News as of 11 December, 2018
- Read also the full policy
The DCA Service will keep a minimal amount of personal information, compatible with the goals of the service.
The goal of the RCauth Pilot ICA data processing is to provide a service that issues unique, long-term, non-reassigned identity assertions to its subscribers and their explicitly authorized (software) agents for the purpose of access control to and secure operation and management of academic and research distributed digital infrastructures.
All personal data processed by the RCauth Pilot ICA is a result of an explicit, user-initiated action, to which the user is a conscious and informed participant.
Besides this processing for delivering the certificate service, the DCA Service will store user information in log files and audit archives. These logs and audit records are used solely for administrative, operational, monitoring, security, and dispute resolution purposes of the RCauth Pilot ICA service. It may be shared for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures via secured mechanisms, only for the same purposes and only as far as necessary to provide the incident response capability.
Before authenticating the applicant, the service will inform the user regarding the goal of the service and give the applicant the choice to continue or abort the authentication. The information will describe the types of personal data that will be processed, the fact that this information may be shared with other authorised participants as stated in section 18.104.22.168, and contain a reference to this CP/CPS and the Privacy Plan contained therein.
The user will be informed when a certificate is requested, and can at that point object to the processing of the data. By continuing the certificate request process, the user agrees to the processing for the goals stated above. This attribute release agreement may be remembered across sessions, and this agreement can be withdrawn by the user discretionarily.
The following information will be processed:
- The name (display name, common name, and given name and surname) of the user
- An administrative number provided by the IdP used to identify the applicant (eduPersonUniqueID, eduPersonPrincipalName, or eduPersonTargetedID)
- A business electronic mail address of the user
- The professional affiliation of the user, for the purpose of embedding it in the certificate and for the security logs and audit records
- Any specific entitlements and authentication assurance level information provided that enable the certificate issuance to proceed
The following information will be stored:
- The issued certificates, containing the name of the user, the IdP administrative number or an rendering thereof, and the affiliation
- In the security audit logs, the certificate subject name including the information listed above, together with the affiliation (IdP entity identifier) and the full IdP administrative number
The following anonymous information derived from the personal data will be stored:
- In a long-term persistent database a one-way cryptographically non-salted secure digest of the certificate subject user elements to ensure non-reassignment of identifiers
- In a long-term persistent database a salted one-way cryptographically secure digest of the concatenation of all values of the attributes provided as by the IdP from the ordered list of displayName, givenName, sn, commonName, mail
The information is processed by the DCA Service at Nikhef, Amsterdam, The Netherlands, according to the conditions stated in section 5.1. Backups of data are stored under a confidentiality agreement by the contracted service provider Vancis, located in the Netherlands.
The information is received and processed by the RCauth Pilot ICA service, and the DCA Managers, Administrators and Operators responsible for this service.
Certificates and certificate information may be disclosed, after explicit consent by the user, to software agents and services that act on behalf of the user, and that have registered with the RCauth Pilot ICA service.
Having been so informed and the user having consented during the certificate application, the name and contact information consisting of the organisational affiliation (the IdP name) may be shared for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures via secured mechanisms, only for the same purpose, and only as far as necessary to provide the incident response capability.
Information may be shared with law enforcement if the RCauth CA, the DCA Service, Nikhef, or the Foundation FOM is so required by Dutch law.
For more information the user is referred to this comprehensive policy and practice statement at https://www.rcauth.eu/policy/.
Users can request access to information regarding all their data at any time, and all reasonable requests to correct and/or amend the data will be processed promptly. Due to the nature of the service, the RCauth service has a legitimate interest in recording the information recorded as per section 3.2.3 for as long as the certificate is valid plus the audit log retention period.
The personal data is protected in accordance with this CP/CPS, specifically sections 5.1 and 5.2.
Specifically the data is exclusively processed on
- The CA front-end web server, which is maintained at a high level of security and behind a double firewall both at the edge of the network and on the system itself, and where the software is maintained in accordance with best practices for vulnerability management and patching. It will run a minimal set of services. Access is via secure, encrypted and authenticated means only, and only from selected networks to which DCA service personnel have access.
This system is contained in a dedicated locked cabinet in a secure data centre to which access is individually controlled.
- The on-site disk back service, which is only accessible over a network from designated systems within Nikhef designated for secure system management operations, or through a VPN tunnel to which users authenticate with individual credentials, and to which only specifically authorized systems management personnel of Nikhef and the DCA service have access.
This system is contained in a secure data centre to which access is individually controlled.
- The off-site redundant tape backup service, which is managed under contract by Vancis Amsterdam, to which only authorized service personnel have access, and which is located in a vault inside a secure data centre where access is individually controlled.
All software is kept up to date and vulnerabilities in the software are patched promptly. Databases containing personal data are not accessible from outside the system.
The specific data protection measures are disclosed and discussed with accrediting bodies and qualified relying parties. Incidents involving personal data shall be pro-actively disclosed with the active users of the service, based on the communications information available at that time.
The information that is stored will be retained for the following periods:
- issued certificates, including the information contained therein name of the user, the IdP-provided administrative number, and the users affiliation (organisation name) for a period of 6 months after the end of the validity period of the issued certificate, i.e. in total 19 months.
- the subject name and the non-shortened versions of the affiliation (IdP entity identifier, home organisation name) and the full IdP administrative number for 19 months after the initial authentication transaction has completed, i.e. 6 months after the issued certificate has expired.
After this periods, the information will be archived in a separate long-term archive. The information in the long-term archive will be kept for a period of three years after the issuance of the certificate. The information in the archive is accessible only to the DCA Administrators and will be used exclusively for dispute resolution purposes.
In separate security audit logs will be recorded the attributes used to construct and issue the certificate - the displayName, commonName, givenName, sn, mail, eP(Scoped)Affiliation, ePPN, ePTID, ePUID, ePEntitlement, ePAssurance, the SAML NameID and the SAML AuthenticationContextClassReference as provided by the IdP to the service - for a period of 6 months. This information is not further archived.
The one-way cryptographically non-salted secure digest of the certificate subject user elements is not personal information and will be recorded in the database until three years after the RCauth service has ceased operation.
The salted one-way cryptographically secure digest of the concatenation of all values of the attributes provided as by the IdP from the ordered list of displayName, givenName, sn, commonName, mail is not personal information and will be recorded in the database until three years after the RCauth service has ceased operation.
In addition to the above, backups of all data are stored under confidentiality agreements and only for the purpose of security investigations and data recovery for a period of 90 days.