1 asgcca self-audit report apgridpma jinny chien march 08 2008
TRANSCRIPT
1
ASGCCA Self-Audit Report
APGridPMAJinny Chien
March 08 2008
2
Outline
• ASGCCA basic audit Information
• ASGCCA Audit Score list
• The Detailed Audit Report
• Summary & Further Plan
3
ASGCCA Self-Audit Info
• Time : March 2008• Place : Academia Sinica• Staff : Jinny Chien, Min Tsai, Felix Lee and Eric
Yen• The relevant document: CP/CPS, CA cert, EE cert ,
Host cert and any other document available for the auditors
• Others : CA room, CA machine etc….
4
A List of Marks for Auditing
• According to the result of the examination and each item can be scored from A to D, and X as below.• A : Good
• B : Recommendation (minor change)
• C : Recommendation (major change)
• D : Advice (must change)
• X : Could not evaluate (N/A)
5
ASGCCA Self-Audit Status
• Full items are 71
• During this evaluation, ASGCCA got the following scores.• Score A (Good): 57 / 71
• Score B (minor change): 10 / 71
• Score C (major change): 2 / 71
• Score D (must change): 1 / 71
• Score X (N/A): 1 / 71
• The following reports only included score B to score X
6
The Audit Report Format
Score ASGCCA gets the score at this item
Diagnosis Check the relevant documents
Status The status of ASGCCA now
Solution The improvability of ASGCCA
Evaluation: The items of the auditing checklist
7
Self-Audit Detailed Report(1)
Score B
Diagnosis ASGCCA CP/CPS
Status The ASGCCA CP/CPS is structured in RFC 2527
Solution
(In progress)
We plan to modify current the CP/CPS this year and the new CP/CPS will follow RFC 3647.
Evaluation: The CP/CPS document is structured in RFC 3647
8
Self-Audit Detailed Report(2)
Score D
Diagnosis ASGCCA CA certificate and CRL
Status CA’s cert and CRL describe the signature algorithm is MD5. (MD5 must not be used in particular)
Solution
(In progress)
Use another signature algorithm such as SHA1 and add it at the annual CA schedule
Evaluation: The message digests of the certificate and CRLs generated
9
Self-Audit Detailed Report(3)
Score B
Diagnosis CA certificate and EE certificates
Status CA cert and EE cert are compliant with the current Grid Certificate Profile but there is MD5 problem must be resolved.
Solution
(In progress)
Use another signature algorithm such as SHA1 and add it at the annual CA schedule
Evaluation: CA cert and EE cert must comply with the IGTF and OGF profile
10
Self-Audit Detailed Report(4)
Score B
Diagnosis ASGCCA CRLs
Status No description in the current CP/CPS and we use CRL version 1
Solution
(In Progress )
Check the CRL profile and modify the current CP/CPS.
Evaluation: The CRLs must be compliant with RFC 3280 and use version 2(recommended)
11
Self-Audit Detailed Report(5)
Score C
Diagnosis ASGCCA CP/CPS
Status ASGCCA CP/CPS does not describe the transition procedure
Solution
(Done)
We modified the current CP/CPS and added this information to the version 2.1
Evaluation: The CP/CPS described the transition of the CA’s cryptographic data
12
Self-Audit Detailed Report(6)
Score A
Diagnosis ASGCCA CA certificate
Status Old and New ASGCCA CA life time are not longer than 20 years. However, our CP/CPS is only states 5 years limit.
Solution
(Done)
We modified the current CP/CPS and added this information to the version 2.1
Evaluation: The CA lifetime must be no longer than 20 years
13
Self-Audit Detailed Report(7)
Score B
Diagnosis certificates
Status We have re-key procedures which are described on the CA web page but not in the CP/CPS
Solution
(Done)
We modified the current CP/CPS and added this information to the version 2.1
Evaluation: The rekey process described to the CP/CPS
14
Self-Audit Detailed Report(8)
Score B
Diagnosis Audits and CP/CPS
Status There are more information about the compliance audit but no information describing how we audit RAs
Solution
(Done)
We modified the current CP/CPS and added this information to the version 2.1
Evaluation: The CA perform operational audits of CA/RA at the regular time
15
Self-Audit Detailed Report(9)
Score B
Diagnosis Host certificate
Status Users directly access the secure web page to generate FQDNs . Then CA will verify this request with RAs.
Solution
(Done)
User -> RA -> CA
This information must add to the version 2.1
Evaluation: How does the RA verify the FQDN of the host certificate
16
Self-Audit Detailed Report(10)
Score B
Diagnosis CA and RA
Status ASGCCA uses signed mails between CA and RA but there is no information to the current CP/CPS and only on the web
Solution
(Done)
Added the details to the draft version 2.1
Evaluation: The secure communication between CA and RA
17
Summary & Further Plan
• ASGCCA will resolve the following problems in 2008
1. MD5 problem on all certificates from ASGCCA
2. The CP/CPS is compliant with RFC 3647
3. CRL profile is compliant with RFC 3280
4. Publish new version CP/CPS
18
Reference
• ASGCCA web http://ca.grid.sinica.edu.tw
• The current CP/CPShttp://ca.grid.sinica.edu.tw/publication/index.php#CP/CPS
• The revised CP/CPS version 2.1
• The Audit Report
19
Any Question?
Thanks for the listening