Sphinx CA policy
Usage Policy for Sphinx CA signing certificate
Sphinx CA signing certificate:
serial = 1C
subject = /DC=net/DC=ES/OU=Certificate Authorities/CN=sphinx.nersc.gov
Certificate Policy Statement:
Implementation Notes and Practices:
Under the current implementation:
- The Certificate Authority and the associated signing certificate
will reside on the host "sphinx1.nersc.gov".
- NERSC will use a MyProxy based service to generate short-lived user
certificates in real time (a live online CA service).
- Users will authenticate to the MyProxy service over a secure
channel (SSL) and submit their authentication token to the service.
- The MyProxy service will use PAM to authenticate the users.
- Authentication tokens will be either a NERSC One Time Password
token or a NERSC LDAP username/password combination.
- Upon authentication the credential service creates a new short-lived
GSI credential for the given user. It issues a certificate with a DN
that is persistent (the DN is always the same for a given user across
multiple logins) and unique (the DN is never shared between users).
- Certificates are only issued to valid NERSC users. A user must have
a valid NERSC login and either an associated password in the NIM-LDAP
database or a valid NERSC One Time Password token.
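As an added illustration (not part of this policy text and not the actual Sphinx configuration), the practices above expressed as a myproxy-server.config fragment, using directive names from the MyProxy server documentation; the file paths, the lifetime value, the PAM service name and the mapping script are assumptions:

```conf
# Constructed myproxy-server.config example for an online CA run as the
# policy describes. Paths, lifetime and PAM service name are assumed.

# Every request is authenticated through PAM. The "myproxy" PAM service
# stack (configured separately under /etc/pam.d) is assumed to accept
# either a NERSC One Time Password token or a NIM-LDAP username/password.
pam "required"
pam_id "myproxy"

# Clients connect over SSL without a client certificate; identity comes
# from the PAM login, so any client may request its own credential.
authorized_retrievers "*"
default_retrievers "*"

# The signing certificate and key stay on the MyProxy host itself
# (sphinx1.nersc.gov in the policy); the key is passphrase-protected.
certificate_issuer_cert /etc/grid-security/sphinx-ca-cert.pem
certificate_issuer_key  /etc/grid-security/sphinx-ca-key.pem
certificate_issuer_key_passphrase "ASSUMED-PLACEHOLDER"
certificate_serialfile  /var/lib/myproxy/serial
certificate_out_dir     /var/lib/myproxy/issued

# Short-lived credentials: cap the lifetime (in hours) of issued
# certificates. The policy states no figure; 12 is an assumed value.
max_cert_lifetime 12

# Persistent, unique subject DNs: the mapping program receives the
# authenticated username as its first argument and prints the DN to
# issue. The assumed script must return the same DN for the same user
# on every login and never the same DN for two different users.
certificate_mapapp /usr/local/sbin/sphinx-mapapp
```

Without the mapping program MyProxy would fall back to a mapfile or a generated DN, so the persistence and uniqueness properties the policy promises depend on that script being deterministic per user.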
Contacts:
Primary Contact: Shreyas Cholia <scholia AT lbl.gov>
Security Contact: Steve Chan <sychan AT lbl.gov>