The ASF Certificate Authority exists to provide a framework for issuing certificates that are intended to be used to control access to ASF infrastructure. The body that controls the issuing of these certificates and the assignment of their attributes is known as the Registration Authority. This page describes how the Registration Authority established for the ASF operates.

General Rules

The following rules will be applied by the ASF CA.

  • Unsigned requests will be rejected.
  • The email address in the certificate will be used as its unique identifier.
  • Group membership will be listed in the certificate. When group membership changes a new certificate will be issued.
  • The CA will make no attempt to verify the groups being requested beyond checking that the request carries a valid signature from a key listed for each requested group in the group authorisation file.

Issuing of Certificates

The ASF Board will maintain a list of those who may approve an initial request for a certificate. (It is envisaged that these people will be the members of the infrastructure team who have root access.) The board will verify the keys of all these people and maintain a file that lists them.

The CA will reject ANY request for an initial certificate to be issued unless it has been signed by one of these keys.

Group Membership

  • All certificates will initially be issued without any group membership.
  • A file will be maintained (by whom?) that lists who (name and PGP key ID) may submit requests for each group.
  • Once group membership has been changed a new certificate will be issued.

Certificate Revocation

In order to revoke a certificate, one of the authorised keys must sign the text of the revocation request. The text of the request must contain the apache.org email address of the certificate. The ASF CA will also maintain one otherwise current and correct certificate that has been revoked, in order to facilitate testing.

Overall Process Outline

The following outline aims to describe the entire process of setting up and running the ASF CA, from start to finish. It's hoped that by describing the process in this way many questions will be answered.

Setup

The board will create a file that contains a list of people (with their approved Key IDs) who may make requests for certificates to be issued by the ASF CA. The file will contain

  • Name of person
  • Email address of person (the apache dot org one)
  • Key ID of the PGP key that they will use when making the request
# Certificate Authorisation file
# people listed below may request certificates be issued/revoked.

Jo Bloggs <bloggs@apache.org> [12345678]

Once this file has been created and uploaded to the server, the CA may be used for certificate creation.

Before the CA is of any use one other file needs to be created. This file lists the groups that may be requested in certificates and who is authorised to request each group.

# Group Authorisation file

test: Jo Bloggs <bloggs@apache.org> [12345678]

With this file uploaded to the server all is ready.

Issuing a Certificate

It's envisaged that the certificate issue will simply be added to the existing sequence of events for new committers, as follows.

  • PMC grants committer privileges. They send an email to the infrastructure team advising them.
  • The infrastructure team
    • creates the new account
    • sets up mail redirection as required
    • sends out the ASF welcome note, which includes instructions that tell the new committer to create a Certificate Signing Request (CSR) and email it to the infrastructure team.
  • The infrastructure team checks that the CSR is correct and, if it is, signs the request and sends it to the CA.
  • The CA processes the mail and, if successful, sends the new certificate to the committer.

Committer Authorisation

Once a PMC has added a new committer they should also send a signed email requesting a change of group membership for the committer. The CA will store valid requests and apply them every time the certificate is regenerated, so the request will still be accepted even if the committer has not yet sent a CSR or the infrastructure team have not yet submitted it.

The format of the emails is very simple.

Committer: bloggs@apache.org
Groups: +test -members

As many groups as required can be added to the Groups line, but the person signing the email MUST have authorisation to make changes for ALL groups listed or the mail will be rejected.
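The following is an added example of how a CA-side mail handler could enforce the rules above (the two authorisation file formats, the Committer/Groups request format, the "authorised for ALL groups or reject" rule, the revocation rule, and replaying stored requests onto an initially empty group list). It is not the ASF's own code. It assumes that PGP signature verification has already been done by the caller and that only the verified signer's key ID is passed in; it also assumes key IDs are 8 or 16 hex digits and that a group may appear on more than one line of the group authorisation file. The sample files and requests are constructed for the example.

```python
import re

# Constructed sample files in the page's own format (not real ASF data).
CERT_AUTH_FILE = """\
# Certificate Authorisation file
# people listed below may request certificates be issued/revoked.

Jo Bloggs <bloggs@apache.org> [12345678]
"""

GROUP_AUTH_FILE = """\
# Group Authorisation file

test: Jo Bloggs <bloggs@apache.org> [12345678]
members: Ann Other <other@apache.org> [ABCDEF01]
"""

# "Name <email> [KEYID]"; key ID length (8 or 16 hex digits) is an assumption.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?)\s+<(?P<email>[^\s<>]+@[^\s<>]+)>\s+\[(?P<keyid>[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?)\]$"
)
GROUP_TOKEN_RE = re.compile(r"^([+-])([A-Za-z0-9_.-]+)$")


def _entries(text):
    """Yield non-blank, non-comment lines of an authorisation file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_cert_auth(text):
    """Key IDs allowed to request that certificates be issued or revoked."""
    keys = set()
    for line in _entries(text):
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed entry: {line!r}")
        keys.add(m.group("keyid").upper())
    return keys


def parse_group_auth(text):
    """Map each group to the set of key IDs that may change it."""
    groups = {}
    for line in _entries(text):
        group, sep, rest = line.partition(":")
        m = ENTRY_RE.match(rest.strip())
        if not sep or not m:
            raise ValueError(f"malformed group entry: {line!r}")
        groups.setdefault(group.strip(), set()).add(m.group("keyid").upper())
    return groups


def parse_group_request(text):
    """Parse 'Committer: <email>' / 'Groups: +a -b' into (email, [(op, group)])."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    committer, groups = fields.get("committer"), fields.get("groups")
    if not committer or not groups:
        raise ValueError("request needs Committer: and Groups: lines")
    changes = []
    for tok in groups.split():
        m = GROUP_TOKEN_RE.match(tok)
        if not m:
            raise ValueError(f"bad group token: {tok!r}")
        changes.append((m.group(1), m.group(2)))
    return committer, changes


def check_group_request(signer_keyid, request_text, group_auth):
    """Accept only if the verified signer may change EVERY listed group."""
    committer, changes = parse_group_request(request_text)
    signer = signer_keyid.upper()
    denied = sorted({g for _, g in changes if signer not in group_auth.get(g, set())})
    if denied:
        return False, f"key {signer} not authorised for: {', '.join(denied)}"
    return True, committer


def check_revocation(signer_keyid, request_text, cert_auth):
    """Revocation: signed by an authorised key and naming an apache.org address."""
    if signer_keyid.upper() not in cert_auth:
        return False, "signer not in certificate authorisation file"
    if not re.search(r"[^\s<>@]+@apache\.org", request_text):
        return False, "request does not name an apache.org address"
    return True, "revocation accepted"


def replay_group_requests(accepted_requests):
    """Groups after applying stored requests in order to an empty membership."""
    membership = set()
    for _, changes in accepted_requests:
        for op, group in changes:
            (membership.add if op == "+" else membership.discard)(group)
    return sorted(membership)
```

The decisive check is in check_group_request: it computes the set of groups the signer is not listed for and rejects the whole mail if that set is non-empty, rather than applying the authorised part of the request. replay_group_requests shows why storing accepted requests (rather than the resulting state) is enough to regenerate a certificate from nothing.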