Bill Yau (billyau_hpc@hku.hk) HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau (billyau_hpc@hku.hk)

Slides:

Advertisements

Similar presentations

Status of Auditing Guidelines Document Oct. 15 Yoshio Tanaka, AIST.

Advertisements

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

DESIGNING A PUBLIC KEY INFRASTRUCTURE

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

Data management in the field Ari Haukijärvi 2nd EHES training seminar.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

KFKI CA József Kadlecsik KFKI RMKI

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Academia Sinica Grid Computing Certification Authority (ASGCCA)

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

KISTI Grid CA Operation KISTI Supercomputing Center Sangwan Kim, Soonwook Hwang CA Operators Contact: Jan. 8, 2007.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

KEK GRID CA updates Takashi Sasaki Computing Research Center KEK.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly

0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

NIIF CA Status Update and Self-Audit Results 15 th EUGridPMA meeting Nicosia Tamás Máray NIIF Institute.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

HKU Computer Centre Grid Certificate Authority Status Update Lilian Chan IT Services, The University of Hong Kong APGrid.

FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,

BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Feyza Eryol TÜBİTAK ULAKBİM TR-GRID CA SELF-AUDIT & UPDATES.

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;

29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.

TNGrid CA 24 th EUGridPMA meeting Ljubljana, Slovenia, January, 2012 Heithem ABBES Mohamed JEMNI

H I A S T HIAST GRID CA 21 th EUGridPMA meeting Utrecht, January, 2011 Ghassan SABA Houssam ABED

IRAN-GRID Certificate Authority 13 th EUgridPMA Meeting Copenhagen May 2008 Majid Arabgol Hessamdding Arfaei Shahin Rouhani

Self-Audit & Status Report for KEK GRID CA Hiroyuki Matsunaga KEK (High Energy Accelerator Research Organization), Computing Research Center APGridPMA.

26-28 January 2009 – Nicosia, EUGridPMA CALG CP/CPS updates Dana Ludviga LatGrid CA, SigmaNet, IMCS UL.

PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.

IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.

J Jensen, STFC Chief Soapbox Officer 23 May 2017

AEGIS Certification Authority

UGRID CA Sergii Stirenko, Oleg Alienin

Guidelines for auditing Grid CAs

HellasGrid CA & euGridPMA

THE STEPS TO MANAGE THE GRID

Public Key Infrastructure (PKI)

جايگاه گواهی ديجيتالی در ايران

MaGrid CA Self audit and update

NATIONAL CENTRE FOR PHYSICS PK-Grid-CA

Emir Imamagić University Computing Centre (Srce)

MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019

HKU Grid Certificate Authority (HKU Grid CA) CP/CPS Reviewer’s Comments Bill Yau

KISTI CA Report Status & Self-Audit

BG.ACAD CA Self-audit report 2018

National Trust Platform

Presentation transcript:

Bill Yau (billyau_hpc@hku.hk) HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau (billyau_hpc@hku.hk)

Operating Organization HKU Grid CA ~ Classical offline CA operates since 2009 Examines subscriber’s information Approve CA and RA operator to operate affairs CA Manager Accept subscribing request Check subscribers’ information for consideration of approval RA Operator Operate and maintain the CA signing server & CA web server Manage CA private key and its copy Operate CA tasks: issue/revoke/rekey certificate and issue CRL Update CP/CPS, operation manuals and security documents CA Operator Help users related to HKU Grid CA operation Helpdesk Pui Tak HO Wing Keung KWAN Wing Keung KWAN Lilian CHAN Bill Yau Pui Tak HO, Wing Keung KWAN, Lilian CHAN , Bill Yau

Issued Certificates CN=HKU Grid CA User certificates 44 (As of 25th Mar, 2019) CN=HKU Grid CA User certificates Valid Expired/Revoked 44 Host Certificates 6 118 HKU GridCA 2 3 2 26

Materials Used for Auditing Guidelines for auditing Grid CAs version 1.1 Relevant IGTF Authentication Profile version 5.0 HKU Grid CA CP/CPS v3.0 (RFC 3647) CA Repository: http://ca.grid.hku.hk/ CA Certificate, CRL, End-Entity certificates Document published on the web repository: Certificate application procedure Certificate renew and revocation procedure

Operation Inspection Items CA room Located in the HKU ITS server room. Restricted to authorized people can access and all events are recorded. RA and CA machines Both are running on dedicated machines. CA signing machine is dedicated to CA operation and is completely offline. Backup media of the CA private key and its place Media storage of archived logs and other documents and their place Locked in safe deposit box which is located at another room where access control is restricted. Logs of RA and CA servers Records of operation of the RA and CA Access log to the CA room

Summary of Self Audit Result Score A (Good) 63 Score B (Minor Change) 1 Score C (Major Change) Score D (Must Change) Score X (Could not evaluate) 3

Score B (Minor Change) CA Key (14) Copies of the encrypted private key must be kept on offline media and only in secure places where access is controlled. During the auditing, we found that we have forgotten to create a paper-based backup of the private key as specified in the CP/CPS. CD-ROM based copy of the private key is safe and secure. The University of Hong Kong