R1 - minimal revocation privilege
Requirement from OSG that all agents should not be able to revoke all certificates.
R2 - 3- and 5-year ID re-vetting
Requirement from IGTF that ID is re-vetted every 5 years for 2K bit keys, 3 years for 1K bit keys.
R3 - improved notification for VOs & subscribers
Requirement from the OSG community that the status of certificate request processing be
more transparent and that managers from the VOs be able to monitor requests in their domain.
R4 - ability to monitor actions of Agents and Grid Admins
Needed by OSG RA.
Some workshops are being planned.
I. Issues and Problems
I1 - single supplier risk
Identified in OSG contingency planning as a risk.
I2 - integration of NCSA CA
I3 - rearrange CPS RA appendices
I4 - validating email addresses in cert requests
It would be VERY useful if the CA web software would validate email addresses in the certificate requests automatically.
S. Possible Solutions
S1 - CA cloning
ESnet has a project in motion to clone the DOEGrids CA. This addresses I1.
S2 - alternate CA supplier
Jim & NCSA will provide a CA that OSG can use. This addresses I1.
S3 - separate Registration Manager for OSG
This addresses R3.
S4 - "Replicate" DOEGrids CA database
A means to copy data out of the CA and store it in an SQL database that
supports analysis and monitoring. This addresses R4.
A. Actions and Goals
A1 - meet R1
Doug, Mike, Dhiva to work something out.
A2 - meet R2
Mike, Dhiva and Doug to work something out.
A3 - Jim Basney to supply another CA
A3.1 - discuss integration of NCSA CA
A4 - fix I3
Doug to work with Vicky to extract and re-organize RA appendices.