Page tree
Skip to end of metadata
Go to start of metadata


List of datasets


eduPKI operations - personal identification form for Registration Authorities

Dataset description:

Paper form for registering Registration Authority (RA) personnel

Purpose of processing:

To verify and assure RA personnel identity

Data source:

Input from user

Data storage and access:

Paper form stored at DFN-CERT. Access by eduPKI PMA

Data transfer:

Data is not transferred to any other party

Data retention:

If an RA certificate was created, the corresponding personal identification form is retained for 1 year after expiry of the certificate

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)Comment
1

Surname and given name

Yes
2

Phone number (work)

YesAdditional check needed.
3

E-mail-address (work)

Yes
4

Organization with organizational unit and address

No
5

Signature with date and place

Yes
6

Type of ID document and last 5 digits of ID document number presented to eduPKI PMA

No
7

Name of eduPKI PMA member performing the identification

Yes
8

Signature of eduPKI PMA member performing the identification with date and place

Yes

eduPKI operations - certificate application form

Dataset description:

Form (paper or file (PDF or scanned paper form)) for certificate application

Purpose of processing:

To create a X.509 certificate

Data source:

Input from user

Data storage and access:

Paper form or email with attached form (PDF or scan) stored at Registration Authority. Access by eduPKI Registration Authority (currently DFN-CERT, SRCE, RESTENA, GEANT)

Data transfer:

Data is not transferred to any other party

Data retention:

If a certificate was created, the corresponding request data is retained for 1 year after expiry of the certificate

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)Comment
1

Fingerprint of Public key

Yes
2

Request data for server certificates only: server name (FQDN), possibly multiple times

No
3

Request data for server certificates only: contact e-mail-address

YesIf personal email address.
4

Surname and given name of applicant (user)

Yes
5

Organization of applicant (user)

Yes
6

E-mail-address to be included in certificate (optional for server certificates, mandatory for personal certificates)

YesIf personal email address.
7

Date request was created

No
8

Signature of applicant

Yes
9

Date request was approved by Registration Authority

No
10

Signature of Registration Authority approving the request

Yes
11

Type of ID document presented to Registration Authority (but no further data from the ID document)

No

eduPKI operations - request data

Dataset description:

All data related to a certificate request

Purpose of processing:

To create a X.509 certificate and to contact the user

Data source:

Input from user

Data storage and access:

Stored in database operated in infrastructure of DFN-CERT. Access by designated DFN-CERT PKI operations personnel and by eduPKI Registration Authority (currently DFN-CERT, SRCE, RESTENA, GEANT)

Data transfer:

Data is not transferred to any other party

Data retention:

If a certificate was created, the corresponding request data is retained for 1 year after expiry of the issuing CA

If no certificate was created within 180 days of request data submission, request data is deleted

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)Comment
1

Public key

Yes
2

Request data for server certificates only: server name (FQDN), possibly multiple times

No
3

Request data for server certificates only: contact e-mail-address

YesIf personal email address.
4

Surname and given name of applicant (user)

Yes
5

Organization of applicant (user)

Yes
6

E-mail-address to be included in certificate (optional for server certificates, mandatory for personal certificates)

YesIf personal email address.
7

User-created PIN

Yes
8

Date of request creation

No
9

Date of request approval by Registration Authority

No
10

Identity of Registration Authority approving the request

No

eduPKI operations - revocation request data

Dataset description:

All data related to a revocation request

Purpose of processing:

To revoke X.509 certificates

Data source:

Input from user

Data storage and access:

Stored in database operated in infrastructure of DFN-CERT. Access by designated DFN-CERT PKI operations personnel and by eduPKI Registration Authority (currently DFN-CERT, SRCE, RESTENA, GEANT)

Data transfer:

Data is not transferred to any other party

Data retention:

1 year after expiry of the issuing CA

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)
1

Serial number of certificate to be revoked

Yes
2

Revocation reason

No
3

Date of revocation request creation

No
4

Date of revocation request approval by Registration Authority

No
5

Identity of Registration Authority approving the request

No

eduPKI operations - log and audit trail

Dataset description:

Log and audit trail related to certificate requests, revocation requests and RA operations

Purpose of processing:

Reliable audit trail to create an high assurance level for PKI operations

Data source:

Input from user and RA Operator

Data storage and access:

Stored on servers operated in infrastructure of DFN-CERT. Access by designated DFN-CERT PKI operations personnel

Data transfer:

Data is not transferred to any other party

Data retention:

audit trail archival for 1 year after expiry of the issuing CA

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)Comment
1

All data from Dataset “eduPKI operations - request data”

YesSome of data.
2

All data from Dataset “eduPKI operations - revocation request data”

YesSome of data.
3

Timestamp of modifications

No
4

IP address of client submitting the data

Yes
5

If modifications are made by a Registration Authority: Identity of Registration Authority

No

eduPKI operations - certificate data

Dataset description:

Data related to a certificate

Purpose of processing:

Part of PKI operations

Data source:

Input from certificate request created by user

Data storage and access:

Stored in database operated in infrastructure of DFN-CERT. Access by designated DFN-CERT PKI operations personnel and by eduPKI Registration Authority (currently DFN-CERT, SRCE, RESTENA, GEANT)

Data transfer:

Certificates and its contained data may be shared via a public web search, if the user agreed to publish the certificate during certificate application time.

Data retention:

audit trail archival for 1 year after expiry of the issuing CA

Personal data processed:Yes

Dataset content


Data itemIs personal data (DPO fills in)Comment
1

X.509 certificate with public key, names, validity dates and email-addresses described as below

Yes
2

Server certificates only: server name (FQDN), possibly multiple times

No
3

Personal certificates only: Surname and given name of user

Yes
4

Organization of applicant (user)

No
5

E-mail-address in certificate (optional for server certificates, mandatory for personal certificates)

YesIf personal email address.
6

Validity dates (start/end) of certificate

No

eduPKI operations - revocation status data CRL and OCSP


Dataset description:

revocation status information

Purpose of processing:

dissemination of revocation status information

Data source:

Internal databases

Data storage and access:

Stored in database operated in infrastructure of DFN-CERT. Access by designated DFN-CERT PKI operations personnel.

Public read access.

Data transfer:

Data is published worldwide

Data retention:

Archival for 1 year after expiry of the issuing CA

Personal data processed:Yes

Dataset content



Data itemIs personal data (DPO fills in)
1

Serial number of X.509 certificate

Yes MA:WHY
2

Revocation date

No

Description of fields

The details of service related datasets (data collections) should be filled with a list of all kinds of data which is collected or processed by this service. The table should be filled by the Service Manager and afterwards reconciled with the GEANT Data Protection Officer in order to address GDPR requirements. One service often incorporates several datasets.

<dataset_name> - name of dataset (collection of data processed in similar way).

Dataset description - brief explanation of the kind of information or entities the dataset contains.

Data source - what are source(s) of data - list of services, systems, applications, databases or similar source components, including user's input, from which data are being received. E.g. RIPE database, service ABC, organisation LDAP directory...

Data storage and access: describe where the data are stored, backup-ed etc. and who has access to the data.

Data transfer: list of other services, systems, applications, databases or similar destinations to which data are being sent. E.g. RIPE database, service ABC, GÉANT's database XYZ...

Data retention: describe data retention policy ie. for how long data are stored before being deleted. E.g. 1 year, 2 years after contract ending, forever...

Dataset content

  • Data item: a specific dataset item. It may be an attribute, component or structure within a dataset that can be clearly described in terms of content. If attribute, it is usually described with the formally assigned name and corresponding explanation of meaning, purpose, expected content or allowed values. Property values characterise all or some items (records, members...) within the dataset.
  • Is personal data (DPO fills in): whether this item is (a part of) personal data. Decided and entered by the GÉANT Data Protection Officer while analysing the GDPR requirements. Answer Yes of No.


Document ID


Version of document


Date of approval
Approved by
Status (draft, approved, obsolete)draft
Document owner (Service Manager?)
Contact person


Date of resubmission


Intervall of resubmission
Type of document (policy, procedure, Information)


https://wiki.geant.org/display/timops/eduPKI+RAGs