Minutes for EJBCA PMA Workgroup Meeting on June 23, 2009
Attendees:
• Randy Pelt
• Karen Herrington (Absent)
• Ismael Alaoui
• Frank Galligan
• Phil Benchoff
• Randy Marchany (Absent)
• Mary Dunker
• Paul Toffenetti (Absent)

Frank indicated that eProv had completed its review and recommendations for changes to the VTCA CP and CPS documents for the VT Root, Class 1 Server, and Middleware CAs. These updates have been published to the EJBCA Wiki for review and comments by members of the PMA and the PMA Workgroup committee. The document update pages are located at:

VTCA CP Updates

VTCA Root CPS Updates

VTCA Class 1 Server CPS Updates

VTCA Middleware CPS Updates

The following schedule was proposed to finalize the work completed by the PMA Workgroup committee:

June 23 - July 7: PMA review - 2 weeks
July 7 - 14: Resolve any issues
July 14 - 17: Update PDF documents
July 17: Randy Pelt digitally signs the updated CP and CPS documents
July 17: eProv publishes the updated CP and CPS documents to the PKI website

Frank suggested that we give access to the EJBCA Wiki to all PMA members so that they can review and comment on recommended changes to the policy documents. All agreed and Randy will send Frank a list of PMA members to be authorized to access and add comments to the Wiki.

Randy Pelt indicated that we need to hold a meeting with the PMA membership and will schedule it for July 7.

Phil asked if eProv can provide a summary of the major changes and if Randy Pelt can use a listserv for communicating with the PMA membership about the changes. Frank agreed to provide Randy Pelt with a summary of the major changes that have been made to the CP and CPS documents.

Mary indicated that a listserv may already be set up for the PMA and will look into this for Randy Pelt.

Phil pointed out that the requirement for encrypting the CA server backups had been dropped with the implementation of online CAs, which will be using the IT network backup services. Frank confirmed that the CA servers contain no sensitive information needing encryption and that it was the CA private key components that must be securely managed using specialized hardware like the LunaSA HSM.

Phil asked if the final CP and CPS documents that include the approved changes could be emailed along with their checksums when communicating the finalized documents to the PMA membership. Frank indicated the procedure for calculating a checksum for these documents had already been documented and that he will assist Randy Pelt if needed.

Frank recommended that, as the Certification Authority Administrators (CAA) for the VT User, Class 1 Server and Middleware CAs, the eProv staff should assume the primary responsibility for starting up these CA applications and logging into the HSM using the black PED key/PIN (requires physical presence at the console of the servers in the machine room). Because there are currently only two full-time employees in eProv (Frank and Ismael), there is a need to identify individuals who can act as backups in the event eProv staff are not available. Options for designating CAA backups were discussed and everyone concluded that the best solution would be to have someone in IMS act in this role. Ismael said that he had already discussed this scenario with Michael Hosig in IMS, who indicated it should not present a problem. However, someone needs to follow up with Karen Herrington to see if a person in IMS can act in the backup CAA capacity.
Mary Dunker also offered to act as a backup CAA. Everyone agreed that if it could be worked out, someone from IMS and Mary Dunker acting as CAA backups would be a good solution. The VTOC folks would no longer be responsible to act in the CAA role for the User CA.

Frank told the group that the IT Security planning documents for the EJBCA implementation projects had recently been approved by the SO and that there was a meeting scheduled with IMS on June 30 to review EJBCA testing. Another meeting with 4Help staff has been scheduled for July 2 to provide them with an orientation of EJBCA.

Frank informed the group that HSM USB PED keys will be distributed to VTCA HSM admins after eProv completes an upgrade from the LunaSA 2U HSM to the new LunaSA 1U HSM units recently purchased. Hopefully this can be completed shortly after EJBCA goes production, but the timeline is dependent on getting an evaluation license agreement finalized between VT legal counsel and SafeNet.
