GRIA Demo CA Certificate Policy
Purpose
The GRIA Demo CA certificate is intended solely for the purpose of permitting users to evaluate GRIA using the GRIA Demo system at IT Innovation and any other use is prohibited.
The GRIA Demo CA is intended to be lightweight and low value. No checks are performed to verify the identity of users when they register. No guarantee is made that the CA signature on any certificate accurately identifies its bearer, or that the bearer is a registered user of the www.gria.org website.
A keystore containing a private key and a certificate representing a user is generated solely for the purpose of permitting users to evaluate GRIA using the GRIA Demo system at IT Innovation.
Participants
There is one CA. This is the GRIA Demo CA.
There is one Relying Party, and this is the GRIA Demo system hosted at IT Innovation.
There may be many users. These are individuals who want to quickly evaluate GRIA by downloading a client, and the keystore will permit using the client against the GRIA Demo system hosted at IT Innovation.
There are no Registration Authorities. Registration is the process the user undergoes when they want to access the private part of the www.gria.org website. The user's information is stored in their profile, which is securely held within the private part of the www.gria.org website. The certificate issued by the GRIA Demo CA is derived from the information in the user's profile.
User Distinguished Names (User DNs) are unique within the CA. This means that no two users may have the same set of User DN fields (common name, email address, organisational unit, organisation, locality, state, country); each set of these fields identifies exactly one user.
Certificate Usage
The only permitted use for a certificate issued by the GRIA Demo CA is for evaluation of GRIA using the GRIA Demo system hosted by IT Innovation. All other use is prohibited.
Registration
A user enters data when they register at the GRIA website, and they may also optionally request a keystore for the purposes of evaluating GRIA using the GRIA Demo system at IT Innovation. Requesting a keystore means that the user accepts the terms and conditions of this Certificate Policy. The keystore data is generated from the data the user entered when they registered with the www.gria.org website.
No checks are made concerning the validity of any information used in the Subject field of certificates issued by the GRIA Demo CA. Hence no guarantees are made as to the validity of certificates issued by the GRIA Demo CA.
If a user requests a keystore, any certificates already issued to them by the GRIA Demo CA (i.e. bearing the same DN) will be revoked.
Certificate Lifecycle & Revocation
The keystore is generated on demand by the user, and a button is provided on the download pages for this. The keystore is deleted from IT Innovation's systems once it has been downloaded.
Certificates have a lifetime of three months from the date of generation.
If the bearer of a certificate is believed to be misusing the GRIA Demo system, the certificate will be revoked.
If an already-certified user (i.e. a user who already has a keystore with a certificate issued by the GRIA Demo CA) requests a keystore, any existing certificates bearing the DN of that user will be revoked.
The Relying Party (the GRIA Demo system at IT Innovation) checks the latest Certificate Revocation List (CRL) every time a user connects to the GRIA Demo system; revocation therefore takes effect as soon as a new CRL is published.
If the CA is found to be compromised, the Relying Party will immediately remove the GRIA Demo CA certificate from its trusted store.
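As an added illustration of the relying-party checks this section describes, the following Python (not code from the GRIA project and not part of this policy) uses the third-party `cryptography` package to build an in-memory Demo CA, issue a user certificate from the DN fields listed under Participants, publish a CRL, and apply the checks a relying party would run on every connection: trusted issuer with a verifying CA signature, validity window and the three-month lifetime cap, a fresh CA-signed CRL, and revocation status. The function names, the 92-day bound used for "three months", the sample DN and the choice of ECDSA keys are assumptions made for the example; the example also treats a stale CRL as a failure, which the policy implies (the latest CRL is checked every time) but does not state.

```python
# Added example, not GRIA project code: relying-party checks for a
# GRIA-Demo-CA-style certificate policy. CA, user certificate and CRL are
# all constructed in memory here (sample data, not real GRIA material).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_LIFETIME = timedelta(days=92)  # assumption: "three months" bounded at 92 days

# The DN fields the policy says identify a user.
DN_FIELDS = {
    "CN": NameOID.COMMON_NAME, "emailAddress": NameOID.EMAIL_ADDRESS,
    "OU": NameOID.ORGANIZATIONAL_UNIT_NAME, "O": NameOID.ORGANIZATION_NAME,
    "L": NameOID.LOCALITY_NAME, "ST": NameOID.STATE_OR_PROVINCE_NAME,
    "C": NameOID.COUNTRY_NAME,
}


def days_from_now(days):
    return datetime.now(timezone.utc) + timedelta(days=days)


def _naive_utc(dt):
    """Normalise aware (newer cryptography) and naive (older) datetimes to naive UTC."""
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def _when(obj, name):
    """Prefer the *_utc accessors of cryptography >= 42, else the older ones."""
    return _naive_utc(getattr(obj, name + "_utc", None) or getattr(obj, name))


def make_ca(cn="GRIA Demo CA"):
    """Self-signed CA with a fresh ECDSA key (generated in memory for the demo)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(days_from_now(-1)).not_valid_after(days_from_now(365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_cert(ca_key, ca_cert, dn, lifetime_days=91):
    """Issue a user certificate from a dict of the policy's DN fields."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(DN_FIELDS[k], v) for k, v in dn.items()])
    start = days_from_now(0) - timedelta(minutes=5)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=lifetime_days))
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials, valid_for_days=1):
    """Sign a CRL listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(days_from_now(0) - timedelta(minutes=5))
               .next_update(days_from_now(valid_for_days)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(days_from_now(0)).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def relying_party_check(cert, trusted_ca, crl, now=None):
    """Return (accepted, reason). trusted_ca is None once the Demo CA has been
    removed from the trust store, as the policy requires after a compromise."""
    now = _naive_utc(now or days_from_now(0))
    if trusted_ca is None:
        return False, "GRIA Demo CA is not in the trust store"
    if cert.issuer != trusted_ca.subject:
        return False, "issuer is not the GRIA Demo CA"
    try:  # a same-named but differently-keyed CA fails here
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "CA signature does not verify"
    not_before, not_after = _when(cert, "not_valid_before"), _when(cert, "not_valid_after")
    if not not_before <= now <= not_after:
        return False, "outside validity period"
    if not_after - not_before > MAX_LIFETIME:
        return False, "lifetime exceeds the three-month policy maximum"
    # The latest CRL is consulted on every connection: an unsigned or stale
    # CRL is a failure, never a pass.
    if crl.issuer != trusted_ca.subject or not crl.is_signature_valid(trusted_ca.public_key()):
        return False, "CRL is not signed by the GRIA Demo CA"
    if _when(crl, "next_update") < now:
        return False, "CRL is stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate has been revoked"
    return True, "accepted"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    dn = {"CN": "Eval User", "emailAddress": "eval@example.org", "OU": "Evaluation",
          "O": "Example Org", "L": "Southampton", "ST": "Hampshire", "C": "GB"}
    _, old = issue_user_cert(ca_key, ca_cert, dn)   # superseded by a re-request
    _, cur = issue_user_cert(ca_key, ca_cert, dn)
    crl = make_crl(ca_key, ca_cert, [old.serial_number])  # policy: old DN cert revoked
    print(relying_party_check(cur, ca_cert, crl), relying_party_check(old, ca_cert, crl))
```

The order of checks matters: issuer name and signature are verified before any date or CRL logic so that a certificate from a look-alike CA never reaches the revocation lookup, and the CRL's own signature and freshness are checked before its contents are trusted.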
Data Protection
Information from the user's profile is used to generate the keystore. The information is subject to data protection legislation under English law, and is held by the University of Southampton only for the purpose of communicating with the user regarding the GRIA software. It will not be released to any third party.