CNIC Grid CA / SDG CA Self Audit
Kejun (Kevin) Dong, Computer Network Information Center (CNIC), Chinese Academy of Sciences
APGridPMA F2F, ASGC, March 08, 2010
Overview
– CNIC Grid CA / SDG CA
– Self Audit
– Conclusion
CNIC Grid CA
– CNIC is an institute of CAS.
– CNIC Grid CA is the security infrastructure of CNIC Grid; it is a root CA.
– CNIC Grid CA Repository: CP/CPS, Introduction, Manual
– CA Certificate: 20 years validity; it only issues sub-CA certificates and certificates for CA servers and operators.
SDG CA
– Scientific Data Grid (SDG) is an application grid based on the sharing of, and collaboration on, scientific data resources.
– SDG CA is the SDG security infrastructure and the subordinate CA of CNIC Grid CA.
– SDG CA Repository: CP/CPS, Introduction, Manual
– SDG CA Certificate: 20 years validity
– Types of certificates: Person, Host, Service
– Approved by APGridPMA in July 2006
CNIC Grid/SDG CA staff
– Operators (all staff): Kevin Dong, Kai Nan, Kevin Dong, Yihua Zheng, Yueda Wang, Huabiao Li
– Administrator: Kevin Dong
Hardware
– CA server: DELL GX620, P4 CPU 3.20GHz, Red Hat Linux AS4; offline, with no connection to any other network; UPS is supplied.
– RA server: DELL GX620, P4 CPU 3.20GHz, Red Hat Linux AS4; connected to the Internet. Only the ports necessary for RA operation are opened; all other ports are filtered by the firewall. UPS is supplied.
– Web server (repository): the same machine as the RA server; connected to the Internet in the same way as the RA server; UPS is supplied.
Software
– OpenCA
– CertUtility Tool: generates CSRs
Physical Access
– CA room: located in the CNIC machine room. Only a limited set of people can enter: the Security Officer, the CA Operators and other CNIC administrators. The doors are equipped with a fingerprint recognition system and the room is monitored by CCTV.
– Physical access: a CA operator is not allowed to access the CA machines alone and must do so together with another CA operator. If a CA operator needs to access the CA machines alone, he must notify the user administrator by s before and after entering the room. All events concerning access to the machines must be recorded on the paper sheets prepared in the room; the record includes the names of the CA operators, the date and time of entering and leaving the room, and the purpose of the access. The filled sheets are kept in the dedicated safe box.
Workflow of Issuing Certificates (actors: User, User Admin, CA Operator, RA server, CA server)
1. The user generates the keypair and CSR locally and uploads the CSR to the RA, or fills in the form on the RA web page, which generates the CSR automatically and sends it to the RA.
2. The user is identified by in-person interview or official document.
3. The user administrator instructs the CA operators to accept the request.
4. Approve the CSR.
5. Copy the CSR to a USB disk.
6. Give the USB key to the other CA operator.
7. Copy the CSR to the CA server.
8. Issue the certificate with proper validity.
9. Copy the certificate to the USB key.
10. Copy the certificate to the RA server.
11. Publish the certificate.
12. Send the successful-issuing mail and the CRIN mail.
Current status of SDG CA
– Number of issued certificates by Mar. 07: User Certificate / Service Certificate / Host Certificate / Total
Current status of SDG CA (by Mar. 07, 2010)
– Valid certificates: 50
– Expired certificates: 199
– Revoked certificates: 30
– Total: 279
Current status of CNIC Grid CA
– Number of issued certificates by Mar. 07: Sub-CA Certificate / Host Certificate / Total211105
Current status of CNIC Grid CA (by Mar. 07, 2010)
– Valid certificates: 2
– Expired certificates: 3
– Revoked certificates: 0
– Total: 5
Self Audit
– SDG CA: CP/CPS 1.8 -> 1.9; CRL Profile 1.3 -> 1.4
– CNIC Grid CA: CP/CPS 1.4 -> 1.5; CRL Profile 1.2 -> 1.3
– AuditingSpreadsheet.xls, IGTF classic profile: IGTF-AP-classic-4-2
– Special thanks to Yoshio
Summary of Marks
– A: 66
– B: 3
– C: 2
– D: 0
RA - (4): The RA should ensure that the requester is appropriately authorized by the owner of the associated FQDN, or by the responsible administrator of the machine, to use the FQDN identifiers asserted in the certificate.
– The role that ensures this FQDN authorization will be defined in section 4.3.1 of the CP/CPS.
– Mark: B
RA - (6): The CA or RA should have documented evidence on retaining the same identity over time.
– It is obvious that the DN is unique for a person because the or FQDN is included. Now it is defined in section
– Mark: C
CA - (16): The on-line CA architecture must provide for a log of issued certificates and revocations. The log should be tamper-protected.
– The logs are available and archived. We will make the logs tamper-protected.
– Mark: C
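One way to make such a log of issuances and revocations tamper-evident, shown here as an added example rather than the CA's own software (the serials, subjects and operator names are constructed): a SHA-256 hash chain over the events, with the current head hash recorded out-of-band (for instance on the paper access sheet kept in the safe) so that both silent edits and truncation of the log are detected.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash that precedes the first entry of an empty log

def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_event(log: list, event: str, serial: str, subject: str,
                 operator: str, when: str) -> str:
    """Append an 'issue' or 'revoke' event and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "event": event, "serial": serial,
              "subject": subject, "operator": operator, "time": when}
    log.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return log[-1]["hash"]

def verify_chain(log: list) -> int:
    """Return -1 if every link checks out, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["record"]["seq"] != i:
            return i
        if _entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def head_matches(log: list, expected_head: str) -> bool:
    """Catch truncation: the head hash kept out-of-band (e.g. written on the
    paper sheet in the safe) must equal the current head of an intact chain."""
    head = log[-1]["hash"] if log else GENESIS
    return verify_chain(log) == -1 and head == expected_head

def demo() -> tuple:
    # Constructed sample events; serials, subjects and operator names are invented.
    log = []
    append_event(log, "issue", "2A", "CN=host1.sdg.example", "operator1",
                 "2010-03-01T09:00:00Z")
    append_event(log, "issue", "2B", "CN=Alice Example", "operator1",
                 "2010-03-02T10:30:00Z")
    head = append_event(log, "revoke", "2A", "CN=host1.sdg.example", "operator2",
                        "2010-03-05T08:15:00Z")
    edited = copy.deepcopy(log)
    edited[1]["record"]["subject"] = "CN=Mallory"  # silently alter an old entry
    truncated = log[:-1]                            # drop the latest revocation
    return verify_chain(log), verify_chain(edited), head_matches(truncated, head)
```

A chain alone does not reveal that trailing entries were deleted, which is why the head hash has to be recorded somewhere the log's custodian cannot rewrite.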
CA - (27),(32): The authority must publish CRLs, and these CRLs should be compliant with RFC 5280.
– Section 2 and section 4.9.8 state that "the repository of certificates and CRLs are available at ", though RFC 5280 is not explicitly referenced in the CP/CPS. RFC 5280 will be referenced in the CP/CPS.
– Mark: B
CA - (45): Identity validation records must be kept at least as long as there are valid certificates based on such a validation.
– The identity validation records are kept at least as long as there are valid certificates based on such a validation, but this is not stated in the CP/CPS. We will add it in section
– Mark: B
Conclusion
– Positive
– Update of CP/CPS and CRL profile: done, to be released soon