
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM


1 TR-GRID CA Self-Auditing Results and Status Update. EUGridPMA Meeting, September 12-14, 2011, Marrakesh. Feyza Eryol, Onur Temizsoylu, TUBITAK-ULAKBIM (feyza@ulakbim.gov.tr, onurt@ulakbim.gov.tr)

2 Overview
● General information
● Current status of the CA (updates & statistics)
● Self-auditing results
● What has been done so far after auditing?
● Conclusion
September 12-14 EUGridPMA Marrakesh Meeting

3 Introduction
● TR-Grid CA is a traditional X.509 PKI CA with an offline issuing CA configuration.
● It was accredited at the 5th EUGridPMA Meeting in Poznan, in September 2005.
● It provides X.509 certificates for academic research and educational activities in Turkey; so far they are only used by TRUBA users and hosts in grid activities.
● From TR-GRID (Turkish National Grid Infrastructure) to TRUBA (Turkish Science e-Infrastructure).
● It is located in Ankara and managed by TUBITAK-ULAKBIM.

4 Updates
● The TR-Grid CA self-audit was presented in Amsterdam, in January 2008.
● The CP/CPS had been re-written in RFC 3647 format.
● All necessary corrections/clarifications had been made in the CP/CPS.
● The OpenSSL configuration was updated/corrected.
● The online CA repository was updated.

5 Updates - 2
● The TR-Grid CA root certificate was re-generated in September 2009, with the same key, new validity dates and new extensions.
● The following reference documents were used:
  ● IGTF-AP-Classic v4.2
  ● Grid Certificate Profile (GFD.125)
● CP/CPS updated.
● OpenSSL configuration updated to guarantee that all certificates and CRLs are issued with the accurate profile.
● The information on TACAR was updated.

6 Statistics
CA:
● So far around 990 certificates issued.
● So far around 200 certificates revoked.
● Currently about 200 valid user certificates.
● Currently about 30 valid host certificates.
RA:
● Currently there are 4 RA centers, 1 main + 3 regional: Ankara (main), Kayseri, Adana, Denizli.
● Identity validation is performed by video conference where the geographical location of the subject is remote.

7 Self Auditing
● Guidelines for auditing Grid CAs version 1.1 (October 28, 2010) is used.
● Reference documents:
  ● IGTF-AP-Classic v4.3
  ● Grid Certificate Profile (GFD.125)
  ● Private Key Protection Guideline v1.1 (September 21, 2010)
General auditing impression:
● There are some items which should be in different sections of the CP/CPS.
● Certificates and CRLs are issued properly, as stated in the references.
● The archives of all records are not well organised; they need to be in an auditable form.

8 Self Auditing Results
● 52 items with score A (good)
● 10 items with score B (minor change)
● 1 item with score C (major change)
● 0 items with score D
● 3 items N/A

9 C – major change
3.2.1. Records Archival (12) – The CA is responsible for maintaining an archive of these records in an auditable form.
● Documentation is OK, but it is not well organised in practice. All records are stored in different places, especially e-mails.
● Action: All records will be organised in an auditable form by the end of this year.

10 B – minor change
3.1.2 CA System (7)
● The CA system is a dedicated machine, but this is placed in section 6.1.1 of the CP/CPS.
● Action: It has been added to section 6.5.1 too.
3.1.6 CRL (29, 30)
● The CA issues a new CRL at least 7 days before expiration, but this is placed in section 2.3 of the CP/CPS.
● A new CRL is issued immediately after a revocation, but this is placed in section 2.3 of the CP/CPS.
● Action: Both have been added to section 4.9.9 too.

11 B – minor change
3.1.6 CRL (32)
● The CRLs are stated to be compliant with RFC 3280, which is the obsoleted predecessor of RFC 5280.
● Action: The CRL structure and extensions were checked; they are compliant with RFC 5280. This has been corrected in the CP/CPS document.
3.1.7 End Entity Certificates and Keys (40, 42)
● Certificates are re-keyed, and this is described on the web page of the CA, but not in a user manual.
● Certificates must not be re-keyed consecutively for 5 years without identity verification; this is applied in practice, but does not exist in a user manual.
● Action: Both will be added to the wiki page as a user manual.
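The two CRL items on slides 10 and 11 (RFC 5280 structure and extensions, and a new CRL at least 7 days before the current one expires) can be checked mechanically against a published CRL. The following Go program is an added example, not code from the presentation or from TR-Grid CA: it audits a parsed CRL with the standard crypto/x509 package and builds a constructed sample CRL signed by a throwaway Ed25519 key so the check runs offline. The section numbers in the findings refer to RFC 5280; the 7-day lead comes from the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ReissueLead is the slides' rule: a new CRL is issued at least 7 days before the current one expires.
const ReissueLead = 7 * 24 * time.Hour

// AuditCRL checks the RFC 5280 points a Grid CA audit looks at (CRL Number and AKI extensions) and the reissue lead.
func AuditCRL(crl *x509.RevocationList, now time.Time) []string {
	var findings []string
	if crl.Number == nil {
		findings = append(findings, "missing CRL Number extension (RFC 5280 5.2.3)")
	}
	if len(crl.AuthorityKeyId) == 0 {
		findings = append(findings, "missing Authority Key Identifier extension (RFC 5280 5.2.1)")
	}
	if crl.NextUpdate.IsZero() || !now.Add(ReissueLead).Before(crl.NextUpdate) {
		findings = append(findings, "nextUpdate absent or less than 7 days away: issue a new CRL now")
	}
	return findings // empty means the CRL passes every check
}
func must(err error) { // abort on any error while building the constructed sample below
	if err != nil {
		panic(err)
	}
}
// MakeSampleCRL builds a constructed CRL with the given lifetime, signed by a throwaway Ed25519 CA (not a TR-Grid key).
func MakeSampleCRL(lifetime time.Duration) *x509.RevocationList {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	ca, err := x509.ParseCertificate(der) // CRL issuer name and AKI are taken from the parsed CA cert
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(42), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(lifetime)}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, priv)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	return crl
}
```

To audit a real CRL, replace MakeSampleCRL with x509.ParseRevocationList over the DER bytes fetched from the CA repository and run AuditCRL on the result; a non-empty list is the audit finding.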

12 B – minor change
3.1.12 Compromise and Disaster Recovery (55)
● The CA must have compromise and disaster recovery procedures. The compromise procedure is placed in section 5.7.1, but disaster recovery is not.
● Action: The disaster recovery procedures have been added to the CP/CPS document.
3.2.1. RA Entity Identification (1, 4)
● The roles of the RA are described in different sections.
● The RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN.
● Action: Both have been added to section 4.1.2.

13 B – minor change
3.2.1. RA Entity Identification (6)
● The CA or RA must have documented evidence that the subject retains the same identity over time. This is done in practice, but does not exist in section 5.5.1.
● Action: It has been added to section 5.5.1.

14 First actions taken after auditing
● All corrections/clarifications have been made in the CP/CPS.
● The wiki page is designed to be updated for local users as a user manual.
● We have started to collect the e-mail logs in order to organise them.

15 Conclusion
● The auditing document is really useful and comprehensive enough for its purpose.
● Auditing was a good chance to address the recommendations of the Grid Certificate Profile.
● Each self-audit is a chance to correct the CP/CPS document and certificate profiles, and a chance to follow the improvements.

