18th EUGridPMA, Dublin / SRCE CA Self Audit
SRCE CA Self Audit
Emir Imamagić, SRCE, Croatia
Overview
- SRCE CA
- Self Audit
- Certification Authority
- Registration Authority
- Conclusion

SRCE CA

Overview
- Established in May 2006
- Certificates for the Croatian academic and research community
- Public web site:
- Address:
- Approved by EUGridPMA in July 2006
- Classic AP 4.0

Organization
- CA & SRCE
- Three staff members: Hrvoje Sute, Emir Imamagic, Dobrisa Dobrenic
- Two lightweight RAs:
  - ETFOS (Faculty of Electrical Engineering in Osijek, Croatia): Goran Martinovic
  - FESB (University of Split, Faculty of Electrical Engineering, Mechanical Engineering and Naval Architecture): Dubravko Balic

System Architecture
- OpenCA
- Online interface (RA)
  - Used by end entities (EEs) for certificate requests
  - Used by RAs for request confirmations
  - Deployed on the institute's main web server
- Offline (CA)
  - Hard drives kept in a safe accessible to CA staff only
  - Data transfer between the online and offline parts is done via USB
  - Data backup performed after each operation

Certificates
- Total: 364 issued certificates
  - Host: 161
  - User: 201
- Valid: 133 certificates
  - Host: 60
  - User: 73
- Revoked: 63
  - Host: 40 (mainly retired machines)
  - User: 23 (mainly forgotten passphrases and accidentally deleted private keys)

CP/CPS Update
- Version 1.1, November 20th 2009
- Updated EE & CA certificate extensions
- Made compliant with the Grid Certificate Profile

Self Audit

Versions
- Guidelines for auditing Grid CAs, version 1.0, November 11th 2009
- SRCE CA CP/CPS, version 1.1, November 20th 2009

Summary
- Total number of items: 68
- Marks:
  - C: 2
  - B: 3
  - X: 1
  - A: 62
- A few of the As carry a comment or question

Certification Authority

CP/CPS: B – 1.4
- Item description: Whenever there is a change in the CP/CPS, the OID of the document must change, and the major changes must be announced to the responsible PMA and approved before signing any certificates under the new CP/CPS.
- Status: The procedure is not explicitly defined in the CP/CPS.
- Practice: The updated CP/CPS is published to EUGridPMA before any new certificates are issued under it.
- Solution: Will be added in the next CP/CPS update.

CP/CPS: C – 1.6
- Item description: The CP/CPS documents should be structured as defined in RFC
- Status: The CP/CPS is structured as defined in RFC
- Solution: We currently do not have the resources to perform such a major update. The current CP/CPS describes our practices well. We can consider restructuring it in future if this is strongly requested by the PMA and relying parties.

CA System: A – 2.10
- Item description: The secure environment must be documented and approved by the PMA, and that document or an approved audit thereof must be available to the PMA.
- Comment: The system is partially described in sections of the CP/CPS; further documentation is available on the site's wiki pages. Is this sufficient?

Certificate Revocation: A – 5.23
- Item description: Certificate revocation can be requested by end entities, registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.
- Comment: One section defines that revocation can be requested by EEs, RAs and any other entity providing evidence; another section defines that SRCE CA manages the functions of its RAs. Is this sufficient?

Certificate Revocation: B – 5.25
- Item description: Subscribers must request revocation of their certificate as soon as possible, but within one working day, after detecting that the private key pertaining to the certificate has been lost or compromised, or that the data in the certificate are no longer valid.
- Status: The CP/CPS does not define the one-working-day deadline.
- Comment: This requirement was added in Classic AP 4.1.
- Solution: Will be added in the next CP/CPS update.

End Entity Certificates and Keys: C – 7.38
- Item description: End-entity certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. The policyIdentifier must include the OID of the Authentication Profile under which the Certification Authority has been accredited. For the Classic AP, the OID is
- Status: This is not defined in the CP/CPS.
- Comment: This requirement was added in Classic AP 4.2.
- Solution: Will be added in the next CP/CPS update.

End Entity Certificates and Keys: X – 5.41
- Item description: Certificates associated with a private key residing solely on a hardware token may be renewed for a validity period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits).
- Comment: The CA does not support keys residing on hardware tokens.
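Items 7.38 and 5.41 both describe properties that can be verified on the issued end-entity certificate itself rather than only in the CP/CPS text: the certificatePolicies extension must carry the accredited AP policyIdentifier, the RSA key length matters, and a longer validity is only permitted for keys held on hardware tokens, which this CA does not support. The script below is an added example and is not part of the presentation or of SRCE CA's tooling. It audits a PEM certificate with the openssl command line, generates two constructed self-signed test certificates to run against, and makes three assumptions that are not on the page: the OID 1.3.6.1.4.1.99999.42.1 is a placeholder for the real Classic AP policy OID (which the slide elides), 395 days is a hypothetical maximum validity for software-held keys, and the DC=hr/DC=srce subject is illustrative.

```shell
#!/bin/sh
# Added example (not from the SRCE CA presentation): audit an end-entity
# certificate for the checkable points of self-audit items 7.38 and 5.41.
# Assumptions: OID 1.3.6.1.4.1.99999.42.1 is a placeholder for the accredited
# AP policy OID; MAX_DAYS is an assumed limit for keys not held on a token.
set -eu

OID="1.3.6.1.4.1.99999.42.1"   # hypothetical policy OID; substitute the real one
MAX_DAYS=395                    # assumed maximum validity for software keys
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME KEYBITS DAYS [POLICY_OID]
# Writes a constructed self-signed test certificate to $WORK/NAME.pem.
gen_cert() {
  name=$1; bits=$2; days=$3; policy=${4:-}
  set -- openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$WORK/$name.key" \
         -out "$WORK/$name.pem" -days "$days" -subj "/DC=hr/DC=srce/CN=$name"
  [ -n "$policy" ] && set -- "$@" -addext "certificatePolicies=$policy"
  "$@" 2>/dev/null
}

# audit_ee_cert CERT.pem
# Prints each failed check and returns the number of failures (0 = compliant).
audit_ee_cert() {
  cert=$1; fails=0
  text=$(openssl x509 -in "$cert" -noout -text)

  # 7.38: certificatePolicies must carry the accredited AP policyIdentifier
  if ! printf '%s\n' "$text" | grep -q "Policy: $OID\$"; then
    echo "  FAIL policyIdentifier $OID not present in certificatePolicies"
    fails=$((fails + 1))
  fi

  # RSA modulus must be at least 2048 bits (5.41 treats 1024-bit keys as the weaker class)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "  FAIL RSA key is ${bits:-unknown} bits, need >= 2048"
    fails=$((fails + 1))
  fi

  # 5.41: without a hardware token the certificate must not outlive MAX_DAYS.
  # "openssl x509 -checkend N" succeeds when the cert is still valid N seconds
  # from now, which for a freshly issued cert means the validity is too long.
  if openssl x509 -in "$cert" -noout -checkend $((MAX_DAYS * 86400)) >/dev/null; then
    echo "  FAIL validity exceeds $MAX_DAYS days (only allowed for hardware tokens)"
    fails=$((fails + 1))
  fi
  return $fails
}

# Constructed inputs: a compliant certificate and one that violates all three checks.
gen_cert good 2048 365 "$OID"
gen_cert bad  1024 1000
for name in good bad; do
  echo "$name.pem:"
  if audit_ee_cert "$WORK/$name.pem"; then echo "  PASS"; fi
done
```

Run it as a plain POSIX shell script with openssl 1.1.1 or newer on the PATH (the `-addext` option needs that version). To audit real issued certificates, drop the constructed `gen_cert` calls and call `audit_ee_cert` on each PEM file exported from OpenCA; the return value can feed a batch report of which issued certificates still lack the policy OID once the CP/CPS update described above is in force.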

Records Archival: B – 8.45
- Item description: These records must be kept for at least three years, and the identity validation records must be kept at least as long as there are valid certificates based on such a validation.
- Status: The CP/CPS does not define archiving of identity validation records.
- Practice: We make photocopies of IDs and store them permanently in a safe deposit.
- Comment: This requirement was added in Classic AP 4.1.
- Solution: Will be added in the next CP/CPS update.

Registration Authority

Records and Archival: A – 2.11
- Item description: The RA must record and archive all requests and confirmations.
- Comment: All RAs use the central OpenCA instance, which archives all requests and confirmations.

Conclusion
- The CA certificate is due for renewal this year
- The CP/CPS will be updated at the same time, incorporating:
  - the changes proposed in this self-audit
  - changes proposed by the reviewers
  - changes in Classic AP 4.3

Thank You! Questions?