The InCommon metadata signing process involves the following components and actors:
The metadata signing key is the private key used to sign InCommon metadata. The public key that corresponds to the private metadata signing key is bound to the metadata signing certificate, which is stored on a secure web server (ops.incommon.org). Together, this key pair forms the basis of the trust fabric of the InCommon Federation (see /display/InCFederation/Managing+Trust+in+Keys+Used+for+Metadata).
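The trust relationship described above rests on relying parties checking every metadata document against the published signing certificate, and nothing else. The following Go program is an added illustration, not InCommon's own tooling: it generates a throwaway ECDSA key pair and self-signed certificate that stand in for the offline signing key and the published metadata signing certificate, signs a constructed metadata document, and then verifies it the way a relying party should, against the pinned certificate only. The metadata bytes, the certificate subject name and all function names are assumptions made for this example; real InCommon metadata carries an XML signature, which this example simplifies to a detached signature over the document bytes. The verification step rejects both a modified document and a signature made with a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSigningKeyAndCert builds a throwaway ECDSA key pair plus a self-signed
// certificate. They stand in for the offline metadata signing key and the
// published metadata signing certificate; constructed for this example only.
func newSigningKeyAndCert() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-metadata-signer"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return priv, certPEM, nil
}

// signMetadata is the offline side of the process: hash the metadata
// document and sign the digest with the private signing key.
func signMetadata(priv *ecdsa.PrivateKey, metadata []byte) ([]byte, error) {
	digest := sha256.Sum256(metadata)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyMetadata is the relying-party side: the signature is checked only
// against the public key carried in the pinned signing certificate, never
// against a key delivered alongside the metadata itself.
func verifyMetadata(pinnedCertPEM, metadata, sig []byte) error {
	block, _ := pem.Decode(pinnedCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("pinned signing certificate is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("pinned certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(metadata)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("metadata signature does not verify against pinned certificate")
	}
	return nil
}

func main() {
	priv, certPEM, err := newSigningKeyAndCert()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a federation metadata aggregate.
	metadata := []byte(`<EntitiesDescriptor Name="constructed-example"/>`)
	sig, err := signMetadata(priv, metadata)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine metadata:", verifyMetadata(certPEM, metadata, sig))

	// A single altered byte must make verification fail.
	tampered := append([]byte{}, metadata...)
	tampered[1] = 'X'
	fmt.Println("tampered metadata:", verifyMetadata(certPEM, tampered, sig))
}
```

Pinning the certificate out of band (the page places it on ops.incommon.org) is what makes the check meaningful: a verifier that accepted whichever certificate arrived with the metadata would accept anyone's signature.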
The metadata signing key is a secure offline key. It is stored on the hard drive of an offline laptop, which is kept in a safe in a secure facility (#1) with strict physical access controls.
Access to the safe itself requires both a key and a PIN. A Key Authority Officer provides the key, while a Technical Authority Officer knows the PIN. A single individual cannot be both a Key Authority Officer and a Technical Authority Officer; that is, no one person knows both the location of the key and the PIN. Thus two people with strict separation of duties are required to access the laptop in the safe.
Unsigned metadata is stored in a digital repository on a secure server with limited physical and network access. The server is locked in a cage in a secure facility (#2) with strict physical access controls and video surveillance. The server is protected by a firewall that restricts network access to the InCommon Federation Manager and the eduGAIN metadata server.
A software process that orchestrates metadata import and signing is run daily according to precise hours of operation. This software process runs on the offline laptop. The Technical Authority Officer initiates the software process in the presence of the Key Authority Officer.
In the same way that a bank deposit box requires two distinct physical keys, the metadata signing process requires two human actors, a Key Authority Officer and a Technical Authority Officer. Only the Key Authority Officer can access the safe, while only the Technical Authority Officer can run the software process. Both are needed to complete the metadata signing process. Each limits the actions of the other.