DutchGrid worthless DEMO CA Information
This page is pertinent only to the worthless DEMO CA (DutchDemoCA)
operated by the DutchGrid and NIKHEF Certification Authorities.
This CA was established explicitly for extremely light-weight
authentication, for example for demonstration use with machines not
normally connected to a network, or for student courses where a
more stringent authentication method would induce unacceptable delays.
The policy of the DutchDemoCA is derived from the medium-security
CP/CPS, with the exception that no proper authentication is
done. For the policy, see this url.
This has the side effect that the certificates issued by the
"Worthless Demo CA" are largely worthless in a European context. Please
make sure a DemoCert is accepted by your favourite resource
before applying for such a certificate.
If you want certification in the context of the EU DataGrid project,
you must apply for a medium-security certificate.
| Target audience |
The DutchDemo "worthless" CA is a light-weight authority for
use by students on the educational/research DAS-2 Grid
infrastructure. It can also be used for tradeshow and
demonstrator purposes.
|
| Validity |
The DutchGrid "demo" is a worthless certification authority
and not trusted anywhere in Europe. It is, however, accepted
on the ASCI "DAS-2" system and some personal laptops.
|
| Getting your own |
You can use the web-based request form (also available
over secure http). Be sure to select demo level certification
in the radio button at the bottom of the form. Use your institutional
email address, and send the mail from a system within your
organisational network to be eligible for certification.
|
| Renewing |
Your certificate is valid for 180 days. If you want to
renew, you have to send a brand-new email using the
script generated by the request form interface.
You will not be warned about an expiring certificate!
|
| Accepting certificates |
You should not accept demo certificates in your browser or
on your web site.
|
| Using this on the Grid |
To accept this CA on your grid resource, you must install
the CA's root certificate in the
/etc/grid-security/certificates directory. You can
do that via installing an
RPM, or by downloading the
root certificate and a signing
policy file.
Do not install the root cert on valuable resources!
|
| Where is my cert? |
See the list of all issued certificates.
|
| Is this certificate correct? |
This could apply to two different things. First, if you
want to check whether an issued certificate has been revoked, you
should check the Certificate Revocation List (CRL). You should do
that before any reliance on a certificate.
Secondly, there is no independent check of the root cert validity.
|
| Notes and warnings |
By requesting a certificate or by incorporating the
DutchGrid/NIKHEF CA cert into your authentication scheme, you
accept to comply with the policy associated with the use of the
DutchGrid/NIKHEF CA. The DutchGrid/NIKHEF CA is run on a
best-effort basis only and declines any responsibility for
damages, including indirect or consequential damages, arising out
of the use of the DutchGrid/NIKHEF CA certificates. The
demo policy is detailed here.
|
| Details |
Details on the DutchDemo CA
(root cert, directory, signing policy and tar-ball)
|
If you want to apply for a Demo certificate, please follow the
guide in the User Help pages, and
in the final stage request "Demo" certification.
|
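The "Is this certificate correct?" entry above says to consult the CRL before relying on a certificate. As an added example (not DutchGrid/NIKHEF code), the block below builds a throwaway CA, a 180-day user certificate and a CRL in memory with the `cryptography` package, then runs the checks a relying party should make: issuer and signature, validity window, CRL authenticity and freshness, and revocation status. The CA name, serials and the fixed "current time" are constructed for the example.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
NOW = datetime(2010, 6, 1)  # constructed "current time"; naive datetimes are treated as UTC
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_ca(cn="Constructed Demo CA"):
    # Throwaway root for this example; it is not the DutchDemo CA root certificate.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def issue(ca_key, ca_cert, cn, serial, days=180):
    # 180 days is the demo CA's maximum lifetime (its deviation from CP/CPS section 4.1)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))
def make_crl(ca_key, ca_cert, revoked_serials, days=7):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=days)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())
def check_before_reliance(cert, ca_cert, crl, now=NOW):
    # Returns "ok" or the first reason not to rely on this certificate.
    if cert.issuer != ca_cert.subject:
        return "issuer-mismatch"
    try:  # RSA PKCS#1 v1.5, which is what the builders above produce
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return "outside-validity"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted-crl"
    if now > crl.next_update:  # a CRL past next_update says nothing about current status
        return "stale-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

Note that a CRL that merely names the right issuer but is not signed by the CA key is rejected before its contents are consulted, so a forged CRL can neither revoke nor un-revoke anything.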
Worthless DutchDemo CA Information Summary
Worthless DutchDemo CA Policy (CP/CPS)
The following sections from the medium-security CP/CPS do not
apply for the Worthless DutchDemo CA:
- 1.2 (Identification) - the DEMO CA has no OID
- 1.3.1 (Cert authorities) - the DEMO CA may issue certs automatically
- 1.4.1.1 (Online repositories) - URLs may be different or non-existent
- 2.4.2 (Severability...) - the DEMO CA has NO severability etc.
- 2.7 (Compliance audit) - there shall be no auditing
- 3.1.4 (Uniqueness of names) - certificates issued by the DEMO CA may be re-certified under the medium-security policy, but not the other way round
- 3.1.7 (Possession of private key) - no stipulations
- 3.1.8 (Authentication of organisation identity) - no stipulation
- 3.1.9 (Authentication of individual identity) - no stipulations
- 4.1 (Certificate Application) - the maximum lifetime shall be 180 days
- 4.5 (Security Audit Procedures) - no stipulation for entire section
- 4.6 (Records Archival) - no stipulation for entire section
- 4.8.1 (Computing resources ...) - no stipulations
- 5.1.1 (Site location ...) - the CA machine can be any desktop at NIKHEF that is capable of reading the ZIP disk with the CA archive and CA private key
- 5.1.2 (Physical access) - the medium with the CA private data will be in a locked room accessible only by NIKHEF personnel
- 6.1.1 (Key pair generation) - the system is not disconnected
- 6.1.5 (Key sizes) - the DEMO CA key is 1024 bits
- 6.2.4 (Private key backup) - there is no securely controlled environment
- 6.2.6 (Private key entry...) - the pass phrase is more than 8 characters
- 6.3.2 - the root certificate will expire on March 2, 2011
- 6.4.1 (Activation data) - no stipulation
- 6.5.1 (Specific computer security...) - the CA machine is connected to a network, the key pair is kept on removable media only
All other sections of the medium-security CP/CPS apply in full to
the DutchDemo CP/CPS.
|