Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

2016-bidding/Online CA

From EGIWiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Introduction

The Online CA will generate X.509 certificates upon user request making available through the delegation service long-lived X.509 proxies.

The Online CA is a critical component to enable access to the EGI infrastructure to a wider range of users. The operation of this activity must be executed in tight collaboration with the CheckIn Activity.

Given the importance of the activity the proposals should include information about an availability and continuity plan for the service.

Technical description

The components that are part of this core activity are:

  • Delegation service: this is the service that provides the actual token translation between SAML and X.509.
    • The service is an highly sensitive component that require a secure hardware setup including physical security.
    • Based on the CIlogon product, and the integration work done in AARC
  • Certificates signing component: is the certificate-generation component
    • Certificate creations must be protected by hardware security modules
    • The delegation service and certificate signing component must be run in accordance with the IGTF Guidelines for Online CAs [1] and be capable of at least operations under model (A).

Policy requirements:

  • The Online CA must be certified as an IOTA CA in IGTF
  • The delegation service must be R&S and Sirtifi compliant
  • The service should be registered as a Service Provider in a national federation participating to eduGAIN

Operations

Operations of the delegation service and the online CA in high availability and in compliance with the IGTF and EGI security policies.

Coordination

The Online CA activity will have to coordinate with the following stakeholders:

  • IdPs: register where necessary new IdPs
    • IdPs must self-certify that they are fulfilling the R&S and Sirtifi requirements
    • Online CA operator must collect the paperwork for the self-assessment
  • SPs: integrate with one or multiple Master portals

Ideally the OnlineCA can be a service provided to multiple e-infrastructure and be unique in Europe, but such deployment will require that the Online CA is contributed by multiple e-infrastructures, e.g. other e-infrastructures in Europe may deploy the same service to be used as redundant instances of the same CA.

In case the OnlineCA contributes to an multi-e-infrastructure OnlineCA service, this may require an additional level of coordination with other entities contributing to the OnlineCA service:

  • The EGI Online CA activity must accommodate and be able to act in unison with and under the control of any Policy Management Authority that hold the administrative control over the CA service, its Policy, and its relevant accreditations.
  • the EGI Online CA activity must be able and willing to accommodate technical means to securely communicate with other parties that jointly provide the same Online CA service.
  • use of the services provided by the EGI Online CA activity shall be non-discriminatory and available to all eligible users of the Online CA Service as managed by its Policy Management Authority

Support

Support will be provided through GGUS.

Examples of requested support:

  • e-infrastructure service providers, e.g. CRL publishing
  • EGI Security: e.g. credentials revocation
  • Incident support: to the integrated master portal (end users should not contact directly the OnlineCA, since users' requests for support are directed to the master portal

Maintenance

  • Requirements gathering
  • Documentation

Service targets

Service must be provided with an availability and reliability of 95%. Support level through the helpdesk support unit: Medium

Effort

Bids planning a effort of 6 Person Months/year would allow these services and activities to be addressed appropriately.

References

More information about the Online CA service are available at http://rcauth.eu/