Earth System Grid II



ESG is a Virtual Organization authorized to run a Registration Authority of the DOEGrids Certificate service. ESG can issue DOEGrids Identity and Service Certificates to its user community. ESG has appointed the following people to the listed roles.
  1. Gary Strand: Point of Contact of ESG and RA for ESG users at NCAR
  2. Alex Sim: RA for ESG users at LBL/NERSC
  3. RA for ESG users at ORNL: TBD
  4. Gary Strand will officially represent ESG on the DOEGrids PMA.

The following is the ESG Appendix of the DOEGrids CP/CPS; it describes ESG's identity vetting rules for its community. All RAs and Subscribers of DOEGrids must comply with the CP/CPS. It is the responsibility of the RA to enforce these policies.

Appendix H: Earth System Grid II RA operational procedures

H.1 Background

One of the Virtual Organization Registration Authorities (VO RA) operating with some delegated authority of the DOESG CA is the Earth System Grid Registration Authority (ESG RA).  Information defining the Earth System Grid VO is available at  This appendix describes how the responsibilities for a VO RA are implemented for the ESG RA.  The Earth System Grid II (ESG) is a new research project sponsored by the U.S. DOE Office of Science under the auspices of the Scientific Discovery through Advanced Computing program (SciDAC). The primary goal of ESG is to address the formidable challenges associated with enabling analysis of and knowledge development from global Earth System models. Through a combination of Grid technologies and emerging community technology, distributed federations of supercomputers and large-scale data & analysis servers will provide a seamless and powerful environment that enables the next generation of climate research.


It is expected that the ESG RA will have a finite lifetime. It is implemented as an example of a VO RA that can serve the needs of the ESG community until other persistent RAs are developed which serve this community.

H.2 ESG RA staff

H.2.1 Membership

A number of persons are identified as comprising the ESG RA staff.  This list of persons is openly available on the ESG RA web site (e.g.,  Each of these persons has a valid certificate from the DOESG CA.

The initial set of persons to be included in the ESG RA staff are representatives of ESG member organizations. Additional persons may be appointed to the ESG RA staff by the ESG steering committee, subject to approval by the DOESG CA.

H.2.2 Point of Contact (POC) with DOESG CA

All necessary communications between the DOESG CA and the <VO> about policy and practices pertaining to the duties of the RAs as defined in this document are transmitted via the Point of Contact (POC) for the <VO>. The POC shall be a member of the DOESG CA PMA.

H.3 ESG VO Community

The ESG Virtual Organization community is defined as all persons who are members of, or collaborating with, the software development working groups and Climate Experiments participating in ESG.  These working groups and climate experiments are listed at  The privilege of requesting a certificate is subject to the restrictions defined in this document.

H.4 Authentication procedures

H.4.1 Authentication of individual identity

Any member of the ESG RA staff may authenticate a person to satisfy a request from the POC. A person requesting certification must demonstrate reasonable evidence of membership in the ESG VO.

H.4.2 Communications

All communications essential for authenticating individual identities and transmitting this information from ESG RA staff to the DOESG CA are carried out in a secure manner. In this context, secure means that the information cannot be changed by third parties; it does not mean that third parties are prevented from observing the information (integrity is required, confidentiality is not).

The secure communications may be supplemented by insecure communications as long as the essential information is verified by secure means. For example, information about a certification or revocation request may be transmitted by insecure email as long as it is verified by secure means before being transmitted to the DOESG CA.

The acceptable means of secure communication are:

       face-to-face conversation
       telephone conversation between members of ESG RA staff
       telephone conversation between individuals already personally known to each other from face-to-face conversations
       digitally signed email between individuals holding certificates from the DOESG CA


H.4.3 Steps in authentication for certification

H.4.3.1 Person Certificate

1. A person requests a certificate from the DOESG CA community Registration Manager (RM); the request includes the name of an ESG RA staff member who can authenticate the request. (secure means)

2. The DOESG CA notifies ESG RA agents of a certification request. (insecure means)

3. The agent retrieves the notification of the certificate request from the DOESG CA. (secure means)

4. The agent notifies the ESG RA staff member named in the request that a request is pending, including the name, institution and email address of the requester. (insecure means)

5. The ESG RA staff member contacts the requester and authenticates the request. (secure means)

6. The ESG RA staff member notifies the agent that authentication has occurred. (secure means)

7. The agent notifies the DOESG CA of the authentication of the request using the RM software. (secure means)

8. The person requesting the certificate receives notification from the RM.


H.4.3.2 Host or Service Certificate

1. A person requests a host or service certificate from the DOESG CA community RM.

2. The agent receives notification of the request and takes the assignment if it is appropriate for this RA.

3. The agent checks whether the person holds a valid DOESG CA certificate.

4. The agent approves the request if the person holds a valid DOESG certificate and rejects the request if the person does not.


H.5 Lifetime of certificates

Identity certificates approved by the ESG RA have a lifetime of no more than 12 months from the date of approval.



