National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

Presentation transcript:

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio Tanaka Information Technology Research Institute AIST, Japan

Issued certificates
User certificates: 154 (136); valid: 32 (31); invalid (revoked or expired): 122 (105)
Host certificates: 2204 (1706); valid: 397 (509); invalid (revoked or expired): 1647 (1197)
LDAP certificates: 264 (262); valid: 33 (33); invalid (revoked or expired): 231 (229)

At first: the Grid Technology Research Center completed its term last March (its final period ran January to March 2008). Since April we belong to the Information Technology Research Institute. "Grid Technology Research Center" has been replaced by "Information Technology Research Institute" in the CP/CPS.

Results of self-auditing: Score B
(22) Certificate revocation can be requested by users, the registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.
Finding: the CP/CPS does not state that "others can request revocation."
Updated CP/CPS text, "Who can request revocation": Subscribers, the AIST GRID RA and the AIST GRID CA can request revocation. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.

Results of self-auditing: Score B
(23) The CA must react as soon as possible, but within one working day, to any revocation request received.
Finding: the CP/CPS does not state "but within one working day."
Updated CP/CPS text, "Revocation request grace period": AIST GRID CA will process revocation as soon as it receives the request, but at least within one working day. The revocation information will be published to the AIST GRID PKI repository.

Results of self-auditing: Score B
(24) An end entity must request revocation of its certificate as soon as possible, but within one working day after detection of…
Finding: the CP/CPS does not state "but within one working day."
Updated CP/CPS text, "End entity, host administrator obligation": … - Instruct the CA to revoke the certificate promptly, but at least within one working day, upon any actual or suspected loss, disclosure, or other compromise of the subscriber's private key.

Results of self-auditing: Score B
(43) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed.
(45) Certificates may be renewed or re-keyed for more than 5 years without a form of identity and eligibility verification, and this procedure must be described in the CP/CPS.
Finding: the CP/CPS does not clearly distinguish re-key and renew.
Updated CP/CPS text, 3.2 Routine Rekey: An enrollment request is necessary if the certificate has expired. AIST GRID CA does not allow re-issuing a new end-entity certificate using the same key pair as an already issued certificate. End-entity certificates may be rekeyed for less than 5 years without a form of identity and eligibility verification. If an end-entity certificate has been rekeyed for 5 years, the initial identity vetting procedures defined in CPS [3.1 Initial registration] are required.

Results of self-auditing: Score C
(15) When the CA's cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.
(16) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures (and the secret key to sign CRLs) until all the certificates signed using the associated private key have also expired.
Finding: the CP/CPS does not describe the transition procedure.
Updated CP/CPS text, 3.2 Routine Rekey: When the root CA certificate is about to expire, AIST GRID CA will issue a new root CA certificate at least one year before the expiration. From the time of distribution of the new CA certificate, only the new key will be used for certificate signing purposes. The older but still valid certificate must be available to verify old signatures (and the secret key to sign CRLs) until all the certificates signed using the associated private key have also expired.

Results of self-auditing: Score C
(25) Revocation requests must be properly authenticated.
Finding: the authentication of revocation requests described in the CP/CPS applies only to the following case: a user who holds a valid certificate and the corresponding private key requests revocation of her/his own user or host certificate.
Updated CP/CPS text, 3.4 Revocation request: If a revocation request for a certificate is made by the owner of the certificate and the owner has the corresponding private key, the revocation request is authenticated by possession of the private key. Otherwise, the revocation request is authenticated by the RA either by face-to-face meeting, phone call or exchanging e-mails.

Last one
The AIST GRID CA certificate was valid for 5 years. AIST GRID CA will change the validity period of the root CA certificate to 20 years. A new OID has been assigned.
Updated CP/CPS text, 4.7 CA certificate validity: CA certificate validity is 20 years. The CA will stop signing new user certificates with its private key before its remaining validity becomes shorter than the validity of user certificates.
Certification Practices Statements, CA Certificate Policy
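The timing rules the slides above adopt (the one-working-day revocation grace period of item (23), the key rollover overlap of item (16), the 5-year rekey limit in CPS 3.2, and the "stop signing before the CA outlives its subscribers" rule in CPS 4.7) can be expressed as a small policy check. This is an added example, not part of the presentation or of AIST GRID CA's software; it assumes a maximum end-entity certificate validity of one year (not stated on the slides) and treats only Saturday and Sunday as non-working days.

```python
from datetime import datetime, timedelta

# Assumption (not on the slides): end-entity certificates are valid at most one year.
EE_MAX_VALIDITY = timedelta(days=365)
# From CPS 3.2: rekey without repeating identity vetting is allowed for less than 5 years.
REKEY_WITHOUT_VETTING = timedelta(days=5 * 365)


def revocation_deadline(received: datetime) -> datetime:
    """Item (23): the CA must react 'within one working day' of receiving a request.
    Assumption: only Saturday and Sunday are non-working days (no holiday table)."""
    deadline = received + timedelta(days=1)
    while deadline.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        deadline += timedelta(days=1)
    return deadline


def rollover_overlap_ok(old_ca_not_after: datetime, new_ca_distributed: datetime,
                        ee_validity: timedelta = EE_MAX_VALIDITY) -> bool:
    """Item (16): once the new CA key takes over signing, the old CA certificate must
    stay valid (to verify old signatures and to sign CRLs) for at least the longest
    end-entity validity, so every certificate it signed expires before it does."""
    return old_ca_not_after - new_ca_distributed >= ee_validity


def rekey_needs_vetting(initial_vetting: datetime, rekey_time: datetime) -> bool:
    """CPS 3.2: after 5 years of rekeying, the initial identity vetting (CPS 3.1)
    must be repeated before another certificate is issued."""
    return rekey_time - initial_vetting >= REKEY_WITHOUT_VETTING


def ca_may_sign(ca_not_after: datetime, now: datetime,
                ee_validity: timedelta = EE_MAX_VALIDITY) -> bool:
    """CPS 4.7: the CA stops signing new user certificates once its own remaining
    validity is shorter than the certificate it would issue, so no end-entity
    certificate outlives the CA certificate that signed it."""
    return now + ee_validity <= ca_not_after


if __name__ == "__main__":
    # Constructed dates: a request received on Friday 12 Sep 2008 is due on Monday.
    print(revocation_deadline(datetime(2008, 9, 12, 15, 0)))
    # Constructed: a CA expiring 16 Sep 2028 can no longer issue one-year certs in 2028.
    print(ca_may_sign(datetime(2028, 9, 16), datetime(2028, 1, 1)))
```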