[Go to /]
Structures
Membership
Contact us

IGTF
APGridPMA
TAGPMA
REFEDS
SCI
WISE

Documents
Charter
Guidelines
One Statement Policies

CAOPS-WG
Wiki

Technical Info
CA Distribution download
Subject Locator
Find your local CA
About your certificate

Newsletter issues
Subscribe
Service notices

Tools download and fetch-crl
Technical documentation
IGTF OID Registry
SHA-2 timeline

Meetings
Abingdon, UK, May 29-30, 2024

Overview
Agendas
Intranet and Reviews (closed)

EUGridPMA Guidelines and Authentication Profiles

  • IGTF Levels of Authentication Assurance
    Formats available: Adobe PDF; Microsoft Word.

    Traditionally assurance levels have been identified on a single scale. In terms of a single linear scale, relying parties have often considered authorities compliant with ASPEN (technical implementation: SLCS), BIRCH (technical implementation: MICS), or CEDAR (technical implementation: Classic Secured) to be similar in terms of assurance level, and authorities compliant with DOGWOOD (technical implementation: IOTA) to be different. In this document, several aspects are separated and relying parties may find more fine-grained controls.

  • IGTF PKI Technology Guidelines
    The IGTF PKI Technology Guidelines define how X.509 structured credentials are to be issued, managed, distributed, and withdrawn to comply with the IGTF Authentication Profiles. It may be used in conjunction with technology-agnostic identity assurance specifications to define such Authentication Profiles.

  • Classic X.509 CAs with secured infrastructure
    Formats available: Adobe PDF; Microsoft Word.

    This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on traditional X.509 PKI CAs. Traditional X.509 Public Key Certification Authorities (traditional PKI CAs) issue long-term credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

  • Accreditation Guidelines
    Formats available: Adobe PDF; Microsoft Word.

    The PMA will accredit Authorities based on the positive outcome of an initial review respect to all relevant guideline documents, and a successful registration process.

  • Identifier-Only Trust Assurance AP
    Formats available: MS Word, Adobe PDF.

    IOTA authorities perform vetting adequate to ensure unique, non-re-assigned identities, and so do using secured and trusted infrastructure.
    Important notice: IOTA authorities are not required to collect more data than are necessary for fulfilling the uniqueness requirements, and credentials issued by authorities under this profile may not provide sufficient information to independently trace individual subscribers, and should be used in conjunction with complementary identification and vetting processes.

  • Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities
    Formats available: Adobe PDF; AARC-G071; (DOI https://doi.org/10.5281/zenodo.5927799)

    This guideline describes the minimum requirements and recommendations for the operation of Attribute Authority Services.

  • Protection of private key data for end-users in local and remote systems
    This document describes guidelines on the generation and storage of end-user private key material, using secure hardware tokens and appropriate computer systems. It applies to all systems that store key material on which certificates issued by IGTF accredited authorities are based, and may be used as guidance for any system that holds private key material.

  • Approved Robots
    This document describes guidelines on the generation and storage of private key material, naming, and permissible key usage of automated clients (robots) that can hold credentials issued by IGTF Accredited Authorities. It defines requirements and recommendations for issuing authorities and applicants, and indicates the permissible 1SCP policies to assert in the Certificate Policies extension of the robot certificate.

  • Operation of Trusted Credential Stores (draft)
    This document describes the minimum requirements and recommendations for the operation by a Credential Store (CS) by a trusted CS Operator.

  • Guidelines for On-line PKI Certification Authorities (draft)
    The Guidelines for On-line PKI Certification Authorities apply to those PKI CAs where the certificate issuing machine is directly or indirectly connected to any other computer device. The architecture should protect against the very harmful leaking of private keys, since there is no viable possibility to quickly withdraw a compromised root CA from trust anchor distributions.

  • High Level CA Profile (draft)
    Formats available: PDF.

    This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on higher-level CA certificates that are exclusively used to sign subordinate (end-entity issuing) CAs.

  • One Statement Certificate Policies
    The one statement certificate policies define specific policies that are references in issued end-entity certificates.

  • Vetting Model Guidelines for BIRCH and CEDAR assurance (draft provisional)

    The BIRCH and CEDAR assurance profiles state that identity vetting of applicants should be based on a face-to-face meeting and should be confirmed via photo-identification and/or similar valid official documents.
    This document defines a process by which the PMAs will assess requests by authorities to implement a remote identity vetting process. The PMAs shall - based on these guidelines - asses sufficiency of process and - when the proposed process is endorsed - will permit the authority to use the proposed process.


Profiles from the other PMAs

  • Short-lived Certificate Services Profile
    Formats available: PDF
    Managed by: TAGPMA
    Original source: all versions.
    Status: approved by all PMAs

    This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements on a Short Lived Credential Service (SLCS) X.509 PKI CAs. SLCS X.509 Public Key Certification Authorities (SLCS PKI CAs) issue short-term credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

  • Member Integrated Credential Services
    Formats available: PDF
    Managed by: TAGPMA
    Source: version 1.2 (doc), (pdf); all previous versions
    Status: approved by IGTF (all PMAs)

    This is an Authentication Profile of the International Grid Trust Federation describing the minimum requirements for a Member Integrated X.509 PKI CAs. MICS X.509 Public Key Certification Authorities (MICS PKI CAs) issue credentials to end-entities, who will themselves posses and control their key pair and their activation data. These CAs act as an independent trusted third party for both subscribers and relying parties within the infrastructure. These issuing authorities will use a long-term signing key, which is stored in a secure manner as defined in the Profile.

  • Experimental CA
    Formats available: MS Word (note: embedded text in larger document).
    Managed by: APGridPMA
    Status: approved by all PMAs

    Profile for experimental CAs. No aggregate distribution for these CAs is provided.


Comments to David Groep. This site is hosted at Nikhef, subject to the privacy policy.