CA portal.
[John Kewley - STFC UKRI] 14:05:05 The back end of the so it was a Pcr. Is a CA server.
[John Kewley - STFC UKRI] 14:05:09 We have a database, and then and that's all inside our RAL network, and then we have what we call mostly offline.
[John Kewley - STFC UKRI] 14:05:19 This is our offline CA signing machine with HSM.
[John Kewley - STFC UKRI] 14:05:23 And it comes out because we we did do a change a few years ago, because of Covid, where we didn't have people on site traditionally would go downstairs, unlock the cage from the machine itself bring themselves onto the network to download what they have to sign leave the network
[John Kewley - STFC UKRI] 14:05:40 sign back onto the network to upload it, come off the network again.
[John Kewley - STFC UKRI] 14:05:45 we now do something similar, but it's actually it's pushed from the signing machine.
[John Kewley - STFC UKRI] 14:05:55 So the signing machine itself comes on at certain times of day, which the CA operators know about, and they can then log into it to do signing and then log off while while it's up.
[John Kewley - STFC UKRI] 14:06:05 So we say, it's mostly offline. How big is it?
[John Kewley - STFC UKRI] 14:06:11 Well, we used to have over 3,000 certificates being requested every year, and we had a list of fun, and game is trying to get these stats today, and the I have no, realized until I produced these that actually although it gradually went we got fewer and fewer
[John Kewley - STFC UKRI] 14:06:34 certificates, generally from 2010 to 2016 in 2017, 18, 19.
[John Kewley - STFC UKRI] 14:06:39 We actually went back up again, and I suspect that is, with the at least for host certificates.
[John Kewley - STFC UKRI] 14:06:44 I think that is probably for our more use of Clad or S. CD.
[John Kewley - STFC UKRI] 14:06:48 Cloud systems. But that was at least check on that.
[John Kewley - STFC UKRI] 14:06:53 And as you'll see there, the the generally the the, There's a general downward trend in numbers but there are still a fair number of host certificates which are the dark blue, ones, and orange ones which are the personal certificates that you know it's not like we're
[John Kewley - STFC UKRI] 14:07:07 we're winding down at the moment with it's still an active and thriving the community.
[John Kewley - STFC UKRI] 14:07:12 We have a quick look at the hierarchy, because this is key with what we're doing.
[John Kewley - STFC UKRI] 14:07:21 We started off with a SHA-1 hierarchy for this.
[John Kewley - STFC UKRI] 14:07:26 What's the word incarnation of our of our CA. We have previous ones Before that we had a root certificate, and we had.
[John Kewley - STFC UKRI] 14:07:37 One I'll call 2 hyphen one there that was our original one, and then expired in 2,016.
[John Kewley - STFC UKRI] 14:07:41 We signed 2 new certificates. The idea was that one was going to be for offline, use and one was going to be online.
[John Kewley - STFC UKRI] 14:07:48 New super to develop for online use didn't really fully come about.
[John Kewley - STFC UKRI] 14:07:54 And then there was all the worries about SHA-1 and we shouldn't really have SHA-1s in our intermediates, or end entity certificates.
[John Kewley - STFC UKRI] 14:08:02 So we created a new version of 2B, same keys, different serial, same DN: So it's just a straightforward replacement and in fact, cannot coexist You know i've standard group us like hierarchy, with the the hash because
[John Kewley - STFC UKRI] 14:08:26 it's got the same hash. Oh, no, they would sign new certificates quite happily.
[John Kewley - STFC UKRI] 14:08:32 the key thing here is that this this talk is that if I present my Jkb.
[John Kewley - STFC UKRI] 14:08:42 2 certificates and that, and maybe with the 2B 2 is alongside it, Then anyone that trusts the root
[John Kewley - STFC UKRI] 14:08:48 We'll trust those. If if I don't doing my 2 V.
[John Kewley - STFC UKRI] 14:08:53 2 with me, but the far end does still support the 2.
[John Kewley - STFC UKRI] 14:08:57 V. One, and that will also be quite happy to accept mine.
[John Kewley - STFC UKRI] 14:09:00 The trust goes that way as well. Not just for the 2B.
[John Kewley - STFC UKRI] 14:09:03 2, because the key to the same, it's the authentication can happy with either kind of chain
[John Kewley - STFC UKRI] 14:09:14 So
[John Kewley - STFC UKRI] 14:09:18 Also. We were talking about this on Tuesday. I believe they that maybe we could reissue our root with also signed by SHA-2.
[John Kewley - STFC UKRI] 14:09:26 hopefully we all realize that this is the root itself, being self signed is by, if SHA-1 is not not an issue, even though some people think it is and if that was the case, because we would again, be changing the serial but maintaining the DN and the keys it would also be quite.
[John Kewley - STFC UKRI] 14:09:46 Happy to authenticate the 2 B 2, and therefore the Jkp.
2 certificate through that chain, as well
[John Kewley - STFC UKRI] 14:09:56 Hopefully This is all kind of fairly fairly standard to everybody. That's what they understood.
[IT_600-R-002] 14:10:01 yeah.
[IT_600-R-002] 14:10:02 Yeah.
[John Kewley - STFC UKRI] 14:10:02 So
[John Kewley - STFC UKRI] 14:10:10 Our previous 2. B is still. What we say is in the wild It's it's been released, and you can't kind of unleash it from the Internet.
[John Kewley - STFC UKRI] 14:10:17 There's plenty of SHA-1 signed.
[John Kewley - STFC UKRI] 14:10:19 There's also a couple of other SHA-1 signed subordinates which I didn't mention there, as well as the 2, a one.
[John Kewley - STFC UKRI] 14:10:25 We never reissued the 2 a one. So if people want to get the 2 a one and can manage to do funny stuff with that with the SHA-1 in, it.
[John Kewley - STFC UKRI] 14:10:35 Then there might be a possibility of a of a problem.
[John Kewley - STFC UKRI] 14:10:39 We'll come into that in a moment. And I did notice in preparing for this talk, that 2 a is still mentioned explicitly in the the root signing policy And also.
[John Kewley - STFC UKRI] 14:10:49 It's a namespace file as well, but maybe shouldn't be
[John Kewley - STFC UKRI] 14:10:55 2B one, and 2B 2 the same CRL, so we can't monitor down.
[John Kewley - STFC UKRI] 14:11:00 One idea was, Well, let's see which which ones are being used.
[John Kewley - STFC UKRI] 14:11:04 Other people, still using 2B one. Build one out there. The SHA-1 signed one.
[John Kewley - STFC UKRI] 14:11:07 They're still using it? Because if so, there's this potentially that risk.
[John Kewley - STFC UKRI] 14:11:09 But no, because they share the same keys and the same DNs.
[John Kewley - STFC UKRI] 14:11:15 Then we have the same hash, and they have the same files, and they they also refer to the same physical CRL as well.
[John Kewley - STFC UKRI] 14:11:22 So that doesn't help us
[John Kewley - STFC UKRI] 14:11:27 So I'm asserting that there is a problem or a potential problem It's a minor problem, and it it goes like this, because anything that trusts our root trusts anything It's signed transitively assuming the old, intermediates on some even available with one end or the other of the
[John Kewley - STFC UKRI] 14:11:49 transaction to join the dots. Then, because of that, then the old SHA-1 signed subordinate CAs, which were signed by the roots, are still implicitly trusted.
[John Kewley - STFC UKRI] 14:12:01 if they magically appeared somewhere. People so trust trust them
[John Kewley - STFC UKRI] 14:12:10 So, if SHA-1 is broken enough to allow malicious certificates that look like they're signed by that one of these old certificates, they'll still, therefore be trusted.
[John Kewley - STFC UKRI] 14:12:20 now whether you can do that by breaking various aspects of SHA.
[John Kewley - STFC UKRI] 14:12:28 Want to reproduce and get clashes, and that sort of thing.
[John Kewley - STFC UKRI] 14:12:31 I'm not expert enough to know, but I'm prepared to believe there is still a possibility that, depending how SHA-1 is broken.
[John Kewley - STFC UKRI] 14:12:40 That's somebody can still do something with these.
[John Kewley - STFC UKRI] 14:12:47 Now there are mitigations to these 2 statements. So I what I'm saying here is hospital.
[John Kewley - STFC UKRI] 14:12:53 Just starting to use a new SHA-2. Intermediate.
[John Kewley - STFC UKRI] 14:12:56 CA doesn't mean we take away all the issues that's having old SHA-1.
[John Kewley - STFC UKRI] 14:13:01 One signed subordinates out there. They are used as part of a of a transaction.
[John Kewley - STFC UKRI] 14:13:04 Then they could be used to to cause issues
[John Kewley - STFC UKRI] 14:13:11 So the mitigation, first of all, in a browser world support for SHA-1 has been removed almost everywhere.
[John Kewley - STFC UKRI] 14:13:18 so that's previous. That just wouldn't work as long as, of course you're using a modern browser.
[John Kewley - STFC UKRI] 14:13:25 You update your browser and your trusted keystore has also been updated, so that as we we were alluding to her in the week, if this trying to update the key store isn't always easy and sometimes, if something already, exists with certainly for the same serial, number you
[John Kewley - STFC UKRI] 14:13:43 can't overwrite it. I'm not certain if all browsers will allow you to update if the DN and the keys are the same.
[John Kewley - STFC UKRI] 14:13:51 But the just to see those different. I would hope they would grid world most big systems would be namespaces and signing policy files, so that gives us some protection from somebody crafting their own SHA-1 signed intermediate CA and that looks like it's, been signed
[John Kewley - STFC UKRI] 14:14:13 by our root, but also many sites don't just SHA-1, but there are other worlds out there.
[John Kewley - STFC UKRI] 14:14:22 This there are
[John Kewley - STFC UKRI] 14:14:26 I have seen other. I think it's Java based stuff where it wasn't to being namespace and signing policy files, but it wasn't using the bravest.
[John Kewley - STFC UKRI] 14:14:34 Job the browser namespaces, the Javascript.
[John Kewley - STFC UKRI] 14:14:38 Sorry, browser, trusted key stores, and of course, misconfigured, poorly updated.
[John Kewley - STFC UKRI] 14:14:45 6 systems could be to still be vulnerable, and all bets could be off.
[John Kewley - STFC UKRI] 14:14:49 Hello! Any sort of embarrassment, and would be more at the end of those systems rather than at the end of the CA.
[John Kewley - STFC UKRI] 14:15:01 So that's a lot of ifs. So, I would just being a bit paranoid like that, Marvin.
[John Kewley - STFC UKRI] 14:15:09 Here is the galaxy
[John Kewley - STFC UKRI] 14:15:18 So what's the the impact of changing?
If if we do decide, well, okay, maybe it's worth changing.
[John Kewley - STFC UKRI] 14:15:24 Okay, good opportunity to modernize. We can look at different crypto.
[John Kewley - STFC UKRI] 14:15:30 we'll have a look at that in In the subsequent slide.
[John Kewley - STFC UKRI] 14:15:33 it'll take a few months to this, whatever this new high hierarchy is to So I I use the word percolate to percolate around the grid It Not everybody updates every month quite so quickly as they should we have to have the new things in place before
[John Kewley - STFC UKRI] 14:15:50 we could even consider Starting to sign with them, we'd need to tweak different bits of our software, hoping one certificates in for another one is not a major issue, but sometimes for some period might have to support more than one you might have to support the old signing CA and
[John Kewley - STFC UKRI] 14:16:13 the new, signing CA at the same time that might need some tweaks and we've got to reissue all our various bits of software for ones that are available externally, and we have to get it might take a while for that.
[John Kewley - STFC UKRI] 14:16:23 But to around the people, to use the newer versions of the software, well that's done.
[John Kewley - STFC UKRI] 14:16:29 We can start signing new and renewal requests for the new CA.
[John Kewley - STFC UKRI] 14:16:32 I'm generating new CRL. I'll come back to this 1 30 months or so after later, after we've stopped signing with the old stuff, the also sort of expired so when that happens we can then start to dismantle the old stuff, remove it, from the
[John Kewley - STFC UKRI] 14:16:51 IGTF side will final. See How else there's a bit to come back to zoom service in our main community is could be paid.
[John Kewley - STFC UKRI] 14:17:02 UK for Rca.
And the majority of them use bombs for for their various videos, and some of the von services in use include the issuer DN, as well as the subject DN as part of the user's identity, So if you if you have a if you change, the DN of
[John Kewley - STFC UKRI] 14:17:23 your CA which we would have to do if we were issuing a new CA with new keys and potentially new crypto, a new hierarchy.
[John Kewley - STFC UKRI] 14:17:33 then that would change, and that would change that they would have to re-register with this new identity.
[John Kewley - STFC UKRI] 14:17:44 this various ways this can happen. One is each person for every deal that remember, off they can go on registered with the new identity, and join them up to the previous one or the server admins can do a global update to the database to allow anyone who I uses the
[IT_600-R-002] 14:18:04 So okay.
[John Kewley - STFC UKRI] 14:18:09 UK signs to be cool. Somebody will. Will also be the same person.
[John Kewley - STFC UKRI] 14:18:15 As if it's with this other DN. Or we could persuade them to so turn off the which the the main UK ones have done is turn off the the issuer DN as fast, as dancing is just your DN, is your identity for the UK ones
[John Kewley - STFC UKRI] 14:18:34 So, looking at the opportunity to modernize, then the question, as well, We've had these now since 2,016.
[John Kewley - STFC UKRI] 14:18:42 they're that plan to expire in 2027.
[John Kewley - STFC UKRI] 14:18:46 I believe our roots, and our CA. Should we use logic Case is, we are using 2048 for everything at the moment, from root to end entity.
[John Kewley - STFC UKRI] 14:18:59 Is it too soon to move to? I've read some stuff that suggests that elliptic curve is that we should probably avoid a mixed hierarchy?
[John Kewley - STFC UKRI] 14:19:10 So, if there's going to be a a requirement for elliptic, for certificate, for certain applications, then you might need a curve.
[John Kewley - STFC UKRI] 14:19:23 They might have to have elliptic curves all the way rather than mixing it up.
[John Kewley - STFC UKRI] 14:19:29 I would hope that such issues are ironed out over time.
[John Kewley - STFC UKRI] 14:19:33 But we never know that might be too soon. It's certainly to move to a mixed approach. Well, maybe.
[John Kewley - STFC UKRI] 14:19:40 We should wait a bit longer? Maybe SHA-256, maybe SHA.
[John Kewley - STFC UKRI] 14:19:43 2 is already might be having issues soon. Maybe, we should be thinking about, SHA-3, and then again, what else is around the corner?
[John Kewley - STFC UKRI] 14:19:54 none of these, th the stuff we're using at the moment our crypto we're using is is quantum safe.
[John Kewley - STFC UKRI] 14:19:59 So we need to. I think the
[John Kewley - STFC UKRI] 14:20:06 Yeah, So certainly the the RSA stuff is not so. We should.
[John Kewley - STFC UKRI] 14:20:10 We consider that and I've got a couple of links there.
[John Kewley - STFC UKRI] 14:20:13 I did have a look at these, and not necessarily that modern ones, but I believe that it's we're still way early in the curve for moving towards quantum stuff that we don't need to be doing that so.
[John Kewley - STFC UKRI] 14:20:27 In other words, we've we're also being as well as being paranoid about what what risks we have with our current hierarchy.
[John Kewley - STFC UKRI] 14:20:36 We're also paranoid, but annoyed about moving too quickly, or I'm being too bleeding edge, which is what we used to referred to as Icl
[IT_600-R-002] 14:20:49 Yeah.
[John Kewley - STFC UKRI] 14:20:50 Just speaking of different different crypto. I I did some quick stats on the Icf.
[John Kewley - STFC UKRI] 14:20:58 107. This is kind of what originated this, this idea of this talk to just to have a little look at what crypto other CAs use, obviously David will know all these off by heart.
[John Kewley - STFC UKRI] 14:21:12 But for the rest of you there are 88 accredited certificates in 1 1 7.
[John Kewley - STFC UKRI] 14:21:17 Now that footnote these, according to the analysis I've done start, they might, I might have misunderstood something on the way, but I believe that 5 of them are to curve to a size 2, 5, 6, 3, 3, 4, 84, RSA, and as you see there's still one
[IT_600-R-002] 14:21:27 Sure.
[John Kewley - STFC UKRI] 14:21:37 is one or 2, 4, and they go up to 2 by 2 by 8192.
[John Kewley - STFC UKRI] 14:21:43 which is definitely quite large, so we'll come to some.
[IT_600-R-002] 14:21:43 Okay.
[John Kewley - STFC UKRI] 14:21:48 I haven't yet decided. If we move which one we're going for.
[John Kewley - STFC UKRI] 14:21:51 But I will be to 8192, Okay, Just a quick look at these, whether they're self signed or not, I mean, you've got self signed, which are either root or they're. Self.
[John Kewley - STFC UKRI] 14:22:07 Signed and also signed. And then there's also subordinate certificates
[John Kewley - STFC UKRI] 14:22:18 And there's also 26 that are signed with SHA-1, which we had a slide from David yesterday.
[John Kewley - STFC UKRI] 14:22:26 I'll come to in a minute. But 2 of those are subordinates, and they sign and and then to the certificates.
[John Kewley - STFC UKRI] 14:22:33 So they're not self-signed. They are, and they signed.
[IT_600-R-002] 14:22:38 So
[John Kewley - STFC UKRI] 14:22:38 He says there's also 2 unaccredited and one experimental as well in in the current release.
[John Kewley - STFC UKRI] 14:22:45 And then looking at the 2, We've got SHA-256, 384, and 512.
[John Kewley - STFC UKRI] 14:22:50 So there's a good mix of those as well. So my my gut feeling looking at these is that if we're looking to increase from our current 2048, then 3072, 4096 would be safe.
[John Kewley - STFC UKRI] 14:23:03 might not necessarily be desirable in terms of performance.
[John Kewley - STFC UKRI] 14:23:07 But it's certainly there'll be safe. There must be widespread support if that amount of stuff is using it.
[John Kewley - STFC UKRI] 14:23:13 And likewise, if we wanted to go above 256, there is prior art for other. Bigger ones.
[John Kewley - STFC UKRI] 14:23:18 If we want to lively. 256 is still acceptable.
[John Kewley - STFC UKRI] 14:23:23 So this is David's slide for the other day. These 2 on the left are signed by the 2, on the right, the roots on the right and the to the left are not.
[John Kewley - STFC UKRI] 14:23:33 Root They're not self-signed on the SHA.
[John Kewley - STFC UKRI] 14:23:34 One, and I believe this side Ecs. So they have their signing policy files say that they can sign these things, whether they do or not.
[John Kewley - STFC UKRI] 14:23:45 It's a different question. So I'm raising this as A as a flag that that could be an issue here, which is, would not be solved just by reissuing of roots because these 2, aren't roots did you check on that statements were correct or
[IT_600-R-002] 14:24:04 yeah, those who are actually old. I figure this research can actually withdraw them because they put in a new hierarchy.
[IT_600-R-002] 14:24:04 yeah.
[IT_600-R-002] 14:24:10 Now
[John Kewley - STFC UKRI] 14:24:11 Okay, cool. That's good. So, therefore, they're just lying around for the checking bill.
[John Kewley - STFC UKRI] 14:24:15 Things. Could. Okay, So the question is to key or not to re key to Ricky or not to be key, which sounds like something Can Shakespeare's classic topicology to be or not to be well soon as we paranoid?
[John Kewley - STFC UKRI] 14:24:36 I I like this this expression here. It's a if you're paranoid long enough, sooner or later, you're going to be right, was quite nice.
[John Kewley - STFC UKRI] 14:24:44 I'm no idea who this guy is. So this is our question.
[John Kewley - STFC UKRI] 14:24:50 So we've currently have the the following kind of options.
[John Kewley - STFC UKRI] 14:24:55 we can consider that the risk is negligible. [John Kewley - STFC UKRI] 14:24:58 We just being far too paranoid about what might happen with all these ifs. [John Kewley - STFC UKRI] 14:25:03 So we got all the problems for now. Maybe we can see the next year we'll hear after. [John Kewley - STFC UKRI] 14:25:07 But before 2027, we're gonna have to do something, because that's when they expire. [John Kewley - STFC UKRI] 14:25:16 So the next option is, we could also avoid some of the logistical issues which, including the the the browsers or other software, refusing to even to accept shell on signed roots to be imported so we could do I call some housekeeping. [John Kewley - STFC UKRI] 14:25:34 We could re-sign the group. Shell one we can potentially accept that lifetime while we're at it. [IT_600-R-002] 14:25:37 Oh, so probably 4. Yeah. [John Kewley - STFC UKRI] 14:25:40 Sorry Let's resign the chart to instead 2, 5, 6 instead. [John Kewley - STFC UKRI] 14:25:48 we can revoke, if, in fact, wanna make it really really secure and pointless thing to show off 5, one [John Kewley - STFC UKRI] 14:25:57 5, 1, 2 instead we can revoke the previous show. [John Kewley - STFC UKRI] 14:26:00 Once subordinate certificate. So I did ask that on Monday doesn't seem to do anything, but it just sounds like possibly should assume you can still check signatures of old emails from a revoked certificate. [John Kewley - STFC UKRI] 14:26:18 Maybe you can't. And then we probably, I think we probably want to tell you if our namespace and signing policy files and move the 2 a mentioned from that, because it's it's not in use and it's time to show one we never issued it with [John Kewley - STFC UKRI] 14:26:35 extended time as well, and then third is, we could reissue a whole new hierarchy. [John Kewley - STFC UKRI] 14:26:39 So it's evolution, not revolution. So we, to make sure it's all sharp shot 2, 5, 6, or above signed the whole hierarchy. 
[John Kewley - STFC UKRI] 14:26:50 we can consider something bigger than I would say 2, or 4, 8, or even similar elliptic keys elliptic curve keys, and maybe some of them, organization and other aspects cause this is the time to change change. [IT_600-R-002] 14:26:55 Okay. [John Kewley - STFC UKRI] 14:27:03 The dns and and everything. So the end entity. Now the key. [John Kewley - STFC UKRI] 14:27:09 Thing is the end. Entity subject ends must remain the same, because it's going to be too much faster. [John Kewley - STFC UKRI] 14:27:14 if if if they ended up changing as well, and also their issue at the end, will change. [John Kewley - STFC UKRI] 14:27:24 So we need to be careful with that with the Vms. [John Kewley - STFC UKRI] 14:27:28 and then, after percolation period, we can stop to sign the new one. [John Kewley - STFC UKRI] 14:27:34 And evolve some line of software updates. We said before or option 4, is, we can try to plan properly for an off online. [John Kewley - STFC UKRI] 14:27:43 Ca: Maybe in conjunction with a separate offline. [John Kewley - STFC UKRI] 14:27:47 Ca: we'd certainly have to continue our offline for a certain period until everything run out on it. [John Kewley - STFC UKRI] 14:27:54 but whether then we'd have to be able to the online Ca and offline. [John Kewley - STFC UKRI] 14:27:59 Ca: would they need different hierarchies if we had both together? [John Kewley - STFC UKRI] 14:28:02 Would they need Could you renew an offline one with a new online one with the online, one need a different subject. [John Kewley - STFC UKRI] 14:28:11 Dn. For the identity certificates to show where it came from. [John Kewley - STFC UKRI] 14:28:16 that's all. Up in the air. It would be an opportunity to go to it for the sort of acme interface, so that a lot of other tools out there would work more seamlessly with our stuff rather than to use support. [John Kewley - STFC UKRI] 14:28:30 Our own. 
So was it, but we still need to support the back end for that, and it would need to coexist for some time with our existing stuff. [John Kewley - STFC UKRI] 14:28:39 So that would be a lot of extra hassles with us. [John Kewley - STFC UKRI] 14:28:43 And is that really worth it? 1 h? Numbers of host certificates are going down. [John Kewley - STFC UKRI] 14:28:53 some of them are being replaced by Tcs. [John Kewley - STFC UKRI] 14:28:57 Certificates, but not the gritty ones Our personal certificates are probably going down, and some of them may be approached. [John Kewley - STFC UKRI] 14:29:03 Maybe be using token based stuff in the future. So there's probably not worthwhile going that way. [IT_600-R-002] 14:29:07 So [John Kewley - STFC UKRI] 14:29:10 Tha those the options we're looking at [IT_600-R-002] 14:29:11 Yeah. [John Kewley - STFC UKRI] 14:29:14 so sort of final comments. I used to have this notion that well, people say, well, it's fairly secure, and I think well, it's even secure. It isn't you don't You can't. [John Kewley - STFC UKRI] 14:29:23 Sort of add on a bit security, you know. But then I softened up my approach. And I won't. Actually, Maybe it's what we want something like secure It's a certain level of assurance, but thinking about the very slides for this talk I think it may be some should be more like levels of [John Kewley - STFC UKRI] 14:29:43 Paranoia What how paranoid are you As to what you do? [IT_600-R-002] 14:29:44 Sure. [John Kewley - STFC UKRI] 14:29:52 so the final thoughts is went to move on. [John Kewley - STFC UKRI] 14:29:54 Such a thing should be when we are forced or proactively. [John Kewley - STFC UKRI] 14:29:58 And can you be too proactive? For instance, jumping now to do lowers with it, to curve the new stuff here, and then finding out in a year's time that everything needs to be constant safe. Then we would far, too quick. [John Kewley - STFC UKRI] 14:30:09 You know Likewise, if we wait away and wait until we're forced to move. 
[John Kewley - STFC UKRI] 14:30:14 Oh, how long! We can't wait! We've now We now have to get rid of everything and move in a hurry, and it's already a bit too late because of the if made to show one being cracked so so drastically or so. [John Kewley - STFC UKRI] 14:30:32 But our role in in security, and in certainly running Cas is to be paranoid. [John Kewley - STFC UKRI] 14:30:39 so so but how paranoid is too paranoid, So this is the more the sort of philosophical aspects of what he had tried to put into his his cell boxes. [John Kewley - STFC UKRI] 14:30:48 It's how paranoid should really be. We can't be parloaded about standing still. [John Kewley - STFC UKRI] 14:30:54 I avoided putting a picture of status quo at this this stage, but also paranoid about moving too quickly. [John Kewley - STFC UKRI] 14:31:08 So that's it for today. [John Kewley - STFC UKRI] 14:31:15 Scoop back. [IT_600-R-002] 14:31:17 Okay. So thanks a lot. Are there any immediate questions to the presentation I have a couple of comments, but good. [David Crooks - STFC UKRI] 14:31:29 I've just sorry I was just I was just going to note thinking about also the the discussions that we were having yesterday. [IT_600-R-002] 14:31:30 That also remote people yeah. [David Crooks - STFC UKRI] 14:31:39 About, splitting of, you know, transport and on authentication. [David Crooks - STFC UKRI] 14:31:46 I wonder I wonder if you know thinking about the you know, reducing number of host certificates whether there's a for example, We've seen a lot of appetite for things like Acme So is the reduction in whole certificates, because people want. [David Crooks - STFC UKRI] 14:32:03 To be able to use different technology. So therefore, that's why the reducing, not because the band is listed. [David Crooks - STFC UKRI] 14:32:12 so I just I I I tossed that into into the discussion. [David Crooks - STFC UKRI] 14:32:18 but yeah, and I think I I guess I guess it's worth noting. 
[David Crooks - STFC UKRI] 14:32:23 how paranoid is too paranoid. Sounds like, you know, someone needs to do some risk assessments, cause that's because that tells you the answer. [John Kewley - STFC UKRI] 14:32:30 I don't know [John Kewley - STFC UKRI] 14:32:36 Some risks are easy to quantify than others [IT_600-R-002] 14:32:38 Okay. [David Crooks - STFC UKRI] 14:32:38 Oh, sure I don't disagree with [John Kewley - STFC UKRI] 14:32:41 Yeah, I mean, certainly the splitting off would almost certainly reduce the the numbers of our that. [John Kewley - STFC UKRI] 14:32:50 That's another of the external factors that would come into your decision making process for this, and I think it would. [John Kewley - STFC UKRI] 14:32:56 It blows option 4 out the window of tried to do anything right. [John Kewley - STFC UKRI] 14:33:00 Radical. [John Kewley - STFC UKRI] 14:33:03 So [David Crooks - STFC UKRI] 14:33:06 I I think it's more and maybe this is an internal and well, so we should certainly have an internal Sdc discussion about running the the site. [David Crooks - STFC UKRI] 14:33:15 Ca: for your We need to make sure that we are thinking about the development of the Ca: alongside the other operational changes [IT_600-R-002] 14:33:30 You've thought about it a lot, John. Do you have a preference? [IT_600-R-002] 14:33:34 1, 2, 3 or not 4 user. [John Kewley - STFC UKRI] 14:33:38 yeah, yeah, we are certificates call to be as well, which is nice. [John Kewley - STFC UKRI] 14:33:45 Nice feel to. Well, we've done the decision so far for the last 2 years has been to delay. [John Kewley - STFC UKRI] 14:33:57 We didn't think that they this, the sha one, was the we couldn't put into black and white and absolute risk that if show one was broken, that something could could go yeah, somebody could. [John Kewley - STFC UKRI] 14:34:13 Do a nasty, but I know that people far great, with far greater mathematical and computer science, knowledge of security than me, has have thought. 
[John Kewley - STFC UKRI] 14:34:25 Something was secure. When there was holes in it, so the risk is always there. [John Kewley - STFC UKRI] 14:34:31 but each you know, that passes the more of these. [John Kewley - STFC UKRI] 14:34:37 The mitigations are there, so that that I mean, if everything in the world's stop, it, there's 2 levels of trust. [John Kewley - STFC UKRI] 14:34:45 This is trusting the algorithms, the mechanisms, and this trusting the the inherit trust in in a certificate regard as it works algorithms are in use. [John Kewley - STFC UKRI] 14:34:55 So those technologies in in in use, so our 2 a one can be trusted by certificates inherently, but it's [John Kewley - STFC UKRI] 14:35:08 It's crypto, isn't in the vast majority of places, so that will be good enough if nothing trusts the crypto in it. [John Kewley - STFC UKRI] 14:35:16 It doesn't matter how trustworthy it is. [John Kewley - STFC UKRI] 14:35:18 So the more time goes on, then, the less reason to be worried in that respect [IT_600-R-002] 14:35:24 Yeah. [IT_600-R-002] 14:35:26 Oh! [IT_600-R-002] 14:35:30 So now coming back to the show. One thing I thought, what you're seeing now is that really the software on the relying party and starts refusing Sharon And that's actually the only effective mitigation, because even refoking travel intermediates I think makes no real inherent sense, because [John Kewley - STFC UKRI] 14:35:42 Yep. [IT_600-R-002] 14:35:52 if shall, one is broken by collision. Somebody else could reachenerate another intermediate It's like slightly different serials. Reformation is based on the serial number generate their honor intermediate put into collision block. [John Kewley - STFC UKRI] 14:35:58 Okay. [John Kewley - STFC UKRI] 14:36:03 Yup [IT_600-R-002] 14:36:07 And still have a fellers, but now, completely out of your control. [IT_600-R-002] 14:36:11 Sha one intermediate. So that's not going to help, which also, I think that's revoking. 
The old shalom intermediates makes no technical sense [John Kewley - STFC UKRI] 14:36:14 It's not good to help you [IT_600-R-002] 14:36:26 having to show one route, should also have been fine. [IT_600-R-002] 14:36:30 Apart from the fact that it'd be Red hat and fine folks kind of want to simplify their software stack and have guards as well. [IT_600-R-002] 14:36:41 So I was Henry [John Kewley - STFC UKRI] 14:36:43 Well, I think I said a couple of years ago that I wondered if browsers at some point would stop trusting. [John Kewley - STFC UKRI] 14:36:50 Show one signed self signed Roots, and the statement coming back then was, Oh, no, no! [IT_600-R-002] 14:36:56 Sure. [John Kewley - STFC UKRI] 14:36:56 This that's that's it doesn't matter what it signed with, you know. [John Kewley - STFC UKRI] 14:37:00 But now they're refusing to accept them to be in searching them in. [John Kewley - STFC UKRI] 14:37:04 So, if these things do happen, even if we aren't, if they don't make sense [IT_600-R-002] 14:37:05 No, yeah, although the same thing as sort of built in ones, they still trust them [John Kewley - STFC UKRI] 14:37:12 Well, that's different. They trust them because they trust them [John Kewley - STFC UKRI] 14:37:18 Okay, it. They trust it. Yeah, Yeah, they they are. It's the 5 [IT_600-R-002] 14:37:18 Yeah, I I still think it's broken, softly signed. [IT_600-R-002] 14:37:20 But yeah, but for the practical thing, just reissuing the current road with Chateau. It's the same. [IT_600-R-002] 14:37:30 Keeper, and new serial should be perfectly fine. Got? Yeah. [John Kewley - STFC UKRI] 14:37:33 Yeah, it. It will sort that it's mitigates that that thing perfectly exactly. [John Kewley - STFC UKRI] 14:37:36 But while we're hmm [IT_600-R-002] 14:37:37 Because the other things are a bit more challenging elliptic curve. [IT_600-R-002] 14:37:43 Yes, it's out there. I'm not sure it has actually been tested wildly. [IT_600-R-002] 14:37:47 Oh, widely. Maybe. 
Finally we put them in for Tcs. [IT_600-R-002] 14:37:53 G. 4, because it was kind of felt like the right way to do. [IT_600-R-002] 14:37:57 But we have never promoted its use to the enthusiasm or sessions touched. [IT_600-R-002] 14:38:03 There. You can try it. It may work, or it may not. [IT_600-R-002] 14:38:11 the same holds a bit for Shah free. I'm not sure if we can actually support Sha 3 at a moment. [John Kewley - STFC UKRI] 14:38:17 No! That the to wait a bit. And yeah. Yeah. They would. [IT_600-R-002] 14:38:18 That's for trust. Break. [John Kewley - STFC UKRI] 14:38:22 Somebody would ask the question, Why not? The shell fees coming along? [John Kewley - STFC UKRI] 14:38:25 Why not wait till last and see? So yeah. [IT_600-R-002] 14:38:26 Yeah. But the reason for not waiting is because Shabbat is currently causing operation issues. [John Kewley - STFC UKRI] 14:38:32 Yeah. [IT_600-R-002] 14:38:34 A/C. Should be slightly better in terms of being having more shorter key length. [IT_600-R-002] 14:38:45 Better for embedded devices, beating Java. [IT_600-R-002] 14:38:48 Complete chain of elliptic curve. Mixing the hierarchies doesn't make sense. [IT_600-R-002] 14:38:51 People. I'm embedded on mobile devices and post call to Crypto. [IT_600-R-002] 14:39:02 I've seen that it was recently one of the main contenders in the NIST suite of Boston post quantum crypto algorithms was perfectly quantum. [John Kewley - STFC UKRI] 14:39:08 Hmm. [IT_600-R-002] 14:39:13 Resistant, but it could be broken on the classical computer within an hour. [IT_600-R-002] 14:39:20 So Okay, thank you so much for that algorithm. So a column computer was really hard for a computer. [John Kewley - STFC UKRI] 14:39:25 Oops. [IT_600-R-002] 14:39:29 But a standard CPU could do it in about an hour or so, so I would wait for that space to settle down a bit. [John Kewley - STFC UKRI] 14:39:39 Exactly. [IT_600-R-002] 14:39:43 so I would actually go for option 2. 
Oh, do the minimal amount of work now, and they'll see how it bans out [John Kewley - STFC UKRI] 14:39:52 Yeah, I think we need to get rid of the [John Kewley - STFC UKRI] 14:39:58 I mean, I think we can. Probably we should probably tie the up. [John Kewley - STFC UKRI] 14:40:03 Our the signing policy namespace files. [IT_600-R-002] 14:40:06 Yeah. [John Kewley - STFC UKRI] 14:40:09 the one question I did have that I did send an email as well. [John Kewley - STFC UKRI] 14:40:12 The the did you set ones had namespace files for non routes? [John Kewley - STFC UKRI] 14:40:20 Is that standard [IT_600-R-002] 14:40:23 you can do both [John Kewley - STFC UKRI] 14:40:24 Okay. [IT_600-R-002] 14:40:27 So that namespaces for the first intermediate trush. Thank you. [IT_600-R-002] 14:40:31 You'll find that has an experience as far as the one you should use, and if it doesn't have one, you escalator [John Kewley - STFC UKRI] 14:40:35 Great, How are you going? Which direction going from from end density upwards? [IT_600-R-002] 14:40:40 Yeah. [John Kewley - STFC UKRI] 14:40:41 Okay. [IT_600-R-002] 14:40:44 The audio that you could put in. Okay overrides locally. [John Kewley - STFC UKRI] 14:40:51 Okay, cool. [IT_600-R-002] 14:40:55 So there is actually, I think, some semantics for it. [IT_600-R-002] 14:40:57 the other, thing may be unrelated. Uk: is now using Tcs: Yeah no. [John Kewley - STFC UKRI] 14:41:05 I we we have, We have frugal jail Tcs. [John Kewley - STFC UKRI] 14:41:10 I believe just what the just issued ones. I think, may come through. [IT_600-R-002] 14:41:15 No God. If you have that. The yes, they they do. Yeah, Yeah. But done. But they're still charging us for the years. [John Kewley - STFC UKRI] 14:41:16 That is that good. Good. Anyone confirmed that David [David Crooks - STFC UKRI] 14:41:19 yes, I believe that's the case. [John Kewley - STFC UKRI] 14:41:23 Yes. 
[IT_600-R-002] 14:41:24 Okay, I It's charging [John Kewley - STFC UKRI] 14:41:28 I mean, I'm in the process of getting a code signing one from them through through Jessica which will be free set to go for our coat. [IT_600-R-002] 14:41:36 Bye, no so they don't give you access to the third manager. [John Kewley - STFC UKRI] 14:41:38 So it was it, for instance. [IT_600-R-002] 14:41:45 Interface from Saxigo. Ross. You should have that. [John Kewley - STFC UKRI] 14:41:49 Alright. Yes, some people have access to that [David Crooks - STFC UKRI] 14:41:50 so so [IT_600-R-002] 14:41:51 I don't know. They may give it to somebody at the site. Right? [John Kewley - STFC UKRI] 14:41:55 Yes, yeah, I can call [IT_600-R-002] 14:41:55 This is yeah. But because at that point there's no charging in force. [John Kewley - STFC UKRI] 14:42:00 No; but it's [David Crooks - STFC UKRI] 14:42:00 So [IT_600-R-002] 14:42:02 Actually, but David's gonna comment, I I I really don't know what's happening with the charging almost. [David Crooks - STFC UKRI] 14:42:07 So well. No, I I [IT_600-R-002] 14:42:07 Do you know David? [David Crooks - STFC UKRI] 14:42:12 This is maybe too soon to be talking about this. But so yes, I believe I believe we are being charged I don't think there's been any change to the pricing that I'm aware of. [David Crooks - STFC UKRI] 14:42:26 But I also note that there are various places in which we are considerably increasing our collaboration with just in a bunch of different ways, So there may be an opportunity for us to revisit pricing, or at least revisit pricing in some areas in the next few months for the uk which [David Crooks - STFC UKRI] 14:42:48 is so? That's not very useful, right in which it's not really concrete. [John Kewley - STFC UKRI] 14:42:49 Yeah. [David Crooks - STFC UKRI] 14:42:52 But I think you know [David Crooks - STFC UKRI] 14:42:57 We? Should I? We should. Yeah, We shouldn't. 
We shouldn't take pricing as a this will never change, because it has always been the case. [IT_600-R-002] 14:42:57 Yeah, so well, too. [David Crooks - STFC UKRI] 14:43:05 I think we should be cushy A few option to arises [John Kewley - STFC UKRI] 14:43:11 Hello! With 1,700 S. To a host certificate to the moment, which would all have to be which somebody down the line would have to pay sex to go for Yeah. [IT_600-R-002] 14:43:12 But [IT_600-R-002] 14:43:25 Well, you don't have to base that to go. [John Kewley - STFC UKRI] 14:43:27 somebody [John Kewley - STFC UKRI] 14:43:30 Nope Oh, right up. [IT_600-R-002] 14:43:32 Sexygo has already been paid, and so just call probably pay a yearly fee of which could be just €20,000 or so for unlimited service throughout the entire human, so that that's the underlying pricing for just if they don't make a 2 million [IT_600-R-002] 14:43:56 quid profit per year by selling certificates to dare members. [IT_600-R-002] 14:44:01 That's just a great model for just to bring in money. [IT_600-R-002] 14:44:06 and that's what they've historically done. [IT_600-R-002] 14:44:09 The pricing from Jay is fixed, and that's flat fee. [IT_600-R-002] 14:44:14 Annual based on your share membership level. Inspired by the genealogy [IT_600-R-002] 14:44:23 if you want to play chess a bit, you could say, Okay, you keep charging models for the regular certificates, but you do a one time unlimited flat feature for the the science certificates so for any science and and to your free science through educate [David Crooks - STFC UKRI] 14:44:48 yeah, because you [IT_600-R-002] 14:44:51 And you just never tell them that the E sign certificates are perfectly good Bki certificates. 
[IT_600-R-002] 14:45:01 So then you use those also on all your other public websites, because they are absolutely the same, apart from the domain component prefix and a couple of policy armies So you trick js into giving you unlimited flat fee the science certificates and you pay it with all the money your currently [IT_600-R-002] 14:45:26 spending on web surfacers [David Crooks - STFC UKRI] 14:45:30 Yeah, because and the scheme of things 20 K. Per year is not a lot of money. [IT_600-R-002] 14:45:36 No, and that's for the entire Uk [David Crooks - STFC UKRI] 14:45:39 sure. Yeah, yeah, absolutely so. But I think. But you know, this is A: this is A. [David Crooks - STFC UKRI] 14:45:44 So then this is not a technical discussion. This is a political and financial discussion. [David Crooks - STFC UKRI] 14:45:50 but I think we are in a environment where there could be some persuasion in her around this, because I think this is such an important area. [David Crooks - STFC UKRI] 14:46:06 And again we told you about this before, but you know there's a very high priority for the stuff in the Uk. [David Crooks - STFC UKRI] 14:46:10 And if it depending on how we frame the argument, like, for example, hey? [David Crooks - STFC UKRI] 14:46:18 Just by charging for all of these certificates. [David Crooks - STFC UKRI] 14:46:21 what you are doing is critically undermining our progress in improving our and protection and defense of our environment. [David Crooks - STFC UKRI] 14:46:34 If you push that in the right place there will be movement. [David Crooks - STFC UKRI] 14:46:40 So I think this is something that we should think carefully about approaching disk again, about so I will have a think [IT_600-R-002] 14:46:47 But but but I like. David's approach to saying, we want it for the east side It's not for the standard. [IT_600-R-002] 14:46:53 Yeah, is that that doesn't stop them making their 2 million [David Crooks - STFC UKRI] 14:46:54 Yeah, no, no, no. 
And I think I yeah, no exact. [John Kewley - STFC UKRI] 14:46:54 Yeah. [John Kewley - STFC UKRI] 14:46:57 But I would also temper a bit of what's the David said, though, was that it's not We wouldn't be tricking disk. [John Kewley - STFC UKRI] 14:47:06 We will be telling just we want it for the East Side certificates, and then, if people then use those E-signed certificates as web certificates that's something different [David Crooks - STFC UKRI] 14:47:17 And I think, and I think honestly, I think we can do this without we can be open and transparent. [David Crooks - STFC UKRI] 14:47:21 I think [John Kewley - STFC UKRI] 14:47:21 Immediately [John Kewley - STFC UKRI] 14:47:24 No one. [IT_600-R-002] 14:47:24 I tried it in the past, but, as you say, things have changed. [IT_600-R-002] 14:47:27 You've got a better relationship done [David Crooks - STFC UKRI] 14:47:30 Think well, things are changed. There's new people involved potentially although I don't know has that has changed over time. [David Crooks - STFC UKRI] 14:47:38 But yeah. I think there are opportunities that we should think about. [IT_600-R-002] 14:47:43 Yeah, somebody old pricing. I think the Uk is indeed talk to your share on membership category. [IT_600-R-002] 14:47:51 Yeah. Than it was. It's about 35,000 for the Uk. Per year in euros. Unlimited flashy, all organizations [John Kewley - STFC UKRI] 14:48:01 But [John Kewley - STFC UKRI] 14:48:05 But that's paid, regardless of how many we we any signs? [John Kewley - STFC UKRI] 14:48:09 Yes, so it's already paid. [IT_600-R-002] 14:48:10 Yeah, it's personal esion, Suvab: Sorry Co: Shining. [IT_600-R-002] 14:48:21 The only thing where you pay extraized document signing, because, Sectico will send you an a detailed by you Ups express mail that costs about $100 actuallyating, but that. [John Kewley - STFC UKRI] 14:48:31 No. 
[IT_600-R-002] 14:48:38 One you can also order yourself on the sectic on website Okay, give you an Id serve charges to organize a every organization that joins the Cs. [IT_600-R-002] 14:48:48 125 year olds per month for unlimited issuers [IT_600-R-002] 14:48:59 So somebody in Jessica's making an awful amount of money office for the Uk. [John Kewley - STFC UKRI] 14:49:07 Yeah, disc is not [IT_600-R-002] 14:49:07 That's that [David Crooks - STFC UKRI] 14:49:08 oh, we! Oh, we we No, no, it's just no, no, no, no, no, no, no, no! [IT_600-R-002] 14:49:10 Sorry. [IT_600-R-002] 14:49:15 Anyway, there's no point you can do to discuss it. [David Crooks - STFC UKRI] 14:49:15 It's yeah, yeah, but [IT_600-R-002] 14:49:17 This is a Yup political, financial. [John Kewley - STFC UKRI] 14:49:20 But Yeah, I think the key point there is that there is there are several external factors which may reduce the number of our host certificates having to be generated through the our interfaces in the future, and therefore, large-scale redevelopment of our software, at the moment is in [John Kewley - STFC UKRI] 14:49:38 my opinion, not really terrible. [IT_600-R-002] 14:49:43 Yeah, So that points to option. Number 2: [John Kewley - STFC UKRI] 14:49:45 Hmm. [IT_600-R-002] 14:49:50 One does. She managed to build a comfortable computer that can break to a time [John Kewley - STFC UKRI] 14:49:54 Yeah, Well, even 3 option 3 wouldn't help with that one [IT_600-R-002] 14:49:57 Okay. [John Kewley - STFC UKRI] 14:50:00 I mean the th. The 2 should be done, hey? Regardless, the question is whether we want to move to 3 or not. [IT_600-R-002] 14:50:10 Yeah, but I would encourage Number 2 as soon as possible. [John Kewley - STFC UKRI] 14:50:14 And if so, when [John Kewley - STFC UKRI] 14:50:14 Yeah. [IT_600-R-002] 14:50:17 We got to show, too, root. Yeah. [John Kewley - STFC UKRI] 14:50:24 and would you still stick it? Shot 2, 5, 6 for the root, So would you do something more, Eric? See? 
[John Kewley - STFC UKRI] 14:50:31 Cause nobody's ever gonna check it. Okay. [IT_600-R-002] 14:50:36 The computational effort is the same, for you have to 2 computational complexities. [IT_600-R-002] 14:50:40 One is chateau 56, and one is chaff, 5, 12. We go for shaft, 3, 8, 4. [IT_600-R-002] 14:50:48 You first calculate, child, 5, 12, and then job off some bits. [John Kewley - STFC UKRI] 14:50:51 Yeah. [IT_600-R-002] 14:50:51 So the computational complexity for 3, 8, 4, and 5 is the same. [John Kewley - STFC UKRI] 14:50:58 But it also it's also depends how often people are checking the crl for the route. [IT_600-R-002] 14:50:58 Okay. [John Kewley - STFC UKRI] 14:51:04 I suspect, is the only time that there will be. I will offer this. [John Kewley - STFC UKRI] 14:51:08 Ca: That's how often that gets checked [IT_600-R-002] 14:51:13 Yeah. [John Kewley - STFC UKRI] 14:51:14 Computational complexities are relevant to. It's never you. [John Kewley - STFC UKRI] 14:51:17 If he's never invoked [IT_600-R-002] 14:51:18 Yeah, the other thing is given that from our fate 28 bit route. [IT_600-R-002] 14:51:24 That's equivalent to about 160 bits off. [IT_600-R-002] 14:51:33 True data. Chicago, the old chateau 56 also doesn't make sense [John Kewley - STFC UKRI] 14:51:39 Which is 1 1, 2, I think. Yeah. But they Th: The key. [John Kewley - STFC UKRI] 14:51:43 Thing, though, is that they the signature on the route itself, is independent of the secretature algorithm is for signing crls and signing the cas. [IT_600-R-002] 14:51:50 Yeah. [John Kewley - STFC UKRI] 14:51:53 It would still sign the Cas with 2, 5, 6, still signed the C. O. [IT_600-R-002] 14:51:57 Yeah. [John Kewley - STFC UKRI] 14:51:57 2, 2, 5, 6, 5, 1, 2 in the route affects nobody ever, in my opinion, on my understanding [IT_600-R-002] 14:52:02 Yup [IT_600-R-002] 14:52:10 So will sure. 2, 5, 6, okay. [IT_600-R-002] 14:52:20 Are there any more questions? Oh, yeah, forms, please. 
Just tell you phone server operators to do the desktop. [IT_600-R-002] 14:52:28 Ca flag, because therefore, also help everyone outside of the Uk. [IT_600-R-002] 14:52:34 Who has gone through several cycles of Issuingio [IT_600-R-002] 14:52:40 And now you're muted [John Kewley - STFC UKRI] 14:52:45 you tied that to the chat window. This is the option that I, one of the 3 options, I said, which was to encourage them to ignore the issue at the end. And it's establishing Yeah, this was this has to be done for the main Uk: ones that Robert franks [IT_600-R-002] 14:52:54 Done. [John Kewley - STFC UKRI] 14:53:00 runs, but obviously our use. It's run systems ron stuff on bombs. So with bomb service all over the world, and therefore some of the other ones haven't got that option [IT_600-R-002] 14:53:13 Any phone server that has been in contact with, or Tcs or in common, or Cr log on, we'll have this option already turned on. [IT_600-R-002] 14:53:26 Because all of those have gone through several iterations [John Kewley - STFC UKRI] 14:53:27 that's a 6 [John Kewley - STFC UKRI] 14:53:28 That's a significant percentage I would suggest of great people. [IT_600-R-002] 14:53:30 No. [John Kewley - STFC UKRI] 14:53:35 Okay, yeah, cool. [IT_600-R-002] 14:53:41 Good any more questions? No, Then I want to thank you very much for the sobox. [IT_600-R-002] 14:53:51 Off into plus plus Jj: So what is pretty good? It's also now. [IT_600-R-002] 14:53:58 We should probably switch off the transcript extremely concrete [John Kewley - STFC UKRI] 14:54:03 sorry. [IT_600-R-002] 14:54:05 It's extremely concrete in terms of being actionable and operational. [IT_600-R-002] 14:54:10 So given. As we were discussing this morning, that we should be more actionable and operational. [IT_600-R-002] 14:54:16 I think this is good. [IT_600-R-002] 14:54:18 So thanks very much. 
I don't know any other items that our remote participants want to bring up cause of Julie noted all your name, so you will, appear as being, present for our entire meeting. [IT_600-R-002] 14:54:39 Yeah bye for deep respect for Metrosoft, Lydia Young David's mufa and John of setting through this very long meeting, seeing us drink coffee and have cross arms and Japanese delicacies, etc., and i'm trying to eat your microphone [IT_600-R-002] 14:55:04 And before we leave I do really want to find Hannah for organizing this one [IT_600-R-002] 14:55:15 sorry we had so many questions. I can try and zoom in on the cross homes. [IT_600-R-002] 14:55:21 Oh, yeah, perhaps one practical thing next meeting. Yeah, the next meeting should be in the end of January. [IT_600-R-002] 14:55:37 I think [IT_600-R-002] 14:55:37 So around come by the Would people like to host the January meeting, which would be at a either chat week of January, 16 or 23 or 30 censorship I would prefer either the sixteenth, or one declared, because I'm supposed to [IT_600-R-002] 14:56:09 be at the program committee on the twenty-fourth and on the project management. [IT_600-R-002] 14:56:15 Thingy the 30 first. You will also the letter One: Okay, so should be the week of January sixteenth. [IT_600-R-002] 14:56:25 Yeah, if possible, the only if that doesn't collide to anybody else's. [IT_600-R-002] 14:56:30 but for some reason January is popular. [IT_600-R-002] 14:56:37 Yeah, it's certainly a popular kind of indeed, very well, more popular than I thought, But anyway. [IT_600-R-002] 14:56:50 We could give an at its now already October we could move to February 6, 7, 8, 9. [IT_600-R-002] 14:57:01 I might have to rehearsal she on 4, 3, Sorry. [IT_600-R-002] 14:57:06 I'm not sure if I can, I might. I might still end up with doing that. [IT_600-R-002] 14:57:12 Sorry. Yeah, not if we go any later, we will run afoul of, you know, time like meetings or or to shame. [IT_600-R-002] 14:57:21 Symposium. 
Yeah, there won't be a shown.
[IT_600-R-002] 14:57:23 Supposing there won't be a time meeting at least not okay. There will be a symposium, but not not so worthy. And and there won't be a time meeting as far as I understand from Peter It's either.
[IT_600-R-002] 14:57:38 What the T. Said latest, either a second half of 23, but it could.
[IT_600-R-002] 14:57:48 That's easy to be, as in the first quarter of 2024.
[IT_600-R-002] 14:57:54 So that's that's the current status of Peter
[IT_600-R-002] 14:58:02 So the next meeting of it tends to gravitate.
[IT_600-R-002] 14:58:07 Towards January. 1617, 18, Yeah, unless we were talking about film for out.
[IT_600-R-002] 14:58:24 hmm.
[IT_600-R-002] 14:58:25 Yeah, just to reduce trouble. That's good.
[IT_600-R-002] 14:58:29 If that was but that should be around cause we pick a date We can make a day that's being with a bit tall.
[IT_600-R-002] 14:58:37 Between April and the February. Much seems to be busy with Asia, so I mean, I could also see if I could skip that week off the 6, 7, 8.
[IT_600-R-002] 14:58:51 I don't expect to be the whole time on it, but you could be earlier in temporary.
[IT_600-R-002] 14:58:56 Go cool. It would be nice. I say this on Savon, and 8 and a 10 Ferrar on the ninth on Thursday.
[IT_600-R-002] 14:59:04 Yeah, how you don't have to travel over weekend.
[IT_600-R-002] 14:59:11 on Monday. So first, sometimes you have 2 half days where people you know.
[IT_600-R-002] 14:59:16 It's the afternoon we could do, but then we could start on Monday after you have the DNA in the Monday afternoon.
[IT_600-R-002] 14:59:25 Could could we then do? A week later? Is that uncomfortable? 13?
[IT_600-R-002] 14:59:29 Yeah, that would have Yeah, that's the other thing I need to check wait to a school holiday.
[IT_600-R-002] 14:59:43 Start, all sits on the tree. Okay, So the week of the thirteenth is still far
[IT_600-R-002] 14:59:53 twenty-two-three setting. 25. Is Coronavir.
[IT_600-R-002] 14:59:55 that's fine.
That's until Wednesday.
[IT_600-R-002] 14:59:59 15,
[IT_600-R-002] 15:00:04 From 4 are all stay. Fifteenth afternoon to Thursday, sixteenth.
[IT_600-R-002] 15:00:15 Would not work
[IT_600-R-002] 15:00:38 things do you say? Yeah, well, there is not a yeah, It'd be in February.
[IT_600-R-002] 15:00:51 I think it's up to us to do to walk in our something. I'm not sure if there will be an official. T.
[IT_600-R-002] 15:00:56 And I kick of meeting all dancing.
[IT_600-R-002] 15:01:04 Yeah, meetings. I'm not sure if if if will be disastrous.
[IT_600-R-002] 15:01:09 No.
[IT_600-R-002] 15:01:12 Okay, yeah, So
[IT_600-R-002] 15:01:22 So. So you're thinking, E grip penetrates, or Venus so sorry, so we agreed on the Ukraine my ankle meeting on Monday afternoon.
[IT_600-R-002] 15:01:38 That only makes sense. If it's well, especially with coming here for around anybody.
[IT_600-R-002] 15:01:47 yeah. Saves one trip So anchor in Monday afternoon.
[IT_600-R-002] 15:01:51 Be your opinion. On the Tuesday or or we we can move those around.
[IT_600-R-002] 15:02:00 yeah, what we can do from 4 in the afternoon, and
[IT_600-R-002] 15:02:09 yeah.
[IT_600-R-002] 15:02:15 possibly. Yeah, especially if you're from people. Show up when you have a holiday meeting people generally, unless you really stay on nice
[IT_600-R-002] 15:02:28 I mean it would be nice if we do the the differences that the topics we think with that are most relevant to the film for our people.
[IT_600-R-002] 15:02:37 Possibly on the morning before the official can for our meeting.
[IT_600-R-002] 15:02:44 To cut in some cross reference. If people shout early. No, well, we called happily program.
[IT_600-R-002] 15:02:50 Also the ankle meeting to be Finn for our relevant.
[IT_600-R-002] 15:02:55 That that's another option. I mean that I'm happy to to fully blend it.
[IT_600-R-002] 15:03:00 Yeah, and we don't need to decide any of that now.
[IT_600-R-002] 15:03:07 booked Wednesday. And Thursday at least.
[IT_600-R-002] 15:03:11 Okay, If Hannah could make a so we're not hitting any.
[IT_600-R-002] 15:03:18 You're a big holdings. I don't think so. No, no!
[IT_600-R-002] 15:03:23 So, for no, so the the the at least, the the the corner.
[IT_600-R-002] 15:03:28 Also the that's a week that's starting the the eighteenth.
[IT_600-R-002] 15:03:32 So school over there, at least for the southern part of the Netherlands, will also be the eighteenth and smoking.
[IT_600-R-002] 15:03:41 Yeah, So that's the same, I see. Yeah, yeah, that's a week later, and
[IT_600-R-002] 15:03:59 Hmm! Oh, and it be apparently even region North and middle, are supposed to have it one week.
[IT_600-R-002] 15:04:07 Later, even so no longer influenced by it.
[IT_600-R-002] 15:04:15 Yeah. Well, no, that's true. By the way, now, of course you're you're done with that.
[IT_600-R-002] 15:04:20 Oh, you lucky pastors!
[IT_600-R-002] 15:04:25 Okay, how to remote people call kind of happy with their dates.
[IT_600-R-002] 15:04:33 It's now the best time to start quite planning your trip to sure.
[IT_600-R-002] 15:04:39 Now the hostel is probably still available. I will take another hotel this time.
[IT_600-R-002] 15:04:45 yeah, all of them.
[IT_600-R-002] 15:04:50 Good the present rooms. I'm not sure how many people will be so
[IT_600-R-002] 15:05:08 We can try that one
[IT_600-R-002] 15:05:16 Okay.
[IT_600-R-002] 15:05:25 thinking. Just One day we planned 2 days for a month. Who could be? Say 2 days.
[IT_600-R-002] 15:05:31 Wednesday. First day Yeah, then we can decide. You know the time.
[IT_600-R-002] 15:05:35 Have much of. Can we count tidings?
[IT_600-R-002] 15:05:42 It's still looks pretty empty. So so. February 14,
[IT_600-R-002] 15:05:55 17,
[IT_600-R-002] 15:06:02 Oh, you cannot make reservations more than 4 months in our thoughts to us for ye!
[IT_600-R-002] 15:06:11 Oh, for the yeah, So I have to wait another 2 weeks, and then you can go close
[IT_600-R-002] 15:06:51 that helps.
[IT_600-R-002] 15:07:03 okay.
[IT_600-R-002] 15:07:11 Come, Thanks, again, thanks to all the remote participants, I'll try to take photographs of my notes, so you can try and read that into the same kind of machine learning approached at thee online stress transcript is trying to Do on our spoken words
[IT_600-R-002] 15:07:33 So
[IT_600-R-002] 15:07:47 That may be an appropriate representation of some of its qualities.
[IT_600-R-002] 15:07:52 Good.
[IT_600-R-002] 15:07:58 It doesn't even translate.