Draft: 2 Date: May 31, 2006

Campus CA Requirements

| Item | SubItem | Description | Importance |
|---|---|---|---|
| 1 | | CA Operation and Security | |
| | a | Use of native OpenSSL with "Engine" support to enable the use of HSMs for CA Private Key Protection | |
| | a-1 | Direct support and documentation for Rainbow iKey and/or Aladdin eToken for low-throughput CAs | |
| | a-2 | Direct support for nCipher and/or other high-speed HSMs | |
| | b | Rational software mechanism for CA private key protection | |
| | c | Ability to sign requests for End Entity certificates | |
| | d | Ability to generate key pair and request and deliver a PKCS-12 containing the user's key pair, their personal certificate, and the root and intermediate certificates. | |
| | e | CA will maintain a database of the certificates that it issues | |
| | f | Support for certificate revocation (requires database above) | |
| | g | Support for an OCSP responder (requires database above) | |
| | h | Support for manual RA interface for approval of server certificates | |
| | h | Some server certificate content validation mechanism | |
| | h | Manual operations-based issuance of server certificates only | |
| | i | Ability to email users prior to certificate expiration | |
| | j | Flexible configuration options for certificate expiration dates. E.g., one year but not over the summer, all on a single day, etc. | |
| 2 | | User Interface | |
| | a | Assumption that this is an on-line CA and that delivered certificates are marked as non-exportable in the user's certificate store when practical | |
| | b | Direct support for Internet Explorer for certificate request generation, certificate delivery and installation, and root/intermediate certificate installation | |
| | c | Direct support for Firefox for certificate request generation, certificate delivery and installation, and root/intermediate certificate installation | |
| | d | Direct support for Netscape for certificate request generation, certificate delivery and installation, and root/intermediate certificate installation | |
| | e | Direct support for other browsers for certificate request generation, certificate delivery and installation, and root/intermediate certificate installation | |
| | f | Cut and paste web interface for uploading certificate requests. Can be especially important if web-based interface for server certificates is implemented. | |
| | g | Ability to email the end user receiving the certificate with instructions, a copy of a click-through agreement, etc. | |
| 3 | | Default Certificate Profile | |
| | a | By default upon installation, the CA will issue certificates using the PKI-Lite certificate profile for users. A matching profile for server certificates needs to be developed. Some fields such as Subject, SubjectAltName, and Serial Number will vary for each certificate issued. Naming information will come from the validated user's certificate request. | |
| 4 | | Logging Information | |
| | a | Each certificate issued | |
| | b | Each certificate revoked | |
| | c | Failed request validations | |
| | d | ?? | |
| 5 | | Campus Identity Management Interface | |
| | a | Assume that the site will preauthenticate the user and deliver the validated user in the Remote User environment variable? | |
| | b | Assume that the site will provide whatever data is needed to validate the request. A likely interface might be a call-out that the CA can make, providing the user's login name and receiving back the information needed to validate the certificate request. What information in the request should be validated? | |
| | b | A direct LDAP interface and/or perhaps a set of shell scripts as the example interface | |
| 6 | | Installation Process :-) | |
| | a | ./configure | |
| | b | make install | |
| 7 | | Documentation | |
| | a | Recommended campus deployment guide | |
| | b | USHER subordination how-to | |
| | c | Summary of known-supported applications | |
| 8 | | Some software candidates | |
| | a | CA software developed by HEPKI schools | |
| | b | Our open-source crypto software list. | |