...
**Example: The Initiator / Certifier Process for UCTrust Metadata**

The following process is used to prepare updated metadata for deployment:

- Campuses send a scanned image of their UCTrust certification letters to all initiators and certifiers at UCTrust-L@ucop.edu.
- An initiator collects the updated metadata into a compressed tar file called UCTrustMetadata.tar.gz.
- That initiator creates the initiator's digital signature file, UCTrustMetadata.tar.gz.initiator.sig, with the following command:
  - SignUCTrustInitiator UCTrustMetadata.tar.gz
- The initiator then sends the compressed tar file and the initiator's digital signature file to a certifier.
- The certifier verifies the correctness of the updated metadata in the compressed tar file. If it is not correct, the initiator is asked for a correction. If it is correct, the certifier creates the certifier's digital signature file, UCTrustMetadata.tar.gz.certifier.sig, from the initiator's digital signature file with the following command:
  - SignUCTrustCertifier UCTrustMetadata.tar.gz
- The three files, UCTrustMetadata.tar.gz, UCTrustMetadata.tar.gz.initiator.sig, and UCTrustMetadata.tar.gz.certifier.sig, are deployed on the UCTrust web site. Credential Providers and Resource Providers download the three files on a nightly basis and, before using the information, execute the following command to ensure that it has not been modified, that it was produced by an initiator, and that it was reviewed by a certifier:
  - CheckUCTrustSignatures UCTrustMetadata.tar.gz
...
PGP public/private key pairs are used to create and verify the digital signatures used by the initiator / certifier process. Initiators and certifiers each have a unique key pair, and each is responsible for protecting their private key in a manner consistent with the protection required for restricted data, as described in Business and Finance Bulletin IS-3, Electronic Information Security.
The public keys of all initiators are collected in a "keyring" file called UCTrustInitiators.gpg that is distributed with the SignUCTrustInitiator, SignUCTrustCertifier, and CheckUCTrustSignatures scripts. The public keys of the certifiers are similarly collected in a file called UCTrustCertifiers.gpg. Updates to these keyring files and the associated scripts are themselves distributed via the initiator / certifier process.
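The following script is an added example and is not the UCTrust project's own SignUCTrustInitiator, SignUCTrustCertifier or CheckUCTrustSignatures code. It re-creates the sign / countersign / verify chain of the process above with gpg and per-role keyrings like UCTrustInitiators.gpg and UCTrustCertifiers.gpg, and then shows two ways a bundle is rejected: a tampered tarball, and an initiator who countersigns their own work. Two details are assumptions rather than statements from the page: the certifier's detached signature is made over the initiator's signature file (which is how "from the initiator's digital signature file" is read here), and each signature is verified only against the keyring of the role expected to have produced it. The key pairs, user ids, directory names and the sample metadata file are constructed for the demo; gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not the UCTrust project's scripts): a minimal stand-in for
# SignUCTrustInitiator / SignUCTrustCertifier / CheckUCTrustSignatures on gpg.
# Assumed, not stated on the page: the certifier signs the initiator's signature
# file, and each signature is checked only against its own role's keyring.
set -eu

WORK="${TMPDIR:-/tmp}/uctrust-demo.$$"
INIT_HOME="$WORK/initiator-home"   # initiator's private key (constructed)
CERT_HOME="$WORK/certifier-home"   # certifier's private key (constructed)
VERIFY_HOME="$WORK/verifier-home"  # a consumer: public keyrings only
INIT_RING="$WORK/UCTrustInitiators.gpg"
CERT_RING="$WORK/UCTrustCertifiers.gpg"
TARBALL="$WORK/UCTrustMetadata.tar.gz"

# gpg in non-interactive mode with a per-role homedir; stderr is silenced so
# callers rely on the exit status alone.
g() { _home="$1"; shift
      gpg --homedir "$_home" --batch --yes --quiet --pinentry-mode loopback \
          --passphrase '' "$@" 2>/dev/null; }

# Generate a role's key pair and export its public key into that role's keyring.
make_role_key() {  # $1 homedir, $2 user id, $3 keyring file
  mkdir -p -m 700 "$1"
  g "$1" --quick-generate-key "$2" ed25519 sign never
  g "$1" --export "$2" > "$3"
}

# SignUCTrustInitiator stand-in: detached signature over the tarball.
sign_initiator() { g "$INIT_HOME" --detach-sign --output "$1.initiator.sig" "$1"; }

# SignUCTrustCertifier stand-in: detached signature over the initiator's
# signature file, so the certifier countersigns what the initiator attested.
sign_certifier() { g "$CERT_HOME" --detach-sign --output "$1.certifier.sig" "$1.initiator.sig"; }

# CheckUCTrustSignatures stand-in: succeeds only if the certifier signature
# verifies against the certifier keyring AND the initiator signature verifies
# against the initiator keyring; a key from the other ring is not accepted.
check_signatures() {  # $1 tarball, $2 initiator keyring, $3 certifier keyring
  mkdir -p -m 700 "$VERIFY_HOME"
  g "$VERIFY_HOME" --no-default-keyring --keyring "$3" --trust-model always \
    --verify "$1.certifier.sig" "$1.initiator.sig" || return 1
  g "$VERIFY_HOME" --no-default-keyring --keyring "$2" --trust-model always \
    --verify "$1.initiator.sig" "$1" || return 1
}

# Build keys, a constructed metadata tarball, and the two signature files.
setup_demo() {
  mkdir -p "$WORK/metadata"
  make_role_key "$INIT_HOME" "Demo Initiator <initiator@example.invalid>" "$INIT_RING"
  make_role_key "$CERT_HOME" "Demo Certifier <certifier@example.invalid>" "$CERT_RING"
  printf '<EntityDescriptor entityID="https://idp.campus.example.invalid/idp"/>\n' \
    > "$WORK/metadata/campus.xml"   # constructed stand-in for campus metadata
  tar -czf "$TARBALL" -C "$WORK" metadata
  sign_initiator "$TARBALL"
  sign_certifier "$TARBALL"
}

# Happy path: both signatures present and made by the expected roles.
verify_good_chain() { check_signatures "$TARBALL" "$INIT_RING" "$CERT_RING"; }

# A modified tarball shipped with the original signature files must be rejected.
reject_tampered_tarball() {
  t="$WORK/tampered.tar.gz"
  cp "$TARBALL" "$t"; printf 'x' >> "$t"
  cp "$TARBALL.initiator.sig" "$t.initiator.sig"
  cp "$TARBALL.certifier.sig" "$t.certifier.sig"
  if check_signatures "$t" "$INIT_RING" "$CERT_RING"; then return 1; fi
}

# Separation of duties: an initiator countersigning their own work is not in
# the certifier keyring, so the bundle must be rejected.
reject_self_certified() {
  t="$WORK/selfcert.tar.gz"
  cp "$TARBALL" "$t"
  g "$INIT_HOME" --detach-sign --output "$t.initiator.sig" "$t"
  g "$INIT_HOME" --detach-sign --output "$t.certifier.sig" "$t.initiator.sig"
  if check_signatures "$t" "$INIT_RING" "$CERT_RING"; then return 1; fi
}

# Stop the per-homedir agents and remove the demo directory.
cleanup_demo() {
  for h in "$INIT_HOME" "$CERT_HOME" "$VERIFY_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}

# Stand-alone run: build the chain, exercise the three cases, clean up.
setup_demo
verify_good_chain       && echo "good chain: accepted"
reject_tampered_tarball && echo "tampered tarball: rejected"
reject_self_certified   && echo "initiator self-certification: rejected"
cleanup_demo
```

The point of checking each signature against its own keyring is that possession of any single key is never enough: the consumer accepts the bundle only when one key from UCTrustInitiators.gpg vouches for the tarball and a different key from UCTrustCertifiers.gpg vouches for that initiator signature, which is what the nightly CheckUCTrustSignatures step is meant to guarantee.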
...