Version 5 of the CILogon Basic CA Policy was reviewed by TAGPMA in July 2016 and is now in operation. This update enables CILogon to allow identification and authentication of certificate applicants using international identity providers via eduGAIN (Section 3.2.2) and to support Robot certificates at Fermilab (Section 3.1.1).
We have updated Section 5.1 of the CILogon Certificate Policy and Certification Practice Statement (CP/CPS) documents at http://ca.cilogon.org/policy to add descriptions of the physical controls for the equipment at NICS that is hosting a secure CILogon replica. This replica will provide continuity of service in case of an outage of our primary equipment at NCSA. Thanks to NICS and XSEDE for this improvement in CILogon's reliability!
The CILogon Basic CA policy has been updated to version 3 to comply with the IGTF IOTA AP. The CA was accredited by IGTF in June 2014.
We have updated Section 3.1 (Naming) of the CILogon OpenID CA Certificate Policy and Practice Statement (CP/CPS). Now certificate subjects include the subject's name, as provided by the OpenID Provider, rather than the OpenID Identifier URL. Also, the CILogon OpenID CA will now include email addresses in certificate subject alternative names.
Today's announcement of the IGTF 1.38 distribution marks the final step in the accreditation of the CILogon Silver CA by the International Grid Trust Federation (IGTF). This follows the approval in October of the CILogon Silver CA Policy by The Americas Grid Policy Management Authority (TAGPMA). The CILogon Silver CA relies on campus authentication that satisfies the InCommon Silver Identity Assurance Profile, so it will not be fully operational until the first InCommon campuses are accredited at the Silver level under the InCommon Identity Assurance program. To serve researchers from campuses that are not (yet) at the InCommon Silver level, CILogon also operates Basic and OpenID CAs at https://cilogon.org.
We are changing the hash algorithm (i.e., message digest algorithm) that the CILogon CAs use when signing certificates from SHA-1 to SHA-256, per NIST recommendations. The Open Science Grid provides hash algorithm compatibility information. If this change causes any problems for your applications, please contact firstname.lastname@example.org.
New versions of the CILogon Silver, Basic, and OpenID CA Certificate Policy and Certification Practice Statement (CP/CPS) documents are now available. The new policies allow for CA generation of subscriber private keys in cases where it eases the subscriber enrollment process. We believe this update will enable significant improvements to the usability and compatibility of the CILogon Service (https://cilogon.org). This policy change has been discussed in TAGPMA and EUGridPMA. For more details, see our TAGPMA wiki page on the topic.
The Americas Grid Policy Management Authority (TAGPMA) today voted to accredit the CILogon Silver CA Policy under the Member Integrated Credential Services (MICS) Profile, allowing the CA to issue certificates valid for up to 13 months. This accreditation is a step forward for certificates from https://cilogon.org being accepted by members of the International Grid Trust Federation (IGTF) including TeraGrid, Open Science Grid (OSG), European Grid Infrastructure (EGI), and Worldwide LHC Computing Grid (WLCG). Following an operational review by TAGPMA, the CILogon Silver CA will achieve "accredited" status in the IGTF Trust Anchor Distribution. The CILogon Silver CA relies on campus authentication that satisfies the InCommon Silver Identity Assurance Profile, so it will not be fully operational until the first InCommon campuses are accredited at the Silver level under the InCommon Identity Assurance program. To serve researchers from campuses that are not (yet) at the InCommon Silver level, CILogon also operates Basic and OpenID CAs at https://cilogon.org.
The International Grid Trust Federation CA distribution version 1.37, released today, includes the self-signed CILogon Silver, Basic, and OpenID CA certificates (and associated configuration files) in the "experimental" area. This provides relying parties with a trusted distribution path for the CILogon CAs' self-signed certificates, which are also available directly from the CILogon CA web site (http://ca.cilogon.org/). Note that this does not imply that the CILogon CAs have been accredited by IGTF. Only CAs included in the "accredited" area of the distribution have completed the IGTF accreditation process, not those in the "experimental" area where the CILogon CA certificates can currently be found. The CILogon Silver CA is under review by the TAGPMA for IGTF accreditation. The next opportunity for a TAGPMA accreditation vote for the CILogon Silver CA is the upcoming TAGPMA Face-to-Face Meeting October 4-7 in Lubbock, Texas.