Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "2016-bidding/Online CA"

From EGIWiki
Jump to navigation Jump to search
Line 29: Line 29:
** Online CA operator must collect the paperwork for the self-assessment
** Online CA operator must collect the paperwork for the self-assessment
* SPs: configure one or multiple Master portals
* SPs: configure one or multiple Master portals
= Service level targets =
Availability 99%
Incident response on GGUS: high


= Effort =
= Effort =

Revision as of 17:28, 17 October 2016

Introduction

The Online CA will generate X.509 certificates upon user request making available through the delegation service long-lived X.509 proxies.

The Online CA is a critical component to enable access to the EGI infrastructure to a wider range of users. The operation of this activity must be executed in tight collaboration with the CheckIn Activity.

Given the importance of the activity the proposals should include information about an availability and continuity plan for the service.

Technical description

The components that are part of this core activity are:

  • Delegation service: this is the service that provides the actual token translation between SAML and X.509.
    • The service is an highly sensitive component that require a secure hardware setup including physical security.
    • Based on the CIlogon product, and the integration work done in AARC
  • Certificates signing component: is the certificate-generation component
    • Certificate creations must be protected by hardware security modules
    • The delegation service must have a private local network physical connection (or equivalent) with the certificates generation component

Policy requirements:

  • The Online CA must be certified as an IOTA CA in IGTF
  • The delegation service must be R&S and Sirtifi compliant
  • The service should be registered as a Service Provider in a national federation participating to eduGAIN

Coordination

The Online CA activity will have to coordinate with the following stakeholders:

  • IdPs: register where necessary new IdPs
    • IdPs must self-certify that they are fulfilling the R&S and Sirtifi requirements
    • Online CA operator must collect the paperwork for the self-assessment
  • SPs: configure one or multiple Master portals

Effort