Trusted Third Party Identity Verification
A person (a human end-entity (EE)) requests identity certification. An attestation by a trusted third party (TTP) about the identity of this person to a registration authority (RA) or the registration authority agent is sufficient evidence to permit the RA to accept the certification request.
This model of identification is based on the model used in the NSF or NERSC account and resource allocation system for supercomputer centers, and widely used throughout US research science (such as DOE user facilities and large-scale physics experiments). In the NSF or NERSC system, the TTP is the principal investigator (PI), who is usually the person who has acquired the allocation through a peer review process and is well known in his community, probably known to the responsible members of the granting agency, but probably not known personally by anyone in the NSF or DOE user facility. These PIs have the right to name new account holders at the facility who will share the PI's allocation.
In other environments this TTP may be a supervisor, a project leader, a senior scientist, or other well-known figure whose judgment is trusted. Those who have roles similar to the PI are candidates for the TTP role: those who determine who can work on a project and who cannot, who make decisions about significant resource usage, who themselves assign other roles in a project to project members (VOMS).
The RA will determine who is an acceptable TTP, and maintain lists of these TTPs. The TTP SHOULD be personally known to the RA. Communications between the TTP and RA agent SHOULD be via a trusted path.
RA or agents MUST have positive evidence, at the time they approve certification, that the EE himself has asked for this certification and the TTP approves it.
- The RA MUST contact the EE directly (best effort), and confirm that this certification request was made by the EE.
- The RA MUST contact the TTP directly (best effort), and ask the TTP to confirm the appropriateness of this EE’s certification. This confirmation MUST include confirmation that the EE is personally known to the TTP, and the TTP approves of the certification.
Direct contact means the RA employs a trusted, secure communications path to reach the TTP or EE, or has other means of confirming the contact even if the path would not be considered trustworthy. The contact method SHOULD be logged.
The RA or the CA MUST maintain logs and records showing that these transactions took place. These will be subject to audit and MUST be made available to appropriate auditors. Records MUST be kept for the lifetime of the certification in question.
In cases where secure communications paths cannot be used, immediate direct contact cannot take place, or evidence is incomplete, the RA MAY complete certification, provided that the incomplete evidence is documented and satisfactory evidence is acquired in a reasonable time.
Here are some examples of satisfactory transactions and associated documentation.
“John Doe submitted a CSR. On 21 Jan 2008 I sent a signed email to JohnDoe@example.com, and his listed sponsor JaneLeader@example.com. Jane Leader is personally known to me from the BigScience project. On 23 Jan 2008 I received a phone call from Jane confirming this certification in my voice mail, stating that John Doe was a member of her team, that this email address was in their project database, and he needed a certificate to begin work. On 23 Jan 2008 John Doe sent me an email confirming his request.”
“On 15 Jan 2008 I participated in a video conference that included Steve Manager and Jane Doe. Neither is personally known to me, but the sponsoring organization is, and it is clear Steve Manager is responsible. Steve asked Jane to get a certificate in this meeting, and I approved her request.” (Agent should confirm with Jane.)
Unacceptable as-is: additional documentation needed.
“On 19 Jan 2008 a request for a certificate from MarySmith@example.com arrived. My boss told me to approve it.”
“On 19 Jan 2008 the CraftyScience PI announced on the VO-wide audio/video call that his group had joined OSG. I approved all the OSG:CraftyScience requests that came in the next 2 days.”
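To make the MUST and MAY rules above concrete, here is an added Python checker that evaluates a logged request record against them and tells the RA agent whether the evidence is complete, provisionally acceptable (gaps documented for follow-up), or insufficient. It is not part of this page or of any RA tooling; the record layout, the `Contact`/`CertRequest` names and the sample records built from the John Doe and Mary Smith transactions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Contact:
    party: str       # "EE" or "TTP"
    method: str      # contact method, logged as the page requires
    direct: bool     # trusted path used, or the contact was otherwise confirmed
    confirmed: bool  # the party actually confirmed the request / approval
    when: date

@dataclass
class CertRequest:
    ee: str
    ttp: str
    contacts: list
    ttp_knows_ee: bool = False     # TTP confirmed the EE is personally known
    ttp_approves: bool = False     # TTP approves the certification
    gaps_documented: bool = False  # incomplete evidence written down (MAY clause)
    cert_lifetime_days: int = 365  # records MUST be kept this long after approval

def evaluate(req, acceptable_ttps, approval_day):
    """Apply the RA's MUST checks; return (decision, missing_evidence, retain_until)."""
    missing = []
    if req.ttp not in acceptable_ttps:
        missing.append("TTP not on the RA's list of acceptable TTPs")
    for party in ("EE", "TTP"):
        if not any(c.party == party and c.direct and c.confirmed for c in req.contacts):
            missing.append(f"no direct confirmation from {party}")
    if not req.ttp_knows_ee:
        missing.append("TTP did not confirm EE is personally known")
    if not req.ttp_approves:
        missing.append("TTP approval not recorded")
    if not missing:
        return "APPROVE", [], approval_day + timedelta(days=req.cert_lifetime_days)
    if req.gaps_documented:  # RA MAY proceed; evidence to be completed in reasonable time
        return "PROVISIONAL", missing, approval_day + timedelta(days=req.cert_lifetime_days)
    return "REJECT", missing, None
# Constructed from the page's first acceptable transaction (hypothetical record).
def john_doe_example():
    req = CertRequest("JohnDoe@example.com", "JaneLeader@example.com", [
        Contact("TTP", "phone call (voice mail)", True, True, date(2008, 1, 23)),
        Contact("EE", "email reply to signed mail", True, True, date(2008, 1, 23)),
    ], ttp_knows_ee=True, ttp_approves=True)
    return evaluate(req, {"JaneLeader@example.com"}, date(2008, 1, 24))
# Constructed from the "my boss told me to approve it" transaction (hypothetical record).
def mary_smith_example(gaps_documented=False):
    req = CertRequest("MarySmith@example.com", "boss", [], gaps_documented=gaps_documented)
    return evaluate(req, {"JaneLeader@example.com"}, date(2008, 1, 19))
```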
-- /DC=org/DC=doegrids/OU=People/CN=Michael Helm 12345 - 24 Jan 2008