Which Certificate Authority Should LIGO Use?

LIGO wishes to remove the burden from users of requesting, retrieving, and managing X.509 digital certificates and the associated private keys. A new authentication and authorization infrastructure design includes deploying MyProxy servers at all LIGO computing sites, and storing X.509 certificates and private keys in the MyProxy repositories. Rather than generating a proxy certificate using a locally stored and managed certificate and private key, users will retrieve a proxy credential from the MyProxy server after first authenticating to the MyProxy server using other LIGO credentials (primarily a Kerberos credential). The private keys will be stored unencrypted so that the MyProxy server can generate and issue a proxy certificate to the authenticated user. The certificates and keys stored in the MyProxy repositories are managed by the infrastructure and administrators so that end users no longer need to request, retrieve, and manage the certificate and key files. Storing unencrypted in a central repository the associated private keys for X.509 certificates issued by the DOEGrids CA would violate the DOEGrids Certificate Policy (see section 2.1.2 of version 2.9 of the policy document), and currently LIGO users are issued X.509 credentials signed by the DOEGrids CA. Three options are identified for moving forward with the new infrastructure: 1) start a dialogue with the DOEGrids CA to determine if the existing policy can be amended to support the desired LIGO use case or perhaps another subordinate CA might be created and managed by the DOEGrids CA to support the LIGO use case. 2) Continue a dialogue with the TeraGrid about the TeraGrid CA issuing credentials to LIGO users to be stored in LIGO MyProxy repositories. 3) Deploy a LIGO CA.