Difference between revisions of "2019-bidding/online-ca"

From EGIWiki
Jump to: navigation, search
m (Cosmetics)
(Replaced content with "{{Template:Deprecated}}")
 
(28 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Template:Op menubar}}{{Core_services_menubar}} {{TOC_right}}
+
{{Template:Deprecated}}
'''Go back to the [https://wiki.egi.eu/wiki/EGI_Core_activities:Bidding#Phase_IV_January_2021_-_June_2023|EGI Core Activities Bidding page].'''
 
 
 
'''(to add requirements on software licenses and FitSM Training & certification)'''
 
 
 
= Service name: Online CA (RCauth) =
 
 
 
==  Introduction ==
 
 
 
The Online CA is a Token Translation Service (TTS) generating X.509 certificates upon user request and making long-lived X.509 proxies available through a delegation service.
 
 
 
The Online CA is a critical component to enable access to the EGI infrastructure by a wider range of users. This activity must be operated in tight collaboration with the EGI Check-in Activity.
 
 
 
== Technical description ==
 
 
 
The components that are part of this core activity are:
 
* '''Delegation component''': provides the actual token translation between SAML and X.509.
 
** Highly sensitive component that requires a secure hardware setup including adequate physical security.
 
** Based on the CIlogon product, and the integration work done in AARC
 
* '''Certificates signing component''': is the certificate-generation component
 
** Certificate creations must be protected by hardware security modules
 
* The delegation component and certificate signing component must be run in accordance with the [https://documents.egi.eu/document/2752 IGTF Guidelines for Online CAs2] and be capable of at least operations under model (A).
 
 
 
Policy requirements:
 
* The Online CA must be certified as an IOTA CA in IGTF
 
* The delegation service must be REFEDS [https://refeds.org/research-and-scholarship R&S] and [https://refeds.org/sirtfi Sirtfi] compliant
 
* The service should be registered as a Service Provider in a national federation participating to eduGAIN
 
 
 
== Coordination ==
 
 
 
The Online CA activity will have to coordinate with the following stakeholders:
 
* IdPs: register where necessary new IdPs
 
** IIdPs must self-certify that they are fulfilling the [https://refeds.org/sirtfi REFEDS Sirtfi] requirements and must be confirmed by either their registrar federation or explicitly by agreement with RCauth that they fulfil the [https://refeds.org/research-and-scholarship REFEDS R&S] requirements
 
** Online CA operator must collect the paperwork for the self-assessment
 
* SPs: integrate with one or multiple Master portals
 
 
 
In case the OnlineCA contributes to an multi-e-infrastructure OnlineCA service, this may require an additional level of coordination with other entities contributing to the OnlineCA service:
 
* The EGI Online CA activity must accommodate and be able to act in unison with and under the control of any Policy Management Authority that hold the administrative control over the CA service, its Policy, and its relevant accreditations.
 
* The EGI Online CA activity must be able and willing to accommodate technical means to securely communicate with other parties that jointly provide the same Online CA service.
 
* Use of the service component provided by the EGI Online CA activity shall be non-discriminatory and available to all eligible users of the Online CA activity as managed by its Policy Management Authority.
 
 
 
== Operations ==
 
 
 
* Operation of the delegation component and the online CA in high availability and in compliance with the IGTF and EGI security policies.
 
* Creating an Availability and Continuity Plan and implementing countermeasures to mitigate the risks defined in the related risk assessment
 
 
 
== Support ==
 
 
 
Support will be provided through GGUS.
 
 
 
Examples of requested support:
 
* e-infrastructure service providers, e.g. CRL publishing
 
* EGI Security: e.g. credentials revocation
 
* Incident support: to the integrated master portal (end users should not contact directly the OnlineCA, since users' requests for support are directed to the master portal
 
 
 
== Maintenance ==
 
 
 
* Requirements gathering
 
* Documentation
 
 
 
== Service targets ==
 
 
 
Service must be provided with an availability and reliability of 95%.
 
Support level through the helpdesk support unit: Medium.
 
 
 
== Effort ==
 
 
 
Bids planning a effort of 6 Person Months/year would allow these services and activities to be addressed appropriately.
 
 
 
== References ==
 
 
 
More information about the Online CA service are available at [http://rcauth.eu/ RCauth homepage]
 

Latest revision as of 17:56, 20 November 2019

Alert.png This article is Deprecated and should no longer be used, but is still available for reasons of reference.