Presentation is loading. Please wait.

Presentation is loading. Please wait.

HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

Published byLeo Dominic Montgomery Modified over 7 years ago

Similar presentations

Presentation on theme: "HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2."— Presentation transcript:

1 HellasGrid CA self Audit

2 In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2

3 Brief history HellasGrid CA was first presented and accredited in 2002 Major update on 2006 Minor updates until 2010 3

4 Audit results Audit guidelines used: GFD.169 April 19, 2010 In policy: – B: 10 – C: 5 – D: 1 – X: 2 But in practice 8 "B” are “A” 4

5 “B”: 1/10 Is there a single CA organization per country, large region or international organization? (CA item 2) – Stated correctly but only in section 1.1 Overview instead of 1.3.1 Certification Authorities – Practically an A 5

6 "B": 2/10 Is the CA system a dedicated system? (CA item 7) – Should be written more clearly – Practically an A 6

7 "B": 3/10 Is the CA system located in a secure environment where access is controlled? (CA item 8) – The building id has a typo… It should be 22b instead of 22d… – Practically an A 7

8 "B": 4/10 Does the CPS describe the protection of the CA private key? (CA item 13) – Yes, but under 6.4.1 Activation data generation and installation (not 6.2.8 Method for activating private key which is suggested) – Practically an A 8

9 "B": 5/10 Is a new CRL issued immediately after a revocation? (CA item 30) – Yes, but this is described in 4.10.1 Operational Characteristics (not 4.9.9 On-line revocation/status checking availability which is suggested) – Practically an A 9

10 "B": 6/10 Is the protection of private keys described as an end entity obligation? (CA item 37) – Yes, but this is described so in sections 4.1.1 Who can submit a certificate application and 6.4.1 Activation data generation and installation (not in 6.2.8 Method of activating private key which is suggested) – Practically an A 10

11 "B": 7/10 How does the CA perform operational audits? (CA item 47) – This is described in section 5.3.4 Retraining frequency and requirements (not in 5.4 Audit logging procedures which is suggested) – Practically an A 11

12 "B": 8/10 Is the web repository available 24x7 on a best? (CA item 49) – This is stated in section 2.4 Access control on repositories and not in section 2.1 Repositories which is suggested – Practically an A 12

13 "B": 9/10 How are privacy and confidentiality described? (CA item 55) – In general well enough but some further development of sections 9.3 Confidentiality of Business Information and 9.4 Privacy of personal information is suggested 13

14 "B": 10/10 How is the CA or the RA informed of changes? (RA item 8) – In general well enough but some further development of sections 4.8 Certificate modification and 4.9 Certificate revocation and suspension could be done 14

15 "C": 1/5 Does the CP/CPS describe the CP/CPS change procedures, publication and notification policies, and approval procedures? (CA item 4) – These are mentioned and described in section 1.5 Policy Administration. It is suggested that the relevant content is moved to section 9.12 Amendments and be further developed. 15

16 "C": 2/5 Is the CRL compliant with RFC 5280? (CA item 32) – Reason Code for all revoked certificates is: Unspecified. According to RFC 5280: “reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value” 16

17 "C": 3/5 No user keys may be shared. Is this described as an end-entity obligation? (CA item 35) – This is partly discussed in section 6.1.1 Key Pair Generation. It is suggested that the text is refined and moved to section 4.5.1 Subscriber Private Key and Certificate Usage. 17

18 "C": 4/5 Over the entire lifetime of the CA it must not be linked to any other entity. How does the CA guarantee this requirement? (RA item 6) – This is discussed but we suggest making the procedure more clear in section 3.1.5 Uniqueness of names. 18

19 "C": 5/5 Does the RA maintain the archive of records in auditable form? (RA item 10) – This is not made clear in CP/CPS. Re-wording and refinement of the text in section 5.5.1 Types of Records Archived is suggested. 19

20 “D”: 1/1 The end entity certificated must comply with the Grid Certificate Profile…? (CA item 38) – Section 7.1 of CP/CPS should be updated – In practice (after inspection): In subscribers certificates usage of Non-repudiation should be removed from keyUsage In host/service certificates extendedKeyUsage should be included in the extensions. 20

21 "X": 1/2 The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists (CA item 16) – Not online CA 21

22 "X": 2/2 The RA must record and archive all requests and confirmations. Does the RA record and archive all requests and confirmations? (RA item 9) – Aside application data other relevant information is archived via the HellasGrid user portal 22

Download ppt "HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2."

Similar presentations

RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.
Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.

Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.
David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.

David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
+1 (801) 877-2100 Standards for Registration Practices Statements IGTF Considerations.

+1 (801) Standards for Registration Practices Statements IGTF Considerations.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

Similar presentations

Ads by Google