DOE Grids Service Transition
ESnet has decided to transition support and management for the certificate services provided by the DOE Grids public key infrastructure (PKI) to the Open Science Grid (OSG). OSG and ESnet provide service to many of the same user communities, and have long been collaborators in the areas of identity and security. ESnet and OSG have evaluated a wide variety of options to meet the requirements of the DOE research community. OSG has concluded it will establish a replacement PKI supported by a contract with DigiCert, a commercial PKI provider.
Background and Timeline
In December 2011, OSG initiated a pilot service which included careful testing of DigiCert certificates, registration interfaces, and management APIs, and of their use in community applications including data, job, database, and other services that virtual organizations and collaborations regularly use.
The commercial CA pilot concluded in February 2012 and revealed no major issues. Based on the results, the team worked with the OSG Executive Team on its final analysis and recommendations. At the end of February 2012, ESnet, OSG and appropriate DOE program managers met to review and finalize next steps for transitioning the service over the next 12 months. Beginning in Spring 2012, OSG began implementation of the new service and is working with early testers to ensure the service is sound and ready for production in early 2013. ESnet will be working with its users and with OSG to ensure a seamless transition of all services by March 2013.
This page will be updated with information on the transition as it becomes available. Please feel free to contact us with any questions at any time.
email to DOEGrids CA customers: December 2, 2011
email to DOEGrids CA customers: February 22, 2012
email to DOEGrids CA customers: June 4, 2012
email to DOEGrids CA customers: August 29, 2012
Why is ESnet transitioning its service to OSG?
Ten years ago ESnet began offering certificate services to the DOE Office of Science. These services were at that time only in their infancy and no effective commercial solutions existed to fill this need for our community. Over the past decade, other organizations within the research and education community like OSG have begun to provide similar services to a similar and sometimes overlapping customer base. At the same time, vendor solutions have matured significantly and now provide greater cost efficiency and technical capabilities than ever before. Vendors are also more interested in partnering with the R&E community. Combined, these factors led ESnet to re-evaluate how our community would be best served for its certificate service needs into the future.
What is the timeline for transitioning service?
It is our goal to work with all of our users and with OSG to ensure a smooth and seamless transition by March 2013. Details of the implementation plan can be found here: https://twiki.grid.iu.edu/bin/view/Security/OSGCATransition2012
Why did OSG select DigiCert as its pilot service?
OSG performed a comprehensive evaluation of a wide variety of service options that could meet the unique requirements of the DOE research community. This analysis reviewed various community and commercial options against the requirements. DigiCert rose to the top as potentially able to effectively meet the criteria. The current pilot service is rigorously testing all attributes of the service including the registration interfaces and management APIs. The certificates will also be tested to ensure suitability for particular community applications including data, job, database, and other services that Virtual Organizations (VOs) regularly use.
Why did OSG decide to partner with a commercial partner?
Operating a certification authority is a serious responsibility. OSG considered the options of ramping up its own skills and expertise in the area versus contracting with a well-established trusted commercial partner. There were enough benefits to partnering that it was worth initial exploration through the pilot, and given the success of the pilot, we believe the partnership is the best path for OSG to provide a trustworthy, user-friendly, cost-effective service for its user community.
What if our certificates expire before the end of 2012? How should we renew them?
We encourage you to renew your certificate as you normally would with DOEGrids CA. Your certificates will remain valid until they expire.
What if my organization would like to explore other options besides the OSG service?
While ESnet fully supports the OSG service as a path forward for our users, we understand that you may want to explore other certificate service options outside of this proposed solution. If this is the case, ESnet staff would be glad to work with you on a one-on-one basis to understand your needs and concerns and help identify possible solutions.
What should a customer do to get more information about the OSG service and the DigiCert pilot?
ESnet would be happy to facilitate a one-on-one conversation with our OSG partners. Ruth Pordes, OSG Executive Director (firstname.lastname@example.org) and Von Welch, OSG CA Transition Program manager (email@example.com) are the primary contacts at OSG.
OSG Certificate Service Transition website: https://twiki.grid.iu.edu/bin/view/Security/OSGCATransition2012