IGTF Risk Assessment Team 9/14/091

Membership RAT membership is open to all IGTF members Contact to join and help with the risk assessment process 9/14/092

IGTF RAT Audit ( ) Timeline: – 15 Jan: RAT begins drafting message – 11 Feb: Request sent to CA operators – 23 Feb: 57 of 80 CAs responded; reminder sent – 12 Mar: 75 of 80 CAs responded; reminder sent – 26 Mar: 77 of 80 CAs responded – 27 Apr: 77 of 80 CAs responded; reminder sent – 28 Apr: 78 of 80 CAs responded – 11 May: 79 of 80 CAs responded – 9 Aug: 80 of 80 CAs responded 9/14/093

IGTF RAT Audit ( ) Results: – 3 CAs issued certificates containing (EC)DSA keys, which will all be expired by Aug – 11 CAs issued certificates using MD5. – No CAs were currently issuing certificates using MD5. – 19 CAs issued CRLs using MD5. – 8 CAs were currently issuing CRLs using MD5. – 30 CAs had implemented automated checks for RSA keys with weak exponents. – 31 IGTF CAs had implemented automated checks for known weak Debian OpenSSL keys. – 38 IGTF CAs had implemented automated checks for issued certificates using MD5. 9/14/094

Communications Test Timeline: – 25 Aug: Request sent to CA operators – 26 Aug: 74 CAs responded within 24 hours; 20 CAs did not; follow-up request sent to non-responding CAs – 27 Aug: 15 more CAs responded; results posted to igtf- general, after which 1 more CA responded – 28 Aug: MD-Grid CA responded Still no response from: – 6fee79b0 IUCC – 742edd45 CALG – 8a PolishGrid 9/14/095

CRL Issues In August CAs that failed to update their CRLs prior to the Next Update date: – 3f0f4285 ULAGrid-CA-2008 – 742edd45 CALG CAs that failed to update their CRLs at least 3 days prior to the NextUpdate date: – 1f0e8352 NorduGrid – 24c3ccde UNAMgrid-ca – 3f0f4285 ULAGrid-CA-2008 – 6fee79b0 IUCC – 742edd45 CALG – 7d0d064a MARGI – 99f9f5a3 FNAL-SLCS – b7bcb7b2 UNLPGrid – d254cc30 CERN-Root CRLs that could not be downloaded for over 24 hours: – 367b75c3 UKeScienceCA-2007 – 3f0f4285 ULAGrid-CA-2008 – 6e3b436b AustrianGrid – 7b54708e MaGrid – 98ef0ee5 UKeScienceRoot-2007 CRLs with Last Update date in the future: – 742edd45 CALG 9/14/096

MD5 Status CAs issuing MD5 CRLs: – 1e12d831 APAC (CA cert expires Jan 2016) – 1e43b9cc Grid-Ireland (CA cert expires Jul 2012) – 367b75c3 UKeScienceCA-2007 (CA cert expires Oct 2012) – 5e5501f3 RMKI (CA cert expires Oct 2009) CA certificates with MD5 signatures: – 34a509c3 CNRS-Projets (expires Apr 2011) – cf4ba8c8 CNRS (expires Apr 2011) 9/14/097

SHA-1 -> SHA-2 Algorithms Issues: – PureTLS in Java CoG Kit (jglobus) 30 – SHA-2 support in OpenSSL starting in RHEL5/SL5 gLite 3.1 using RHEL4 through 2010 gLite 3.2 using RHEL5 Conclusion: Grid middleware not ready for SHA-2. 9/14/098

Null-Prefix Attacks Null character in subject of certificate request – CN= – CN=*\0.thoughtcrime.org Tricks automated checks performed by CA Tricks TLS software hostname matching algorithm Impact on IGTF host certificate request verification? – Example: NCSA MICS does automated verification; existing sanity checks reject null-prefix requests 9/14/099