BG.ACAD CA (http://ca.acad.bg) Self-Audit Report 2014. Vladimir Dimitrov, IICT-BAS (www.iict.bas.bg). 32nd EUGridPMA Meeting, Poznan, 8-10 Sep 2014.

Presentation transcript:

BG.ACAD CA (http://ca.acad.bg) Self-Audit Report 2014
Vladimir Dimitrov, IICT-BAS
32nd EUGridPMA Meeting, Poznan, 8-10 Sep 2014 (15 slides)

BG.ACAD CA Overview (1)
- BG.ACAD CA is a member since
- Serves the academic community in Bulgaria
- Located in Sofia, at IICT-BAS
- Implementation, very simple:
  - Online CA repository based on recent FreeBSD and Apache
  - Offline signing machine with recent FreeBSD, OpenSSL and some own-developed scripts
- Certificates issued since 2007:
  - Personal: 371
  - Hosts: 395
  - Services: 1
- Revoked certificates: 19
- Currently valid certificates (total): 96
32nd EUGridPMA Meeting, Poznan, 8-10 Sep

BG.ACAD CA Overview (2)
- Current CP/CPS revision: 1.1, OID:
- TACAR member since Jan 2013
- Since 1 Jan 2014 all new EE certificates are hashed with SHA-512. No complaints so far. The last SHA-1 certificate will expire in Jan
- Ready for issuing a CRL hashed with SHA-512.
- The online CA machine has full IPv6 support.
- CA staff members: 3
- RAs: 12 people from 3 cities and 9 institutions in Bulgaria.

Self-audit
- The previous self-audit was performed during the 22nd meeting in Prague, 2011 and was approved in 2013.
- The current self-audit was done in accordance with the OGF GFD.169 document.
- Audit dates: 1-5 Sep 2014
- Reviewers: TBD
- Summary:
  - A: 62 Good
  - B: 0 Recommendation (minor change)
  - C: 3 Recommendation (major change)
  - D: 1 Advice (must change)
  - X: 2 Could not evaluate (N/A)

GFD.169 – 2.3 Pre-examination
- CP/CPS – yes, in repository
- Relevant IGTF Authentication Profile(s) – yes
- Manuals for subscribers – yes, in repository
- Operational manuals – yes, available to the CA members
- CA repository (e.g. web site) – yes
- CA certificate – yes, in repository
- CRL – yes, in repository
- End entity certificates – yes, in repository
- HSM manual – N/A, offline signing machine
- Any other document described as published in the repository in the CP/CPS – yes, EE statement, user guide
- Any other document available for the auditors: EE declarations and evidence of user employment – yes, on paper

GFD.169 – 2.4 Main examination (1)
- CA room for the online CA machine: located in IICT-BAS, in the main NOC of the Bulgarian NREN (BREN). Restricted access, CCTV, fire alarm system.
- CA room for the offline CA signing machine: located in IICT-BAS inside the main academic HPC and data center. Access with personal RFID cards and keys, CCTV, 24/7 surveillance, fire alarm system. The removable hard disks of the machine are locked in a dedicated safe box.
- HSM – not present.
- Backup media of the CA private key – yes. Burned on a CD-R and locked in a dedicated safe box on another floor in IICT-BAS.
- Offline media (sealed envelope) containing the pass phrase of the CA private key – yes. In the same safe box as above. May be a bad idea! But we don't have another dedicated safe box for now.

GFD.169 – 2.4 Main examination (2)
- Media storage of archived logs and other documents and their place – yes, the logs of the offline CA are included in the full backups on 2 flash cards in a dedicated safe box.
- End entity certificates (if not available for the pre-examination), including issuance activities – yes, in the repository.
- Logs of the CA/RA servers – no, there are no such servers.
- Logs of the CA repository (e.g. web server) – yes, on the server and included in the regular backups on a dedicated separate storage array.
- Records of operation of the CA private key (including accesses to the HSM) – no. TBD.
- Access log to the CA room – yes. In the central security system, based on the personal RFID card usage.
- Any other documents (e.g. daily report of the CA operators) – no.

GFD.169 – 3 Auditing Checklist (1)
Only the scores above A are described next.
The following check has a D score (must change):
- (34) No user certificates may be shared.
  - It is not clearly stated in the CP/CPS. Chapter and user statement must be expanded.

GFD.169 – 3 Auditing Checklist (2)
The following checks have C scores (major change):
- (41) Certificates must not be renewed or re-keyed consecutively for more than 5 years without a form of auditable identity and eligibility verification, and this procedure must be described in the CP/CPS.
  - Currently we define this period as 3 years, but we want it to be 5 years.
  - Chapters 4.1.2 and will be changed and simplified.

GFD.169 – 3 Auditing Checklist (3)
The following checks have C scores (major change):
- (46) Every CA should perform operational audits of the CA/RA staff at least once per year.
  - Operational audits are not made every year. Some improvement since the previous self-audit.
  - There is no good description of the procedure in our operational manual, which consists mainly of the CP/CPS.
  - The operational manual will be changed.

GFD.169 – 3 Auditing Checklist (4)
The following checks have C scores (major change):
- (55) The CA must have an adequate compromise and disaster recovery procedure, and be willing to discuss this procedure in the PMA. The procedure need not be disclosed in the policy and practice statements.
  - This item had a C mark in the previous audit. We have a separate draft plan now, but it is still in progress.
  - We recently received a dreamy opportunity to realize off-site recovery at a remote location through funding from another project. The goal is to start a mirror of the CA repository within one working day. Probably it will be based on IPv6 routing failover capabilities and DNS reservation. We'll see …

GFD.169 – 3 Auditing Checklist (5)
The following checks received X scores (could not evaluate):
- (15) The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists.
  - No, we are an offline CA.
- (40) Certificates associated with a private key residing solely on hardware token may be …
  - No, our keys are stored in software.

CA root certificate expiration
- The CA root certificate will expire on Feb , 19:00 UTC.
- This means that the latest date for publishing the new certificate is Jan :00 UTC.
- According to the current CP/CPS v1.1, ch. 5.6, a new key pair must be generated, and it smells like it will be hashed with SHA-512 then.
- I think it will not be an easy job, so any advice from CAs who have already completed such a procedure is welcome.
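Two of the facts a reviewer would want to verify rather than take from the slides are the SHA-512 migration of issued certificates and CRLs (Overview slide 2) and how long the CA certificate is still valid (this slide). The script below is an added example, not one of BG.ACAD CA's own scripts; it assumes only the OpenSSL command-line tool and a directory of PEM files, and builds its own constructed sample certificates so it runs offline.

```shell
#!/bin/sh
# Added self-audit helper, not one of BG.ACAD CA's own scripts. Assumes the
# OpenSSL command-line tool and that every *.pem file under the repository
# directory is a PEM-encoded certificate or CRL.
set -eu

# Print the signature algorithm of a PEM certificate or CRL, e.g.
# "sha512WithRSAEncryption" or "sha1WithRSAEncryption".
sig_alg_of() {
    if grep -q 'BEGIN X509 CRL' "$1"; then kind=crl; else kind=x509; fi
    openssl "$kind" -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if a PEM certificate is still valid N days from now, fail if it
# expires within that window (openssl -checkend counts in seconds).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Walk a repository directory: list every *.pem with its hash algorithm,
# flag anything not signed with SHA-512 (the policy since 1 Jan 2014) and
# return non-zero if at least one such file was found.
audit_repo() {
    bad=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        alg=$(sig_alg_of "$f")
        case "$alg" in
            sha512*) echo "OK   $f $alg" ;;
            *)       echo "WEAK $f $alg"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample data (not real BG.ACAD CA certificates): a temporary
# repository with one SHA-512 and one SHA-256 self-signed 30-day certificate.
make_sample_repo() {
    dir=$(mktemp -d)
    for h in sha512 sha256; do
        openssl req -x509 -newkey rsa:2048 -"$h" -nodes -days 30 \
            -subj "/C=BG/O=Sample/CN=$h-test" \
            -keyout "$dir/$h.key" -out "$dir/$h.pem" 2>/dev/null
    done
    echo "$dir"
}

# Stand-alone run: build the sample repository and audit it.
if [ "${1:-}" = "--demo" ]; then
    R=$(make_sample_repo); audit_repo "$R" || echo "non-SHA-512 signatures found"; rm -rf "$R"
fi
```

Run with `--demo` to audit the constructed sample; point `audit_repo` at a real repository directory to check live files.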

Additional changes
- We plan to do some small additional changes during the long external auditing period which follows now. These changes are outside the GFD.169 auditing checklist. For example:
  - A statement will be added to CP/CPS ch. 1.1 that IICT-BAS is the full legal successor of the IPP-BAS institute, on behalf of which the CA was accredited in
End of Self-Audit

Questions?
Vladimir Dimitrov