The other use of a root CA is that there can be many subordinate CAs, each with a different
policy governing what types of users will be issued certificates, and under what circumstances.
This is important because different science communities have different models of trust
management. For example, ESnet currently operates three signing CAs: the DOEGrids CA, the
Fusion Grid CA, and the SSL server (service and host identities) CA.
The DOEGrids CA has a fairly traditional policy 0 related to identifying users physically and/or
individually before issuing certificates. Users generate a matched public and private (secret) key.
The public key is submitted to the CA along with a set of assertions about the user's identity, and
the user's scientific community registrar validates these assertions and approves the certification
of the user. The secret key is managed by the user, who must carefully protect it in order to
protect his or her cyber identity. That is, the user manages the secret key and "carries" it around
to use as the identifying token. The Fusion Grid CA 0 issues certificates to users who do not
control the secret key that represents their identity. The Fusion community stores all of the secret
keys on a key server, and the user must log in to the key server (using a different authentication
mechanism) in order to release the secret key for use in Grid authentication processes.
Each of these approaches to user cyber identity is legitimate and normal within the particular
community; however, the CA policy for each of these is written in a different way (and in some
sense they are mutually incompatible) 0, 0. What the CAs has in common is a set of requirements
for the standards of operation of the CA itself, independent of the policies by which user
certificates are issued 0.
This approach allows ESnet to provide high-quality CAs, that is, ones that have rigorous and
published policies that other parties can examine and use as a basis for willingness to establish a
trust federation in which certificates from a trusted group of CAs are accepted for access to the
science community's resources. This is the case with the DOEGrids CA, which serves the US
high energy physics (HEP) community and is trusted by the European HEP community 0. This
allows US scientists to present DOEGrids CA certificates for authentication to European HEP
systems and vice versa.
This brings us to the second service that ESnet provides, and that is the negotiation of the
common policies that allow a trust federation to be formed. This negotiation typically consists of
a long series of meetings where the people who operate the respective CAs get together and agree
on the framework for a common CA policy, point by point. Once this framework is established,
then the CAs can write their own policy that is compatible with the framework, thus enabling the
cross-realm use of certificates. To bring the point home again, the policy framework in the
science community typically represents an abstraction of the traditional trust mechanisms of that
particular science community, and these mechanisms may not be compatible with those of
another community. (So, the Fusion Grid certificates would not be accepted by the European HEP
community, because the policies of this CA are not compatible with the trust policy framework of
the HEP community.) It should also be observed that science community identity policy which
is intended to represent in cyber space the web-of-trust of a scientific collaboration are quite
different than the policies associated with accessing, e.g., a laboratory's financial or HR systems
and the same certificates would not be used for both purposes.
This service especially the DOE Grids CA is heavily and widely used, with several thousand
active human identity certificates and several thousand more active service and system identity
certificates that are issued to DOE scientists and their collaborators in the university community.
30
Page1 
Page29 
Page31 
Page177