Presentation is loading. Please wait.

Presentation is loading. Please wait.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

Published byAriel Walker Modified over 8 years ago

Similar presentations

Presentation on theme: "NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale."— Presentation transcript:

1 NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale Simulation Research Laboratory National Electronics and Computer Technology Center, Thailand

2 2 Outlines » NECTEC-GOC CA » Self Audit » Certification Authority » Registration Authority » Summary

3 3 Overview » NECTEC-GOC CA operates by Large-Scale Simulation Research Laboratory » Accredited by APGrid PMA in October 2006 » Compilation in Classic AP version 4.2 » Certificates for the collaborators related to NECTEC Grid Computing research. » Initial lifetime » 10 years, until January 2017 » Software » OpenCA software version 0.9.6

4 4 System Architecture » OpenCA » Online interface (RA) » Used by EE for certificate requests » Used by RAs for request confirmations » Offline (CA) » CA machine kept in safe deposit box accessible to CA staff only » Data transfer achieve USB » Data backup performed after each operation

5 5 Certificates Status » Total: 105 issued certificates » User: 61 » Host: 44 » Valid: 71 certificates » User: 53 » Host: 18 » Expired: 34 certificates » User: 8 » Host: 26 » Revoked: none

6 6 SELF AUDIT

7 7 Materials used of auditing » The following documents are referred: » Guidelines for auditing Grid CAs version 1.0  December 11 th 2009 » NECTEC-GOC CA CP/CPS version 1.1 (RFC 2527)  August 2009 » NECTEC-GOC CA CP/CPS new version (RFC 3647 unapproved) » CA Repository  http://gridca.hpcc.nectec.or.th » CA Certificate, CRL, End-Entity certificates » Other document described as published on the web repository  Certificate application procedure  Certificate renew and revocation procedure

8 8 Materials used of auditing » The following are the subjects of the inspection: » CA room » RA and CA machines » Backup media of the CA private key and its place » Media storage of archived logs and other documents and their place e.g. safe deposit box » Logs of RA and CA servers » Records of operation of the RA and CA » Access log to the CA room

9 9 CA No immediate change (1) 1 CP/CPS (3) Network of RA Already in new version (6) 1 (6) all versions of CP/CPS on web 1 (7) RFC 3647 3 (15) CA pass phrase backup in offline media 3 (17) CA key change 3 (18) CA key change overlap 5 (24) CA react to revocation request To be added to new version (3) 5 (25) Revocation request (subscriber obligation) 7 (42) Re-verification for rekeying 9 (47) Annual operational audit Not relevant (2) 3 (16) online CA log 7 (41) renewal of key in HW token

10 10 RA Already in new version (3) 1 (3) Secure ID validation for non-personal certificate 1 (4) Authorization of host/service certificate 1 (5) Association of CSR for host/service certificate To be added to new version (2) 1 (7) CSR bounded to ID vetting 3 (11) How to inform CA/RA about EE status change Question (1) 1 (6) Identify retaining

11 11 SELF AUDIT RESULTS: CERTIFICATION AUTHORITY

12 12 1. CP/CPS » (3) There should be a single end-entity issuing CA with a wide network of RA. » Score: B » Status: The CP/CPS describes that a single end-entity issuing CA with one RA operator. » Practice: Currently, there is one RA operator, only, since the user community is still small.

13 13 1. CP/CPS » (6) All the CP/CPS under which valid certificates are issued must be available on the web. » Score: B » Status:  The CP/CPS does not describe that all the versions of CP/CPS under which valid certificates are issued must be available on the web.  All versions (two) of CP/CPS are available on the web » Solution:  The new version of CP/CPS has described that all CP/CPS under which valid certificates are issued has been published on the web.

14 14 1. CP/CPS » (7) The CP/CPS documents should be structured as defined in RFC 2527 3647. » Score: B » Status: The current CP/CPS is structured as defined in RFC 2527. » Solution: Currently, the new version of CP/CPS which conform with RFC 3647 has been drafted but it unapproved from APGrid PMA

15 15 3. CA Key » (15) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used. » Score: B » Status: The current CP/CPS does not describe about the backup of pass phrase. » Solution: The procedure appears in the new version of CP/CPS which describes that the pass phrase is kept in a sealed envelop.

16 16 3. CA Key » (16) The on-line CA architecture must provide for a log of issued certificates and signed revocations. The log should be tamper- protected. » Score: X » Status: Cloud not evaluate. » Practice: The CA system is completely offline.

17 17 3. CA Key » (17) When the CA’s cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes. » Score: C » Status: The CP/CPS does not describe about transition of the CA’s cryptographic data. » Solution: The new version of CP/CPS describes that when the CA’s cryptographic data is changed, from the time of new cryptographic data distribution, only the new CA certificate will be used for certificate signing purpose.

18 18 3. CA Key » (18) The overlap of the old and new keys must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures – and the secret key to sign CRLs – until all the certificates signed using the associated private key have also expired. » Score: C » Status: The CP/CPS does not describe how to handle such situations. » Solution: The new version of CP/CPS describes that the overlap of the old and new CA certificate must be at least the longest time an end-entity certificate can be valid (1 year). The old CA certificate will be valid and available to verify old signatures and the secret key to sign CRLs until all the certificates signed using the associated private key have also expired.

19 19 5. Certificate Revocation » (24) The CA must react as soon as possible, but within one working day, to any revocation request received. » Score: B » Status: The current CP/CPS does not specify the time period to react to revocation requests. » Solution: The procedure is described in the new version of CP/CPS that the CA should process the certificate revocation request within one working day after receiving the request.

20 20 5. Certificate Revocation » (25) Subscribers must request revocation of its certificate as soon as possible, but within one working day after detection of: - he/she lost or compromised the private key pertaining to the certificate, - The data in the certificate are no longer valid. » Score: B » Status: CP/CPS does not include EE obligation to requesting revocation of she/he lost or compromised the private key or any data in the certificate is no longer valid. » Solution: Will be added in the new version of CP/CPS.

21 21 7. End Entity Certificates and keys » (41) Certificates associated with a private key residing solely on hardware token may be renewed for a period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits). » Score: X » Status: Cloud not evaluate. » Practice: This CA does not support renewal.

22 22 7. End Entity Certificates and keys » (42) Certificates must not be renewed or re-keyed for more than 5 years without a form of auditable and eligibility verification, and this procedure must be described in the CP/CPS. » Score: C » Status: The CP/CPS does not describe about re-verification and authentication of identity processes required for entities on or prior to 5 years from the original or initial identity authentication. » Solution: Will be added in the new version of CP/CPS.

23 23 9. Audits » (47)Every CA should perform operational audits of the CA/RA staff at least once per year. » Score: C » Status: The CP/CPS does not require that the CA performs operational audit. The CA has never performed operational audit. » Solution: Will be added in the new version of CP/CPS.

24 24 SELF AUDIT RESULTS: REGISTRATION AUTHORITY

25 25 1. Entity Identification » (3) In case of non-personal certificate requests, an RA should validate the identity and eligibility of the person in charge of the specific entities using a secure method. » Score: C » Status: The CP/CPS does not describe that the RA validates the identity of a person requesting a host/service certificate. But we check for valid certificate. » Solution: The procedure is described in the new version of CP/CPS that the person requesting a host/service certificate must be a valid subscriber of NECTEC-GOC CA.

26 26 1. Entity Identification » (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate. » Score: C » Status: The CP/CPS does not describe that an RA ensures that the requestor is appropriately authorized by the owner of the FQDN. However, RA practices the procedure below. » Solution: The procedure is described in the new version of CP/CPS that the RA operator must proves of such authorization, such as by an official letter or by setting a certain information in the DNS record of that domain.

27 27 1. Entity Identification » (5) An RA must validate the association of the certificate signing request. » Score: C » Status: The CP/CPS does not describe the RA ensures that the requestor is appropriately authorized by the owner of the FQDN. However, RA practices the procedure below. » Solution: The procedure is described in the new version of CP/CPS:  requestor = valid user,  FQDN in CSR = in application form,  e-mail in CSR = in application form and in user certificate

28 28 1. Entity Identification » (6) The CA or RA should have documented evidence on retaining the same identity over time. » Question to PMA as follows:  Does this mean the identify of user should be retained?  If the same individual, using the same name, belonging to the same organization, re-applies for a personal certificate, the certificate should have the same "subject name" as the one issued earlier?  If the same individual, using the same name, belonging to a *different* organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?  If the same individual, using a *different* name, but still belonging to the same organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?  If the same individual, using a *different* name, belonging to a *different* organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?  If a *different* individual, but happen to use the same name, belonging to the same organization, applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?

29 29 1. Entity Identification » (7) The certificate request submitted for certification must be bound to the act of identity vetting. » Score: C » Status: The current and the new version of CP/CPS does not describe this. » Solution: Will be added in the new version of CP/CPS that the RA operator checks whether the email specified in the application form matches that in the CSR. The certificate will be delivered via this email address.

30 30 3. RA to CA communications » (11) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate. » Score: C » Status: The CP/CPS has no description on how the CA or the RA is informed of any changes. » Solution: Will be added in the new version of CP/CPS that the user must inform any changes that may affect the status of the certificate to RA and CA operators.

31 31 Summary » Total number of items: 68 » Results: » 50 As - Good » 6 Bs - Recommendation (minor changes) » 9 Cs - Recommendation (major changes) » 2 Xs - Cloud not evaluate (N/A) »Changes : »Improving CP/CPS; no critical effects on current/immediate operation

Download ppt "NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale."

Similar presentations

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

Similar presentations

Ads by Google