General design and security risk review for the OSG CILogon CA instance
- MOU was missing John Towns' signature.
- MOU signed and updated.
- Question about where/when the SSL Client Certificate (Section F.1.1) is generated/sent.
- Clarifying text added to Section F.1.1.
- Can XSEDE obtain xsede.org host certificates from OSG?
- Yes, in the event that the InCommon Cert Service is unavailable. https://www.xsede.org/security/certificates/ is still the preferred method of getting host certificates for XSEDE.
- Should the CP/CPS reference XSEDE in addition to OSG?
- Since OSG manages the CA front-end and controls the subject namespace, and certificate requesters must be registered with OSG, it is clearer for the policy documents to specify OSG only. XSEDE members need to register with OSG to use this CA.
- Will this activity be delivering new CA certificates?
- No, the CILogon OSG CA certificate is already in the XSEDE CA distribution.
- CILogonOSGCPCPS.pdf contains broken links.
- Please use CILogonOSGCPCPS.docx instead.
- Formatting updates to CILogon-OSG-CA-Design.pdf.
Review Output Documents (Final)
- https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/XSEDE_OSG_MOU_CILOGON.pdf (updated with John Towns' signature)
- https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/CILogon-OSG-CA-Design.pdf (Paragraph added to start of Section F.1.1 and formatting fixes).
- https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/CILogonOSGCPCPS.docx (Word version with working hyperlinks.)
Review Input Documents
Please focus on these questions:
- Does the proposed design satisfy the functional user requirements?
- Does the design satisfy the requirements from the XSEDE-OSG MOU (see Review Materials)?
- Are the protocols and interfaces selected appropriate and secure?
- Are the services operated in a secure way and are the procedures appropriate to deal with planned and unplanned outages and unplanned incidents?
and on the following scenarios supported by the solution:
- Issue user/host/service certificate
- Revoke user/host/service certificate
- Publish certificate revocation list (CRL)
Schedule
Current Date: 2019-02-22
Current Status: Closed (Design and Security Review)
| Target Date | Actual Date | Activity Milestone |
|---|---|---|
| 2016-01-15 | | Review launch date |
| 2016-01-25 | | Written feedback due (Reviewers) |
| 2016-01-29 | 2016-02-16 | Written response date (Review Material Developers) |
| 2016-02-03 | 2016-02-16 | Final approval due and completion date (Reviewers) |
Review Last Updated: 2016-02-16 9:21 am
- Terrence Fleury
SIGNED: 2016-01-22 11:58
- JP Navarro
SIGNED: 2016-01-26 09:34
- Mine Altunay
SIGNED: 2016-01-27 18:13
- Jim Marsteller
- Robert Quick
- Gary Rogers
- Tabitha Samuel
- Adam Slagell
- Shava Smallen
Review Material Developers