HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

Slides:

Advertisements

Similar presentations

RPKI Certificate Policy Status Update Stephen Kent.

Advertisements

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.

David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

+1 (801) Standards for Registration Practices Statements IGTF Considerations.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Academia Sinica Grid Computing Certification Authority (ASGCCA)

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

Grid Canada Certificate Authority Darcy Quesnel

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

KEK GRID CA updates Takashi Sasaki Computing Research Center KEK.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly

The NGS Support Centre Katie Weeks. NGS Support Centre SLD Many areas to NGS Support Centre –SLD defines supported areas including: Certification Authority.

0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

RPKI Certificate Policy Status Update Stephen Kent.

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

HKU Computer Centre Grid Certificate Authority Status Update Lilian Chan IT Services, The University of Hong Kong APGrid.

FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,

BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Feyza Eryol TÜBİTAK ULAKBİM TR-GRID CA SELF-AUDIT & UPDATES.

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.

TNGrid CA 24 th EUGridPMA meeting Ljubljana, Slovenia, January, 2012 Heithem ABBES Mohamed JEMNI

Self-Audit & Status Report for KEK GRID CA Hiroyuki Matsunaga KEK (High Energy Accelerator Research Organization), Computing Research Center APGridPMA.

PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.

IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.

AEGIS Certification Authority

UGRID CA Sergii Stirenko, Oleg Alienin

Guidelines for auditing Grid CAs

جايگاه گواهی ديجيتالی در ايران

MaGrid CA Self audit and update

Emir Imamagić University Computing Centre (Srce)

Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau

MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019

HKU Grid Certificate Authority (HKU Grid CA) CP/CPS Reviewer’s Comments Bill Yau

KISTI CA Report Status & Self-Audit

BG.ACAD CA Self-audit report 2018

Presentation transcript:

HellasGrid CA self Audit

In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2

Brief history HellasGrid CA was first presented and accredited in 2002 Major update on 2006 Minor updates until

Audit results Audit guidelines used: GFD.169 April 19, 2010 In policy: – B: 10 – C: 5 – D: 1 – X: 2 But in practice 8 "B” are “A” 4

“B”: 1/10 Is there a single CA organization per country, large region or international organization? (CA item 2) – Stated correctly but only in section 1.1 Overview instead of Certification Authorities – Practically an A 5

"B": 2/10 Is the CA system a dedicated system? (CA item 7) – Should be written more clearly – Practically an A 6

"B": 3/10 Is the CA system located in a secure environment where access is controlled? (CA item 8) – The building id has a typo… It should be 22b instead of 22d… – Practically an A 7

"B": 4/10 Does the CPS describe the protection of the CA private key? (CA item 13) – Yes, but under Activation data generation and installation (not Method for activating private key which is suggested) – Practically an A 8

"B": 5/10 Is a new CRL issued immediately after a revocation? (CA item 30) – Yes, but this is described in Operational Characteristics (not On-line revocation/status checking availability which is suggested) – Practically an A 9

"B": 6/10 Is the protection of private keys described as an end entity obligation? (CA item 37) – Yes, but this is described so in sections Who can submit a certificate application and Activation data generation and installation (not in Method of activating private key which is suggested) – Practically an A 10

"B": 7/10 How does the CA perform operational audits? (CA item 47) – This is described in section Retraining frequency and requirements (not in 5.4 Audit logging procedures which is suggested) – Practically an A 11

"B": 8/10 Is the web repository available 24x7 on a best? (CA item 49) – This is stated in section 2.4 Access control on repositories and not in section 2.1 Repositories which is suggested – Practically an A 12

"B": 9/10 How are privacy and confidentiality described? (CA item 55) – In general well enough but some further development of sections 9.3 Confidentiality of Business Information and 9.4 Privacy of personal information is suggested 13

"B": 10/10 How is the CA or the RA informed of changes? (RA item 8) – In general well enough but some further development of sections 4.8 Certificate modification and 4.9 Certificate revocation and suspension could be done 14

"C": 1/5 Does the CP/CPS describe the CP/CPS change procedures, publication and notification policies, and approval procedures? (CA item 4) – These are mentioned and described in section 1.5 Policy Administration. It is suggested that the relevant content is moved to section 9.12 Amendments and be further developed. 15

"C": 2/5 Is the CRL compliant with RFC 5280? (CA item 32) – Reason Code for all revoked certificates is: Unspecified. According to RFC 5280: “reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value” 16

"C": 3/5 No user keys may be shared. Is this described as an end-entity obligation? (CA item 35) – This is partly discussed in section Key Pair Generation. It is suggested that the text is refined and moved to section Subscriber Private Key and Certificate Usage. 17

"C": 4/5 Over the entire lifetime of the CA it must not be linked to any other entity. How does the CA guarantee this requirement? (RA item 6) – This is discussed but we suggest making the procedure more clear in section Uniqueness of names. 18

"C": 5/5 Does the RA maintain the archive of records in auditable form? (RA item 10) – This is not made clear in CP/CPS. Re-wording and refinement of the text in section Types of Records Archived is suggested. 19

“D”: 1/1 The end entity certificated must comply with the Grid Certificate Profile…? (CA item 38) – Section 7.1 of CP/CPS should be updated – In practice (after inspection): In subscribers certificates usage of Non-repudiation should be removed from keyUsage In host/service certificates extendedKeyUsage should be included in the extensions. 20

"X": 1/2 The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists (CA item 16) – Not online CA 21

"X": 2/2 The RA must record and archive all requests and confirmations. Does the RA record and archive all requests and confirmations? (RA item 9) – Aside application data other relevant information is archived via the HellasGrid user portal 22