Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.

Published byLynette Newton Modified over 8 years ago

Similar presentations

Presentation on theme: "PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh."— Presentation transcript:

1 PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh

2 2 Brief History PK-Grid CA was first presented and accredited during 2 nd EuGridPMA meeting (held in September 2004) at Brussels Minor updates until 2012 –Infrastructure updates machine specs, kernel version, openssl updates –more secure premises Progressively restrictive access privileges among multiple physical tiers

3 3 Audit Results Audit guidelines used: GFD.125 (dated: March 31, 2008) In policy: – B: 3 – C: 1 – D: 3 – X: 4

4 4 “B”: 1/3 Is a CRL issued at least 7 days before expiration (for off-line) or 3 days before expiration (for on-line)? (CA item 29) –We missed it a couple of times.

5 5 “B”: 2/3 The repository must be run at least on a best-effort basis, with an intended availability of 24x7. (CA item 49) –We had few un-announced downtimes.

6 6 “B”: 3/3 Over the entire lifetime of the CA it must not be linked to any other entity. How does the CA guarantee this requirement? (RA item 8) –This guarantee is not explicitly mentioned in the CP/CPS.

7 7 “C”: 1/1 Every CA should perform operational audits of the CA/RA staff at least once per year. (CA item 47) –This has not been practiced regularly.

8 8 “D”: 1/3 Does the CA or RA have documented evidence on retaining the same identity over time? (RA item 6) –We need to have a documented evidence on retaining the same identity over time.

9 9 “D”: 2/3 Does the RA record and archive all requests and confirmations? (RA item 11) –The archival for requests and confirmations is currently done by the CA, as we have a small user community.

10 10 “D”: 3/3 Does the RA maintain the archive of these records in an auditable form? (RA item 12) –An RA does not maintain such records in auditable form. –The archival for requests and confirmations is currently done by the CA, as we have a small user community.

11 11 “X”: 1/4 Is the CA system completely off-line or one-line which uses FIPS 140-2 level 3 capable HSM operated in FIPS 140-2 level 3 mode? (CA item 9) –CA machine is completely offline. –Therefore, We do not have HSM.

12 12 “X”: 2/4 Does the on-line CA provide a log of issued certificates and a signed revocation list? Is the log tamper-protected? (CA item 16) –CA server is not an online machine.

13 13 “X”: 3/4 Are new EE certificates signed by a new cryptographic data? (CA item 18) –Yes, new certificates are signed by new cryptographic data. Is the old but still valid certificate available if there are still valid certificates signed by the old private key ? (CA item 18) –NO, as the transition period is not due yet! –Also, old certificates and old key is not valid any more.

14 14 “X”: 4/4 How is the re-new process described? (CA item 41) –We do not have a renewal policy for certificates as PK-GRID CA does not renew certificates rather it only rekeys…

15 Questions/Suggestions are welcome! 15

Download ppt "PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.

Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr. 2009 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.
IHEP Grid CA Status Report Wei F2F Meeting 8 Mar. 2010 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

Similar presentations

Ads by Google