0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko

1 Outline Current status of NAREGI CA  Number of issued certificates  Update CP/CPS  Audits Compliance review report

2 Current status of NAREGI CA Number of issued certificates Number of issued certificates  server certificate : 1,350  client certificate : 110 NAREGI CA(NII) NAREGI (IMS,NII) Certificate User Hst administrator User adminstrator RA CA Repositor y CRL,Certificate information User Infomation Issue request Issue LCMP over SSL GlobusServer CA Operator UnicoreServer Certificate enrollment CA System Reception/Assessment HSM Distribute certificate NAREGI CA System Architecture SSL CA private key :Security officer Pass phrase :CA Operator

3 Update CP/CPS  NAREGI updated CPS to Ver2.1 on April 2 ､ 2007 Change Deleted ： The account registration Section 2 and 3 in CPS describes only the identify of user information (Of course in face to face) Added ： The rule of personal information use purpose To specify the rule to comply with the latest Classic Authentication Profile. Modified: User certificate validity period 12 months → 13 months TypeValidity Period Client certificate13 months(395days) Server Certificate Glubus server certificate13 months(395days) Unicore server certificate13 months(395days)

4 Audits  NAREGI CA is planning external audit. Auditor : KEK Iwamoto, Iida, Murakami, Ishikawa Support : AIST Tanaka Date : July 5,2007 ※ We will confirm Audit Guideline.

5 Compliance review report Section Classic Authentication ProfileNAREGI CA 3.1 Identity vetting rules ”The RA must ensure that the requestor is appropriately authorized by the owner of the FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate” The authorization procedure of FQDN owner was not clear in NAREGI CP/CPS. We added the following procedures ・ To confirm approval of a domain manager who is the responsible administrator ・ To Use WHOIS database for querying owners of the FQDN 4.2 Certificate Policy and Practice Statement Identification ”Whenever there is a change in the CP/CPS, the OID of the document must be changed. In the major changes, it must be announced to the accrediting PMA, and approved before signing any certificates under the new CP/CPS.” "In the currect NAREGI operation, for minor corrections such as misprints it is not done by requiring approval of the NAREGI PMA, instead it is done based on a decision of the security officer. In these cases, the minor version number will be updated, but a new OID will not be assigned.“ I believe it will be allowed to operate in this manner, but will it be a problem?

6 Classic Authentication ProfileNAREGI CA 8 Privacy and confidentiality -"As described “Update CPS” Changing CP/CPS to comply with the RFC3647 -It is not yet decided. Certificate profile -MUST/MUST NOT items are complying with the classic profile. SHOULD/SHOULD NOT items are the next page. We do not have a plan to change for the moment Compliance review report

7 SectionGrid Certificate Profile 0.22 NAREGI CA End-entity Certificate AddressThe attribute pkcs9 (“ Address”) SHOULD NOT be used in subject names. NAREGI use Address in subject names extendedKeyUsage The extendedKeyUsage (EKU) extension SHOULD be included in end-entity certificates. NAREGI do not use UKU subjectAlternativeName, issuerAlternativeName The subjectAlternativeName extension SHOULD be present for server certificates (including “host” and “service” certificates in the grid context), and, if present, MUST contain at least one FQDN in The dNSName attribute. NAREGI do not use subjectAlternativeName in server certificates. Compliance review report

8 END