The following is the ESG Appendix of
the DOEGrids CP/CPS, it describes ESG's identity vetting rules
for its community. All RAs and Subscribers of DOEGrids must comply with
the CP/CPS. It is the responsibility of the RA to enforce these
Appendix H: Earth System Grid II RA operational procedures
One of the Virtual
Organization Registration Authorities (VO RA) operating with some
delegated authority of the DOESG CA is the Earth System Grid
Registration Authority (ESG RA). Information defining the Earth
System Grid VO is available at
http://www.earthsystemgrid.org/. This appendix describes how
the responsibilities for a VO RA are implemented for the ESG RA.
The Earth System Grid II (ESG) is
a new research project sponsored by the
U.S. DOE Office of Science under the auspices of the
Scientific Discovery through Advanced Computing program (SciDAC).
The primary goal of ESG is to address the formidable challenges
associated with enabling analysis of and knowledge development from
global Earth System models. Through a combination of Grid
technologies and emerging community technology, distributed
federations of supercomputers and large-scale data & analysis
servers will provide a seamless and powerful environment that
enables the next generation of climate research.
It is expected that the
ESG RA will have a finite lifetime and is implemented an example of
a VO RA which can serve the needs of the ESG community until other
persistent RA’s are developed which serve this community.
H.2 ESG RA staff
A number of persons are
identified as comprising the ESG RA staff. This list of persons is
openly available on the ESG RA web site (e.g., http://www.earthsystemgrid.org/RA/).
Each of these persons has a valid certificate from the DOESG CA.
The initial set of persons
to be included in the ESG RA staff are representatives from ESG
membership organizations. Additional persons may be appointed to
the ESG RA staff by the ESG steering committee and approved by the
H.2.2 Point of Contact (POC) with DOESG CA
necessary communications between the DOESG CA and the <VO> about
policy and practices pertaining to the duties of the RAs as defined
in this document are transmitted via the Point of Contact (POC) for
the <VO>. The POC shall be a member of the DOESG CA PMA.
H.3 ESG VO Community
The ESG Virtual
Organization community is defined as all persons
who are member of or collaborating with the software development
working groups and Climate Experiments participating in ESG. These
working groups and climate experiments are listed at
http://www.earthsystemgrid.org/. The privilege of requesting a
certificate is subject to restrictions defined in this document.
H.4 Authentication procedures
H.4.1 Authentication of individual identity
Any member of the ESG RA
staff may authenticate a person to satisfy a request from the POC.
Person requesting certification must demonstrate reasonable evidence
of membership in the ESG VO.
essential for authenticating individual identities and transmitting
this information between ESG RA staff to the DOESG CA are carried
out in a secure manner. In this context, secure means the
information is not changed by third parties but does not mean that
third parties may not observe the information.
The secure communications
may be supplemented by insecure communications as long as the
essential information is verified by a secure means. For example,
information about a certification or revocation request may be
transmitted by insecure email as long as it is verified by secure
means before transmission to the DOESG CA.
The means of secure
communications acceptable are:
telephone conversation between members
of ESG RA staff
telephone conversation between
individuals already personally known to each other from face-to-face
secure digitally signed email between
individuals with certificates from DOESG CA.
H.4.3 Steps in authentication for certification
H.4.3.1 Person Certificate
A person requests a certificate from the DOESG CA community
Registration Manager (RM); the request includes the name of an ESG
RA staff that can authenticate the request. (secure means)
DOE SG CA notifies ESG RA agents of a certification request.
Agent retrives notification of certificate request from DOESG
CA. (secure means)
Agent notifies ESG RA staff member indicated in the request
that a request is pending including the name, institution and email
of the requester. (insecure means)
ESG RA staff contacts requester and authenticate request.
ESG RA staff notifies agent that authentication has occured.
Agent notifies DOESG CA of the autehtication of the request
using RM software. (secure means)
Person requesting certificate receives notification from RM.
H.4.3.2 Host or Service Certificate
A person requests a host or servcie certificate from the
DOESG CA community RM.
Agent receives notification of request and takes assignment
if appropriate for this RA.
Agent checks if person has a valid DOESG CA certifiate.
Agent approves request if person has a valid DOESG
certificate and rejects request if person does not have a valid
H.5 Lifetime of certificates
approved by the ESG RA have a lifetime of no more than 12 months
from date of approval.