This page is holding information about requirements for Certificate Transparency (CT) operations, in terms of required infrastructure and resources. RESPONSIBLE: Information provided here is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by Certificate Transparency (CT) Service Manager. |
Infrastructure Requirements
Indicate requirements for VMs, grouping the requirements for multiple VMs in one column. Add as many columns as necessary, adding the sensible distinguisher for each group that will make it easier for later reference.
| VM requirements | Frontend | Signing | Merge |
|---|---|---|---|
| Description of usage | Frontend node | Signing node | Merge node |
| Number of VMs with same specification | 5 | 2 | 2 |
| Hardware requirements (CPU, RAM, disk space) | 8xCPU; 16G RAM; 2x1TB SSD | 1xCPU; 4G RAM; 20G HDD | 4xCPU; 16G RAM; 2x1TB SSD |
| Network connection requirements | 1 Gpbs | 1 Gbps
| 1 Gbps |
| IP addressing requirements (IPv4, IPv6, public routable) | 1 x IPv4 + 1 x IPv6 public 1 x IPv4 + 1 x IPv6 private2 | 1 x IPv4 + 1 x IPv6 private2 | 1 x IPv4 + 1 x IPv6 private2 |
Naming requirements1 |
| Other resource requirements | Frontend nodes | Signing nodes |
|---|---|---|
| Load balancing service | TBD: Homemade, using DNS? | |
| HTTP caching service | TBD: Varnish? | |
| TLS termination service | TBD: hitch? | |
| Tor onion service | Tor client | |
| 2 x HSM1 | PKCS#11 interface |
1 Hardware Security Module with support for deterministic ECDSA (NIST P-256) with HMAC-SHA256 and ed25519 (PureEdDSA).
Infrastructure hosting requirements
Hosting requirements | All systems |
|---|---|
Availability | "lots of nines" |
Backup (what, frequency, retention period) | Configuration only (/etc), daily |
Monitoring and alerting1 |
|
Measuring and Reporting2 | |
Log retention3 | |
Security policy for access and usage4 |
1 At minimum network accessibility (outside of LAN) and hardware resource usage must be monitored. Indicate if some of this resources can be deemed critical so that adequate thresholds for alerting are implemented. Additional, indicate which specific applications uptime and operational health must be monitored and alerting implemented.
2Define what should be measured, how and with what period in order to deliver appropriate reporting relating to KPIs, usage, etc.
4Define the policy for limiting accessing to the infrastructure piece and where it should be implemented (system level, network level etc.)
System and Application maintenance requirements
System and Application Requirements | |
|---|---|
Operating system | Linux with proper Docker support |
Applications1 | N/A |
| Maintenance hours2 | None – maintenance is performed on parts of the log but not affecting the service |
Configuration management | Docker containers deployed and run by cosmos + Puppet (i.e. multiverse) |
1 List the applications installed on a system, and add corresponding licenses where applicable.
2 Define window appropriate for regular maintenance. /give some recommendations
Human resources requirements
Indicate requirements both in skills and manpower needed, for personnel needed for devops team (that maintains service specific applications) and for L2 support.
Human resources requirements | add_distinguisher | add_distinguisher |
|---|---|---|
Description | ||
Manpower | ||
| Recommended number of persons (considering backups) | ||
| Skills |
1 Comment
Linus Nordberg
Note that what's described here is a full log instance, most likely to be split up among a number of NREN's.