EUGridPMA Guidelines and Authentication Profiles
- IGTF Levels of Authentication Assurance
 
  Formats available: 
  Adobe PDF;
  Microsoft Word.
  
  Traditionally, assurance levels have been identified on a single scale. On such a single linear scale, relying parties have often considered authorities compliant with ASPEN (technical implementation: SLCS), BIRCH (technical implementation: MICS), or CEDAR (technical implementation: Classic Secured) to be similar in terms of assurance level, and authorities compliant with DOGWOOD (technical implementation: IOTA) to be different. This document separates several aspects of assurance so that relying parties can apply more fine-grained controls. 
   
   
- IGTF PKI Technology Guidelines
 
  The IGTF PKI Technology Guidelines define how X.509 structured credentials are to be issued, managed, distributed, and withdrawn to comply with the IGTF Authentication Profiles. They may be used in conjunction with technology-agnostic identity assurance specifications to define such Authentication Profiles.
  
    
- Classic X.509 CAs with secured infrastructure
 
  Formats available: 
  Adobe PDF;
  Microsoft Word.
  
  This is an Authentication Profile of the International Grid Trust Federation
  describing the minimum requirements on traditional X.509 PKI CAs. Traditional
  X.509 Public Key Certification Authorities (traditional PKI CAs) issue
  long-term credentials to end-entities, who will themselves possess and control
  their key pair and their activation data. These CAs act as an independent
  trusted third party for both subscribers and relying parties within the
  infrastructure. These authorities will use a long-term signing key, which is
  stored in a secure manner as defined in the Profile.
   
    
- Accreditation Guidelines
 
  Formats available: 
  Adobe PDF;
  Microsoft Word.
  
  The PMA will accredit Authorities based on the positive outcome of an initial
  review with respect to all relevant guideline documents, and a successful
  registration process.
   
    
- Identifier-Only Trust Assurance AP
 
  Formats available: MS Word, Adobe PDF.
   
  
  IOTA authorities perform vetting adequate to ensure unique, non-re-assigned 
  identities, and do so using secured and trusted infrastructure.  
  Important notice: 
  IOTA authorities are not required to collect more data than are necessary 
  for fulfilling the uniqueness requirements, and credentials issued by 
  authorities under this profile may not provide sufficient information to 
  independently trace individual subscribers, and should be used in 
  conjunction with complementary identification and vetting processes.
   
   
- Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities
 
  Formats available:
  Adobe PDF; AARC-G071;
  (DOI https://doi.org/10.5281/zenodo.5927799)
  
  This guideline describes the minimum requirements and recommendations
  for the operation of Attribute Authority Services.
   
    
- Protection of private key data for end-users in local and remote systems
 
  This document describes guidelines on the generation and storage of end-user private key material, using secure hardware tokens and appropriate computer systems. It applies to all systems that store key material on which certificates issued by IGTF accredited authorities are based, and may be used as guidance for any system that holds private key material.
  
    
- Approved Robots
 
  This document describes guidelines on the generation and storage of private key material, naming, and permissible key usage of automated clients (robots) that can hold credentials issued by IGTF Accredited Authorities. It defines requirements and recommendations for issuing authorities and applicants, and indicates the permissible 1SCP policies to assert in the Certificate Policies extension of the robot certificate.
  
    
- Operation of Trusted Credential Stores (draft)
 
  This document describes the minimum requirements and recommendations for the operation of a Credential Store (CS) by a trusted CS Operator. 
  
    
- Guidelines for On-line PKI Certification Authorities (draft)
 
  The Guidelines for On-line PKI Certification Authorities apply to those PKI CAs where the certificate issuing machine is directly or indirectly connected to any other computer device. The architecture should protect against the very harmful leaking of private keys, since there is no viable possibility to quickly withdraw a compromised root CA from trust anchor distributions. 
  
    
- High Level CA Profile (draft)
 
  Formats available: 
  PDF.
  
  This is an Authentication Profile of the International Grid Trust Federation
  describing the minimum requirements on higher-level CA certificates that are
  exclusively used to sign subordinate (end-entity issuing) CAs.
    
- One Statement Certificate Policies
 
  The one statement certificate policies define specific policies
  that are referenced in issued end-entity certificates.
  
    
- Vetting Model Guidelines for BIRCH and CEDAR assurance (draft provisional)
 
  The BIRCH and CEDAR assurance profiles state that identity vetting of applicants should be based on a face-to-face meeting and should be confirmed via photo-identification and/or similar valid official documents. 
  This document defines a process by which the PMAs will assess requests by authorities to implement a remote identity vetting process. The PMAs shall, based on these guidelines, assess the sufficiency of the process and, when the proposed process is endorsed, will permit the authority to use the proposed process. 
   
   
 
 
Profiles from the other PMAs
- Short-lived Certificate Services Profile
 
  Formats available: PDF
   
  Managed by: TAGPMA
   
  Original source: all versions.
   
  Status: approved by all PMAs
  
  This is an Authentication Profile of the International Grid Trust Federation
  describing the minimum requirements on Short Lived Credential Service (SLCS)
  X.509 PKI CAs. SLCS X.509 Public Key Certification Authorities (SLCS PKI CAs)
  issue short-term credentials to end-entities, who will themselves possess and
  control their key pair and their activation data. These CAs act as an
  independent trusted third party for both subscribers and relying parties 
  within the infrastructure. These authorities will use a long-term signing 
  key, which is stored in a secure manner as defined in the Profile.
   
    
- Member Integrated Credential Services
 
  Formats available: PDF
   
  Managed by: TAGPMA
   
  Source: version 1.2 (doc),
  (pdf);
  all previous versions
   
  Status: approved by IGTF (all PMAs)
  
  This is an Authentication Profile of the International Grid Trust Federation
  describing the minimum requirements for Member Integrated Credential Service
  (MICS) X.509 PKI CAs. MICS X.509 Public Key Certification Authorities (MICS
  PKI CAs) issue credentials to end-entities, who will themselves possess and
  control their key pair and their activation data. These CAs act as an
  independent trusted third party for both subscribers and relying parties
  within the infrastructure. These issuing authorities will use a long-term
  signing key, which is stored in a secure manner as defined in the Profile.
    
- Domain Control Validation-Only Trust Assurance Certificate Services Profile
 
  Formats available: PDF, docx
   
  Managed by: TAGPMA
   
  Original source: all versions.
   
  Status: approved by all PMAs
  
  This is an Authentication Profile of the IGTF describing the minimum
  requirements on X.509 PKI authorities issuing certificates for systems and
  online services identified by their Internet Domain Name, where the domain
  control vetting is adequate to ensure unique, non-re-assigned certificate
  subjects, and generated by authorities using secured and trusted
  infrastructure. Such authorities are not required to collect more data than are
  necessary for fulfilling the uniqueness requirements, and credentials issued by
  authorities under this profile may not provide sufficient information to
  independently trace individual subscribers and should be used in conjunction
  with complementary identification and vetting processes.
   
    
- Experimental CA
 
  Formats available: 
  MS Word (note: embedded text in larger document).
   
  Managed by: APGridPMA
   
  Status: approved by all PMAs
  
  Profile for experimental CAs. No aggregate distribution for these CAs is 
  provided.
    
 
 
  Comments to David Groep. This site is hosted at Nikhef, subject to the privacy policy.