Currently, OSG PKI does not require a user to select a sponsor when submitting a user certificate request. In the past, the DOEGrids certificate request form allowed users to select a sponsor from a dropdown, or to manually specify the sponsor's name/email/phone number, which helped the RA process the request.
The RA often doesn't know who the requester is (a new graduate student, for example), but the requester should know a sponsor (usually a supervisor) whom the RA knows. This lets the RA make an approval decision more quickly and more accurately.
The OSG PKI team has decided to add this capability to OSG PKI in our next OIM release (v3.14), scheduled for 3/26.
The following changes are proposed to implement the requested functionality in the OIM user interface. No changes are needed for the CLI, since we currently provide no CLI for user certificate requests.
A. Splitting RA / Sponsor information
Currently, sponsor information is stored as part of the RA/Tertiary contacts.
To provide separate access control between RA and Sponsor, and a cleaner implementation, we should create a dedicated contact type named "Sponsor". The proposed UI will look like the following:
A Sponsor contact entry can contain a single primary contact and up to 30 secondary sponsor contacts. Currently there is no distinction between primary and secondary sponsors; this simply follows the existing convention of the other contact types.
The user certificate model will be updated to use the separate contact type for the various access control functions and for the functions used to pull lists of RAs or sponsors.
A database migration script will be written to migrate the Tertiary RAs (the current sponsors) to the new dedicated sponsor list as secondary sponsors.
B. Allowing all VO contacts to edit sponsor list
The sponsor list will be editable by any contact listed in the VO contacts, including RAs. (RA contacts themselves can only be edited by OSG PKI staff.) OSG PKI staff can also edit the sponsor fields of all VOs.
C. Requiring a user to select (or manually specify) a sponsor
The current form allows the user to select a VO. We will add a new required field for a sponsor.
If the selected VO has sponsors listed (some VOs may have none), the user will be able to select a sponsor from a dropdown list.
The user can also choose "Manually Specify" in order to enter a sponsor not listed in the dropdown.
If the user selects a VO with no sponsors listed, the user will not see the sponsor dropdown list but will instead see the sponsor detail fields.
As with manual entry, the user is required to enter the full name and email address of the sponsor in order to submit the request.
D. Update request notification to include sponsor information and alert the RA
When a user submits a request, the sponsor's email address will be CC-ed on the Footprints notification ticket. Also, if the user picks a sponsor from the sponsor dropdown box, meaning the selected sponsor is a valid sponsor registered for that VO, then OIM will add the following note to the notification ticket:
User has selected a registered sponsor: Soichi Hayashi which has been CC-ed to this request.
If the user has manually specified a sponsor, OIM will add the following note instead:
User has manually entered sponsor information with name: Soichi Hayashi. RA must confirm the identity of this sponsor. RA should also consider registering this sponsor for this VO.
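The following Python sketch is an added example of the rules in sections B, C and D; it is not OIM's code (OIM is not written this way) and the VO, contact names and addresses in it are constructed. It models who may edit a VO's sponsor list, the primary/secondary sponsor cap, and how a request's sponsor is validated and turned into the CC address and ticket note, distinguishing a registered sponsor from a manually entered one that the RA still has to verify.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_SECONDARY_SPONSORS = 30  # proposal: one primary plus up to 30 secondary sponsors

@dataclass(frozen=True)
class Contact:
    name: str
    email: str

@dataclass
class VO:
    name: str
    contact_emails: set[str]  # every listed VO contact, RAs included
    primary_sponsor: Contact | None = None
    secondary_sponsors: list[Contact] = field(default_factory=list)

    def sponsors(self) -> list[Contact]:
        primary = [self.primary_sponsor] if self.primary_sponsor else []
        return primary + list(self.secondary_sponsors)

def can_edit_sponsor_list(actor: str, vo: VO, pki_staff: set[str]) -> bool:
    # Section B: any VO contact (RAs included) or OSG PKI staff may edit the sponsor list
    return actor in pki_staff or actor in vo.contact_emails

def add_secondary_sponsor(vo: VO, actor: str, pki_staff: set[str], sponsor: Contact) -> None:
    if not can_edit_sponsor_list(actor, vo, pki_staff):
        raise PermissionError(f"{actor} may not edit the sponsor list of {vo.name}")
    if len(vo.secondary_sponsors) >= MAX_SECONDARY_SPONSORS:
        raise ValueError("secondary sponsor list is full")
    vo.secondary_sponsors.append(sponsor)

def sponsor_for_request(vo: VO, selected: Contact | None = None,
                        manual_name: str = "", manual_email: str = "") -> tuple[str, bool, str]:
    """Sections C/D: return (cc_email, is_registered, ticket_note) or raise ValueError."""
    if selected is not None:
        # A dropdown value must be a sponsor actually registered for this VO
        if selected not in vo.sponsors():
            raise ValueError("selected sponsor is not registered for this VO")
        return selected.email, True, (f"User has selected a registered sponsor: {selected.name} "
                                      "which has been CC-ed to this request.")
    # Manual entry (or a VO with no sponsors): full name and email address are required
    if not manual_name.strip() or "@" not in manual_email:
        raise ValueError("full name and email address of the sponsor are required")
    return manual_email, False, (f"User has manually entered sponsor information with name: {manual_name}. "
                                 "RA must confirm the identity of this sponsor. "
                                 "RA should also consider registering this sponsor for this VO.")

# Constructed sample VO (not real OSG data): one RA contact and one registered primary sponsor
SAMPLE_VO = VO("ExampleVO", {"ra@example.org"}, Contact("Pat Sponsor", "pat@example.org"))
```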
All of the above features as described in this document have been prototyped and can be tested on OIM-ITB.
Unless major changes are necessary, I expect these changes to be released in our next GOC production window on 3/26.