NECTEC-GOC CA Self Audit, 7th APGrid PMA Face-to-Face meeting, March 8th, 2010. Sornthep Vannarat, Large-Scale Simulation Research Laboratory, National Electronics and Computer Technology Center, Thailand

Presentation transcript:

1 NECTEC-GOC CA Self Audit, 7th APGrid PMA Face-to-Face meeting, March 8th, 2010. Sornthep Vannarat, Large-Scale Simulation Research Laboratory, National Electronics and Computer Technology Center, Thailand

2 Outlines » NECTEC-GOC CA » Self Audit » Certification Authority » Registration Authority » Summary

3 Overview » NECTEC-GOC CA is operated by the Large-Scale Simulation Research Laboratory » Accredited by APGrid PMA in October 2006 » Compliant with Classic AP version 4.2 » Certificates for the collaborators related to NECTEC Grid Computing research » Initial lifetime » 10 years, until January 2017 » Software » OpenCA software version 0.9.6

4 System Architecture » OpenCA » Online interface (RA) » Used by EEs for certificate requests » Used by RAs for request confirmations » Offline (CA) » CA machine kept in a safe deposit box accessible to CA staff only » Data transfer via USB » Data backup performed after each operation

5 Certificates Status » Total: 105 issued certificates » User: 61 » Host: 44 » Valid: 71 certificates » User: 53 » Host: 18 » Expired: 34 certificates » User: 8 » Host: 26 » Revoked: none

6 SELF AUDIT

7 Materials used for auditing » The following documents are referred to: » Guidelines for auditing Grid CAs version 1.0 - December 11th 2009 » NECTEC-GOC CA CP/CPS version 1.1 (RFC 2527) - August 2009 » NECTEC-GOC CA CP/CPS new version (RFC 3647, unapproved) » CA Repository - CA Certificate, CRL, End-Entity certificates » Other documents published on the web repository - Certificate application procedure - Certificate renewal and revocation procedure

8 Materials used for auditing » The following are the subjects of the inspection: » CA room » RA and CA machines » Backup media of the CA private key and its location » Storage media of archived logs and other documents and their location, e.g. safe deposit box » Logs of RA and CA servers » Records of operation of the RA and CA » Access log to the CA room

9 CA » No immediate change (1): 1 (3) Network of RAs » Already in new version (6): 1 (6) all versions of CP/CPS on web; 1 (7) RFC 3647 structure; 3 (15) CA pass phrase backup on offline media; 3 (17) CA key change; 3 (18) CA key change overlap; 5 (24) CA reaction to revocation requests » To be added to new version (3): 5 (25) Revocation request (subscriber obligation); 7 (42) Re-verification for rekeying; 9 (47) Annual operational audit » Not relevant (2): 3 (16) online CA log; 7 (41) renewal of key in HW token

10 RA » Already in new version (3): 1 (3) Secure ID validation for non-personal certificates; 1 (4) Authorization of host/service certificates; 1 (5) Association of CSR for host/service certificates » To be added to new version (2): 1 (7) CSR bound to ID vetting; 3 (11) How to inform CA/RA about EE status change » Question (1): 1 (6) Identity retaining

11 SELF AUDIT RESULTS: CERTIFICATION AUTHORITY

12 1. CP/CPS » (3) There should be a single end-entity issuing CA with a wide network of RAs. » Score: B » Status: The CP/CPS describes a single end-entity issuing CA with one RA operator. » Practice: Currently there is only one RA operator, since the user community is still small.

13 1. CP/CPS » (6) All the CP/CPS under which valid certificates are issued must be available on the web. » Score: B » Status: - The CP/CPS does not state that all versions of the CP/CPS under which valid certificates are issued must be available on the web. - All versions (two) of the CP/CPS are available on the web. » Solution: - The new version of the CP/CPS states that all CP/CPS under which valid certificates are issued are published on the web.

14 1. CP/CPS » (7) The CP/CPS documents should be structured as defined in RFC 3647. » Score: B » Status: The current CP/CPS is structured as defined in RFC 2527. » Solution: A new version of the CP/CPS which conforms to RFC 3647 has been drafted, but it has not yet been approved by APGrid PMA.

15 3. CA Key » (15) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used. » Score: B » Status: The current CP/CPS does not describe the backup of the pass phrase. » Solution: The procedure appears in the new version of the CP/CPS, which describes that the pass phrase is kept in a sealed envelope.

16 3. CA Key » (16) The on-line CA architecture must provide for a log of issued certificates and signed revocations. The log should be tamper-protected. » Score: X » Status: Could not evaluate. » Practice: The CA system is completely offline.

17 3. CA Key » (17) When the CA’s cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes. » Score: C » Status: The CP/CPS does not describe the transition of the CA’s cryptographic data. » Solution: The new version of the CP/CPS describes that when the CA’s cryptographic data is changed, from the time of distribution of the new cryptographic data only the new CA certificate will be used for certificate signing purposes.

18 3. CA Key » (18) The overlap of the old and new keys must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures – and the secret key to sign CRLs – until all the certificates signed using the associated private key have also expired. » Score: C » Status: The CP/CPS does not describe how to handle such situations. » Solution: The new version of the CP/CPS describes that the overlap of the old and new CA certificates must be at least the longest time an end-entity certificate can be valid (1 year). The old CA certificate will remain valid and available to verify old signatures, and the old secret key will be used to sign CRLs, until all the certificates signed using the associated private key have also expired.
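Items (17) and (18) together fix a schedule for any CA key change: the new CA certificate must be distributed at least one maximum end-entity lifetime before the old one expires, and the old key stays in service for CRLs until the last certificate it signed expires. The checker below is an added example, not code from the NECTEC-GOC CA or the slides; it uses the page's 1-year end-entity lifetime and January 2017 CA expiry, while the exact expiry day and the rollover dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not from the NECTEC-GOC CA slides: a checker for the CA key
# rollover rules in audit items (17) and (18). The only page facts used are the
# CA certificate expiring in January 2017 and the 1-year end-entity lifetime;
# the exact expiry day and the rollover dates below are constructed.

MAX_EE_VALIDITY = timedelta(days=366)   # longest EE validity: 1 year (leap-safe)
OLD_CA_NOT_AFTER = date(2017, 1, 31)    # assumed exact expiry of the 10-year CA cert


@dataclass
class RolloverPlan:
    old_ca_not_after: date           # expiry of the old CA certificate
    new_ca_distributed: date         # day the new CA certificate is published (17)
    last_ee_issued_with_old: date    # last EE certificate signed with the old key
    max_ee_validity: timedelta = MAX_EE_VALIDITY


def latest_new_ca_distribution(old_ca_not_after, max_ee_validity=MAX_EE_VALIDITY):
    """Item (18): the old/new overlap must be at least the longest EE validity,
    so the new CA certificate must be distributed no later than this date."""
    return old_ca_not_after - max_ee_validity


def old_key_retention_until(plan):
    """The old CA certificate (to verify old signatures) and the old private key
    (to sign CRLs) must stay available until the last EE cert it signed expires."""
    return plan.last_ee_issued_with_old + plan.max_ee_validity


def check_rollover(plan):
    """Return audit findings for the plan; an empty list means (17)/(18) hold."""
    findings = []
    overlap = plan.old_ca_not_after - plan.new_ca_distributed
    if overlap < plan.max_ee_validity:
        findings.append(f"(18) overlap of {overlap.days} days is shorter than the "
                        f"longest EE validity of {plan.max_ee_validity.days} days")
    if plan.last_ee_issued_with_old > plan.new_ca_distributed:
        findings.append("(17) EE certificates were still signed with the old key "
                        "after the new CA certificate was distributed")
    if old_key_retention_until(plan) > plan.old_ca_not_after:
        findings.append("(18) an EE certificate signed with the old key outlives "
                        "the old CA certificate, so old signatures become unverifiable")
    return findings


# Constructed plans: one that rolls over a year ahead, one that waits too long.
COMPLIANT_PLAN = RolloverPlan(OLD_CA_NOT_AFTER, date(2016, 1, 15), date(2016, 1, 14))
LATE_PLAN = RolloverPlan(OLD_CA_NOT_AFTER, date(2016, 9, 1), date(2016, 9, 1))

if __name__ == "__main__":
    print("distribute new CA cert by:", latest_new_ca_distribution(OLD_CA_NOT_AFTER))
    for name, plan in (("compliant", COMPLIANT_PLAN), ("late", LATE_PLAN)):
        print(name, check_rollover(plan) or ["no findings"])
```

For the assumed expiry the new CA certificate has to be published by the end of January 2016; waiting until September 2016 fails the overlap rule and leaves old-key certificates that outlive the old CA certificate.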

19 5. Certificate Revocation » (24) The CA must react as soon as possible, but within one working day, to any revocation request received. » Score: B » Status: The current CP/CPS does not specify the time period within which the CA reacts to revocation requests. » Solution: The new version of the CP/CPS describes that the CA processes a certificate revocation request within one working day after receiving it.

20 5. Certificate Revocation » (25) Subscribers must request revocation of their certificate as soon as possible, but within one working day after detection of: - loss or compromise of the private key pertaining to the certificate, - data in the certificate no longer being valid. » Score: B » Status: The CP/CPS does not include the EE obligation to request revocation if he/she lost or compromised the private key or if any data in the certificate is no longer valid. » Solution: Will be added in the new version of the CP/CPS.

21 7. End Entity Certificates and keys » (41) Certificates associated with a private key residing solely on a hardware token may be renewed for a period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits). » Score: X » Status: Could not evaluate. » Practice: This CA does not support renewal.

22 7. End Entity Certificates and keys » (42) Certificates must not be renewed or re-keyed for more than 5 years without a form of auditable identity and eligibility verification, and this procedure must be described in the CP/CPS. » Score: C » Status: The CP/CPS does not describe the re-verification and identity authentication processes required for entities on or prior to 5 years from the original or initial identity authentication. » Solution: Will be added in the new version of the CP/CPS.

23 9. Audits » (47) Every CA should perform operational audits of the CA/RA staff at least once per year. » Score: C » Status: The CP/CPS does not require that the CA perform operational audits. The CA has never performed an operational audit. » Solution: Will be added in the new version of the CP/CPS.

24 SELF AUDIT RESULTS: REGISTRATION AUTHORITY

25 1. Entity Identification » (3) In case of non-personal certificate requests, an RA should validate the identity and eligibility of the person in charge of the specific entities using a secure method. » Score: C » Status: The CP/CPS does not describe that the RA validates the identity of a person requesting a host/service certificate. In practice, the RA checks that the requester holds a valid certificate. » Solution: The new version of the CP/CPS describes that the person requesting a host/service certificate must be a valid subscriber of NECTEC-GOC CA.

26 1. Entity Identification » (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate. » Score: C » Status: The CP/CPS does not describe that an RA ensures that the requestor is appropriately authorized by the owner of the FQDN. However, the RA practices the procedure below. » Solution: The new version of the CP/CPS describes that the RA operator must obtain proof of such authorization, such as an official letter or specific information set in the DNS record of that domain.

27 1. Entity Identification » (5) An RA must validate the association of the certificate signing request. » Score: C » Status: The CP/CPS does not describe that the RA ensures that the requestor is appropriately authorized by the owner of the FQDN. However, the RA practices the procedure below. » Solution: The procedure is described in the new version of the CP/CPS: - requestor = valid user, - FQDN in CSR = FQDN in application form, - e-mail address in CSR = e-mail address in application form and in user certificate

28 1. Entity Identification » (6) The CA or RA should have documented evidence on retaining the same identity over time. » Questions to the PMA: - Does this mean the identity of the user should be retained? - If the same individual, using the same name, belonging to the same organization, re-applies for a personal certificate, should the certificate have the same "subject name" as the one issued earlier? - If the same individual, using the same name, belonging to a *different* organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier? - If the same individual, using a *different* name, but still belonging to the same organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier? - If the same individual, using a *different* name, belonging to a *different* organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier? - If a *different* individual, who happens to use the same name, belonging to the same organization, applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier?

29 1. Entity Identification » (7) The certificate request submitted for certification must be bound to the act of identity vetting. » Score: C » Status: Neither the current nor the new version of the CP/CPS describes this. » Solution: Will be added in the new version of the CP/CPS: the RA operator checks whether the e-mail address specified in the application form matches that in the CSR. The certificate will be delivered via this address.

30 3. RA to CA communications » (11) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate. » Score: C » Status: The CP/CPS has no description of how the CA or the RA is informed of any changes. » Solution: Will be added in the new version of the CP/CPS: the user must inform the RA and CA operators of any changes that may affect the status of the certificate.

31 Summary » Total number of items: 68 » Results: » 50 As - Good » 6 Bs - Recommendation (minor changes) » 9 Cs - Recommendation (major changes) » 2 Xs - Could not evaluate (N/A) » Changes: » Improving the CP/CPS; no critical effects on current/immediate operation