MaGrid CA Self audit and update

Presentation transcript:

MaGrid CA Self audit and update
Nabil Talhaoui, MaGrid - CNRST
Mob.: +212 6 00 01 94 42
Mail: talhaoui@cnrst.ma
43rd EUGridPMA meeting, Karlsruhe, KIT, 23-25 May 2018 (presented 25/05/2018)

Overview
- General information
- Some statistics
- Self-audit report
- Policy updates

General information
- Established by CNRST in October 2006 and accredited in September 2007.
- Single CA in the Moroccan academic field.
- Provides X.509 certificates for academic research and educational activities in Morocco (for e-science and grid).
- Managed by the CNRST-MaGrid team.
- The CP/CPS document follows RFC 3647.
- Web site: http://www.magrid.ma/ca

Speaker notes: After this brief overview of CNRST and its projects, let us focus on the core of this presentation, the MaGrid CA. It was established in October 2006 and is the single CA in the Moroccan academic field.

General information (continued)
- The CA operates under a relatively old CP/CPS (v3.1): http://ra.magrid.ma/pub/policy
- Current OID of the CP/CPS: 1.3.6.1.4.1.26529.10.1.3.1
- New version 3.2 will be available soon, with some updates.
- Changed to SHA-2 (since March 2015).
- Extended the lifetime of the root certificate in November 2017.

Some statistics (EE certificates)
From 2007 to 2017 (before renewing the CA root): 658 certificates issued in total.

  Certificates   Number   Valid   Expired   Revoked
  Users          431      403     28
  Servers        227      225     2

From November 2017 until now: 87 valid certificates (53 for users and 24 for servers) and 5 revoked certificates (users).
Since March 2015, all EE certificates have been issued with the SHA-256 hash function.

Some statistics (RA list)
- From 2007 to 2017: 4 RAs (University of Tangier, University of Oujda, CNESTEN and CNRST-Rabat). The CNRST RA also serves other Moroccan institutions (universities, research centres, ...).
- Now (2018): only one RA is operational (CNRST-Rabat), so face-to-face vetting of users has become complicated (long travel).
- We are currently working with the MARWAN NREN (IdF team) to establish one RA per university/institution, serving both the MaGrid CA and TCS certificates.

Self audit
The self-audit was performed using the Guidelines for auditing Grid CAs, version 1.1 of October 27, 2010.
Audit date: May 11, 2018
Summary:
- 60 items with score A (good)
- 4 items with score B (minor change)
- 3 items with score X (N/A)

Self audit, B-1: TRUE, but to be made clearer in the CP/CPS (item 3.1.3-13)
Guideline: Copies of the encrypted private key must be kept on offline media in a secure location where access is controlled.
The CP/CPS text should be adapted to name the media used (CD and USB); this is of course already the practice.

Self audit, B-2: TRUE in the CP/CPS, but not yet in practice (item 3.1.3-14)
Guideline: The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.
Problem: the pass phrase and the encrypted keys are all kept in the same location (the same as the signing machine).
Solution: move the pass phrase to another secure location; a second safe will be used for this.

Self audit, B-3: TRUE in the CP/CPS (item 3.1.6-28)
Guideline: Every CA must issue a new CRL at least 7 days before the time stated in the nextUpdate field for off-line CAs, and at least 3 days before the time stated in the nextUpdate field for automatically issued CRLs by on-line CAs.
Problem: some CRLs were issued less than 7 days before the nextUpdate time stated in the latest-issued CRL. No CRL ever expired, but to prevent a repeat we have assigned this task to one person, who has scheduled CRL issuance every 22 days.
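The B-3 finding above (and its repetition in the list of issues identified by the self-audit) is a timing check that can be automated rather than done by hand. The following script is an added example, not the MaGrid CA's own tooling: it reads the text that `openssl crl -in ca.crl -noout -lastupdate -nextupdate` prints, computes the latest allowed re-issue date under the 7-day (off-line) or 3-day (on-line) rule quoted on the slide, grades a history of consecutively published CRLs the way the audit did, and checks whether a fixed calendar such as the 22-day cycle mentioned above leaves enough lead time. The sample openssl output and the CRL history are constructed for this example, and the 30-day CRL validity used in the calendar check is an assumption, not a figure from the slides.

```python
"""CRL re-issue checks for guideline item 3.1.6-28 (added example, not MaGrid CA code).

An off-line CA must issue a new CRL at least 7 days before the nextUpdate of
the CRL it currently publishes; an on-line CA issuing CRLs automatically
must do so at least 3 days before. Input is the text printed by
    openssl crl -in ca.crl -noout -lastupdate -nextupdate
"""
from datetime import datetime, timedelta

# Minimum lead time before nextUpdate required by the guideline.
MIN_LEAD = {"offline": timedelta(days=7), "online": timedelta(days=3)}

# Constructed sample of `openssl crl -noout -lastupdate -nextupdate` output.
SAMPLE_CRL_INFO = """\
lastUpdate=May 11 09:00:00 2018 GMT
nextUpdate=Jun 10 09:00:00 2018 GMT
"""

# Constructed history of consecutively published CRLs as (thisUpdate, nextUpdate)
# strings in openssl's time format; the third CRL was issued too late.
SAMPLE_HISTORY = [
    ("Jan  1 09:00:00 2018 GMT", "Jan 31 09:00:00 2018 GMT"),
    ("Jan 22 09:00:00 2018 GMT", "Feb 21 09:00:00 2018 GMT"),
    ("Feb 18 09:00:00 2018 GMT", "Mar 20 09:00:00 2018 GMT"),  # only 3 days of lead time
    ("Mar 10 09:00:00 2018 GMT", "Apr  9 09:00:00 2018 GMT"),
]


def parse_openssl_time(value):
    """Parse e.g. 'Jun  1 09:00:00 2018 GMT' (openssl pads the day with a space)."""
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")


def parse_crl_dates(text):
    """Return (thisUpdate, nextUpdate) from openssl's lastUpdate=/nextUpdate= lines."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            found[key] = parse_openssl_time(value)
    return found["lastUpdate"], found["nextUpdate"]


def reissue_deadline(next_update, mode="offline"):
    """Latest moment at which the following CRL may be issued."""
    return next_update - MIN_LEAD[mode]


def check_reissue(published_next_update, issued_at, mode="offline"):
    """Grade one issuance: returns (ok, margin_days).

    margin_days is how long before the published nextUpdate the new CRL
    appeared; a negative value means the old CRL had already expired.
    """
    margin = published_next_update - issued_at
    return margin >= MIN_LEAD[mode], margin.total_seconds() / 86400


def audit_crl_history(history, mode="offline"):
    """Check every CRL after the first against the nextUpdate of its predecessor.

    history is a list of (thisUpdate, nextUpdate) strings in openssl format;
    the result is a list of (index, ok, margin_days), i.e. the check the
    self-audit performed by hand.
    """
    parsed = [(parse_openssl_time(t), parse_openssl_time(n)) for t, n in history]
    results = []
    for i in range(1, len(parsed)):
        ok, margin = check_reissue(parsed[i - 1][1], parsed[i][0], mode)
        results.append((i, ok, margin))
    return results


def schedule_is_compliant(crl_validity_days, issue_interval_days, mode="offline"):
    """Does a fixed calendar (CRL valid M days, issued every N days) leave enough lead time?"""
    return timedelta(days=crl_validity_days - issue_interval_days) >= MIN_LEAD[mode]


if __name__ == "__main__":
    this_update, next_update = parse_crl_dates(SAMPLE_CRL_INFO)
    print("current CRL valid from", this_update, "until", next_update)
    print("next CRL must be issued no later than", reissue_deadline(next_update))
    for i, ok, margin in audit_crl_history(SAMPLE_HISTORY):
        verdict = "OK" if ok else "VIOLATION"
        print(f"CRL #{i}: issued {margin:.1f} days before previous nextUpdate -> {verdict}")
    # The 22-day cycle from the slide, with an assumed 30-day CRL validity.
    print("22-day cycle with 30-day CRLs compliant:", schedule_is_compliant(30, 22))
```

Run it as a cron job against the CRL actually published on the repository, not against a local copy: the guideline is about what relying parties can fetch, and a CRL signed on time but uploaded late still leaves them without a fresh one.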

Self audit, B-4: TRUE in practice, but not defined in the CP/CPS (item 3.1.10-53)
Guideline: The CA shall provide their trust anchor to a trust anchor repository, specified by the accrediting PMA, via the method specified in the policy of the trust anchor repository.
Not defined in the policy, but of course done in practice.

Self audit: issues identified
- Not all downtimes were announced to the relying parties. We will do our best to avoid this in future.
- Some CRLs were issued less than 7 days before the nextUpdate time stated in the latest-issued CRL, though no CRL expired. Solution: a scheduled task and a dedicated person.

Self audit: issues identified (continued)
- Power failures due to external causes (electricity provider). CNRST has installed a generator set that guarantees continuity of power in case of a power failure.
- All e-mail communications between the CA or an RA and a subscriber must be signed with a certified key in order to have the value of a proof, and all requests for any action must be signed. Not all users know how to use signed e-mail, so they prefer to come to the RA/CA directly with their laptops. We will give training to subscribers.

Policy updates
New CA manager, address and phone changes:
- Nabil Talhaoui has been nominated as the new CA manager of the MaGrid CA, replacing Dr. Redouane Merrouch, head of the MARWAN NREN.
- The CA manager's phone number and e-mail address change; they will be updated in version 3.2.
- No change to the work address or fax.

MaGrid CA and TCS certificates
CNRST, through the MARWAN NREN, became a member of TCS following the signing of a contract with GEANT covering the period from 1 May 2018 to 30 June 2019.
The MARWAN NREN has drawn up a commitment agreement for institutions connected to the MARWAN network. It fixes the conditions of use, defines the list of people authorized to validate certificate and revocation requests, and covers the declaration of organizations and domains by the so-called administrators.

MaGrid CA and TCS certificates (continued)
At the MaGrid CA level, we will nominate the administrative contacts who manage the TCS service within the universities and institutions connected to MARWAN as RA managers for the MaGrid CA. This solves the problem of the single, centralized RA currently run by CNRST.
One RA per institution/university, acting both as RA for the MaGrid CA and as administrative contact for MARWAN/TCS.

MaGrid CA and TCS certificates: scope
  TCS certificates:        NREN activities, projects and e-services
  MaGrid CA certificates:  only grid activities and projects
  Certificate types:       services, users, hosts

CRL on IPv6?
- IPv6 on the native MARWAN infrastructure: the MARWAN team is working on this.
- The CRL will be available over IPv6 soon (is there any deadline?).

Implementing changes to the CP/CPS
The audit report is available to the reviewers. All corrections will go into the new version of the CP/CPS (version 3.2), including:
- changes from the self-audit
- changes suggested by the reviewers
- some updates (new CA manager contacts)

Thank you