Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013

Published byIngar Thoresen Modified over 5 years ago

Similar presentations

Presentation on theme: "Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013"— Presentation transcript:

1 Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013
EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency Suspension – request for approval Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013 7/29/2019

2 Contents Why a procedure – reminder Main changes to document
Central Security Emergency suspension Why is it so difficult to agree Request for approval Linda Cornwall.

3 Why a procedure? When a situation occurs, and a certificate is compromised, EGI CSIRT needs to have a procedure in place Act in an agreed manner Saves time, know what to do Protects sites quickly We are now on 11th version of this procedure

4 Types of Certificate which may be compromised
User certificate Most common case Emergency suspension may apply Host or service certificate Robot certificate Similar to the User certificate CA compromise 7/29/2019

5 Document re-structured
Section 2 contains the Compromised User Certificate procedure Includes Central Security Emergency Suspension Also applies to compromised Robot certificates ‘Short’ - refers to details and explanations in other sections Section 3 contains Compromised Host or Service certificate procedure Section 4 compromised CA

6 Section 5 – Central Security Emergency Suspension
This is now discussed in section 5. The need for security emergency suspension to be carried out by EGI CSIRT is to protect sites from malicious and other mis-use Most likely reason is the certificate is linked to malicious jobs or a security incident Also if certificate has been exposed, e.g. proxy placed on a web page

7 Central security emergency suspension (2)
For proper incident response EGI-CSIRT needs a mechanism to quickly suspend a DN involved in an incident Infrastructure wide Central security emergency suspension provides this Sites are protected quickly, e.g. during an incident which occurs out of hours Suspension list under the control of EGI CSIRT and WLCG CSIRT – no involvement of 3rd parties A DN can be re-instated quickly 7/29/2019

8 Central Security emergency suspension (3)
Emergency suspension must be at CSIRT discretion, cannot think of all possible criteria. Use common sense. Carried out in conjunction with the EGI Security incident handling procedure Info on types of criteria in document Emphasize this is separate from certificate revocation

9 NOT a ‘blacklist’ of users
Central Security Emergency suspension does NOT imply fault on the certificate owner’s part A system may have been compromised containing the certificate A proxy may have been exposed by a vulnerability and used by a malicious user 7/29/2019

10 Emergency suspension vs. revocation
Some comments said we were confusing these two Clear in our minds, probably not clear enough in document Emphasized the difference EGI CSIRT may carry out central security emergency suspension CAs carry out revocation But it may be necessary for certificate to be revoked and re-issued before restoring access to a user 7/29/2019

11 Main changes to document - contd
Section 6 provides more details and info on handling compromised user certificates Section 7 provides more details and info on compromised robot and multi-user certificates These sections are referred to in the ‘shorter’ procedures.

12 Why is it so difficult to agree?
Some want certainty Defined procedure always follow Some want discretion There are likely to be emergencies/situations which have not been anticipated So - Simple procedure usually carried out steps may be ‘skipped’ if not appropriate Incident handling people have to have discretion to do what is necessary to contain incident

13 Why is it so difficult to agree (2)?
Some want certainty that an ‘innocent’ user is never suspended Can’t guarantee this System containing credentials may have been compromised Emphasize that suspension does NOT imply user at fault Imagine Central Security Emergency Suspension is likely to be quite rare a few incidents per year

14 Now we think the document:-
Clearer after the re-structuring Especially section 2 Taken account of comments from OMB members and discussed widely within CSIRT/OMB It’s well iterated And Central Security Emergency Suspension is (almost) ready

15 Request for approval Therefore, approval of this document is requested

16 Comments, questions…. ?? 7/29/2019

17 Notes. 7/29/2019

Download ppt "Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013"

Similar presentations

Private Key Protection. Whats it about Without the private key, the certificate is useless One of two main purposes of cert: –Prove possession of private.

Private Key Protection. Whats it about Without the private key, the certificate is useless One of two main purposes of cert: –Prove possession of private.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Page 1 Conflicts of Interest Peter Hughes IESBA December 2012 New York, USA.

Page 1 Conflicts of Interest Peter Hughes IESBA December 2012 New York, USA.
T-76.4115/5115 Software Development Project I/II Project Planning Jari Vanhanen Ohjelmistoliiketoiminnan ja –tuotannon laboratorio Software Business and.

T /5115 Software Development Project I/II Project Planning Jari Vanhanen Ohjelmistoliiketoiminnan ja –tuotannon laboratorio Software Business and.
Chapter 1  Introduction 1 Overview  What is a secure computer system?  Concerns of a secure system o Data: Privacy, Integrity, Availability o Users:

Chapter 1  Introduction 1 Overview  What is a secure computer system?  Concerns of a secure system o Data: Privacy, Integrity, Availability o Users:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.
Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005

Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.
OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.

OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Similar presentations

Ads by Google