Feasibility Study for a JISC National Certificate Issuing Service
The primary requirement for a national X.509 certificate-issuing service comes from e-Science. This demand is forecast to rise from about 1,000 certificates in issue now to 20,000 within 3–5 years. Important secondary requirements for certificates arise from secure e-mail and cross-institutional use of secure web servers, including the forthcoming national deployment of the Shibboleth access-control framework.
Executive Summary
At present, the e-Science community issues its own certificates from a CA at Rutherford Appleton Laboratory (RAL) and a network of local and regional RAs around the country. At the outset of this project, it was believed that the RAL CA had reached the limit of its capacity. However, the actual capacity limit is now thought to be an order of magnitude greater, at about 10,000.
This increase in capacity gives more time to implement the report’s main proposal, to set up two JISC CAs. One would issue medium-assurance certificates acceptable to e-Science. End users would be registered with it either individually by existing e-Science RAs or (at lower cost) in bulk from existing institutional staff and student databases. Bulk registration would be limited to institutions capable of satisfying the Grid Policy Management Authorities that they operate sufficiently rigorous administrative processes for vetting the identities of their members. The second JISC CA would issue basic-assurance certificates. Current e-Science resources would not accept these certificates (though future ones might). The users of this CA would be registered in bulk from any institution’s existing databases, populated using current administrative processes. Optionally, a third CA could be set up to allow self-registration by anyone with a valid UK academic e-mail address, thus lowering the barriers to experimentation with cross-institutional use of certificates (e.g., for secure e-mail).
Potential outsourcing suppliers were approached to determine feasibility and indicative pricing for the services described above. There was general agreement that the proposals are feasible, with prices being quoted on the order of £50,000 for set-up, plus annual costs ranging from £50,000 to £300,000 for 20,000 certificates. Set-up here covers only administrative start-up of the new CAs and excludes the additional cost of developing bespoke software to upload bulk registration data from institutions.
The main recommendations
To consider moving towards a system of two JISC CAs, basic and medium assurance, as described above.
Given that the RAL CA has greater capacity than was previously thought, discussion should begin between the JISC, the e-Science community, and RAL CA staff about the future role of the RAL CA.
One option would be for the RAL CA to become the proposed medium-assurance JISC CA, extending its remit beyond e-Science to more general H&FE purposes and working with the Grid Policy Management Authorities to assist the creation of the proposed institutional bulk RAs and their acceptance by e-Science, while working to further increase capacity, possibly by outsourcing some of its mechanical functions. In this approach, the proposed basic-assurance CA could either be set up at RAL as an extension of the existing facility or outsourced.
Alternatively, JISC might request formal bids from outsourcing vendors for its own CAs, in the expectation that the RAL CA would be phased out. Note that if the RAL CA were to continue in operation then the JISC certificates could not be used for e-Science purposes, both because in most circumstances international Grid policy only recognises one CA per country and because of the momentum of existing e-Science CA arrangements.
Regardless of the specific arrangements for actual CA operation, it may be desirable to set up a standing policy body, covering e-Science, JISC and other academic users, which could settle certification policy questions and liaise with international policy bodies.