1. NIIF CA Status Update and Self-Audit Results 15 th EUGridPMA meeting 27.01.2009 Nicosia Tamás Máray maray@niif.humaray@niif.hu NIIF Institute

2. 27.01.2009.15th EUGridPMA meeting - Nicosia2 Agenda General information Current status of CA – statistics Results of the self-audit Actions taken Future plans

3. 27.01.2009.15th EUGridPMA meeting - Nicosia3 General Information NIIF CA is an X.509 PKI CA with online CA infrastructure (Sun CMS + HSM: Chrysalis Luna crypto HW) It was accredited by the EUGridPMA in 2005 January during the Marseille meeting It provides free X.509 user and host certificates mainly for the academic user community (research and higher education) in Hungary but also for some companies participating in EU FP projects Located in Budapest, operated by NIIF Institute (the Hungarian NREN)

4. 27.01.2009.15th EUGridPMA meeting - Nicosia4 Current Status of CA As of yesterday: –617 CERTs are issued in total –183 CERTs are valid –394 CERTs are expired –40 CERTs are revoked About 15% of all the CERTs are for hosts, 85% for users

5. 27.01.2009.15th EUGridPMA meeting - Nicosia5 The Self-Audit What it meant to be: A thoroghful review of –the operation of the CA, –the documents, –the identification process involving the entire staff responsible for running the CA Review is based on Yoshio Tanaka’s “Guidelines for auditing Grid CAs version 1.0-b6” published in September 2008

6. 27.01.2009.15th EUGridPMA meeting - Nicosia6 Results Very serious problems were not detected. Issues found: –Operational manual is missing –The CPS/CP documents are still organised according to RFC 2527 –Q10: The secure environment is documented only in Hungarian (NIIF’s internal regulation documents, ISO 9001:2008, ISO/IEC 27001:2005) therefore it is not available to the PMA Score: B –Q17 and Q18: root key renewal process is not satisfyingly addressed. Discussion of the overlap issue is missing… Score: B

7. 27.01.2009.15th EUGridPMA meeting - Nicosia7 Results (cont.) Issues found: –Q32: multiple, simultaneous revocations have not been tested yet… Score: X –Q43: FQDN is not included in the SubjectAlternativeName in host certificates Score: B(?) –Q53: yearly operational audit of the CA/RA staff was not a practice before (though a regular, internal NIIF service reporting procedure is implemented) Score: B –Q62: disaster recovery procedure is not described in CPS/CP (though a general procedure description do exist for the NIIF as a whole) Score: C

8. 27.01.2009.15th EUGridPMA meeting - Nicosia8 Actions taken An audit report was prepared, giving answer to *all* the audit questions Moreover, decisions were made about: Simplifying the certification request process (leaving out the requirement of the “project manager’s” approval of the request from the Pre-Authorisation phase) –Done Simplifying the operation (quitting the former log server, archiving the logs directly from the TCB) –Done Simplifying the documentation work (CPS/CP are only published in English, Hungarian version is not maintained anymore) –Done Modifying the CPS/CP documents accordingly –Done. (Version 1.4 is prepared.)

9. 27.01.2009.15th EUGridPMA meeting - Nicosia9 Future Plans Preparation of the operation manual Preparation of the CA’s disaster recovery plan Reorganising CPS/CPs according to RFC 3647 Including FQDN in the SubjectAlternativeName in host certificates(?) Implementing a yearly operational audit of the CA

10. Thank you!