The following is the NFC Appendix of the DOEGrids CP/CPS. It describes the identity-vetting rules of the National Fusion Collaboratory (NFC) for its community. All VOs and sites of DOEGrids must comply with the DOEGrids CP/CPS, and it is the responsibility of the RA to enforce these policies.
One of the Virtual Organization Registration Authorities (VO RAs) operating under authority delegated by the DOESG CA is the National Fusion Collaboratory Registration Authority (NFC RA). Information defining the National Fusion Collaboratory is available at http://www.fusiongrid.org/. This appendix describes how the responsibilities of a VO RA are implemented by the NFC RA.
The National Fusion Collaboratory is a creation of a SciDAC proposal to "advance the science of high temperature plasma physics for magnetic fusion". This VO will exist for at least the 3-year funding period of that proposal and, if successful, may become a more lasting entity. The need for the NFC RA itself will last as long as the Collaboratory does, and will at least cover the period during which any X.509 certificates approved by this RA are still valid.
A number of persons are identified as comprising the NFC RA staff, which is the group of sponsors authorized to perform the identity check on individuals requesting a certificate. This list of persons is available to NFC members at (FusionGrid Staff Members). Each of these persons holds a valid certificate from the DOESG CA.
The initial NFC RA staff consists of the PIs from each of the 6 institutions funded by the National Fusion Collaboratory SciDAC project. Additional persons may be appointed to the NFC RA staff by the current members, with the approval of the DOESG CA.
The NFC Virtual Organization community is defined as all persons authorized to use any of the National Fusion Collaboratory's on-line resources. Any one of the Collaboratory PIs may authorize a new member of the community. Membership alone does not entitle a person to a certificate: the privilege of requesting one is subject to the restrictions defined in this document.
Any member of the NFC RA staff (a sponsor) may authenticate a person requesting a certificate. A person requesting certification must demonstrate reasonable evidence of membership in the NFC VO.
All communications essential for authenticating individual identities, and for transmitting that information from the NFC RA staff to the DOESG CA, are carried out in a secure manner. In this context, secure means that the information cannot be altered by a third party without detection; it does not mean that third parties cannot observe the information. The requirement is integrity and origin authentication, not confidentiality.
The secure communications may be supplemented by insecure communications, as long as the essential information is verified by secure means. For example, information about a certification or revocation request may be transmitted by insecure e-mail, provided it is verified by secure means before it is transmitted to the DOESG CA. Unverified e-mail is never, on its own, sufficient grounds for approval or revocation.
The acceptable means of secure communication are:
- face-to-face conversation
- telephone conversation between members of the NFC RA staff
- telephone conversation between individuals already personally known to each other from face-to-face conversations
- digitally signed e-mail between individuals holding certificates from the DOESG CA
Procedure for a personal (identity) certificate:
1. A person requests a certificate from the DOESG CA community RM; the request includes the name of an NFC RA staff member (sponsor) who can authenticate the request.
2. The agent receives notification of the request and takes assignment if it is appropriate for this RA.
3. The agent notifies the NFC RA sponsor named in the request that a request is pending, including the name, institution and e-mail address of the requester.
4. The NFC RA sponsor contacts the requester and authenticates the request by secure means.
5. The NFC RA sponsor confirms or refutes the request to the agent by secure means.
6. The agent approves or rejects the request using the community RM.
7. The person requesting the certificate receives notification from the RM.
Procedure for a host or service certificate:
1. A person requests a host or service certificate from the DOESG CA community RM.
2. The agent receives notification of the request and takes assignment if it is appropriate for this RA.
3. The requesting person sends an e-mail, signed with a valid DOESG certificate, confirming the request.
4. The agent approves the request only if the requester has been designated by an NFC sponsor to receive host or service certificates for the site named in the certificate's host name; a valid signature alone does not establish that designation.
5. The person requesting the certificate receives notification from the RM.
Identity certificates approved by the NFC RA have a lifetime of no more than 24 months from the date of approval.