Click here for the InCommon Participant Operational Practices.
UC Berkeley Background
- Over 30,000 students, approximately 10,000 staff and faculty, over 40,000 active hosts
- Central and Distributed IT support
- Central IST department manages many hosts for campus departments
- Local departments manage many of their own devices
- Central IST Enterprise Windows team already offered a PKI service which allowed personal enrollment for a variety of certs and resold Verisign SSL machine certificates
- CalNet - Identity Management team chosen to run new InCommon Certificate Service, gradually replacing the existing service as the InCommon service expands to cover a wider range of certificates
- CalNet team a small, technical staff - plan to delegate certificate administration broadly
- Chain of trust established through various levels of the organization
- Central administration - CIO approves RAO status for CalNet team - initial testing and central processing of cert requests
- Central IST DRAOs - DCIO approves DRAO status for central IST staff to approve SSL certs for centrally managed hosts
Broad-scale delegation - in progress
- Establish a delegation model similar to our existing CalNet deputy process, where we delegate identity vetting, account creation, and passphrase reset responsibility to trained and "deputized" departmental staff.
- Departmental DRAOs, recruited by sending requests to high-level departmental IT managers in large campus departments (Law School, Business School, EECS, etc) to appoint DRAOs
- For each department, gather enrollment information and set up DRAO account
- Continue seeking delegated admins as requests come in to central management team. Plan in-person trainings as DRAOs are identified.
- Train delegated administrators - approximate 1 hour in-person training required for all DRAOs.
- After training our first round of central IST DRAOs, they have raised a number of interesting questions.
Announcing the Service to Campus
We took a variety of approaches to announce the service to campus:
- General announcement email to various listservs on campus used by IT staff.
- Published an InCommon Certificate Services page, including an FAQ, on our website.
- Described the service at various committee meetings and campus forums.