CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

Slides:



Advertisements
Similar presentations
INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
Advertisements

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
1 of 2 Going on vacation requires careful preparation and there are a number of things you should do at the office before taking extended time off. This.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp:// Call for note takers!
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
This PowerPoint presentation will show you how to use your productively and successfully.
Configuring Active Directory Certificate Services Lesson 13.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
Network Security Onno W. Purbo Buku Keamanan Jaringan Internet Toko Buku Gramedia.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
Large-scale issuing of host certs in a member-integrated or institutional CA environment.
How to be an online student. How does it work? An online course follows a schedule and syllabus with due dates for assignments (just like an on-campus.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
The CA Distribution Process David Groep, July 2007.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Module 9: Fundamentals of Securing Network Communication.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
Updates from the EUGridPMA David Groep, July 16 st, 2007.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.
Updates from the EUGridPMA David Groep, Nov 7 nd, 2008.
EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa David Groep – Items  EUGridPMA.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005
1 Securing Network Services. 2 How TCP Works Set up connection between port on source host to port on destination host Each connection consists of sequence.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien April 20, th APGridPMA in Taipei.
Automated Certificate Management ACME + Let’s Encrypt Richard
Distribution Repository Structure David Groep,
Discussions on the Life Ray Portal and credential management David Groep, Oct 11 th, 2011.
Updates from the EUGridPMA David Groep, May 9 st, 2007.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks ROC Security Contacts R. Rumler Lyon/Villeurbanne.
Lessons Learned from disaster recovery Jinny Chien April 20, th APGridPMA in Taipei.
Updates from the European Side of the Pond David Groep, November 2006.
Sergiu April 2006June 2006 Overview of TeraGrid Security Working Group Activities James Marsteller CISSP, Working Group Chair.
APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.
Recent lessons learned: Operational Security David Kelsey CCLRC/RAL, UK GDB Meeting, BNL, 5 Sep 2006.
TACAR Updates version David Groep, NIKHEF. 9 th EUGridPMA ‘RAL’ meeting – Jan David Groep – TACAR Aims  Trusted and.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.
Applying Laurillard’s Conversational Framework to Blended Learning Blogging and Collaborative Activity Design R Papworth, R Walker & W Britcliffe E-Learning.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK
Updates from the EUGridPMA David Groep, Oct 17 st, 2007.
IGTF Risk Assessment Team 5/11/091.
Web Cacheability of CRLs David Groep, Jan 26 th, 2009.
AEGIS Certification Authority
IGTF Risk Assessment Team
Communications IGTF RAT Comms Challenge 3 Fall 2015
ITE Full-Time Nitec Course Application
MaGrid CA Self audit and update
Communications Ensuring a responsive IGTF community through periodic validation of communication co-supported by the Dutch National e-Infrastructure coordinated.
Internet Social Media. Internet Social Media Benefits: Internet is a useful tool if utilized appropriately. Uses Benefits: Internet is a useful tool.
Presentation transcript:

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – CVE

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – Approx time line  Released: Tue, May 13  (CVE number reserved: Jan 15, 2008!)  Picked up by Roberto Cecchini same day  Tue May 13  ‘informal’ request for assessment sent to PMA members  several CAs start revoking affected end-entity certs  Wed May 14  Bulk checking tool distributed to the PMA lists  PMA itself checked IGTF distribution  Affected CA root certs identified and re-generated  Fri May 16  Updates IGTF distribution with updated CA  Release coordinated with OSCT EGEE/LCG public advisory  Still limited (~50%) CA response on affected EE certs

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – The week after  Mon, May 19  31 responses received and appropriate action taken  Still 10 CAs did not respond at all  Tue, May 20  Sent ‘final’ warning to personal addresses  End of day: 36 responses received, 4 pending  One pleaded extension of checking till Friday …  Wed, May 21  For those CAs that have a EE list retrievable, did checking myself  For selected CAs, bypassed CA and contact Ees  Publication of list of keypairs escalates the issue  Thu, May 22 – …

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – What did we learn?  Requests for action from PMA should be univocal and clear in what action is required  CA contact addresses are ill-watched  And people behind the addresses are not always the same people as those technically operating the CA  Response can take N mails and still wait for a week  Response to all mails is even more important than action  The RPs need an IGTF-wide response  CA suspension can be done  But is very upsetting and must never be done lightly  And needs couple of key people to share responsibility  The PMA structure was not ROBAB proof

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – Implemented structure and process  For public vulnerabilities only  Communicate to relying parties that the PMA is aware  Publish this statement on-line and send to the PMA announce list(s) - with URL for updated information  A IGTF wide Risk Assessment Team assesses issue  Jim Basney, Jens Jensen, Willy Weisz, Yoshio Tanaka, Jinny Chien, David Groep, Vinod Rebello  Define expected time for responses from Cas  Interacts with RAT and CSIRT teams from RPs

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – Response  Send query to all CAs  Initial address taken from.info file  Signed , but not encrypted  Define expected response  For urgent issues, use per-CA escalation procedure  CA response  All Cas are expected to send an ACK next business day  Full response before RAT-established dead line  CAs can of course ask for extension but need to keep responding to RAT requests any time!  Escalation  per-PMA core team (for EUGridPMA: DaveK, UrsulaE, Jan Jona J, DavidG) agrees what happens in case of serious malfunction – if rapid action is indeed needed

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – CA actions requested  Respond to all RAT s!  Check that address in your meta-data is OK  And there is somebody watching  Deposit your escalation procedure  For example: do you want the RAT to phone you? 1: send to this personal address if no response: 2: call me at the office on number XX if no response: 3: call me at home on number YY if no response: 4: call ZZ at number AA  This information is kept private and encrypted by the RAT members (incl. the PMA chairs)  And never used otherwise…  Act within the RAT time line

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – ROBAB  PMA operations were too concentrated  Shared control passwords to more people  For EUGridPMA also AndersW can now do everything  web sites hosting machine access  domain name management (.org+.info)  forwarding configuration  CVS management  Enable all chairs to sign the IGTF distribution with the SAME key  Securely distributed to MikeH, YoshioT, AndersW  Replication of key web sites (already did that for the IGTF distribution itself)

3 rd TAGPMA ‘Austin’ meeting – Nov David Groep – RAT  See Jim’s presentation …

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.