Status of the IGTF InCommon CA v2?


Bockelman, Brian

Mar 8, 2023, 2:42:26 PM
to tagpma-...@tagpma.org, Lin, Brian, dav...@nikhef.nl
Hi all,

Some friends received an email, below, from the InCommon CA team noting that a new InCommon CA arrived ... today!

I don't recall the new CA being added to the IGTF bundle (and I don't see it in the latest release notes) so is it safe to assume that things are "in preparation" behind the scenes? What's the new chain look like?

My primary concern is support load -- we'll need to announce broadly to our community to possibly avoid the new option until trust roots can be updated. Is there a timeframe on things?

Thanks,

Brian

"""
Hello Everyone-

We are happy to announce that, beginning tomorrow morning, March 8th, you will be able to issue all types of SSL certificates from the new InCommon intermediate CA. The current regular SSL CA will expire in October of 2024.

To issue a certificate from the new CA, you only need to choose a "V2" certificate type when enrolling a new SSL certificate. The new certificate types all begin with "V2", so "V2 InCommon SSL", "V2 IGTF Server Cert", etc.

The old profiles will be removed on 8/31/23.

Please note: All existing SSL auto-renewals will need manual adjustment so that they do not renew from the profiles that use the old CA.
"""

David Groep

Mar 8, 2023, 2:55:23 PM
to Bockelman, Brian, tagpma-...@tagpma.org, Lin, Brian
Hi Brian, all,

I know nothing about these changes, and there have been no updates to the
back-end sources of the IGTF distribution. No, nothing is planned
for release either.

Now, without new intermediates, even if the root remains the same many
of the clients will not accept it. Same for the corresponding root (no
idea what the root of the new InCommon intermediates is). If it is
an existing one, its RPDNC namespaces files should be updated. If
it is a new root, it must be introduced.

So I would advise AGAINST USING ANY NEW PROFILES or products for
now, until the process has completed. There is still plenty of
time to move (the current InCommon intermediates expire in December 2023)
and no need to rush now.

My EUR0.02!

DavidG.
--
David Groep

** Nikhef, Dutch National Institute for Subatomic Physics, PDP programme **
** Maastricht University, FSE - Department of Advanced Computing Sciences **
** Visiting address: Science Park 110 room D1.09, NL 1098 XG Amsterdam NL **
** PHS1 Room C4.032, Paul-Henri Spaaklaan 1, Maastricht **
** Phone: +31 20 5922179, keybase.io: dlg, Signal: +31646812179 **
** PGP: 0xD80134C2 308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **

Bockelman, Brian

Mar 8, 2023, 3:00:57 PM
to David Groep, tagpma-...@tagpma.org, Lin, Brian


> On Mar 8, 2023, at 1:55 PM, David Groep <dav...@nikhef.nl> wrote:
>
> Hi Brian, all,
>
> I know nothing about these changes, and there have been no updates to the
> back-end sources of the IGTF distribution. No, nothing is planned
> for release either.
>

Ah, too bad. I was hoping I was just being left off the CC.

> Now, without new intermediates, even if the root remains the same many
> of the clients will not accept it. Same for the corresponding root (no
> idea what the root of the new InCommon intermediates is). If it is
> an existing one, its RPDNC namespaces files should be updated. If
> it is a new root, it must be introduced.
>

From the email message, sounds like a new intermediary?

The sticky problem is I suspect with many non-namespace-aware clients, the certs will appear to "just work" meaning there may be some really subtle problems to debug.

> So I would advise AGAINST USING ANY NEW PROFILES or products for
> now, until the process as completed. There is still plenty of
> time to move (the current InCommon intermediates expire in December 2023)
> and no need to rush now.
>

Yes .... the problem is we'll have to communicate clearly to *not* select this in the drop down box. Often the cert generation is handled by university IT support staff with little background, meaning that instructing the service administrators on what to do is insufficient. It's an unpleasant game of telephone where we provide guidance to service sysadmins who send support desk tickets to someone else at the university...

> My EUR0.02!
>

EUR 0.02 is still quite valuable!

Brian
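The namespace-aware check discussed above, as an added Python example that is not part of this thread or of the IGTF distribution: a minimal evaluator for the IGTF RPDNC `.namespaces` format, run against a constructed policy file in which only the old ICA's issuer DN has a rule (both issuer DNs are assumed, as is the evaluation rule: unknown issuer rejected, any matching DENY rejects, otherwise a matching PERMIT is required). A relying party applying it rejects certificates from the new intermediate even though the chain to the shared root validates, while a client that ignores namespaces accepts them, which is the "just work" failure mode.

```python
import re

# Constructed sample in the IGTF ".namespaces" style (not a real distribution
# file). The issuer DNs are assumed for illustration; only the old accredited
# ICA has a rule, mirroring an RP whose trust bundle predates the new ICA.
SAMPLE_NAMESPACES = """\
#NAMESPACES-VERSION: 1.0
# Namespace for "InCommon IGTF Server CA" (constructed example)
TO Issuer "/C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA"
  PERMIT Subject "/C=US/.*"
  DENY   Subject "/C=US/O=Internet2/OU=InCommon/CN=InCommon .* CA.*"
"""

TO_RE = re.compile(r'^TO\s+Issuer\s+"([^"]*)"\s*(.*)$', re.IGNORECASE)
RULE_RE = re.compile(r'^(PERMIT|DENY)\s+Subject\s+"([^"]*)"', re.IGNORECASE)


def parse_namespaces(text):
    """Return {issuer_dn: [(action, compiled_subject_regex), ...]}.

    Handles "TO Issuer" lines with the rule on the same line or on the
    following indented lines; comments and blank lines are skipped.
    """
    policy = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TO_RE.match(line)
        if m:
            current = m.group(1)
            policy.setdefault(current, [])
            line = m.group(2).strip()  # a rule may follow on the same line
            if not line:
                continue
        m = RULE_RE.match(line)
        if not m or current is None:
            raise ValueError("malformed namespaces line: %r" % raw)
        # Subject patterns are regular expressions anchored at both ends.
        policy[current].append((m.group(1).upper(),
                                re.compile(m.group(2) + r"\Z")))
    return policy


def is_permitted(policy, issuer_dn, subject_dn):
    """Assumed evaluation rule: an issuer with no namespace entry is rejected;
    any matching DENY rejects; otherwise at least one PERMIT must match."""
    rules = policy.get(issuer_dn)
    if rules is None:
        return False
    if any(act == "DENY" and rx.match(subject_dn) for act, rx in rules):
        return False
    return any(act == "PERMIT" and rx.match(subject_dn) for act, rx in rules)


if __name__ == "__main__":
    pol = parse_namespaces(SAMPLE_NAMESPACES)
    host = "/C=US/O=Example University/CN=host.example.edu"  # constructed EEC
    for ica in ("InCommon IGTF Server CA", "InCommon RSA IGTF Server CA 2"):
        issuer = "/C=US/O=Internet2/OU=InCommon/CN=" + ica
        print(ica, "->", "permitted" if is_permitted(pol, issuer, host) else "REJECTED")
```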

David Groep

Mar 8, 2023, 3:12:36 PM
to Bockelman, Brian, tagpma-...@tagpma.org, Lin, Brian
Hi Brian,

crt.sh is wonderful: I found back the InCommon CA, and it has
a new root - which is actually a shared one with many other global
ICAs

https://crt.sh/?caid=254837

I can conceivably add it and release it relatively soon - things here
are rather hectic with all EC proposal deadlines by tomorrow :((

I'll have a look. Maybe I can squeeze it into the 1.119 release which
is coming out shortly.

But it would still have been jolly nice if things were communicated
up-front, rather than having overdue rushes!

Will try and fix this

DavidG.

Bockelman, Brian

Mar 8, 2023, 3:20:03 PM
to David Groep, tagpma-...@tagpma.org, Lin, Brian


> On Mar 8, 2023, at 2:12 PM, David Groep <dav...@nikhef.nl> wrote:
>
> Hi Brian,
>
> crt.sh is wonderful: I found back the InCommon CA, and it has
> a new root - which is actually a shared one with many other global
> ICAs
>
> https://crt.sh/?caid=254837
>
> I can conceivably add it and release it relatively soon - things here
> are rather hectic with all EC proposal deadlines by tomorrow :((
>
> I'll have a look. Maybe I can squeeze it into the 1.119 release which
> is coming out shortly.
>

I don't think we need to move quite that quickly... would like to hear from InCommon to make sure we're getting this right.

I suspect we have a week or two before things get ugly in terms of many new certs flying around...

> But it would still have been jolly nice if things were communicated
> up-front, rather than having overdue rushes!
>

Indeed!

Brian

David Groep

Mar 8, 2023, 3:48:48 PM
to Bockelman, Brian, tagpma-...@tagpma.org, Lin, Brian
For the UK Root an update was already planned for Monday (1.119). I've
now added the new InCommon IGTF Server CA 2 to it as well:

https://dl.igtf.net/distribution/tests/PMA-PRIVATE-PREVIEW/releases/1.119/

(with the corresponding EGI release at
https://egi-igtf.ndpf.info/distribution/egi/current/)

Now I just hope I did not break the TCS and DigitalTrust LLC ... who are
also subordinates of the same USERTrust RSA root.
Well, everyone should be using ECC certs anyway :)

DavidG.

Derek Simmel

Mar 8, 2023, 3:56:15 PM
to Brian Bockelman, TAGPMA General, Lin, Brian, David Groep, Jim Basney
This is news to me as well -

Thanks for letting us know - we will coordinate the transition as needed with the InCommon TAGPMA representative (Jim Basney).

- Derek

---
Derek Simmel
Pittsburgh Supercomputing Center
+1 (412) 268-1035



David Groep

Mar 8, 2023, 4:12:28 PM
to Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Hi Derek,

Meanwhile, I did enter it (with all the dependencies and changes) into the
upcoming 1.119 release.
So unless I made a mistake there, Jim does not need to *do* anything.
Esp. since this new ICA is intertwined with both GEANT TCS (EU) and
DigitalTrust LLC (AE) and needed changes throughout the distribution.

https://dl.igtf.net/distribution/tests/PMA-PRIVATE-PREVIEW/releases/1.119/

has the latest I made of it. If it works and does not break things,
we might release this on Monday already (there was a release needed for
the UK anyway).

DavidG.

Derek Simmel

Mar 8, 2023, 4:36:21 PM
to David Groep, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Hi David,

I don't think we should be making additions/changes to the distribution without input and direction from the InCommon member representative (Jim B).

We can discuss it at next week's (March 14) TAGPMA meeting.

I'd like Jim to introduce and explain what this new (replacement?) CA is and any changes applicable to the CP/CPS for the accredited InCommon IGTF Server CA.

- Derek

David Groep

Mar 8, 2023, 5:15:43 PM
to Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Hi Derek, all,

But if there are sites now putting these new certs in production, it
will upset the rest of the ecosystem. And we also don't want too
many releases. The one on Monday was needed and will happen then (because
of the UK), but I can't then do a release a few days after :(

So @Jim: I would much rather have that you announce this and
confirm that what is in there now is what you intended!

DavidG.
8079908720.crt

Derek Simmel

Mar 8, 2023, 6:19:07 PM
to David Groep, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
David,

The new CA certificate has a different PKI hierarchy, and is missing the policy OID of the accredited InCommon IGTF Server CA.

I think the CPS needs to be updated to reflect these changes, and the new CA cert needs to have the accredited CA's (updated) policy OID in it. TAGPMA members should be given the opportunity to review it. This is normally a 2-week period.

- Derek

> On Mar 8, 2023, at 5:15 PM, David Groep <dav...@nikhef.nl> wrote:
>
> WARNING: This e-mail has been altered by MIMEDefang. Following this
> paragraph are indications of the actual changes made. For more
> information about your site's MIMEDefang policy, contact
> PSC support group <postm...@psc.edu>. For more information about MIMEDefang, see:
>
> https://mimedefang.org/enduser/
>
> An attachment named 8079908720.crt was removed from this document as it
> constituted a security hazard. If you require this document, please contact
> the sender and arrange an alternate means of receiving it.

David Groep

Mar 8, 2023, 7:17:17 PM
to Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Hi Derek,

On 2023-03-09 00:18, Derek Simmel wrote:
> David,
>
> The new CA certificate has a different PKI hierarchy, and is missing the policy OID of the accredited InCommon IGTF Server CA.

The CA should not have the policy OID, but the EECs issued by it.
The hierarchy is also not very new, since its root has been in for ages
(as part of TCS and DigitalTrust).
So I would really favour just putting that one out. Our RPs will be
happy for it - and will face trouble without it.

Of course I like it better announced and planned, but breaking infra
is also not nice :)

DavidG.

David Kelsey - STFC UKRI

Mar 8, 2023, 7:31:03 PM
to David Groep, Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
All,

As a relying party, I fully agree that we do not wish to see things break. BUT we also want trust to be preserved. Making changes to the IGTF roots of trust without proper announcement by the CA itself and consideration by the PMA is not following our normal procedures. I would like to hear from the InCommon CA - preferably before we add the new info. I have not studied all the info - but this all sounds very strange and way away from my perception of the usual behaviour of the InCommon CAs.

Regards
Dave

Dr David Kelsey | Particle Physics Department
UKRI, STFC Rutherford Appleton Laboratory, Harwell Campus,  Didcot OX11 0QX United Kingdom
Tel | Office: +44 (0) 1235 445746
Email | david....@stfc.ac.uk       http://www.stfc.ukri.org

Derek Simmel

Mar 8, 2023, 8:13:02 PM
to David Groep, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
David,

No-one likes infrastructure to break, but procedures were not respected here, and I'd like to be fair to all CAs and avoid setting a bad precedent.
The IGTF distribution is the only tangible enforcement vehicle we have to compel compliance.

GFD.225 does say that Policy OIDs in CA certificates are optional, and should be avoided in self-signed CA certificates. Policy OIDs are recommended in EE certificates. The InCommon RSA IGTF Server CA 2 certificate is not self-signed, and is an ICA subordinate to unaccredited CAs in Sectigo's hierarchy.

If this CA is replacing the accredited one, I'd like the new CA certificate to be consistent with the one it's replacing - My preference is that this ICA should have its CPS's OID listed in its CA certificate, as it was before, but that's not why I'd hold this up from distribution.

The hierarchy differs from the stated hierarchy in the CPS - COMODO is no longer there - and the CPS should be updated accordingly - this should be a quick fix, and generally acceptable given the well-known and well-established trustchain.

I'd like to understand what the changes in scope for this new CA are, and whether the CPS covers it. Who are the current relying parties that need this CA in place ASAP?

- Derek

David Groep

Mar 9, 2023, 1:27:24 AM
to Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Oh well ... I can try and undo the fixes again ....

David Groep

Mar 9, 2023, 2:24:27 AM
to Derek Simmel, Brian Bockelman, TAGPMA General, Lin, Brian, Jim Basney
Dear all,

The new InC IGTF Server CA 2 is no longer in the accredited CA list.
The CA itself is now under 'experimental', where it is harmless and
in good company of the CILogon Basic CA for now.
The requisite changes to the HLCA namespaces remain in effect - these
are changes from Sectigo that will not materially affect InCommon or
TAGPMA now. (The Sectigo self-signed roots are TCS/EUGridPMA
introduced and live in that part of the source tree.)

The previews at
https://dl.igtf.net/distribution/tests/PMA-PRIVATE-PREVIEW/releases/1.119/
https://egi-igtf.ndpf.info/distribution/egi/current/
have been updated to reflect this.

DavidG.

Derek Simmel

Apr 21, 2023, 5:57:29 PM
to Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges, Paul Caskey
Hi Brian,

The ball is currently in InCommon's court. I sent them comments and corrections for their CPS, which Paul Caskey (cc'd above) applied, and (per e-mail of April 7, 2023) sent to InCommon legal folks to review.

As soon as we get the updated CPS back to review by TAGPMA, we can review it for acceptance, which I expect can be completed quickly.

- Derek

> On Apr 21, 2023, at 4:28 PM, Brian Lin <bl...@cs.wisc.edu> wrote:
>
> Hi all,
>
> (Adding some interested parties from PATh Production Services)
>
> Have we heard any news from InCommon about the aforementioned changes? I am a little concerned about the mention of old profile removal on 31 Aug 2023 in the original email as well as some of our sites being able to issue IGTF CA v2 signed certificates.
>
> Thanks,
> Brian
> From: Derek Simmel <dsi...@psc.edu>
> Sent: Wednesday, March 8, 2023 7:12 PM
> To: David Groep <dav...@nikhef.nl>
> Cc: Bockelman, Brian <bbock...@morgridge.org>; TAGPMA General <tagpma-...@tagpma.org>; Brian Lin <bl...@cs.wisc.edu>; Jim Basney <jba...@illinois.edu>
> Subject: Re: [tagpma-general] Status of the IGTF InCommon CA v2?
---
Derek Simmel, TAGPMA Chair
dsi...@psc.edu
+1 (412) 268-1035

Brian Lin

Apr 21, 2023, 5:59:16 PM
to Derek Simmel, David Groep, Bockelman, Brian, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Hi all,

(Adding some interested parties from PATh Production Services)

Have we heard any news from InCommon about the aforementioned changes? I am a little concerned about the mention of old profile removal on 31 Aug 2023 in the original email as well as some of our sites being able to issue IGTF CA v2 signed certificates.

Thanks,
Brian
From: Derek Simmel <dsi...@psc.edu>
Sent: Wednesday, March 8, 2023 7:12 PM
To: David Groep <dav...@nikhef.nl>
Cc: Bockelman, Brian <bbock...@morgridge.org>; TAGPMA General <tagpma-...@tagpma.org>; Brian Lin <bl...@cs.wisc.edu>; Jim Basney <jba...@illinois.edu>
Subject: Re: [tagpma-general] Status of the IGTF InCommon CA v2?

Derek Simmel

Apr 28, 2023, 4:16:54 PM
to Paul Caskey, Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Paul,

Thanks for the update - Let us know if we can test any example certificates or other operational bits.

- Derek

> On Apr 28, 2023, at 4:13 PM, Paul Caskey <pca...@internet2.edu> wrote:
>
> Hi Everyone-
>
> I just got off an internal call RE: this CPS. We're down to only a few items to finish and will continue work on it next week.
>
> I expect it will be done soon. At the same time, Sectigo should soon spin up a new IGTF intermediate CA with the correct OID (the current one is generating certificates without our OID).
>
> My apologies for the delay.
>
>
>
> Have a good weekend!
> -Paul
>
>> -----Original Message-----
>> From: Derek Simmel <dsi...@psc.edu>
>> Sent: Friday, April 21, 2023 4:57 PM
>> To: Brian Lin <bl...@cs.wisc.edu>
>> Cc: David Groep <dav...@nikhef.nl>; Brian Bockelman
>> <bbock...@morgridge.org>; TAGPMA General <tagpma-
>> gen...@tagpma.org>; Jim Basney <jba...@illinois.edu>; Matyas Selmeci
>> <mat...@cs.wisc.edu>; John Thiltges <jthi...@unl.edu>; Paul Caskey
>> <pca...@internet2.edu>
>> Subject: Re: [tagpma-general] Status of the IGTF InCommon CA v2?
>>

David Groep

May 18, 2023, 6:19:38 AM
to Derek Simmel, Paul Caskey, Brian Lin, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Dear all,

As we are now preparing the IGTF 1.120 release, due May 30th, is the
InCommon-RSA-IGTF-Server-CA-2 now ready to be tagged as accredited:classic?

Thanks for any updates!
DavidG.

Derek Simmel

May 19, 2023, 12:21:59 PM
to Paul Caskey, Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Hi Paul,

Approval can be done out of band if the CP/CPS is distributed via the tagpma-private mailing list, which I can do - but I need the current edition to send (or send a link to).

- Derek

> On May 19, 2023, at 12:13 PM, Paul Caskey <pca...@internet2.edu> wrote:
>
> Hi Derek-
>
> We think we are mostly done with our review of this new version of the InCommon IGTF CPS.
>
> Does the approval process require a regular meeting of the TAGPMA or can it be done out of band?
>
> I'm asking because we want our Steering Committee (serves as our PA) to also review/approve the CPS after TAGPMA and they next meet on 6/5.
>
>
> Thanks,

Paul Caskey

May 22, 2023, 11:30:55 AM
to Derek Simmel, Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Hi Derek-

We think we are mostly done with our review of this new version of the InCommon IGTF CPS.

Does the approval process require a regular meeting of the TAGPMA or can it be done out of band?

I'm asking because we want our Steering Committee (serves as our PA) to also review/approve the CPS after TAGPMA and they next meet on 6/5.


Thanks,
-Paul


> -----Original Message-----
> From: Derek Simmel <dsi...@psc.edu>
> Sent: Friday, April 28, 2023 3:17 PM
> To: Paul Caskey <pca...@internet2.edu>

Paul Caskey

May 22, 2023, 11:30:58 AM
to Derek Simmel, Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Hi Derek-

I just received a test cert from Sectigo for the new version "3" IGTF SSL CA.

It looks OK to me, but can you take a look and make sure it looks good (see attached)?

The policy OID refers to just the main branch "2" of the CPS and we are working on version 2.0 of the CPS.


Thanks!
-Paul



> -----Original Message-----
> From: Derek Simmel <dsi...@psc.edu>
> Sent: Friday, May 19, 2023 11:22 AM
> To: Paul Caskey <pca...@internet2.edu>
> Cc: Brian Lin <bl...@cs.wisc.edu>; David Groep <dav...@nikhef.nl>; Brian
> Bockelman <bbock...@morgridge.org>; TAGPMA General <tagpma-
> gen...@tagpma.org>; Jim Basney <jba...@illinois.edu>; Matyas Selmeci
> <mat...@cs.wisc.edu>; John Thiltges <jthi...@unl.edu>
> Subject: Re: [tagpma-general] Status of the IGTF InCommon CA v2?
>
InCommonRSAIGTFServerCA3_test.zip

Paul Caskey

May 25, 2023, 4:22:12 PM
to Derek Simmel, Brian Lin, David Groep, Brian Bockelman, TAGPMA General, Jim Basney, Matyas Selmeci, John Thiltges
Hi Everyone-

We've finally finished revisions and approvals on this side for our revised CPS.

It is attached here for review.

Please let me know what else I need to do in order to have it formally considered by the TAGPMA.


Thanks,
-Paul


> -----Original Message-----
> From: Derek Simmel <dsi...@psc.edu>
> Sent: Friday, May 19, 2023 11:22 AM
> To: Paul Caskey <pca...@internet2.edu>
> Cc: Brian Lin <bl...@cs.wisc.edu>; David Groep <dav...@nikhef.nl>; Brian
> Bockelman <bbock...@morgridge.org>; TAGPMA General <tagpma-
> gen...@tagpma.org>; Jim Basney <jba...@illinois.edu>; Matyas Selmeci
> <mat...@cs.wisc.edu>; John Thiltges <jthi...@unl.edu>
> Subject: Re: [tagpma-general] Status of the IGTF InCommon CA v2?
>
incommon_igtf_cps_ssl_latest.docx