AEGIS Certification Authority

1 AEGIS Certification Authority
Dušan Radovanović
University of Belgrade Computer Centre
40th EUGridPMA meeting, May 2017, Ljubljana

2 Overview
Approved June 2007
Issues certificates to Serbian GRID community
CP/CPS and root cert updated January 2009 to reflect TLD change
Changed to SHA2
Extended the lifetime of root cert in March 2017

3 CA operation
CA operated by the staff of 2
Currently RA’s
Online web interface operated on main web server
Offline certs signing
SimplePKI software
Security

4 Certificates
Total issued: 1055
Total revoked: 102

5 Self Audit
Guidelines for auditing Grid CA’s v1.0.
C – 2
B – 3
X – 1

6 Self Audit – CP/CPS
4. - B Whenever there is a change in the CP/CPS the O.I.D. of the document must change and the major changes must be announced to the responsible PMA and approved before signing any certificates under the new CP/CPS.
Practice: Every change is announced to the PMA, but this procedure is not documented in CP/CPS.
Solution: Will add this procedure to CP/CPS.

7 Self Audit – EE certificates/keys
40. - B Each host certificate must be linked to a single network entity.
Practice: CP/CPS does not describe how each host certificate is linked to a single entity.
Solution: CP/CPS will be updated to describe this.

8 Self Audit – EE certificates/keys
41. / X The authority shall issue X.509 certificates to end entities based on cryptographic data generated by the applicant, or based on cryptographic data that is held only by the applicant on a secure hardware token.
Practice: We do not have support for hardware tokens.
Question: Should we add this in CP/CPS?

9 Self Audit – Audits
53. - B Every CA must perform operational audits of the CA/RA staff at least once per year.
Practice: We do not have an auditing manual and do not audit RA’s.
Question: Should the manual be written, or published on-line? Should the RA’s keep the identification verification documents, or send them to CA?

10 Self Audit – Privacy
61. - C Accredited CAs must define a privacy and data release policy compliant with the relevant national legislation. The CA is responsible for recording, at the time of validation, sufficient information regarding the subscribers to identify the subscriber. The CA is not required to release such information unless provided by a valid legal request according to national laws applicable to that CA.
18th EUGridPMA meeting, Jan 2010, Dublin

11 Self Audit – Privacy
Practice: CP/CPS does not define data release policy because there was no law defining this at the time of writing the original CP/CPS.
Solution: Law now exists, so this can be updated.

12 Self Audit – RA
8. - C The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate.
Practice: CP/CPS does not define this.
Solution: This procedure will be defined in CP/CPS.

13 Self Audit – Conclusion
Implement changes to the CP/CPS
Changes from self audit
Changes suggested from reviewers
Revise and update the whole CP/CPS to the new classic AP

14 Thank you!

