1. Status of Auditing Guidelines Document OGF27@Banff Oct. 15 Yoshio Tanaka, AIST

2. No progress since public comments… Public comments: March 2 nd to April 1 st, 2009. Nine comments were submitted, four of them were just I support this document.

3. Review comments (1/5) Technical – the included checklist (chapter 3 "Auditing checklist") is a list against an old outdated Classic AP. Update is needed to reflect the current (Classic) AP – also the document does not state that it must be updated when there is a newer version of the Classic AP available than it references – the "Auditing checklist" would be of more use if it is split out into a separate referenced document or appendix in spreadsheet format; this way it is easier to create additional spreadsheets for the other IGTF-APs and include them as appendix or external reference as well Layout nit-picks: – all bullets of bulleted lists should be standard bullet dots – for smoother reading all the text paragraphs should be printed justified

4. Review Comments (2/5) I used an earlier version of this document during an audit of the DOEGrids CA, and the first thing we did was to create a spread sheet of the check list. I would keep the current form which is more readable and add a reference document that has it in spread sheet form where the auditors would have space to add their comments. The addition of the rfc 2527 paragraph numbers is helpful for those CAs that have not updated their CPS. Would it be possible to add a reference to the IGTF Audit checklist for Grid CAs Version 4.1. I didn't find it starting from the IGTF home page.

5. Review Comments (3/5) In reality there is a need for one spreadsheet per Authentication Profile: Classic, MICS & SLCS. Keeping and more important maintaining up- to date information duplicated in two or more documents in different formats is a lot of effort.

6. Review Comments (4/5) I think that this document presents valuable information for the grid operation community. I support this document. Below is minor comment: – The checklist (15) defines how to keep the pass phrase of the encrypted private key, but the evaluation method describes an evaluation method for the CA private key backup. – There is a TYPO, "??", in the table of the checklist (23).

7. Review Comments (5/5) I used a preliminary version of this document a year ago while performing an internal audit (self-review) of the KFKI RMKI CA, and found it very useful. Some minor comments: – this document should come in many flavours, one for each AP. Each of those should bear the version of the corresponding AP in their name – consequently, the Auditing Guideline documents should be revised & updated every time the corresponding AP changes (i.e. following every PMA meeting:) – I agree on the usefulness of spreadsheet versions – two short remarks on particular checklist items: Is there a single CA organization per country, large region or international organization? This should rather be discussed within the PMAs, and in some cases could be hard to judge/assess for an external auditor. (52) How is the procedure of auditing described in the CP/CPS? (for RFC 3647) This might seem out of place here as this is the very document that describes such an audit - CPS documents, on the other hand, are written against APs, RFCs and minimum requirements, and may or may not comply with anything written here abut the specifics of an audit. Perhaps the audit requirements / specifications described in a CPS (if there are any) could be recorded in the pre-examination phase of an audit?