Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

Similar presentations


Presentation on theme: "1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008."— Presentation transcript:

1 1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March

2 2 Outline ASGCCA basic audit Information ASGCCA Audit Score list The Detailed Audit Report Summary & Further Plan

3 3 ASGCCA Self-Audit Info Time : March 2008 Place : Academia Sinica Staff : Jinny Chien, Min Tsai, Felix Lee and Eric Yen The relevant document: CP/CPS, CA cert, EE cert, Host cert and any other document available for the auditors Others : CA room, CA machine etc….

4 4 A List of Marks for Auditing According to the result of the examination and each item can be scored from A to D, and X as below. A : Good B : Recommendation (minor change) C : Recommendation (major change) D : Advice (must change) X : Could not evaluate (N/A)

5 5 ASGCCA Self-Audit Status Full items are 71 During this evaluation, ASGCCA got the following scores. Score A (Good): 57 / 71 Score B (minor change): 10 / 71 Score C (major change): 2 / 71 Score D (must change): 1 / 71 Score X (N/A): 1 / 71 The following reports only included score B to score X

6 6 The Audit Report Format ScoreASGCCA gets the score at this item DiagnosisCheck the relevant documents StatusThe status of ASGCCA now SolutionThe improvability of ASGCCA Evaluation: The items of the auditing checklist

7 7 Self-Audit Detailed Report(1)‏ ScoreB DiagnosisASGCCA CP/CPS Status The ASGCCA CP/CPS is structured in RFC 2527 Solution (In progress) We plan to modify current the CP/CPS this year and the new CP/CPS will follow RFC Evaluation: The CP/CPS document is structured in RFC 3647

8 8 Self-Audit Detailed Report(2)‏ ScoreD DiagnosisASGCCA CA certificate and CRL Status CA ’ s cert and CRL describe the signature algorithm is MD5. (MD5 must not be used in particular)‏ Solution (In progress) Use another signature algorithm such as SHA1 and add it at the annual CA schedule Evaluation: The message digests of the certificate and CRLs generated

9 9 Self-Audit Detailed Report(3)‏ ScoreB DiagnosisCA certificate and EE certificates Status CA cert and EE cert are compliant with the current Grid Certificate Profile but there is MD5 problem must be resolved. Solution (In progress) Use another signature algorithm such as SHA1 and add it at the annual CA schedule Evaluation: CA cert and EE cert must comply with the IGTF and OGF profile

10 10 Self-Audit Detailed Report(4)‏ ScoreB DiagnosisASGCCA CRLs Status No description in the current CP/CPS and we use CRL version 1 Solution (In Progress ) Check the CRL profile and modify the current CP/CPS. Evaluation: The CRLs must be compliant with RFC 3280 and use version 2(recommended)‏

11 11 Self-Audit Detailed Report(5)‏ ScoreC DiagnosisASGCCA CP/CPS Status ASGCCA CP/CPS does not describe the transition procedure Solution (Done) We modified the current CP/CPS and added this information to the version 2.1 Evaluation: The CP/CPS described the transition of the CA’s cryptographic data

12 12 Self-Audit Detailed Report(6)‏ ScoreA DiagnosisASGCCA CA certificate Status Old and New ASGCCA CA life time are not longer than 20 years. However, our CP/CPS is only states 5 years limit. Solution (Done) We modified the current CP/CPS and added this information to the version 2.1 Evaluation: The CA lifetime must be no longer than 20 years

13 13 Self-Audit Detailed Report(7)‏ ScoreB Diagnosiscertificates Status We have re-key procedures which are described on the CA web page but not in the CP/CPS Solution (Done) We modified the current CP/CPS and added this information to the version 2.1 Evaluation: The rekey process described to the CP/CPS

14 14 Self-Audit Detailed Report(8)‏ ScoreB DiagnosisAudits and CP/CPS Status There are more information about the compliance audit but no information describing how we audit RAs Solution (Done) We modified the current CP/CPS and added this information to the version 2.1 Evaluation: The CA perform operational audits of CA/RA at the regular time

15 15 Self-Audit Detailed Report(9)‏ ScoreB DiagnosisHost certificate Status Users directly access the secure web page to generate FQDNs. Then CA will verify this request with RAs. Solution (Done) User -> RA -> CA This information must add to the version 2.1 Evaluation: How does the RA verify the FQDN of the host certificate

16 16 Self-Audit Detailed Report(10)‏ ScoreB DiagnosisCA and RA Status ASGCCA uses signed mails between CA and RA but there is no information to the current CP/CPS and only on the web Solution (Done) Added the details to the draft version 2.1 Evaluation: The secure communication between CA and RA

17 17 Summary & Further Plan ASGCCA will resolve the following problems in MD5 problem on all certificates from ASGCCA 2.The CP/CPS is compliant with RFC CRL profile is compliant with RFC Publish new version CP/CPS

18 18 Reference ASGCCA web The current CP/CPS The revised CP/CPS version 2.1 The Audit Report

19 19 Any Question? Thanks for the listening


Download ppt "1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008."

Similar presentations


Ads by Google