ASGCCA Self-Audit Report, APGridPMA, Jinny Chien, March 08 2008
ASGCCA Self-Audit Report
APGridPMA
Jinny Chien
March 08 2008
Outline
• ASGCCA basic audit Information
• ASGCCA Audit Score list
• The Detailed Audit Report
• Summary & Further Plan
ASGCCA Self-Audit Info
• Time: March 2008
• Place: Academia Sinica
• Staff: Jinny Chien, Min Tsai, Felix Lee and Eric Yen
• The relevant documents: CP/CPS, CA cert, EE cert, Host cert and any other document available for the auditors
• Others: CA room, CA machine, etc.
A List of Marks for Auditing
• Based on the result of the examination, each item is scored from A to D, or X, as below.
• A : Good
• B : Recommendation (minor change)
• C : Recommendation (major change)
• D : Advice (must change)
• X : Could not evaluate (N/A)
ASGCCA Self-Audit Status
• There are 71 items in total
• During this evaluation, ASGCCA got the following scores.
• Score A (Good): 57 / 71
• Score B (minor change): 10 / 71
• Score C (major change): 2 / 71
• Score D (must change): 1 / 71
• Score X (N/A): 1 / 71
• The following reports include only the items scored B to X
The Audit Report Format
Score: The score ASGCCA gets for this item
Diagnosis: The relevant documents checked
Status: The current status of ASGCCA
Solution: How ASGCCA can improve
Evaluation: The item of the auditing checklist
Self-Audit Detailed Report (1)
Score: B
Diagnosis: ASGCCA CP/CPS
Status: The ASGCCA CP/CPS is structured according to RFC 2527
Solution (In progress): We plan to modify the current CP/CPS this year, and the new CP/CPS will follow RFC 3647.
Evaluation: The CP/CPS document is structured according to RFC 3647
Self-Audit Detailed Report (2)
Score: D
Diagnosis: ASGCCA CA certificate and CRL
Status: The CA's cert and CRL state that the signature algorithm is MD5. (In particular, MD5 must not be used.)
Solution (In progress): Use another signature algorithm such as SHA1 and add it to the annual CA schedule
Evaluation: The message digests of the certificate and CRLs generated
Self-Audit Detailed Report (3)
Score: B
Diagnosis: CA certificate and EE certificates
Status: The CA cert and EE cert are compliant with the current Grid Certificate Profile, but there is an MD5 problem that must be resolved.
Solution (In progress): Use another signature algorithm such as SHA1 and add it to the annual CA schedule
Evaluation: CA cert and EE cert must comply with the IGTF and OGF profile
Self-Audit Detailed Report (4)
Score: B
Diagnosis: ASGCCA CRLs
Status: No description in the current CP/CPS, and we use CRL version 1
Solution (In progress): Check the CRL profile and modify the current CP/CPS.
Evaluation: The CRLs must be compliant with RFC 3280 and use version 2 (recommended)
Self-Audit Detailed Report (5)
Score: C
Diagnosis: ASGCCA CP/CPS
Status: The ASGCCA CP/CPS does not describe the transition procedure
Solution (Done): We modified the current CP/CPS and added this information to version 2.1
Evaluation: The CP/CPS describes the transition of the CA's cryptographic data
Self-Audit Detailed Report (6)
Score: A
Diagnosis: ASGCCA CA certificate
Status: The old and new ASGCCA CA lifetimes are not longer than 20 years. However, our CP/CPS only states a 5-year limit.
Solution (Done): We modified the current CP/CPS and added this information to version 2.1
Evaluation: The CA lifetime must be no longer than 20 years
Self-Audit Detailed Report (7)
Score: B
Diagnosis: Certificates
Status: We have re-key procedures which are described on the CA web page but not in the CP/CPS
Solution (Done): We modified the current CP/CPS and added this information to version 2.1
Evaluation: The rekey process is described in the CP/CPS
Self-Audit Detailed Report (8)
Score: B
Diagnosis: Audits and CP/CPS
Status: There is more information about the compliance audit but no information describing how we audit RAs
Solution (Done): We modified the current CP/CPS and added this information to version 2.1
Evaluation: The CA performs operational audits of the CA/RA on a regular basis
Self-Audit Detailed Report (9)
Score: B
Diagnosis: Host certificate
Status: Users directly access the secure web page to generate FQDNs. Then the CA will verify this request with RAs.
Solution (Done): User -> RA -> CA. This information must be added to version 2.1
Evaluation: How does the RA verify the FQDN of the host certificate
Self-Audit Detailed Report (10)
Score: B
Diagnosis: CA and RA
Status: ASGCCA uses signed mails between CA and RA, but this information is not in the current CP/CPS, only on the web
Solution (Done): Added the details to the draft version 2.1
Evaluation: The secure communication between CA and RA
Summary & Further Plan
• ASGCCA will resolve the following problems in 2008
1. MD5 problem on all certificates from ASGCCA
2. The CP/CPS is compliant with RFC 3647
3. CRL profile is compliant with RFC 3280
4. Publish the new version of the CP/CPS
Reference
• ASGCCA web: http://ca.grid.sinica.edu.tw
• The current CP/CPS: http://ca.grid.sinica.edu.tw/publication/index.php#CP/CPS
• The revised CP/CPS version 2.1
• The Audit Report
Any Questions?
Thanks for listening