The eduPKI service being developed within the GÉANT project aims to ease the adoption of digital certificates within the project in a cost-effective way. It aims to create a service able to support other of the project’s services in defining their security requirements, and to provide them with digital certificates.
eduPKI was a response to the need for better coordination to address security requirements of the services being developed in the project. Examples of services that can use eduPKI include perfSONAR, eduGAIN and eduroam, plus future services that will have security and trust requirements.
Digital certificates are issued by Certification Authorities (CAs) and are widely used to guarantee secure and reliable communication between servers, users, or between a user and a server. Examples of this are: a user connecting to a Web server securely using a web browser; or two users exchanging an email securely.
eduPKI will build on top of existing NREN CA services, federating them to make all participating CAs available to the Project’s services. A federated approach brings increased efficiency since a number of national CAs are already well-established and used within the NREN environment.
eduPKI aims to enable GÉANT services to obtain digital certificates from CAs operated by NRENs participating in the project, that meet those services' requirements. Thus Europe’s NRENs are encouraged to join the federated eduPKI service. Whilst eduPKI will rely on existing national CAs whenever possible, it will also operate a dedicated CA for test purposes and that will also support users belonging to an NREN that does not provide any CA service.
To achieve its goal eduPKI will offer three main facilities:
Policy Management Authority (PMA), which will define procedures to assess GN3 services' requirements and categorise them into profiles; and also procedures to assess existing national CA operations against the agreed profiles.
A dedicated Certification Authority (eduPKI CA), operated by DFN for test purposes and to support those NREN users that cannot rely on any national CA service.
An enhanced version of the existing TACAR (TERENA Academic Certificate Authority Repository), to store and distribute the eduPKI-participating Certificate Authority's root certificates (including the eduPKI CA root) in a secure manner.
By allowing existing CAs to issue certificates for those GÉANT project services that require them, eduPKI will permit users to deal with their NREN, following familiar procedures which will reduce the burden of using new services. So thanks to the federated approach, users will be able to obtain all necessary certificates from either the CA managed by their own NREN (or equivalent service) or via the eduPKI CA.