The purpose of this pilot is to build a setup in which users can access X.509-based resources without the need for them to understand the intricacies of a PKI. The pilot requires an online CA, plus a scalable trust model applicable for the multi-infrastructure-multi-federation European research landscape.

A high-level introduction is given in the this AARC blog post

Detailed description

A detailed description can be found in these wiki pages.

The setup consists of

The online CA is a service provider which has entered eduGAIN, and has as CA been accredited by IGTF (as a so-called IOTA CA). In order to protect the service, a filtering WAYF has been implemented which only accepts Identity Providers that publish the R&S set of attributes and are conforming to the Sirtfi. The combined service is running on a production level. The Master Portals run by EGI and ELIXIR are running as pilot services.


We have created two demonstrator Master Portal clients, which talk to a semi-production Master Portal (running for EGI), serviced by the production online CA. We also have setup a test VOMS service with test VO, to test and showcase the integration with a VOMS attribute authority. The two demonstrators are:

  1. a simple PHP program showing the basic API and handshake, with a possibility to execute the same demonstrator code. The code additionally shows how to integrate with VOMS or how to specify a specific IdP at the WAYF.
  2. a simple Science Gateway allowing access to a gsiftp-enabled storage service (a test dCache instance, This shows how X.509-based storage elements can be accessed using a science gateway, where authorization is based on VOMS attributes (group membership etc.).


The adaptations of the code for this pilot can be found on the github repository