IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May 2014

IRAN-GRID CA Self Audit Overview IRAN-GRID CA Self Audit Conclusions

IRAN-GRID CA Self Audit IRAN-GRID CA

IRAN-GRID CA Self Audit Established in May 2008 Certificates for the Iranian academic and research community Public web site: Address Institute for Research in Fundamental Sciences (IPM), Niavaran square., Niavaran Bldg. Tehran, Iran, P. O. Box Tel: Fax:

IRAN-GRID CA Self Audit Organization CA & IRAN-GRID –Two staff members:  Shahin Rouhani,  Heydar Saadatmand Javan

IRAN-GRID CA Self Audit System Architecture OpenCA (to be upgraded) Online interface (RA) –Used for certificate requests –Used by RA for request confirmations –Deployed on institute’s main web server Offline (CA) –Laptop and backup media kept in safe accessible to CA staff only –Data transfer achieved by USB –Data backup performed after each operation

IRAN-GRID CA Self Audit Certificates Total: 20 issued certificates –Host: 10 –User: 10 Revoked: –user 11 –Host 2

IRAN-GRID CA Self Audit CP/CPS Update April 2010 Upgraded to RFC 3647

IRAN-GRID CA Self Audit SHA2 Upgrade Planned for June 2014

IRAN-GRID CA Self Audit Self audit

IRAN-GRID CA Self Audit Versions Guidelines for auditing Grid CAs version 1.0, by Y Tanaka, M Viljoen, S Rea –February 17, –Slight change: award marks instead of letters according to: D = 0 Advice (must change) C = 1 Recommendation (major change) B = 2 Recommendation (minor change) A = 3 Good X not available to check –This method provides a total numerical score IRAN-GRID CA CP/CPS Version 2.0(approved) –13 April 2010 –Available on

IRAN-GRID CA Self Audit Summary 1. Pre-examination –Operational Manuals for RA-CA staff were non existent. CA obliged to prepare manuals within two months 2. Main Examination –Total number of items: 70 –Total score: 207/210 ~ 98% Marks: –0: None –1: None –2: 3 items –3: 67 items –X: None

IRAN-GRID CA Self Audit Certification authority

IRAN-GRID CA Self Audit CP/CPS The CP/CPS documents should be structured as defined in RFC IRAN-GRID CA has upgraded to RFC 3647.

IRAN-GRID CA Self Audit CA System The secure environment must be documented and approved by the PMA, and that document or an approved audit thereof must be available to the PMA. This environment has only been audited by management 0f IPM- Grid. Last audit was in 2010, 2012 Audit was missed.

IRAN-GRID CA Self Audit Certificate Revocation List Every CA must issue a new CRL at least 7 days before expiration. Although it has never reached 0 days but sometimes at less than 7 days.

IRAN-GRID CA Self Audit Publication and repository responsibilities The repository must be run at least on a best-effort basis, with an intended availability of 24x7. With the exception of some downtime, this has been achieved. Downtimes happened mainly due to operator negligence in the server room.

IRAN-GRID CA Self Audit Registration authority

IRAN-GRID CA Self Audit Records and archival The CA is responsible for maintaining an archive of these records in an auditable form. Records were kept in a mixture of digital and paper. It was recommended that a complete parallel digital and paper format should be kept.

IRAN-GRID CA Self Audit Conclusion Our next Audit in 2016 Proposed changes and recommendations will be done during 2014; Upgrade OpenCA to 1.5.1; Upgrade to SHA2.

IRAN-GRID CA Self Audit Thank You!