Silver CA Policy

Frequently Asked Questions (FAQ)

  • When I log on at https://cilogon.org/, why do I see "Level of Assurance: Basic" rather than "Level of Assurance: Silver"?
    • Users will see "Level of Assurance: Basic" if their authentication attributes from their identity provider do not meet the CILogon Silver CA's policy requirements. To check, visit https://test.cilogon.org/testidp/ and Log On. In the list of SAML Attributes shown, confirm that Level of Assurance contains https://refeds.org/assurance/profile/cappuccino and AuthnContextClassRef contains https://refeds.org/profile/sfa or https://refeds.org/profile/mfa. If it doesn't, look in the list of Metadata Attributes for the Support Contact for your identity provider and contact them for assistance.
    • In the case of the XSEDE IdP, Level of Assurance will contain https://refeds.org/assurance/profile/cappuccino only if the user is on an active allocation as shown at https://portal.xsede.org/allocations/usage.
  • How do I configure my IdP so that my users can obtain CILogon Silver certificates?
    • Set an eduPersonAssurance attribute containing the value https://refeds.org/assurance/profile/cappuccino in the SAML authentication assertion to indicate that the assertion has been issued under the conditions of the Cappuccino profile defined in the REFEDS Assurance Framework.
    • Set the SAML AuthnContextClassRef value to https://refeds.org/profile/sfa or https://refeds.org/profile/mfa in the SAML authentication assertion to indicate that the assertion has been issued under the conditions of either the REFEDS Single Factor Authentication Profile or the REFEDS Multi Factor Authentication Profile.
  • What if only a subset of my IdP's users meet the REFEDS Cappuccino level of assurance?
    • It is not necessary for all your users to meet the REFEDS Cappuccino requirements. Set the eduPersonAssurance and AuthnContextClassRef values for the users that do, and they will be able to obtain CILogon Silver certificates. Your other users may obtain CILogon Basic CA certificates instead.
  • Where can I find more information about REFEDS Cappuccino?
    • While https://refeds.org/assurance/profile/cappuccino is the attribute value for indicating compliance with the Cappuccino profile in the REFEDS Assurance Framework, there is no web page at that location. Please visit https://refeds.org/assurance for information about the REFEDS Assurance Framework including the Cappuccino profile.
  • How does REFEDS Assurance relate to IGTF Assurance?
    • The REFEDS Assurance Framework contains explicit mappings to IGTF Assurance for identity proofing. REFEDS "low" maps to IGTF DOGWOOD and IGTF ASPEN, and REFEDS "medium" maps to IGTF BIRCH and IGTF CEDAR. Since the CILogon Silver CA is an IGTF MICS CA, it requires the IGTF BIRCH level of assurance, corresponding to REFEDS "medium", which is part of the Cappuccino profile defined in the REFEDS Assurance Framework.
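The check described in the first FAQ entry (eduPersonAssurance must contain the Cappuccino value and AuthnContextClassRef must be the REFEDS SFA or MFA profile) can be reproduced offline against a SAML assertion. The following Python is an added example, not CILogon code and not the logic behind https://test.cilogon.org/testidp/; it assumes the IdP releases eduPersonAssurance under its OID name urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (or the friendly name eduPersonAssurance), and the two assertions it parses are constructed samples, not real IdP output. It also reports which requirement is missing, which is the information to bring to the IdP's support contact.

```python
"""Classify a SAML 2.0 assertion as CILogon "Silver" or "Basic".

Added example (not CILogon's own code). Rules follow the FAQ:
  Silver  <=>  eduPersonAssurance contains the REFEDS Cappuccino value
               AND AuthnContextClassRef is REFEDS SFA or REFEDS MFA
  otherwise Basic.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

CAPPUCCINO = "https://refeds.org/assurance/profile/cappuccino"
ACCEPTED_AUTHN_CONTEXTS = {
    "https://refeds.org/profile/sfa",
    "https://refeds.org/profile/mfa",
}
# Assumption: eduPersonAssurance is released under its OID name or friendly name.
EDU_PERSON_ASSURANCE_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
    "eduPersonAssurance",
}


def extract_claims(assertion_xml: str) -> tuple[set[str], set[str]]:
    """Return (eduPersonAssurance values, AuthnContextClassRef values)."""
    root = ET.fromstring(assertion_xml)
    assurance: set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        names = {attr.get("Name"), attr.get("FriendlyName")}
        if names & EDU_PERSON_ASSURANCE_NAMES:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                if value.text:
                    assurance.add(value.text.strip())
    contexts = {
        ref.text.strip()
        for ref in root.iterfind(
            ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS
        )
        if ref.text
    }
    return assurance, contexts


def missing_requirements(assertion_xml: str) -> list[str]:
    """List the Silver CA policy requirements this assertion fails (empty = Silver)."""
    assurance, contexts = extract_claims(assertion_xml)
    problems = []
    if CAPPUCCINO not in assurance:
        problems.append(f"eduPersonAssurance lacks {CAPPUCCINO}")
    if not (contexts & ACCEPTED_AUTHN_CONTEXTS):
        problems.append(
            "AuthnContextClassRef is not REFEDS SFA or MFA (got: "
            + (", ".join(sorted(contexts)) or "none") + ")"
        )
    return problems


def level_of_assurance(assertion_xml: str) -> str:
    """'Silver' when both requirements hold, else 'Basic'."""
    return "Silver" if not missing_requirements(assertion_xml) else "Basic"


def _sample(assurance_values: list[str], authn_context: str) -> str:
    """Build a minimal constructed assertion (sample data, not real IdP output)."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in assurance_values
    )
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
                    FriendlyName="eduPersonAssurance">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: one meets both requirements, one only the assurance half.
SILVER_ASSERTION = _sample(
    ["https://refeds.org/assurance/ID/unique", CAPPUCCINO],
    "https://refeds.org/profile/mfa",
)
BASIC_ASSERTION = _sample(
    [CAPPUCCINO],
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
)

if __name__ == "__main__":
    for label, xml in (("silver", SILVER_ASSERTION), ("basic", BASIC_ASSERTION)):
        print(label, "->", level_of_assurance(xml), missing_requirements(xml))
```

Cappuccino is usually released alongside other REFEDS Assurance values (identifier uniqueness, proofing, attribute freshness), so the check looks for the Cappuccino value among all eduPersonAssurance values rather than expecting it to be the only one.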

Revision History

  • 1.3.6.1.4.1.34998.1.1.13 (Nov 6 2018): Updates to address TAGPMA review: add support for standard IGTF Robot DNs (Section 3.1.1), require REFEDS SFA/MFA authentication profile in combination with Cappuccino (Section 3.2), and archive snapshots of InCommon/eduGAIN metadata (Section 5.4.1).
  • 1.3.6.1.4.1.34998.1.1.12 (Oct 15 2018): Replaced references to InCommon Silver Identity Assurance Profile with references to REFEDS Assurance Framework’s Cappuccino Profile (Section 3.2). Allow identification and authentication of certificate applicants via eduGAIN (Section 3.2.2). Support Robot certificates (Section 3.1.1). Document use of OAuth for grid portals (Section 4.1.2). Add E-mail Protection to X509v3 Extended Key Usage certificate extension (Section 7.1.2).
  • 1.3.6.1.4.1.34998.1.1.11 (Dec 3 2014): Minor updates for InCommon Silver Identity Assurance Profile v1.1. Increase CRL validity period from two weeks to 30 days (Section 2.3). Added ORNL site information (Section 5.1).
  • 1.3.6.1.4.1.34998.1.1.10 (Feb 3 2011): Further clarify process for CA generation of subscriber private keys.
  • 1.3.6.1.4.1.34998.1.1.9 (Jan 12 2011): Allow CA generation of private keys (for TAGPMA discussion).
  • 1.3.6.1.4.1.34998.1.1.8 (Dec 14 2010): Added SHA-2 hash functions per NIST Policy.
  • 1.3.6.1.4.1.34998.1.1.7 (Oct 6 2010): Approved under the IGTF MICS Profile by TAGPMA vote on Oct 6 2010 in Lubbock, Texas.
  • 1.3.6.1.4.1.34998.1.1.6 (Oct 5 2010): Submitted to TAGPMA reviewers on Oct 5 2010. Modified to comply with MICS Profile instead of SLCS Profile (i.e., reverted to Version 4 content).
  • 1.3.6.1.4.1.34998.1.1.5 (Sep 28 2010): Submitted to TAGPMA reviewers on Sep 28 2010. Modified to comply with SLCS Profile instead of MICS Profile.
  • 1.3.6.1.4.1.34998.1.1.4 (Sep 13 2010): Submitted to TAGPMA reviewers on Sep 13 2010, addressing review comments received to-date.
  • 1.3.6.1.4.1.34998.1.1.3 (Jul 28 2010): Submitted to TAGPMA reviewers on Jul 28 2010, addressing review comments received to-date.
  • 1.3.6.1.4.1.34998.1.1.2 (Apr 2 2010): Submitted to TAGPMA reviewers on Apr 2 2010, addressing review comments received to-date.
  • 1.3.6.1.4.1.34998.1.1.1 (Jan 15 2010): Submitted to TAGPMA reviewers on Jan 15 2010.