Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

Published byIsabell Lovins Modified over 9 years ago

Similar presentations

Presentation on theme: "CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F."— Presentation transcript:

1 CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong (kevin@cnic.ac.cn) Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F Meeting @ ASGC March 08, 2010

2 Overview CNIC Grid CA/SDG CA Self Audit Conclusion

3 CNIC Grid CA CNIC is an institute of CASCNIC is an institute of CAS CNIC Grid CACNIC Grid CA –The security infrastructure of CNIC Grid –Root CA CNIC Grid CA RepositoryCNIC Grid CA Repository –http://ca.grid.cn/ http://ca.grid.cn/ –CP/CPS –Introduction –Manual CA CertificateCA Certificate –20 years validity --- 2006-2-27 2026-2-27 –Only issues sub-CA certificate and CA servers and operators certificates

4 SDG CA Scientific Data Grid (SDG)Scientific Data Grid (SDG) –Scientific Data Grid (SDG) is an application grid based on scientific data resources sharing and collaboration. SDG CASDG CA –the SDG security infrastructure –The subordinate CA of CNIC Grid CA SDG CA Repository CP/CPSSDG CA Repository CP/CPS –http://ca.sdg.grid.cn/ –CP/CPS –Introduction –Manual SDG CA CertificateSDG CA Certificate –20 years validity --- 2006-2-27 2016-2-27 Type of certificatesType of certificates –Person –Host –Service Approved by APGridPMA in July 2006

5 CNIC Grid/SDG CA staff operators Kevin Dong Kai Nan Kevin Dong Yihua Zheng Yueda Wang Huabiao Li All staff Administrator: Kevin Dong

6 Hardware CA serverCA server –DELL GX620 P4 CPU 3.20GHz, Red Hat Linux AS4 –Offline, no connection to any other network –UPS is supplied RA serverRA server –DELL GX620 P4 CPU 3.20GHz, Red Hat Linux AS4 –connected to the Internet Only the necessary ports for RA operation are opened. Other ports are filtered by the firewall. –UPS is supplied Web server (repository)Web server (repository) –The same machine as RA Server –connected to the Internet Same as RA Server –UPS is supplied

7 Sofeware OpenCA CertUtitily Tool –Generate CSR

8 Physical Access CA roomCA room –Located in the CNIC machine room. –Limited person can enter. Security OfficerSecurity Officer CA OperatorsCA Operators Other CNIC administratorsOther CNIC administrators –Doors equipped with fingerprint recognition system. –Monitored by the CCTV Physical accessPhysical access –The CA operator is not allowed to access the CA machines alone and need to do so with the other CA operator. –If the CA operator needs to access the CA machines alone, he must notify the fact to the user administrator by Emails before and after entering the room. –All events about the access to the machines must be recorded in the paper sheets prepared in the room. The events include the names of CA operators, date and time of entering/leaving the room, and the purpose of the access to the machine. –The filled sheets will be kept in the dedicated safe box.

9 1. Generate keypair and CSR locally and upload the CSR to RA or Fill the form and generate CSR automatically and send to RA(web page)RA 2. Identified by in- person interview or official document User Admin. CA Operator 3. Instruct CA operators to accept the request RA server CA server 7. Copy the CSR to CA server 8. Issue the certificate with proper validity 9. Copy the certificate to USB key 12. Send successful issuing mail and CRIN mail 4. Approve the CSR 5. Copy the CSR to USB disk 6. Give the USB key to other CA operator 10. Copy the certificate to RA server 11. Publish the certificate User Workflow of Issuing Certificates

10 Current status of SDG CA Number of issued certificatesNumber of issued certificates –by Mar. 07, 2010 20062007 200820092010Total User Certificate575045462200 Service Certificate1019141145 Host Certificate49812134 Total717867594279

11 Current status of SDG CA by Mar. 07, 2010)Current Status (by Mar. 07, 2010) Valid Certificate50 Expired Certificate199 Revoked Certificate30 Total279

12 Current status of CNIC Grid CA Number of issued certificatesNumber of issued certificates –by Mar. 07, 2010 20062007 200820092010Total Sub-CA Certificate 100001 Host Certificate111104 Total211105

13 Current status of CNIC Grid CA Valid Certificate2 Expired Certificate3 Revoked Certificate0 Total5 by Mar. 07, 2010)Current Status (by Mar. 07, 2010)

14 Self Audit SDG CA –CP/CPS 1.8->1.9 –CRL Profile 1.3->1.4 CNIC Grid CA –CP/CPS 1.4->1.5 –CRL Profile 1.2->1.3 AuditingSpreadsheet.xls –IGTF classic profile: IGTF-AP-classic-4-2 –Special thanks to Yoshio

15 Summary Marks –A: 66 –B: 3 –C: 2 –D: 0

16 RA - (4) RA should ensure that the requester is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate. –In section 4.3.1, the role to ensure the FQDN will be defined in CP/CPS. –B

17 RA - (6) The CA or RA should have documented evidence on retaining the same identity over time. –It is obvious that the DN is unique for a person because the email or FQDN is included. Now it is defined in section 3.2.3 –C

18 CA - (16) The on-line CA architecture must provide for a log of issued certificates and revocations. The log should be tamper- protected. –The logs are available and archived. We will make logs tamper-protected. –C

19 CA - (27),(32) The authority must publish CRLs, and these CRLs should be compliant with RFC5280. –In section 2 and section 4.9.8, "the repository of certificates and CRLs are available at http://ca.sdg.grid.cn/" though RFC 5280 is not explicitly defined in CP/CPS. The RFC 5280 will be defined in the CP/CPS. –B

20 CA - (45) Identity validation records must be kept at least as long as there are valid certificates based on such a validation. –The identity validation records are kept at least as long as there are valid certificates based on such a validation. But it is not mentioned in CP/CPS. We will add in section 5.4.3. –B

21 Conclusion Positive Update of CP/CPS and CRL profile –Done –Release soon

22 Thanks!

Download ppt "CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.
CNIC Grid/SDG CA Updates 2 nd APGrid PMA meeting, October 15, 2006 Morrise Xu NTARL, CNIC, China.

CNIC Grid/SDG CA Updates 2 nd APGrid PMA meeting, October 15, 2006 Morrise Xu NTARL, CNIC, China.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien F2F Meeting 8 th March 2010.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien F2F Meeting 8 th March 2010.
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.

DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr. 2009 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

Similar presentations

Ads by Google