
Vacations/Holidays have turned this into a very short month...
- Establish US participation with the European Data Grid CA managers
- Work on CP/CPS
- Continue defining software/hardware architecture
CERN European Data Grid CA managers meeting
Mike Helm and I traveled to CERN to describe our PKI efforts to the CA managers of EDG. Details of our trip are in our DOE trip report (PDF). Our PKI architecture was well received. This group provides some real-world experience in deploying PKI for environments similar to ours. Their review and feedback add a real sanity check for our efforts. We will continue to work with EDG to ensure we have an effective PKI peering relationship for Grid scientists and engineers. I also presented our efforts with the Global Grid Forum in defining a single CP for use by all our PKIs. Currently each member of the EDG CA managers produces individual/custom CP/CPSs. This leads to a significant effort to review each country's PKI. Having one common CP from GGF would help simplify reviewing/auditing PKIs. EDG members have promised to be more involved in the GGF effort. We plan to continue participating with EDG and to work on getting each participating PKI reviewed/audited for trust.
Updated CP/CPS, worked on forming PMA
Version 1.0 of our CP/CPS went out for review and we received some very constructive feedback. This was incorporated and version 1.1 was released. The CP/CPS is in a reasonably stable condition. To facilitate the deployment and development of our PKI, I am using the EDG model of combining the CP and CPS in one document. I am going to present this structure to GGF for their review. This simple concept is a big help in deploying PKIs.
To ensure proper review/change control of our CP/CPS we have started setting up a Policy Management Authority. Its final form and areas of responsibility will be worked out over the next few months.
We are adding appendixes to the CP for each approved Registration Authority that exists under the DOESG CA. An RA represents a DOE site or virtual organization (i.e. SciDAC project). Each organization is responsible for defining its unique identity process. This process is written up as an appendix to the DOESG CA's CP. After it has been reviewed and approved by the organization, it is forwarded to the DOESG CA's PMA for final approval and inclusion in the CP. The PMA is currently being run as part of this project, but a formal committee is being formed to take over operations of the PKI.
Doug Olsen has been working with the PPDG organization to define their community identity process. He has written this up as the first appendix to our CP. His contribution is on the project web site as a Word doc: Doug Olsen's RA input for CP/CPS with change bars
- A lot of additional work is needed on PMA...
- Order servers/racks
- Setup RAs