VT Federated Identity Providers Assessment Task 1: Ireland
- Are personal e-Science certificates available through the Terena Certificate Service in your country?
- If yes, contact the NREN/institute/company that provides TCS in your country and check that the information about the available certificate types is up to date on the Terena webpage. If the information in the list is incorrect, what needs to be fixed?
- If no, are there any plans to introduce the service (including timelines, obstacles identified, etc.)?
Yes, TCS is provided via the NREN operator (CESNET). The information on the Terena webpages is up to date. The only inaccuracy is the "Czech Republic (CESNET)" link, which points to the manual for TCS server certificates instead of the general TCS service page at CESNET.
- In order to obtain a personal e-Science certificate from TCS, a user has to be affiliated with an institute that is part of the national identity federation and that has established an appropriate Subscriber Agreement. Please collect information about the institutes from which your NGI expects users (e.g. universities, research institutes) and indicate whether:
- are those institutes members of your country's identity federation,
- have those institutions signed the Subscriber Agreement with the NREN, i.e. whether they allow TCS personal e-Science certificates to be issued to their members.
The majority of Czech universities participate in the nation-wide SAML identity federation. A lot of grid users come from the Academy of Sciences of the Czech Republic, which hasn't joined the federation yet. Some piloting in this regard has been started, but no particular deadlines are known at the moment.
The Academy of Sciences has signed the Subscriber Agreement.
- What is the process to get a personal e-Science certificate from TCS in your country?
The process is mediated via a web portal, which is provided by CESNET and connected to the TCS. Users authenticate in the usual way, i.e. they select their home organization from a list of institutes that have joined TCS. After authenticating with their home institute, users select the type of certificate to request (ordinary or e-Science) and are guided through the whole process. The key pair is generated in the browser, or users can choose to generate it by other means. The portal requires users to re-authenticate before the certificate is actually issued. The resulting certificate is automatically stored in the browser and bound to the private key.
- What are the rules for an institution in your country to join the identity federation and TCS?
- Is there any special fee that an institution pays for joining TCS and/or the identity federation?
The eduID.cz federation is open to any research institution that has access to the Czech NREN. In order to join the TCS service, the organization must fill in a set of forms (essentially the TCS Subscriber Agreement) and make sure it complies with the requirements of the CPS (especially that it sufficiently covers the user's life cycle, etc.). After the forms are processed, CESNET enables access for the institution.
There is no fee for joining eduID.cz nor for TCS.
- Does your NGI or NREN provide any service similar to the TCS? Please choose zero or more from the following and provide a brief description:
There is no such service.
- Any comments you have on TCS utilization in your NGI
The TCS is not well advertised in our country. TCS solves just a part of the credentials management problems, since people are still required to handle the files with keys/certificates, which causes problems.