REVIEW-14: SDIACT-237 Provide OSG a dedicated CILogon CA instance via REST web interface - Design/Security Review

Overview

General design and security risk review for the OSG CILogon CA instance

Review Summary

  • MOU was missing John Towns' signature.
    • MOU signed and updated.
  • Question about where/when the SSL Client Certificate (Section F.1.1) is generated/sent.
    • Clarifying text added to Section F.1.1.
  • Can XSEDE obtain xsede.org host certificates from OSG?
  • Should the CP/CPS reference XSEDE in addition to OSG?
    • Since OSG manages the CA front-end and controls the subject namespace, and certificate requesters must be registered with OSG, it is clearer for the policy documents to specify OSG only. XSEDE members need to register with OSG to use this CA.
  • Will this activity be delivering new CA certificates?
    • No, the CILogon OSG CA certificate is already in the XSEDE CA distribution.
  • CILogonOSGCPCPS.pdf contains broken links.
    • Please use CILogonOSGCPCPS.docx instead.
  • Formatting updates to CILogon-OSG-CA-Design.pdf.

Review Output Documents (Final)

Review Input Documents

https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/XSEDE_OSG_MOU_CILOGON.pdf
https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/CILogon-OSG-CA-Design.pdf
https://software.xsede.org/svn/sdi/activities/sdiact-237/trunk/Plans/CILogonOSGCPCPS.pdf

Review Criteria

Please focus on these questions:

  1. Does the proposed design satisfy the functional user requirements?
  2. Does the design satisfy the requirements from the XSEDE-OSG MOU (see Review Materials)
  3. Are the protocols and interfaces selected appropriate and secure?
  4. Are the services operated in a secure way and are the procedures appropriate to deal with planned and unplanned outages and unplanned incidents?

and the following solution supported scenarios:

  1. Issue user/host/service certificate
  2. Revoke user/host/service certificate
  3. Publish certificate revocation list (CRL)

Schedule

Current Date: 2025-05-24
Current Status: Closed (Design and Security Review)
Target Date Actual Date Activity Milestone
  2016-01-15 Review launch date
2016-01-25 Written feedback due (Reviewers)
2016-01-29 2016-02-16 Written response date (Review Material Developers)
2016-02-03 2016-02-16 Final approval due and completion date (Reviewers)
Review Created: 2016-01-14 7:48 am
Review Last Updated: 2016-02-16 9:21 am

 

Reviewers

If you are a reviewer, please login to sign or withdraw from this review.

Required

  • Terrence Fleury
    SIGNED: 2016-01-22 11:58
  • John-Paul Navarro
    SIGNED: 2016-01-26 09:34

Optional

  • Mine Altunay
    SIGNED: 2016-01-27 18:13
  • Jim Marsteller
  • Robert Quick
  • Gary Rogers
  • Tabitha Samuel
  • Adam Slagell
  • Shava Smallen
    VIEWED: 2019-11-07 09:56

Review Material Developers

Jim Basney

Review Facilitator

John-Paul Navarro

 

Please post your comments using the "New topic" or "Post reply" buttons in the forum below.


National Science Foundation (NSF)

© ACCESS All Rights Reserved.

ACCESS is an advanced computing and data resource supported by the National Science Foundation and made possible through these lead institutions and their partners:
Carnegie Mellon University, University of Colorado Boulder, University of Illinois at Urbana-Champaign, and State University of New York at Buffalo .


Administrative Login