Guidelines for auditing Grid CAs

Presentation transcript:

Guidelines for auditing Grid CAs Yoshio Tanaka AIST, Japan

Background
  - APGrid PMA is doing external (mutual) audits. The purpose of auditing is to improve CA operation.
  - NAREGI has subjectively selected audit items from the WebTrust(TM) criteria, based on the minimum CA requirements.
  - It would be helpful to have documentation which
      justifies the choices, and
      describes the detailed procedures of auditing, e.g. how each item should be verified: by document review, interview, or inspection?

Proposed contents (1/4)
  - Introduction
  - Audit checklist: describes the audit items and justifies them.
  - Procedures of auditing
      Pre-examination: static review of documents (~weeks)
        CP/CPS
        Manuals for subscribers (e.g. enrollment manual)
        Operational manuals (for CA operators)
        CA repository: check whether all documents described as "published on the repository" in the CP/CPS are actually available
          CA certificate
          CRL
          End entity certificates
        HSM manual (or the appropriate web site)
      As a result of the pre-examination, the auditor prepares score sheets and identifies the issues that need to be raised in the interview.

Proposed contents (2/4)
  - Procedures of auditing (cont'd)
      Main examination: interview & inspection (half day)
        Interview (~3 hours)
          All issues which were not clarified by the static review are raised with the CA operators.
          An auditor is especially interested in:
            How the CA private key is protected (including access control to the CA room).
            Have enough events been recorded?
            The flow chart of issuing end entity certificates:
              (1) generate a key pair
              (2) send a CSR
              (3) RA verifies the end entity
              (4) RA communicates with the CA
              (5) CA issues an end entity certificate
              (6) the end entity obtains her/his certificate

Proposed contents (3/4)
  - Procedures of auditing (cont'd)
      Main examination: interview & inspection (half day) (cont'd)
        Inspection (~1 hour)
          All archived logs
            CA system log
            emails
            records of how the RA verified end entities
            ...
          Facilities and devices
            CA room (how access is controlled)
            CA server (including its network connection)
            RA server
            Repository (web) server
            HSM
            backup media
            a safe box

Proposed contents (4/4)
  - Procedures of auditing (cont'd)
      Post-examination: draft report
        Send the report to the CA.
        The CA is requested to send back a report which describes its plans (including a schedule) for the improvements.
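The procedure on the preceding slides (pre-examination score sheet, repository check against what the CP/CPS claims is published, then routing of unresolved items to interview or inspection) can be written down as a small machine-readable checklist. The following Python is an added example, not part of the talk or of any APGrid PMA or NAREGI document: the item identifiers (REPO-1, KEY-1, LOG-1, RA-1), the CP/CPS excerpt, the repository listing and the sentence pattern "published on the repository at <URL>" are all constructed for the example.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    """How an audit item is verified, as the guidelines are meant to state per item."""
    DOCUMENT_REVIEW = "document review"
    INTERVIEW = "interview"
    INSPECTION = "inspection"


@dataclass
class AuditItem:
    ident: str            # hypothetical checklist identifier, constructed for this example
    description: str
    method: Method
    status: str = "open"  # "pass", "fail" or "open" (not yet settled by the static review)
    note: str = ""


def build_checklist():
    """A small hypothetical checklist; a real one would come from the audit guidelines."""
    return [
        AuditItem("REPO-1", "Documents the CP/CPS says are published are available", Method.DOCUMENT_REVIEW),
        AuditItem("KEY-1", "CA private key is protected, incl. access control to the CA room", Method.INTERVIEW),
        AuditItem("LOG-1", "Enough events are recorded in the CA system log", Method.INSPECTION),
        AuditItem("RA-1", "Records exist of how the RA verified end entities", Method.INSPECTION),
    ]


# Assumed wording of the CP/CPS; a real document needs its own pattern.
PUBLISHED_RE = re.compile(r"published on the repository at (https?://\S+)")


def published_urls(cpcps_text):
    """Every URL the CP/CPS claims is published on the repository (trailing punctuation stripped)."""
    return [url.rstrip(".,;") for url in PUBLISHED_RE.findall(cpcps_text)]


def check_repository(cpcps_text, repository_listing):
    """URLs the CP/CPS promises that the repository listing does not actually contain."""
    return [url for url in published_urls(cpcps_text) if url not in repository_listing]


def repository_finding(cpcps_text, repository_listing):
    """Turn the repository check into a (status, note) finding for the score sheet."""
    missing = check_repository(cpcps_text, repository_listing)
    return ("fail" if missing else "pass", ", ".join(missing))


def pre_examination(checklist, review_findings):
    """Static review: apply the auditor's findings (ident -> (status, note)); the rest stays open."""
    for item in checklist:
        if item.ident in review_findings:
            item.status, item.note = review_findings[item.ident]
    return checklist


def score_sheet(checklist):
    """Counts per status, the numbers that go on the pre-examination score sheet."""
    counts = {"pass": 0, "fail": 0, "open": 0}
    for item in checklist:
        counts[item.status] += 1
    return counts


def main_examination_agenda(checklist):
    """Route every item not settled by the static review to the interview or the inspection."""
    agenda = {"interview": [], "inspection": []}
    for item in checklist:
        if item.status == "pass":
            continue
        # Unresolved or failed document-review items are raised with the operators in the interview;
        # items verified by inspection go to the on-site inspection.
        bucket = "inspection" if item.method is Method.INSPECTION else "interview"
        agenda[bucket].append(item.ident)
    return agenda


# Constructed CP/CPS excerpt and repository listing (not from any real CA).
SAMPLE_CPCPS = """
The CA certificate is published on the repository at https://ca.example.org/cacert.pem.
The CRL is published on the repository at https://ca.example.org/crl.pem and is reissued daily.
The enrollment manual is published on the repository at https://ca.example.org/enroll.html.
"""
SAMPLE_REPOSITORY = {"https://ca.example.org/cacert.pem", "https://ca.example.org/crl.pem"}


if __name__ == "__main__":
    findings = {"REPO-1": repository_finding(SAMPLE_CPCPS, SAMPLE_REPOSITORY)}
    items = pre_examination(build_checklist(), findings)
    print(score_sheet(items))
    print(main_examination_agenda(items))
```

With the constructed input the enrollment manual is promised but absent, so REPO-1 fails and is carried into the interview together with the key-protection item, while the two log and record items are left for the inspection hour.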

Plans for drafting
  - NGO/Singapore uses a commercial CA (Netrust Inc.).
  - Netrust agreed to publish their audit report (confidential and available only to APGrid PMA auditors).
  - I'll review the audit report, then draft this document.
  - PROMISE: to draft by the next GGF in Tokyo.

A question
  - How to justify the audit checklist? The audit items were subjectively selected from the WebTrust(TM) criteria, based on the minimum CA requirements.
  - Does 'justify' mean to justify the minimum CA requirements?