Resource Trust Evolution TF

Description

Proposed agenda:

  • Future of Host Certificates
    • Is IGTF Certification still needed?
    • Fermilab issues with host cert provider
      • Can non-IGTF CAs be used for host/service certs if CA goes down?

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Videoconference: WLCG AuthZ Call

  • Zoom Meeting ID: 61554826915
  • Description: Zoom room for WLCG AuthZ Call
  • Host: Tom Dack
  • Alternative hosts: Maarten Litmaath, Hannah Short

Present: Baptiste, Cédric, Christian, Dave K, David C, David G, John DS, John K, Julie, Linda, Maarten (notes), Mario, Max, Mine, Petr, Stefano, Stephan, Tom


Please send corrections.

Maarten first presents the introductory slides attached to the agenda.

Discussion:

Mine asks if we could add a CA that just gives out service certificates.
David C replies that Let's Encrypt (LE) certificates can also be used
as clients. Mine adds that user certificate subjects could be blocked
in mappings and that we do not have to worry about namespace collisions.
David G replies that such controls could be implemented in principle,
but that in practice, WLCG is just one customer at many sites and
maybe not even the biggest.

Mine asks what can be done if the CA problem affecting FNAL is not
going to be fixed in the short term. At the moment all host certificates
need to be acquired manually.
David G answers that in Europe, TCS supports ACME very nicely and
that in the US, InCommon should also be OK in that respect.
Mine answers that it should indeed, but has been broken for FNAL for
a few months now and that FNAL management are worried and asking
for a contingency plan. She adds that InCommon only provides non-IGTF
certificates to most of their customers and that FNAL are using
a special workflow for their IGTF host certificates.

Later in the meeting, John Kewley considers the possibility for
the UK CA to provide certificates to US sites and concludes that
it should not be difficult to implement that as a last resort.
There would need to be a Registration Agent in the US to approve
appropriate requests. A question is then asked about the CERN
Grid CA: could it be adjusted for such purposes?  Maarten expresses
his doubts, but will follow up with CA manager Hannah.
Dave K concludes that emergency CAs would be a good topic 
for discussion at the upcoming EUGridPMA meeting starting Feb 13.

Mario reminds us that even when this kind of certificate issue
has been solved in some way, we still need to discuss what we
can do about cloud provider host certificates.

Stephan argues that it is not sites that have to accept non-IGTF
certificates, but rather the VOs. He describes how third-party
transfers can be executed either in push or in pull mode,
and that for any SE service with a non-IGTF host certificate,
that service could be made to pull the data from the other SE,
such that the latter would not have to accept non-IGTF CAs.
He adds that for CEs it would be the VO's pilot factory that
has to be equipped with support for non-IGTF CAs.
Maarten concludes it would be good to try this out with a site
and report on experiences in a future meeting of our TF.

Dave K reminds us that LE certificates are good for encryption,
but not for authN.  David G adds it need not be extremely
difficult for a determined attacker to obtain a FNAL host cert,
making use of a DNS attack launched along the way.
David C points out that the research sector is an interesting
target for attackers these days and that we therefore have to
be careful in assessing the risks we expose ourselves to.
He reminds us that a few years ago, OSG Security Officer
Susan Sons created a report about acceptable usage of LE on OSG:

https://osg-htc.org/security/OSGISOppLetsEncrypt.pdf

We can discuss it in our next meeting.