WHY


Projects have a lot of similar requirements.

By centrally providing these as "building blocks", projects do not have to do this themselves and can focus on the service.

Already existing building blocks should be better "marketed".

This would improve efficiency.

By unifying policies across and between different service operators, it would be easier to relocate services.



SCOPE

  • VMs  
  • Service Monitoring 
  • Backup/restore/archiving - data retention (ties into GDPR)
  • Source code repositories (non-public and public)
  • PKI:
    • Strategy
    • certbot
    • TCS
    • eduPKI CA
    • let'sRadsec <= very eduroam specific? i.e. s
    • cab forum (related, maybe come down to lobby work?)
    • Certificate Transparency
  • Security Operations Centre (SOC) - in edugain ops in whitepaper
  • FirstLevelSupport (service desk)

WHAT

PKI:

  • Develop a PKI strategy for GN4 that will somehow put the PKI related GN services (such as TCS, eduPKI (knowledge center & CA), let'sRadSec, certbot, Certificate Transparency efforts and potential lobbying work at fora and organisation) into perspective. Shaping the services.
  • Develop and enhance tools and services (like certbot, let'sRadSec, TCS and eduPKI CA) to ease and broaden the use of PKI within the GN world.
    • certbot should be able to be used by server admins of standard web-servers and RadSec-servers to request and deploy certificates from ACMEv2 compatible CAs, like from TCS and eduPKI CA
    • Research how certbot can be fit into an Organisation Validated (OV) certificate issuing environment like it is currently for TCS & eduPKI
    • implement changes to certbot and/or a server component to connect to eduPKI CA's SOAP-API, for use with Let'sRadSec.
  • Providing independent services to strengthen the trust into public web-PKI and NREN / GN internal PKI by making the used PKI more transparent.
  • Providing certificate services that are based on GN/NREN requirements but independent from PKI developments outside of control GN and NRENs → "internal PKI"
  • Lobbying for GN/NREN specifics as an interested 3rd party at CA/Browser Forum. Though it's currently unclear what the goal or expected outcome of such task is. Except for the goal to research how GN participation could be possible in the forum and what it's possible impact could be.

HOW/WHEN

tbd



Post-Its:

AAI Pilots also need PROD stuff like securing, monitoring, policy

Certificate Transparency → Security: No it is immediately related to X.509 SSL certificates

eduPKI → change to internal service

PKI work needs revisions (eduPKO, CT, certbot, Let'sRadSec)


  • No labels