OSG RA plans
Doug Olson, LBNL
May 2006
Contents
• RA, agent, sponsor layout & OU=People use case
• Sample web form
• Agent Role
• GridAdmin Role
• Questions
• Schedule
OSG RA Layout
Draft 19 Apr 2006
Typical use case for personal certificate.
[Diagram: Subscriber, Sponsor, Agents, Registration Manager, DOEGrids CA 1, VO sponsor DB, RA Log, Certificate]
• Registered VOs: CDF, CMS, DES, DOSAR, DZero, Fermilab, fMRI, GADU, geant4, GLOW, GRASE, GridChem, GridEx, GROW, i2u2, iVDGL, LIGO, mariachi, MIS, nanoHUB, SDSS, STAR, USATLAS
• Registered Support Centers: CSC, DOSAR, DZero, Fermilab, fGOC, GADU, GRASE, GROW-GOC, LIGO, mariach-support, OSG-GOC, PROD_SLAC, SDSS, STAR, TACC, UC CI, USATLAS, USCMS, VDT
• Agents within each support center know which VOs and sites they support.
• Subscriber chooses one of the existing OSG registered VOs.
Steps labelled in the diagram:
1. submit request
2, 8. notify
3. retrieve request
4.a check authorized sponsors
4.b authenticate
4.c verify
4.d reply
4.e confirm or deny
5. approve or reject
6.
7.
9. Record RA actions
10. download
Example request web form
• Subscriber chooses OSG RA and then selects their VO.
• Agents see an email notification with "OSG - <VO>" in the subject line, where <VO> is one from the list.
• Sponsor is a hint to the agent for where to find an actual sponsor.
• Subscriber should put a meaningful description in the comment field about why they need a certificate.
Agent Authorization
A.3.3 Letter requesting RA Agent Role
Dear DOEGrids Operations:
I [Name] will be acting as an Agent of the Registration Authority for OSG. I have been authorized by OSG to represent them for the purposes of approving/revoking DOEGrids certificates in our community. I have read and agree to the following clauses:
• In acting as the Agent of the RA for OSG I have read, understood and accept the responsibilities and tasks assigned to an Agent as laid out in the DOEGrids CP/CPS. http://www.doegrids.org/Docs/CP-CPS.pdf.
• I understand that DOEGrids Certification Service will notify me by email of changes to CP/CPS and I will immediately notify the DOEGrids PMA if I am no longer willing to act as an Agent for my RA under any new CP/CPS.
• I understand that failure to fulfill my responsibilities and tasks under this agreement may result in the termination of my appointment as an Agent for OSG.
• I agree only to act on enrolment requests associated with the OSG.
• I understand that I am responsible for the revocation of certificates that are suspected of being compromised or issued in violation of the DOEGrids CP/CPS policies.
• I understand that I am responsible for customer support for our OSG related to DOEGrids certificate issuance, revocation and information.
Authorization for GridAdmin
A.3.4.1 Letter Requesting a Grid Admin role
This letter is written by the individual requesting to be a Grid Admin and sent to the responsible Registration Authority.
Dear RA of OSG:
I [Name of new Grid Admin] would like to be a Grid admin for OSG. I would like to be authorized to request and approve DOEGrids Service certificates for the following name space(s):
a. FQDN 1 or range of addresses for a particular domain
b. FQDN 2
c. others
1. As the Grid Admin for OSG I have read and understand the responsibilities and tasks assigned to a Grid Admin as laid out in the DOEGrids CP/CPS. http://www.doegrids.org/Docs/CP-CPS.pdf.
2. I agree that as Grid Admin I will only submit and approve Service certificates for the FQDNs listed above.
3. I understand that I am responsible for the revocation of certificates that are suspected of being compromised or issued in violation of the DOEGrids CP/CPS policies.
Questions
• What about people not members of one of the existing VOs?
• What about OU=Services requests?
  – Require specifying domain name of server along with RA affiliation, to include in subject line of email notification
• Current style example: (email subject, request DN)
  [doesg-ra] DOEGrids CA - OSG Certificate Request in Queue (request id: NNNNN)
  CN=http/bandicoot.uits.indiana.edu,OU=Services,DC=doegrids,DC=org.
• Would become:
  [doesg-ra] DOEGrids CA - OSG uits.indiana.edu Certificate Request in Queue (request id: NNNNN)
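An added example, not part of the original slides or of any DOEGrids software: a sketch of how the proposed subject line could be derived from an OU=Services request DN, with the same host parser reused to check a request against the name space(s) a Grid Admin listed in the A.3.4.1 letter. The function names, the rule that the subject domain is the FQDN minus its first label, and the ".domain" notation for a whole-domain name space are assumptions.

```python
import re

# Constructed sample: the request DN from the slide's "current style" example.
SAMPLE_DN = "CN=http/bandicoot.uits.indiana.edu,OU=Services,DC=doegrids,DC=org"

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_SERVICE_CN = re.compile(rf"^[A-Za-z0-9_-]+/(?P<host>{_LABEL}(?:\.{_LABEL})+)$")


def service_host(dn):
    """Return the lower-cased FQDN of an OU=Services request DN, else raise ValueError."""
    # Assumption: RDNs are comma-separated with no escaped commas.
    attrs = [(k.strip().upper(), v.strip())
             for k, _, v in (rdn.partition("=") for rdn in dn.split(","))]
    if ("OU", "Services") not in attrs:
        raise ValueError("not an OU=Services request")
    cns = [v for k, v in attrs if k == "CN"]
    match = _SERVICE_CN.match(cns[0]) if len(cns) == 1 else None
    if match is None:
        raise ValueError("CN is not a single service/fqdn value")
    return match.group("host").lower()


def routing_domain(host):
    """Assumption: the subject carries the FQDN minus its first label."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


def notification_subject(dn, request_id, ra="OSG"):
    """Build the proposed subject line so agents can filter on RA and domain."""
    return (f"[doesg-ra] DOEGrids CA - {ra} {routing_domain(service_host(dn))} "
            f"Certificate Request in Queue (request id: {request_id})")


def in_name_space(dn, name_spaces):
    """True if the host is a listed FQDN or falls under a listed '.domain' entry."""
    host = service_host(dn)
    return any(host == e or (e.startswith(".") and host.endswith(e))
               for e in (n.lower() for n in name_spaces))


if __name__ == "__main__":
    print(notification_subject(SAMPLE_DN, "NNNNN"))
    print(in_name_space(SAMPLE_DN, [".uits.indiana.edu"]))
```

Requiring the leading dot on a domain entry keeps a look-alike host such as x.evil-uits.indiana.edu from matching the uits.indiana.edu name space by suffix alone.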
OSG RA Schedule
• Addition of OSG RA policy expected soon (Friday?)
• OSG RA functioning by July 1
• Establishing agents in Support Centers will proceed as practical