Jump to Navigation

CA Policy

This page provides the CP/CPS of the UK e-Science CA, and various other CAs operated by the NGS.

CP/CPS is an abbreviation of Certificate Policy and Certification Practices Statement.  It is like an agreement or a contract, between people who get certificates, the resources that "consume" them, and the Certification Authority itself.  Anyone who does anything with a certificate is subject to the CP/CPS (specifically, the version under which the certificate was issued).

If this sounds like gobbledygook, you should go to the About certificates  page instead.

UK e-Science CA

The current version is 1.4.

Version Date CP/CPS Changelog What's new?
0.7 - cps-0.7.pdf - -
0.8 - cps-0.8.pdf cps-0.7-0.8.pdf -
0.9 - cps-0.9.pdf cps-0.8-0.9.pdf whatsnew-0.9
1.0 30.10.2003 cps-1_0.pdf cps-0_9-1_0.pdf whatsnew-1_0
1.1 04.03.2005 cps-1_1.pdf cps-1_0-1_1.pdf whatsnew-1_1
1.2 15.05.2005 cps-1_2.pdf cps-1_1-1_2.pdf whatsnew-1_2
1.3 04.08.2006 cps-1_3.pdf cps-1_2-1_3.pdf whatsnew-1_3
1.4 04.12.2007 cps-1_4.pdf cps-1_3-1_4.pdf whatsnew-1_4
1.5 03.02.2010      
2.0 09.03.2015 cp-2.0.pdf   Rewritten

 Root CA

The current version is 1.0.


CP/CPS Version 1.2. The OID of this certificate policy and practices statement is

iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) stfc(11439) site-independent(1) ngs(3) sarongs(1) cps(1) major-version-1(1) minor-version-2(2)

The SARoNGS CA authenticates individuals via the UK Access Management Federation based on their eduPersonTargetedID attributes. It is a requirement that identity providers (IdPs) subscribe to section 6 of the Rules of Membership which commits them to providing traceable identity management. SARoNGS is a short-lived credential service (SLCS)

SARoNGS generates pseudonymised ids: they can be traced back to the original identity in two steps: first via SARoNGS: we can map the credential back to the eduPersonTargetID and/or session id. While we cannot release this data according to the rules of running a service provider in the federation, we will pursue the matter ourselves with the relevant identity provider: they are then required to follow up with the original user.

The SARoNGS private key is online, it is installed in a crypto module which is certified to FIPS 140-2, Level 3 (and it's running in Level 3 mode). Certificates are issued automatically based on successful authentication to a home institution IdP complying with section 6.

SARoNGS goes to great lengths to ensure uniqueness of ids. In theory, a site will be permitted to recycle an eduPersonTargetedID two years after it was last used (it is of course not something sites are likely to do, as the software they run will be designed to avoid this.) It is therefore the SARoNGS policy to regenerate the SARoNGS id for a given eduPersonTargetedID which has not been used for two years or more.

A distinct namespace has been assigned to SARoNGS: DNs are of the form:


SARoNGS is registered by STFC in the UK access management federation. By the rules of membership, STFC is not permitted to pass these attributes to anyone outside STFC - at least not without the user's permission. We therefore generate an random, but fixed, string identifying the user which is mapped by SARoNGS to the user's eduPersonTargetedID.

Training CA

The training CA creates and issues credentials for training and related testing purposes. Certificates and private keys are generated by the CA and issued to a single person who is responsible for the certificates. This person will normally distribute the training certificates to the end users, keeping track of who gets which certificates.

Only people authorised to use the service can obtain certificates. They authenticate to the CA using their e-Science CA certificate.

The training CA also issues host certificates.


by Dr. Radut