UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

Slides:



Advertisements
Similar presentations
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Advertisements

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
+1 (801) Standards for Registration Practices Statements IGTF Considerations.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.
IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
UNAMgrid Alejandro Núñez Sandoval Rio de Janeiro, Brazil, 03/27/06 F2F meeting, TAGPMA.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
Academia Sinica Grid Computing Certification Authority (ASGCCA)
Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly
0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.
Egypt Certification Authority Dr. Ayman Bahaa-Eldin EUN Director 8 May th EuGridPMA meeting, Germany.
NIIF CA Status Update and Self-Audit Results 15 th EUGridPMA meeting Nicosia Tamás Máray NIIF Institute.
Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,
BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
GRID-FR French CA Alice de Bignicourt.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;
29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.
PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.
IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.
AEGIS Certification Authority
UGRID CA Sergii Stirenko, Oleg Alienin
جايگاه گواهی ديجيتالی در ايران
MaGrid CA Self audit and update
Emir Imamagić University Computing Centre (Srce)
Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau
MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019
KISTI CA Report Status & Self-Audit
BG.ACAD CA Self-audit report 2018
Presentation transcript:

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011

Overview  Self-audit was done in accordance with the GFD.169  Audit date: Jan 15, 2011  Summary: A : 52 B : 1 C : 8 D : 4 X : 3

3.1 Certification Authority CP/CPS (1) Every CA must have a CP/CPS (2) Is there a single CA organization per country, large region or international organization? UGRID CA is the country-wide CA. (3) Every CA must assign its CP/CPS an O.I.D. OID (4) Whenever there is a change in the CP/CPS the O.I.D. of the document must change… (C) Sergiy Velichkevych the a person determining CPS suitability for the policy

3.1 Certification Authority CP/CPS (5) All the CP/CPS under which valid certificates are issued must be available on the web. YES, all versions of CP/CPS are available on the web (6) The CP/CPS documents should be structured as defined in RFC YES (7) The CA computer where the signing of the certificates will take place must be a dedicated machine... The signing machine is a dedicated machine, completely offline and powered down between uses.

3.1 Certification Authority CA System (7) The CA system must be located in a secure environment... CA is located in High Performance Computing Center of the National Technical University of Ukraine “Kyiv Polytechnic Institute”. HPCC’s rooms are guarded with local security personnel. The signing machine locked in the safe with controlled access. (8) The CA system must be completely off-line or on-line. On-line CAs must use at least a FIPS CA is completely offline (9) The secure environment must be documented and approved by the PMA... (C) Secure environment not documented

3.1 Certification Authority CA Key (10) The CA key must have a minimum length of 2048 bits CA key is 2048 bits (11) The CA key must be configured for long term use 5 years, current Expiration date: Jan 19, 2013 (12) If the private key of the CA is software-based, it must be protected with a pass phrase … Yes, the private key is software-based. Protected with strong pass phrase known only to CA personnel. (13) Copies of the encrypted private key must be kept on offline media in a secure location where access is controlled. A copy of the encrypted private key is kept on offline media in secure location in the sealed box.

3.1 Certification Authority CA Key (14) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys … YES (15) The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists. (X) Not applicable, offline CA (16) When the CA’s cryptographic data needs to be changed, such a transition shall be managed … (C) Not documented (17) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid … (X) We haven’t changed CA crypto data yet

3.1 Certification Authority CA Certificate (18) CA must provide and allow distribution of an X.509 certificate to enable validation of end-entity certificates. Yes, published in EUGridPMA repository, available on the Web (19) Lifetime of the CA certificate must be no longer than 20 years. Lifetime of the CA certificate is 5 years (20) Lifetime of the CA certificate must be no less than two times of the maximum life time of an end entity certificate. YES, maximum lifetime of the end entity certificates is 1 year (21) The profile of the CA certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. YES

3.1 Certification Authority Certificate Revocation (22) Certificate revocation can be requested by end- entities, registration authorities, and the CA. Others can request … Usually, revocation can be requested by end-entity, RA or CA. Others can request revocation if they prove compromise of the private key. (23) The CA must react as soon as possible, but within one working day, to any revocation request received. Revocation requests are processed within one hour in working time and on a best effort basis on holidays. (24) Subscribers must request revocation of its certificate as soon as possible, but within one working day … Our clients are bound to it by our CP/CPS and the document they are signing for each request (25) Revocation requests must be properly authenticated. Encrypted and signed s in most cases. Photo ID in case if private key was lost.

3.1 Certification Authority Certificate Revocation List (26) Every CA must generate and publish CRLs. YES, (27) The CRL lifetime must be no more than 30 days. YES, 30 days (28) Every CA must issue a new CRL at least 7 days … YES, 10 days before nextUpdate field (29) Every CA must issue a new CRL immediately after a revocation. YES (30) The signed CRL must be published in a repository at least accessible via the World Wide Web, as soon as issued. YES, CRL is published as soon as issued (31) The CRLs must be compliant with RFC5280. YES

3.1 Certification Authority End Entity Certificates and Keys (32) The user key and the host key must have a minimum length of 1024 bits. YES (33) Lifetime of user certificates and host certificates must be no longer than 13 months. User and host certificated have lifetime not more than 12 months (34) No user certificates may be shared. Users are obliged through the CP/CPS and the document they are signing for each request (35) The authority shall issue X.509 certificates to end entities based on cryptographic data generated by the applicant … UGRID CA issue certificates to end entities based on cryptographic data generated by the applicant (36) Every CA should make a reasonable effort to make sure that subscribers realize the importance of properly protecting… It is clearly stated in the CP/CPS and in the paper certificate request form

3.1 Certification Authority End Entity Certificates and Keys (37) The end-entity certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. YES (38) If a commonName component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the end-entity. YES, first and last names in case of user certificate, and FQDN in case of host certificate (39) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed. (D) It is stated in the CP/CPS, but we don’t check (40) Certificates associated with a private key residing solely on hardware token may be renewed … (X) Not applicable, don’t use hardware tokens (41) Certificates must not be renewed or re-keyed consecutively for more than 5 years without a form of... YES, the subscriber must go through the procedure equal to the application for a new certificate at least once every 3 years.

3.1 Certification Authority Records Archival (42) Every CA must record and archive all requests for certificates, along with all issued certificates, all requests for revocation, all the issued CRLs and login/logout/reboot information of the issuing machine. (D) all except login/logout/reboot information of the issuing machine (43) These records must be available to external auditors in the course of their work as auditor. (D)Difficult to make available for auditing (44) These records must be kept for at least three years, where the identity validation records must be kept at least as long as there are valid certificates based on such a validation. YES, all records are kept

3.1 Certification Authority Audit (45) Each CA must accept being audited by other accredited CAs to verify its compliance with the rules and procedures specified in its CP/CPS document. YES, section 8 CP/CPS (46) Every CA should perform operational audits of the CA/RA staff at least once per year. Internal audits are performed at least once per year (47) A list of CA and RA personnel should be maintained and verified at least once per year. YES, RA list verified several times a year

3.1 Certification Authority Publication and Repository Responsibilities (48) The repository must be run at least on a best-effort basis, with an intended availability of 24x7. (B) YES, but some hours of downtime was in 2010 due to power failures (49) The accredited authority must publish their X.509 signing certificate as the root of trust. Yes, our root is published by EUGridPMA/IGTF (50) Each authority must publish the following for their subscribers, relying parties and for the benefit of distribution YES, all info published (51) The originating authority must grant to the PMA and the Federation the right of unlimited re-distribution … No distribution restrictions (52) The CA should provide a means to validate the integrity of its root of trust. YES, SHA1 fingerprint is published by EUGridPMA/IGTF (53) The CA shall provide their trust anchor to a trust anchor repository... YES, available in the EUGridPMA/IGFT repositories

3.1 Certification Authority Privacy and Confidentiality (54) Accredited CAs must define a privacy and data release policy compliant with the relevant national legislation. The CA is responsible for recording, at the time of validation, sufficient information regarding the subscribers to identify the subscriber. The CA is not required to release such information unless provided by a valid legal request according to national laws applicable to that CA. (C) The legislation has changed at the end of 2010 and it is necessary to modify the policy according to it

3.1 Certification Authority Compromise and Disaster Recover (55) The CA must have an adequate compromise and disaster recovery procedure, and we willing to discuss this procedure in the PMA. The procedure need not be disclosed in the policy and practice statements. (D) No compromise and disaster recovery plans

3.2 RA Entity Identification (1) A PKI CA must define the role of a registration authority (RA), and these RAs are responsible for the identity vetting of all end entities. YES, section of CP/CPS (2) In order for an RA to validate the identity of a person, the subject should contact the RA face-to-face and present photo-id and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA. YES, The initial authentication of a person based on government-issued identification documents and physical appearance of the applicant to the RA. (3) In case of non-personal certificate requests, an RA should validate the identity and eligibility of the person in charge of the specific entities using a secure method. encrypted and signed s

3.2 RA Entity Identification (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN … (C)Host ownership verified by DNS/WHOIS and personal RA knowledge (5) An RA must validate the association of the certificate signing request. RA does it by comparing the personal data and public key modulus at the paper form and incoming request to be processed (6) The CA or RA should have documented evidence on retaining the same identity over time. In all cases, the certificate request submitted for certification must be bound to the act of identity vetting. Checks Photo ID

3.2 RA Name Uniqueness (5) Any single subject distinguished name must be linked to one and only one entity. YES (6) Over the entire lifetime of the CA it must not be linked to any other entity. YES

3.2 RA RA to CA Communications (7) All communications between the CA and the RA regarding certificate issuance or changes in the status of a certificate must be by secure and auditable methods. YES, Encrypted and signed s (8) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate. (C) This procedure isn’t well documented

3.2 RA Records Archival (9) The RA must record and archive all requests and confirmations. (C) only paper personal certificate request forms and photo ID copies (10) The CA is responsible for maintaining an archive of these records in an auditable form. (C) Difficult to make available for auditing

Thank You !