Page 1

ASGCCA Self-Audit Report

APGridPMA, Jinny Chien

March 08 2008

Page 2

Outline

• ASGCCA basic audit Information

• ASGCCA Audit Score list

• The Detailed Audit Report

• Summary & Further Plan

Page 3

ASGCCA Self-Audit Info

• Time: March 2008

• Place: Academia Sinica

• Staff: Jinny Chien, Min Tsai, Felix Lee and Eric Yen

• The relevant documents: CP/CPS, CA cert, EE cert, host cert and any other document available for the auditors

• Others: CA room, CA machine, etc.

Page 4

A List of Marks for Auditing

• According to the result of the examination, each item is scored from A to D, or X, as below.

• A: Good

• B: Recommendation (minor change)

• C: Recommendation (major change)

• D: Advice (must change)

• X: Could not evaluate (N/A)

Page 5

ASGCCA Self-Audit Status

• There are 71 items in total

• During this evaluation, ASGCCA got the following scores.

• Score A (Good): 57 / 71

• Score B (minor change): 10 / 71

• Score C (major change): 2 / 71

• Score D (must change): 1 / 71

• Score X (N/A): 1 / 71

• The following reports include only the items scored B to X

Page 6

The Audit Report Format

Score: The score ASGCCA gets for this item

Diagnosis: The relevant documents that were checked

Status: The current status of ASGCCA

Solution: How ASGCCA can improve

Evaluation: The item of the auditing checklist

Page 7

Self-Audit Detailed Report (1)

Score: B

Diagnosis: ASGCCA CP/CPS

Status: The ASGCCA CP/CPS is structured according to RFC 2527.

Solution (in progress): We plan to modify the current CP/CPS this year; the new CP/CPS will follow RFC 3647.

Evaluation: The CP/CPS document is structured according to RFC 3647.

Page 8

Self-Audit Detailed Report(2)

Score: D

Diagnosis: ASGCCA CA certificate and CRL

Status: The CA's cert and CRL use MD5 as the signature algorithm. (MD5 in particular must not be used.)

Solution (in progress): Use another signature algorithm such as SHA1 and add the change to the annual CA schedule.

Evaluation: The message digests of the certificates and CRLs generated.

Page 9

Self-Audit Detailed Report(3)

Score: B

Diagnosis: CA certificate and EE certificates

Status: The CA cert and EE certs are compliant with the current Grid Certificate Profile, but the MD5 problem must be resolved.

Solution (in progress): Use another signature algorithm such as SHA1 and add the change to the annual CA schedule.

Evaluation: The CA cert and EE certs must comply with the IGTF and OGF profile.

Page 10

Self-Audit Detailed Report(4)

Score: B

Diagnosis: ASGCCA CRLs

Status: There is no description in the current CP/CPS, and we use CRL version 1.

Solution (in progress): Check the CRL profile and modify the current CP/CPS.

Evaluation: The CRLs must be compliant with RFC 3280 and use version 2 (recommended).

Page 11

Self-Audit Detailed Report(5)

Score: C

Diagnosis: ASGCCA CP/CPS

Status: The ASGCCA CP/CPS does not describe the transition procedure.

Solution (done): We modified the current CP/CPS and added this information to version 2.1.

Evaluation: The CP/CPS describes the transition of the CA's cryptographic data.

Page 12

Self-Audit Detailed Report(6)

Score: A

Diagnosis: ASGCCA CA certificate

Status: The old and new ASGCCA CA lifetimes are not longer than 20 years. However, our CP/CPS only states a 5-year limit.

Solution (done): We modified the current CP/CPS and added this information to version 2.1.

Evaluation: The CA lifetime must be no longer than 20 years.

Page 13

Self-Audit Detailed Report(7)

Score: B

Diagnosis: Certificates

Status: We have re-key procedures, which are described on the CA web page but not in the CP/CPS.

Solution (done): We modified the current CP/CPS and added this information to version 2.1.

Evaluation: The re-key process is described in the CP/CPS.

Page 14

Self-Audit Detailed Report(8)

Score: B

Diagnosis: Audits and CP/CPS

Status: There is information about the compliance audit, but no information describing how we audit RAs.

Solution (done): We modified the current CP/CPS and added this information to version 2.1.

Evaluation: The CA performs operational audits of the CA/RA at regular intervals.

Page 15

Self-Audit Detailed Report(9)

Score: B

Diagnosis: Host certificate

Status: Users access the secure web page directly to generate FQDNs. The CA then verifies the request with the RAs.

Solution (done): User -> RA -> CA. This information must be added to version 2.1.

Evaluation: How does the RA verify the FQDN of the host certificate?

Page 16

Self-Audit Detailed Report(10)

Score: B

Diagnosis: CA and RA

Status: ASGCCA uses signed mail between the CA and RA, but this is not described in the current CP/CPS, only on the web.

Solution (done): Added the details to draft version 2.1.

Evaluation: Secure communication between the CA and RA.

Page 17

Summary & Further Plan

• ASGCCA will resolve the following problems in 2008:

1. The MD5 problem on all certificates from ASGCCA

2. Make the CP/CPS compliant with RFC 3647

3. Make the CRL profile compliant with RFC 3280

4. Publish the new version of the CP/CPS

Page 18

Reference

• ASGCCA web: http://ca.grid.sinica.edu.tw

• The current CP/CPS: http://ca.grid.sinica.edu.tw/publication/index.php#CP/CPS

• The revised CP/CPS version 2.1

• The Audit Report

Page 19

Any questions?

Thanks for listening