Grid RA procedures
- This information is just for UK eScience CA Registration Authority administrators: Lawrie Lowe and Pete Faulkner.
- When assessing an applicant for a new certificate:
  - we must have a short face-to-face interview with the applicant;
  - we must be sure that the user is a valid person to use Grid facilities;
  - the user email address should be one which will reach the user during the lifetime of the certificate and any renewals;
  - the valid ID must be photocopied onto the middle of a sheet of paper (taking care it's still a discernible photograph!);
  - this paper must be dated by the interviewer, with our signature or at least some indication of who conducted the interview;
  - the Approve web page must be printed out and put with the ID copy.
- We must follow the above procedure for a new certificate even if we have met the applicant before, and even if we have previously issued a certificate to them which has subsequently expired or been revoked. This is clear from the RA Operator Documentation.
- When renewing a user with an existing (unexpired) certificate, print out the Approve web page as an audit trail. It isn't necessary to see the applicant. It is necessary to be sure that the applicant is still a valid person to use the Grid, so if the user has left, and yet still wants to renew with us, liaising with firstname.lastname@example.org is definitely a good idea.
- For server registrations (rather than people), the applicant must be the administrator of the machine, not simply a user, and s/he must already have a valid certificate. The email address provided should ideally be one which is generic rather than specific to that person (though it should reach that person). We should also be sure the server is to be used for valid Grid purposes.
- I keep all the CA stuff in green folders on my shelves, so if you do approvals/renewals when I'm away, please keep pages till my return. As these folders contain personal data, they need to be kept secure.
- If in doubt about procedures, we can contact email@example.com.