Joining the EUGridPMA

The first question to ask yourself is: why join the EUGridPMA in the first place? If you are running a Certification Authority for your own institute, or for an internal grid project, you probably should not be interested in joining at this time. The EUGridPMA exists to establish cross-institutional and international trust relations for Grid identity providers, and it poses serious minimum requirements and accreditation procedures.

But, if you are not deterred by this, please read on to get started with your certification authority and embark on the path towards accreditation.

Why join

Many Grid projects in Europe and elsewhere (including all EU eInfrastructure projects: EGEE, DEISA, SEE-GRID, and the US OSG) and also many related and national projects (e.g. the LHC Computing Grid) accept some or all of the authentication profiles and the accreditation by the IGTF and EUGridPMA as sufficient to trust an identity provider.
For example, a certificate provider (CA) whose certificates are to be accepted by EGEE and OSG should first become a member of the EUGridPMA (or of the APGridPMA or TAGPMA if you are based in the Asia Pacific region or the Americas, respectively).

Approval and Accreditation

The PMA will accredit Authorities based on the positive outcome of an initial review with respect to all relevant guideline documents, and a successful registration process. At the start of the acceptance process, the prospective member asks the PMA Chair (using the address chair@pmaname.org, where pmaname is in this case eugridpma) to be added to the CA mailing list dg-eur-ca@services.cnrs.fr. The prospective member then sends the CP/CPS document around to the other members for comments. The chair will then ask at least two PMA members to review that CP/CPS in detail. If the first version has obvious inconsistencies, the chair may defer appointing the referees until the appropriate changes have been implemented. After sufficient iteration a CP/CPS is considered ready for presentation at the next PMA meeting.

At that meeting, it should be presented in person to the PMA, and the most critical points of the CP/CPS must be detailed: the authentication and vetting procedure, the physical security measures, record persistency, operational procedures and the like. Based on the implemented recommendations of the assigned reviewers and the discussion in the meeting, the prospective member may either be approved immediately by the PMA, or approval may be deferred until the recommended changes are implemented. In the latter case, the final CP/CPS must be sent to the full mailing list and a two-week voting period must ensue.

Technical means

As far as the technical side of running a CA is concerned, there is no single solution. PMA members use everything from simple scripts wrapping OpenSSL to HSM solutions built on Open Source tools, as well as many different commercial solutions, from e.g. Entrust or RSA. The appropriate solution will be found by looking at what your requirements are, e.g. scale, geographical user distribution and security. But bear in mind that technical security controls are only one part of the requirements; the identity vetting process and the operational procedures are likely to incur the highest cost.

The main link is the EUGridPMA at http://www.eugridpma.org. From there you can find all information about the member CAs, and much more information can be found on their various websites and other links off this page. The members of this group are quite willing to respond to serious questions.

Also, you must consider and comply with the Grid Certificate Profile as published by the OGF CAOPS-WG.

Literature

On the literature side there are quite a few books, but we have found "Planning for PKI" by Housley and Polk (Wiley, 2001) good background reading. There's also an O'Reilly book, "Network Security with OpenSSL".

The OpenCA project is at http://www.openca.org/, and various versions of it have been used, for example, for the UK e-Science CA and for GridIreland.

The Netscape CMS documentation is at http://developer.netscape.com/docs/manuals/cms/41/dep_gide/contents.htm; the group has used this documentation to understand certificate extensions (although there is currently no experience in using Netscape CMS in the group).

More technical, but still readable once you have got the basics, is "The X.509 Style Guide" at http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt. Peter Gutmann's homepage is also worth a browse if you have time: http://www.cs.auckland.ac.nz/~pgut001/

If you are able to understand German, the Deutsches Forschungsnetz (DFN) has written an excellent guide to OpenSSL and the operation of a Certification Authority in DFN-Bericht Nr. 89 at http://www.dfn-cert.de/dfn/berichte/db089/.

There is extensive work going on in the GGF CAOPS Working Group: http://caops.es.net/.

Here's one with loads of links to confuse us ;-) : the IETF PKIX working group charter at http://www.ietf.org/html.charters/pkix-charter.html

And the PGP pages have some nice, very basic introductions to the technologies: http://www.pgpi.org/

One thing not much discussed is the legal issues relating to the import, export or use of encryption technologies. In many European countries this is no longer an issue, but in your country you may need to be more aware of it. This may influence your choice of software.

Thanks to Ian Neilson for providing most of this overview.
Comments to David Groep. This site is hosted at Nikhef, subject to the privacy policy.