Presentation is loading. Please wait.

Presentation is loading. Please wait.

CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008."— Presentation transcript:

1 CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008

2 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 2 David Groep – davidg@eugridpma.org CVE-2008-0166

3 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 3 David Groep – davidg@eugridpma.org Approx time line  Released: Tue, May 13  (CVE number reserved: Jan 15, 2008!)  Picked up by Roberto Cecchini same day  Tue May 13  ‘informal’ request for assessment sent to PMA members  several CAs start revoking affected end-entity certs  Wed May 14  Bulk checking tool distributed to the PMA lists  PMA itself checked IGTF distribution  Affected CA root certs identified and re-generated  Fri May 16  Updates IGTF distribution with updated CA  Release coordinated with OSCT EGEE/LCG public advisory  Still limited (~50%) CA response on affected EE certs

4 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 4 David Groep – davidg@eugridpma.org The week after  Mon, May 19  31 responses received and appropriate action taken  Still 10 CAs did not respond at all  Tue, May 20  Sent ‘final’ warning to personal addresses  End of day: 36 responses received, 4 pending  One pleaded extension of checking till Friday …  Wed, May 21  For those CAs that have a EE list retrievable, did checking myself  For selected CAs, bypassed CA and contact Ees  Publication of list of keypairs escalates the issue  Thu, May 22 – …

5 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 5 David Groep – davidg@eugridpma.org What did we learn?  Requests for action from PMA should be univocal and clear in what action is required  CA contact addresses are ill-watched  And people behind the addresses are not always the same people as those technically operating the CA  Response can take N mails and still wait for a week  Response to all mails is even more important than action  The RPs need an IGTF-wide response  CA suspension can be done  But is very upsetting and must never be done lightly  And needs couple of key people to share responsibility  The PMA structure was not ROBAB proof

6 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 6 David Groep – davidg@eugridpma.org Implemented structure and process  For public vulnerabilities only  Communicate to relying parties that the PMA is aware  Publish this statement on-line and send to the PMA announce list(s) - with URL for updated information  A IGTF wide Risk Assessment Team assesses issue  Jim Basney, Jens Jensen, Willy Weisz, Yoshio Tanaka, Jinny Chien, David Groep, Vinod Rebello (igtf-rat@eugridpma.org)igtf-rat@eugridpma.org  Define expected time for responses from Cas  Interacts with RAT and CSIRT teams from RPs

7 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 7 David Groep – davidg@eugridpma.org Response  Send query to all CAs  Initial address taken from.info file  Signed email, but not encrypted  Define expected response  For urgent issues, use per-CA escalation procedure  CA response  All Cas are expected to send an ACK next business day  Full response before RAT-established dead line  CAs can of course ask for extension but need to keep responding to RAT requests any time!  Escalation  per-PMA core team (for EUGridPMA: DaveK, UrsulaE, Jan Jona J, DavidG) agrees what happens in case of serious malfunction – if rapid action is indeed needed

8 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 8 David Groep – davidg@eugridpma.org CA actions requested  Respond to all RAT emails!  Check that email address in your meta-data is OK  And there is somebody watching  Deposit your escalation procedure  For example: do you want the RAT to phone you? 1: send email to this personal address if no response: 2: call me at the office on number XX if no response: 3: call me at home on number YY if no response: 4: call ZZ at number AA  This information is kept private and encrypted by the RAT members (incl. the PMA chairs)  And never used otherwise…  Act within the RAT time line

9 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 9 David Groep – davidg@eugridpma.org ROBAB  PMA operations were too concentrated  Shared control passwords to more people  For EUGridPMA also AndersW can now do everything  web sites hosting machine access  domain name management (.org+.info)  email forwarding configuration  CVS management  Enable all chairs to sign the IGTF distribution with the SAME key  Securely distributed to MikeH, YoshioT, AndersW  Replication of key web sites (already did that for the IGTF distribution itself)

10 3 rd TAGPMA ‘Austin’ meeting – Nov 2006 - 10 David Groep – davidg@eugridpma.org RAT  See Jim’s presentation …

11

Download ppt "CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008."

Similar presentations

INFN CA1 active since July 1998 manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.

INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.

© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.

IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
1 of 2 Going on vacation requires careful preparation and there are a number of things you should do at the office before taking extended time off. This.

1 of 2 Going on vacation requires careful preparation and there are a number of things you should do at the office before taking extended time off. This.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp://www.apgridpma.org/meetings/index.html Call for note takers!

4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp:// Call for note takers!
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
This PowerPoint presentation will show you how to use your email productively and successfully.

This PowerPoint presentation will show you how to use your productively and successfully.
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.

Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.

Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
Network Security Onno W. Purbo Buku Keamanan Jaringan Internet Toko Buku Gramedia.

Network Security Onno W. Purbo Buku Keamanan Jaringan Internet Toko Buku Gramedia.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Similar presentations

Ads by Google