EUGridPMA Guidelines and Authentication Profiles

• Classic X.509 CAs with secured infrastructure
  Formats available: Adobe PDF; Microsoft Word.

  This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on traditional X.509 PKI CAs. Traditional X.509 Public Key Certification Authorities (traditional PKI CAs) issue long-term credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

• Accreditation Guidelines
  Formats available: Adobe PDF; Microsoft Word.

  The PMA will accredit Authorities based on the positive outcome of an initial review respect to all relevant guideline documents, and a successful registration process.

• High Level CA Profile (draft)
  Formats available: MS Word.

  This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on higher-level CA certificates that are exclusively used to sign subordinate (end-entity issuing) CAs.

• One Statement Certificate Policies
  The one statement certificate policies define specific policies that are references in issued end-entity certificates.

• Protection of private key data for end-users in local and remote systems
  This document describes guidelines on the generation and storage of end-user private key material, using secure hardware tokens and appropriate computer systems. It applies to all systems that store key material on which certificates issued by IGTF accredited authorities are based, and may be used as guidance for any system that holds private key material.

• Approved Robots
  This document describes guidelines on the generation and storage of private key material, naming, and permissible key usage of automated clients (robots) that can hold credentials issued by IGTF Accredited Authorities. It defines requirements and recommendations for issuing authorities and applicants, and indicates the permissible 1SCP policies to assert in the Certificate Policies extension of the robot certificate.

Profiles from the other PMAs

• Short-lived Certificate Services Profile
  Formats available: MS Word
  Managed by: TAGPMA
  Original source: all versions.
  Status: approved by all PMAs

  This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on a Short Lived Credential Service (SLCS) X.509 PKI CAs. SLCS X.509 Public Key Certification Authorities (SLCS PKI CAs) issue short-term credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

• Member Integrated Credential Services
  Formats available: PDF
  Managed by: TAGPMA
  Source: all versions
  Status: approved by IGTF (all PMAs)

  This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements for a Member Integrated X.509 PKI CAs. MICS X.509 Public Key Certification Authorities (MICS PKI CAs) issue credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These issuing authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

• Experimental CA
  Formats available: MS Word (note: embedded text in larger document).
  Managed by: APGridPMA
  Status: approved by all PMAs

  Profile for experimental CAs. No aggregate distribution for these CAs is provided.