18th EUGridPMA, Dublin / SRCE CA Self Audit. Emir Imamagić, SRCE, Croatia.

Presentation transcript:

1 SRCE CA Self Audit. Emir Imamagić, SRCE, Croatia. 18th EUGridPMA, Dublin.

2 Overview
- SRCE CA
- Self Audit
- Certification Authority
- Registration Authority
- Conclusion

3 SRCE CA

4 Overview
- Established in May 2006
- Issues certificates for the Croatian academic and research community
- Public web site: http://ra.srce.hr
- Email address: srce-ca@srce.hr
- Approved by EUGridPMA in July 2006
- Accredited under Classic AP 4.0

5 Organization
- CA and RA operated at SRCE
- Three staff members: Hrvoje Sute, Emir Imamagic, Dobrisa Dobrenic
- Two lightweight RAs:
  - ETFOS (Faculty of Electrical Engineering in Osijek, Croatia), Goran Martinovic
  - FESB (University of Split, Faculty of Electrical Engineering, Mechanical Engineering and Naval Architecture), Dubravko Balic

6 System Architecture
- OpenCA
- Online interface (RA):
  - used by end entities (EE) to submit certificate requests
  - used by RAs to confirm requests
  - deployed on the institute's main web server
- Offline CA:
  - hard drives kept in a safe accessible to CA staff only
  - data transfer between the online and offline systems is done via USB
  - data backup performed after each operation

7 Certificates
- Total: 364 issued certificates
  - Host: 161
  - User: 201
- Valid: 133 certificates
  - Host: 60
  - User: 73
- Revoked: 63
  - Host: 40 (mainly retired machines)
  - User: 23 (mainly forgotten passphrases and accidentally deleted private keys)

8 CP/CPS Update
- Version 1.1
- November 20th 2009
- Updated EE and CA certificate extensions
- Made compliant with the Grid Certificate Profile

9 SELF AUDIT

10 Versions
- Guidelines for auditing Grid CAs version 1.0 (November 11th 2009)
- SRCE CA CP/CPS version 1.1 (November 20th 2009)

11 Summary
- Total number of items: 68
- Marks:
  - C: 2
  - B: 3
  - X: 1
  - A: 62
- A few of the A items carry a comment or question

12 CERTIFICATION AUTHORITY

13 CP/CPS
- B – 1.4
- Item description: Whenever there is a change in the CP/CPS, the OID of the document must change, and the major changes must be announced to the responsible PMA and approved before any certificates are signed under the new CP/CPS.
- Status: The procedure is not explicitly defined in the CP/CPS.
- Practice: The updated CP/CPS is published to EUGridPMA before any new certificate is issued under it.
- Solution: Will be added in the next CP/CPS update.

14 CP/CPS
- C – 1.6
- Item description: The CP/CPS documents should be structured as defined in RFC 3647.
- Status: The CP/CPS is structured as defined in RFC 2527.
- Solution: We currently do not have the resources for such a major update. The current CP/CPS describes our practices well. We can consider restructuring in the future if strongly requested by the PMA and Relying Parties.

15 CA System
- A – 2.10
- Item description: The secure environment must be documented and approved by the PMA, and that document or an approved audit thereof must be available to the PMA.
- Comment: The system is partially described in sections of the CP/CPS; further documentation is available on the site's Wiki pages. Is this sufficient?

16 Certificate Revocation
- A – 5.23
- Item description: Certificate revocation can be requested by end entities, registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.
- Comment: Section 4.4.2 defines that revocation can be requested by the EE, the RA, and any other entity providing evidence. Section 1.3.2 defines that SRCE CA manages the functions of its RA. Is this sufficient?

17 Certificate Revocation
- B – 5.25
- Item description: Subscribers must request revocation of their certificate as soon as possible, and within one working day, after detecting that the private key pertaining to the certificate has been lost or compromised, or that the data in the certificate are no longer valid.
- Status: The CP/CPS does not define the one-working-day deadline.
- Comment: This requirement was added in Classic AP 4.1.
- Solution: Will be added in the next CP/CPS update.

18 End Entity Certificates and Keys
- C – 7.38
- Item description: End-entity certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. The policyIdentifier must include the OID of the Authentication Profile under which the Certification Authority has been accredited. For the Classic AP, the OID is 1.2.840.113612.5.2.2.1.
- Status: This is not defined in the CP/CPS.
- Comment: This requirement was added in Classic AP 4.2.
- Solution: Will be added in the next CP/CPS update.
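The policyIdentifier requirement on this slide is checked on the wire in the certificatePolicies extension (RFC 5280 section 4.2.1.4): a SEQUENCE of PolicyInformation entries, each starting with an OBJECT IDENTIFIER. The following is an added example, not SRCE CA's or OpenCA's code: it encodes that extension for a given list of policy OIDs, parses it back, and checks whether the Classic AP OID from the slide is present, using only the Python standard library. The second OID in the sample (1.3.6.1.4.1.99999.10.1.1) is a hypothetical placeholder for a CA's own CP/CPS OID, not the SRCE value.

```python
"""Encode and inspect an X.509 certificatePolicies extension (RFC 5280 4.2.1.4).

Added example, not SRCE CA tooling. Pure standard library, so it runs offline.
"""
from typing import List

# OID of the IGTF Classic Authentication Profile, as quoted on the slide.
CLASSIC_AP_OID = "1.2.840.113612.5.2.2.1"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2:
        raise ValueError("invalid OID: %s" % dotted)
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        # base-128 groups, most significant first, continuation bit on all but the last
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(groups))
    return _tlv(0x06, bytes(out))


def encode_certificate_policies(oids: List[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier }.
    Policy qualifiers (CPS URI, user notice) are omitted in this example."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    if acc or not subids:  # dangling continuation bit or empty OID
        raise ValueError("malformed OID")
    first = subids[0]
    top = 2 if first >= 80 else first // 40
    return ".".join(str(x) for x in [top, first - top * 40] + subids[1:])


def parse_certificate_policies(ext: bytes) -> List[str]:
    """Return the policyIdentifier OIDs found in a DER certificatePolicies value."""
    tag, seq, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)  # policyIdentifier is the first field
        if tag != 0x06:
            raise ValueError("policyIdentifier is not an OID")
        oids.append(decode_oid(oid))
    return oids


def has_classic_ap_policy(ext: bytes) -> bool:
    """The check audit item 7.38 asks for: is the Classic AP OID among the policies?"""
    return CLASSIC_AP_OID in parse_certificate_policies(ext)


# Constructed sample: a CA's own CP/CPS OID (hypothetical placeholder, not SRCE's)
# plus the Classic AP OID, which is what the audit item requires.
SAMPLE_CP_OID = "1.3.6.1.4.1.99999.10.1.1"
COMPLIANT_EXT = encode_certificate_policies([SAMPLE_CP_OID, CLASSIC_AP_OID])
NONCOMPLIANT_EXT = encode_certificate_policies([SAMPLE_CP_OID])

if __name__ == "__main__":
    print(COMPLIANT_EXT.hex())
    print(parse_certificate_policies(COMPLIANT_EXT), has_classic_ap_policy(COMPLIANT_EXT))
    print(parse_certificate_policies(NONCOMPLIANT_EXT), has_classic_ap_policy(NONCOMPLIANT_EXT))
```

On a real certificate the same bytes are the value of the extension with OID 2.5.29.32; `openssl x509 -in cert.pem -noout -text` prints them decoded under "X509v3 Certificate Policies", which is the quickest way to spot a CA that lists only its own CP/CPS OID and not the Authentication Profile OID.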

19 End Entity Certificates and Keys
- X – 5.41
- Item description: Certificates associated with a private key residing solely on a hardware token may be renewed for a validity period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits).
- Comment: The CA does not support keys residing on hardware tokens.

20 Records Archival
- B – 8.45
- Item description: These records must be kept for at least three years, and the identity validation records must be kept at least as long as there are valid certificates based on such a validation.
- Status: The CP/CPS does not define archiving of identity validation records.
- Practice: We make photocopies of IDs and store them permanently in a safe deposit.
- Comment: This requirement was added in Classic AP 4.1.
- Solution: Will be added in the next CP/CPS update.

21 REGISTRATION AUTHORITY

22 Records and Archival
- A – 2.11
- Item description: The RA must record and archive all requests and confirmations.
- Comment: All RAs use the central OpenCA instance, which archives all requests and confirmations.

23 Conclusion
- The CA certificate is due for renewal this year
- The CP/CPS update will be done at the same time, covering:
  - the changes proposed in this self audit
  - changes proposed by reviewers
  - changes introduced in Classic AP 4.3

24 Thank You! Questions?

