Description and Value Proposition
eduPKI’s purpose is to continue to offer certificates and a trust fabric to GÉANT and related services that the commercial sector is unable or unwilling to provide.
Technical Description
eduPKI provides the following facilities:
1. A Policy Management Authority (PMA) that defines and maintains the set of criteria that must be met by the participating CAs. It will accredit candidate CAs on the basis of an evaluation of their policies and their adherence to these criteria.
2. A repository, built on the existing TACAR, that stores and distributes the participating CA certificates in a secure manner.
3. A Catch-All CA (eduPKI CA) that provides digital X.509 certificates to users unable to rely on an NREN CA.
Digital certificates are issued by Certification Authorities (CAs) and are used to guarantee secure and reliable communication between servers, between users, or between a user and a server.
In addition to the main registration authority, which is run by the eduPKI service directly, the eduPKI CA can also serve other registration authorities embedded in service teams.
The CA accreditation process and the service registration process are both operated according to defined policies.
Reason to Act
Although the aim is to use existing CAs where possible for the reasons cited previously, there is nonetheless a requirement for a CA that issues certificates to all of the project’s participants in the following specific cases:
- some services may have specific requirements that are not easily supported by existing CAs;
- some end-users may be associated with an NREN that does not provide a CA service.
Consequently, the eduPKI service operates a CA that complements the established CA services available to the GÉANT community and fills this niche.
Customer Experience
The service operator gets a certificate which meets their service requirements and is secure and trustworthy.
The end user therefore has a seamless experience in using the application provided by the service operator.
Benefits
Benefits for GÉANT Services
- avoid the creation of per-service CAs
- achieve cost efficiencies by avoiding duplication of infrastructures
- facilitate consistency and best practices across the project
- reduce the workload of other activities related to certificate management
- increase security through the use of digital certificates set up by experts
Benefits for Users
- Improves user experience by relying, whenever possible, on certification authorities already known to end users (no DIY certificate errors).
Costs
No direct costs are charged to GÉANT services, which are the target users.
Alternatives
Commercial certificates (costly, and do not always match the need).
Self-signed certificates (lower trust).
Advantages
Innovative services with requirements that the open market cannot yet meet can still be secured.
Users without access to a CA can still be served.
Engagement
The eduPKI Policy Management Authority is a group of technical experts within GÉANT that gathers trust fabric requirements from GÉANT Services that wish to deploy or use asserted identities based on X.509 digital certificates issued by a Public Key Infrastructure (PKI) for their authentication needs and – based on these requirements, best practices and standards – defines various sets of minimal criteria to be met and implemented by these PKIs. By working directly with the service owners, their needs are understood and met.
KPIs
KPI name | RAG | KPI RAG |
---|---|---|
Availability % of www.edupki.org | Yellow | YELLOW |
Certificate Status Check Availability (CRL Download & OCSP) | Green | GREEN |
RA Service (certificate application & approval) availability | Green | GREEN |
CA Service (certificate & CRL issuance) availability | Green | GREEN |
Roadmap