
...

Example: The Initiator / Certifier Process for UCTrust Metadata

The following process is used to prepare updated metadata for deployment:

  1. Campuses send a scanned image of their UCTrust certification letters to all initiators and certifiers at UCTrust-L@ucop.edu.
  2. An initiator collects the updated metadata into a compressed tar file called UCTrustMetadata.tar.gz.
  3. That initiator creates the initiator's digital signature file, UCTrustMetadata.tar.gz.initiator.sig, with the following command:
        SignUCTrustInitiator UCTrustMetadata.tar.gz
  4. The initiator then sends the compressed tar file and the initiator's digital signature file to a certifier.
  5. The certifier verifies the correctness of the updated metadata in the compressed tar file. If it is not correct, the initiator is asked for a correction. If it is correct, the certifier creates the certifier's digital signature file, UCTrustMetadata.tar.gz.certifier.sig, from the initiator's digital signature file with the following command:
        SignUCTrustCertifier UCTrustMetadata.tar.gz
  6. The three files, UCTrustMetadata.tar.gz, UCTrustMetadata.tar.gz.initiator.sig, and UCTrustMetadata.tar.gz.certifier.sig, are deployed on the UCTrust web site. Credential Providers and Resource Providers download the three files on a nightly basis and execute the following command:
        CheckUCTrustSignatures UCTrustMetadata.tar.gz
    before using the information to ensure that it has not been modified, and that it has been produced by an initiator and reviewed by a certifier.

...

The public keys of all initiators are collected in a "keyring" file called UCTrustInitiators.gpg that is distributed with the SignUCTrustInitiator, SignUCTrustCertifier, and CheckUCTrustSignatures scripts. The public keys of the certifiers are similarly collected in a file called UCTrustCertifiers.gpg. Updates to these keyring files and the associated scripts are themselves distributed via the initiator / certifier process.
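The following program is an added example that models the six-step process above and the two-keyring check described in the previous paragraph; it is not the UCTrust scripts themselves. It substitutes Ed25519 for GnuPG so that it runs with only the Go standard library: each "signature file" carries a short key ID followed by the signature, standing in for the signer key ID that a detached GnuPG signature records, and the two Keyring maps stand in for UCTrustInitiators.gpg and UCTrustCertifiers.gpg. All function and type names, and the tarball contents, are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Added example: Ed25519 stand-in for the GnuPG-based UCTrust scripts.
// Names are assumptions made for illustration, not the project's own code.

const keyIDLen = 8 // bytes of SHA-256(pubkey) used as the key ID (16 hex chars)

// Keyring stands in for UCTrustInitiators.gpg / UCTrustCertifiers.gpg.
type Keyring map[string]ed25519.PublicKey

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:keyIDLen])
}

func (r Keyring) Add(pub ed25519.PublicKey) { r[keyID(pub)] = pub }

// sign produces a "signature file": keyID || Ed25519 signature over data.
func sign(priv ed25519.PrivateKey, data []byte) []byte {
	id := keyID(priv.Public().(ed25519.PublicKey))
	return append([]byte(id), ed25519.Sign(priv, data)...)
}

// verifyWithRing accepts a signature only if its key ID is in the ring for
// the given role AND the signature verifies under that key. A valid signature
// from a key in the wrong ring (an initiator acting as certifier) is rejected.
func verifyWithRing(ring Keyring, data, sigFile []byte, role string) error {
	idLen := keyIDLen * 2
	if len(sigFile) != idLen+ed25519.SignatureSize {
		return fmt.Errorf("%s signature: malformed signature file", role)
	}
	id := string(sigFile[:idLen])
	pub, ok := ring[id]
	if !ok {
		return fmt.Errorf("%s signature: key %s is not in the %s keyring", role, id, role)
	}
	if !ed25519.Verify(pub, data, sigFile[idLen:]) {
		return fmt.Errorf("%s signature: verification failed", role)
	}
	return nil
}

// Step 3: the initiator signs the tarball.
func SignUCTrustInitiator(priv ed25519.PrivateKey, tarball []byte) []byte {
	return sign(priv, tarball)
}

// Step 5: the certifier signs the initiator's signature file (not the tarball),
// so the certifier's signature is bound to the exact initiator signature reviewed.
func SignUCTrustCertifier(priv ed25519.PrivateKey, initiatorSig []byte) []byte {
	return sign(priv, initiatorSig)
}

// Step 6: the nightly check run by Credential and Resource Providers.
func CheckUCTrustSignatures(initiators, certifiers Keyring, tarball, initiatorSig, certifierSig []byte) error {
	if err := verifyWithRing(initiators, tarball, initiatorSig, "initiator"); err != nil {
		return err
	}
	return verifyWithRing(certifiers, initiatorSig, certifierSig, "certifier")
}

// Outcome collects the result of an honest check and three failure modes.
type Outcome struct{ Honest, Tampered, RoleConfusion, UnknownKey error }

// Scenario runs the full process once with freshly generated keys.
func Scenario() Outcome {
	initPub, initPriv, _ := ed25519.GenerateKey(rand.Reader)
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // key in neither keyring
	initiators, certifiers := Keyring{}, Keyring{}
	initiators.Add(initPub)
	certifiers.Add(certPub)

	tarball := []byte("constructed stand-in for UCTrustMetadata.tar.gz") // constructed input
	isig := SignUCTrustInitiator(initPriv, tarball)
	csig := SignUCTrustCertifier(certPriv, isig)

	var o Outcome
	o.Honest = CheckUCTrustSignatures(initiators, certifiers, tarball, isig, csig)
	tampered := append(append([]byte(nil), tarball...), '!') // metadata altered after signing
	o.Tampered = CheckUCTrustSignatures(initiators, certifiers, tampered, isig, csig)
	// Initiator "certifies" its own work: valid signature, wrong keyring.
	o.RoleConfusion = CheckUCTrustSignatures(initiators, certifiers, tarball, isig, SignUCTrustCertifier(initPriv, isig))
	// Tarball signed by a key that is not an initiator at all.
	o.UnknownKey = CheckUCTrustSignatures(initiators, certifiers, tarball, SignUCTrustInitiator(roguePriv, tarball), csig)
	return o
}

func main() {
	o := Scenario()
	fmt.Println("honest:", o.Honest)
	fmt.Println("tampered:", o.Tampered)
	fmt.Println("role confusion:", o.RoleConfusion)
	fmt.Println("unknown key:", o.UnknownKey)
}
```

The point of keeping two separate keyrings is visible in the RoleConfusion case: the initiator's certifier-style signature is cryptographically valid, but the check rejects it because the key is not in the certifier keyring, so one person cannot both produce and approve a metadata update. Note also that the check can only be as trustworthy as the keyrings and scripts it runs with: the first copy of UCTrustInitiators.gpg and UCTrustCertifiers.gpg has to be obtained and verified out of band before the distributed updates to them can be checked by this process.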

...