UK e-Science Certification Authority Self Audit. Jens Jensen, EUGridPMA meeting, Berlin.
Slide 1: Title slide (UK e-Science Certification Authority Self Audit, Jens Jensen, EUGridPMA meeting, Berlin)

Slide 2: UK e-Science
- Operated by the National Grid Service
- For UK e-Science activities

Slide 3: Status
- >= 21778 certificates issued over the lifetime of the CA
  - Not counting robots and other exceptions
  - 10272 distinct
- 4820 currently valid, 3752 distinct
  - 2328 distinct hosts, 1424 distinct users
  - Does not include robot certs, which are signed separately
- By email domain: 94% .ac.uk, 1% .co.uk, 5% .com

Slide 4: Status
- 75 RAs
  - Each RA has one manager and one or more operators
  - A few "roaming" RAs
- 197 RA staff in the database
  - Not including CA staff
- 19 "inactive" CA operators
  - More than one complete turnover
  - Some extremely good sysadmins

Slide 5: Self Audit Results
- Using the self-audit guideline document of 2009-02-17
  - There is a later one, but it is only a few days newer
- Item numbers in parentheses on the following slides refer to that document; the letters (A to D) are the grades assigned per item

Slide 6: Bs
- (6) RFC 3647: using 2527
- (16) Tamper protected log: could be improved
  - Does it mean tamper proof or tamper evident?
- (31) CRL issuance: fairly frequent, but no code to ensure weekly issuance
  - Relies on users requesting revocation
  - Which they do

Slide 7: Bs cont'd
- (46) Rekey, not renew, software keys
  - In exceptional cases, software keys can be renewed
  - Not routine though: requires CA manager intervention
  - Doesn't even work for key tokens at the moment
- (51) Destruction of personal data doesn't work
  - Needs support in software

Slide 8: Bs cont'd
- (53) RA audit
  - RAs are being audited, but we cannot guarantee to audit every RA every year
  - Logistical problem: expensive, needs staff trained to audit, time consuming (travel)
- (54) List of CA/RA personnel
  - Exists but could be improved
- (58) Redistribution of CP/CPS
  - Is certainly OK, but is it explicitly mentioned?

Slide 9: Bs cont'd
- (62) Disaster recovery
  - Processes exist but can be improved
- (6) Name linked to single entity
  - Actually OK, but operator documentation needs improving for oddball cases
  - Again software problems: code is there to list prior certs with the same DN, but it has a few bugs

Slide 10: Cs
- (4) Host/service authorised by owner of DNS or responsible admin
  - Local processes inadequate? (soapbox?)
  - IT support, delegated, ...
- (44) Cert profile
  - EE certs use nsCertType instead of EKU
  - Hysterical raisins (historical reasons)
  - Has been tested by training CAs in the wild
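The cert-profile finding above, as an added example that is not the NGS CA's own profile or software: the two ways of declaring an end-entity certificate's purpose, the Netscape nsCertType extension the slide says the CA still uses and the extendedKeyUsage extension (RFC 5280) it should use, plus a check that flags a certificate which relies on nsCertType alone. The throwaway CA, the user-certificate profile and the shell function names are constructed for this example; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not the NGS CA's own code. Assumes the openssl CLI.

# ext_legacy: the old-style user-cert profile, purpose declared via nsCertType only.
ext_legacy() {
    cat <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsCertType = client, email
EOF
}

# ext_current: the same purpose declared via extendedKeyUsage (RFC 5280).
# A host certificate would use serverAuth (and usually clientAuth) instead.
ext_current() {
    cat <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# issue DIR NAME EXTFUNC: sign a test EE certificate under a throwaway CA kept
# in DIR (constructed fixture, created on first use), with the profile EXTFUNC.
issue() {
    dir=$1; name=$2; extfunc=$3
    [ -f "$dir/ca.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example CA" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    "$extfunc" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_ee_profile CERT: return 0 if the certificate declares its purpose with
# EKU, 1 if it relies on nsCertType only or carries neither extension.
check_ee_profile() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    has_eku=0; has_ns=0
    case "$text" in *"X509v3 Extended Key Usage"*) has_eku=1 ;; esac
    case "$text" in *"Netscape Cert Type"*) has_ns=1 ;; esac
    if [ "$has_eku" -eq 1 ]; then
        [ "$has_ns" -eq 1 ] && echo "$1: note: nsCertType still present alongside EKU"
        return 0
    fi
    if [ "$has_ns" -eq 1 ]; then
        echo "$1: purpose declared by nsCertType only, no EKU"
    else
        echo "$1: no purpose extension at all"
    fi
    return 1
}
```

Run `d=$(mktemp -d); issue "$d" alice ext_legacy; check_ee_profile "$d/alice.crt"` to see the legacy profile flagged; issuing with `ext_current` instead passes. Keeping nsCertType alongside EKU during a profile migration is harmless for relying parties that only understand EKU, which is why the check only reports it.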

Slide 11: Ds
- (34)-(35) CRL is v1
  - Easy-ish to fix, so made it a D
  - Requires a change to the CP/CPS though
- (36) CRL uses MD5
  - Should be fixed
- (48) Max 5 rekeys
  - Code to support this doesn't work: needs support in software AND updated RA procedures
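The three CRL findings, weekly issuance with nothing enforcing it (slide 6) and the v1 CRL signed with MD5 (slide 11), as an added example that is not the NGS CA's own code: a check a CA operator could run from cron against the published CRL. It flags a CRL that is not v2, that is signed with MD5, whose lastUpdate is more than seven days old (the "weekly" cadence named on slide 6) or whose nextUpdate has passed. The seven-day threshold, the fixture CA with a v2 and a v1 CRL, and the function names are constructed for this example; it assumes the openssl command-line tool and GNU date (for `date -d`).

```shell
#!/bin/sh
# Added example, not the NGS CA's own code. Assumes the openssl CLI and GNU date.

MAX_AGE_SECS=$((7 * 24 * 3600))   # "weekly issuance", per the self-audit slide

# to_epoch "Sep  1 12:00:00 2009 GMT": openssl's time format to Unix seconds.
to_epoch() { date -u -d "$1" +%s; }

# check_crl FILE: print one line per finding; return 0 if clean, 1 otherwise.
check_crl() {
    crl=$1; rc=0
    text=$(openssl crl -in "$crl" -noout -text) || { echo "$crl: unparseable"; return 1; }
    case "$text" in
        *"Version 2"*) ;;
        *) echo "$crl: not a v2 CRL (no extensions such as crlNumber possible)"; rc=1 ;;
    esac
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        *md5*|*MD5*) echo "$crl: signed with MD5 ($sigalg)"; rc=1 ;;
    esac
    last=$(openssl crl -in "$crl" -noout -lastupdate | sed 's/^lastUpdate=//')
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    now=$(date -u +%s)
    if [ $(( now - $(to_epoch "$last") )) -gt "$MAX_AGE_SECS" ]; then
        echo "$crl: lastUpdate $last is older than 7 days; weekly issuance missed"; rc=1
    fi
    if [ "$(to_epoch "$next")" -le "$now" ]; then
        echo "$crl: expired; nextUpdate $next is in the past"; rc=1
    fi
    return $rc
}

# make_test_crls DIR: constructed fixture. A throwaway CA issues good.crl
# (v2 because it carries crlNumber, sha256, 7-day lifetime) and bad.crl
# (v1: no crlNumber extension, 30-day lifetime). openssl ca only emits a v2 CRL
# when a crlnumber file or crl_extensions are configured.
make_test_crls() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=Example CA" -days 60 2>/dev/null
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = v2
[ v2 ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
[ v1 ]
database = $dir/index.txt
default_md = sha256
EOF
    openssl ca -config "$dir/ca.cnf" -name v2 -gencrl -keyfile "$dir/ca.key" \
        -cert "$dir/ca.crt" -md sha256 -crldays 7 -out "$dir/good.crl" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -name v1 -gencrl -keyfile "$dir/ca.key" \
        -cert "$dir/ca.crt" -md sha256 -crldays 30 -out "$dir/bad.crl" 2>/dev/null
}
```

Against a real deployment the fixture is not needed: fetch the CRL from the CDP with curl and pass the file to `check_crl`; a non-zero exit from cron is the "code to ensure weekly issuance" that slide 6 says is missing. Moving the CRL to v2 also requires the CP/CPS change noted on slide 11, since the profile is written into that document.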

Slide 12: Limiting rekey
- Database doesn't know about key protection
  - (But robots are signed outside the main DB)
- Database gets confused about
  - Scheduled vs unscheduled rekey
  - Following the renewal trail
- All the data is there, but it is cumbersome to extract
  - Database schema not optimal for how we use it
- What to do about roaming RAs

Slide 13: As (interesting ones)
- (39) "No shared certificates"
  - Users sharing private keys
  - Long-lived proxies
- (61) Data protection regulation
  - Six pages (Appendix B) of legalese
- "Ownership" of host certs and how it's checked

Slide 14: But
- All of this is not really the point
  - Well, it is, but it isn't
- CA is showing signs of age, creaking, trying to cope with growth
- Software support MUST improve
  - Signing software is unforgiving of CA operator error
  - And operator staff have turned over completely
  - Software must support IGTF-required processes
  - Better automated checks of requests
- Procedure documents need updating

Slide 15: CRL download failure
- Since you asked...
- Tier1/NGS main machine room cooling failed
  - Twice in three days, during August
- Temperature rose to 45 degrees
  - Service emergency shutdown
  - Not supposed to be a single point of failure
- Temporary CDP (CRL distribution point) brought up
  - Not sure how well it worked

Slide 16: Overall Plan
1. Stay with the current version of the hacked OpenCA
   - Make even more changes
2. Update to the latest version of OpenCA
   - Make even more than even more changes
3. Start from scratch but import the old stuff
4. Replace browser support with Java clients and a simpler online interface
- Outcome depends partly on available staff effort

Slide 17: The TAG
- Introduced a TAG (Technical Advisory Group)
  - Being made part of NGS 3
  - Stakeholder representation (mostly RPs): WLCG, OSG (/TG), GridPP, NGS, OMII-UK, ...
  - Advisory, no direct policy remit
  - (overdue for a meeting early Sep)
  - Closed, confidential by default
  - Met twice already
  - No adequate infrastructure for secure comms

Slide 18: Current TODO list
- Tracking CA-side actions on revoked certs
- Better logging, notifications
- Support "new" certs (digsig?, objsign, robots)
- Separation of roles and duties
- Maybe making some things less specific
  - Avoid changing the CP/CPS when stuff changes
  - More process into RA and CA operator docs

Slide 19: Current TODO list
- Other security/usability improvements
- Take signing key wholly online?
  - Provided it fits into the current environment...?
- Move CDP
- Improve disaster recovery processes
- Shorten EE passphrase to 12? Better?
- Fix CP/CPS, corporate identity, modernise?
  - How to minimise duplication? More cross-references?

Slide 20: Current TODO list
- Fully integrate other CAs into the hierarchy
  - E.g. training CA, Shib CA, SSO CAs
  - Update Root CP/CPS, now out of date in some respects

Slide 21: Timescales
- Easy Ds: one month
- Harder fixes: one year
  - Require following the plan, step 1, 2, 3, or 4
  - Interim hacks delay the proper solution

