KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen


Page 1

KFKI RMKI CA Review
EUGridPMA May 26-28, Copenhagen

Szabolcs Hernáth
MTA KFKI RMKI
[email protected]
pki.kfki.hu

Page 2

Overview

• Background & History

• Present Status & Future Plans

• Self-assessment & Issues

• Lessons learned & Suggestions

• Discussion…

Page 3

1. Background & History

• Why 2 CAs in Hungary?

- Community needed the service in 2004

- NREN CA (NIIF) was planned, but no progress or roadmap

- RMKI had ~90% of LCG users & resources

• EUGridPMA in Brussels, Sept. 2004:

- KFKI RMKI CA presented

- PMA demanded community agreement to preempt a 2 CA situation

• Dec. 2004: Community agreement presented

- Hungarian grid community will endorse KFKI RMKI CA until the NIIF CA can set up an RA at KFKI campus

- PMA accepted the agreement, KFKI RMKI CA accredited

- started production in Jan. 2005

• Recent progress in the setup of NIIF RA

Page 4

2. Present Status

• Reliable operation on Debian/OpenCA

• Stats:

- All issued: 230 (6 for testing)

- Revoked: 126 (none compromised)

- Valid: 47 (14 user, 33 host)

- All host: 145 (68 DNs, even fewer identities)

- All user: 79 (50 DNs, even fewer identities)

- All CRLs: 120 (1 overdue)

• NIIF RA progress:

- RA secure admin interface deployed & tested (based on tokens)

- User web interface in development

- IdP for NIIF AAI Federation in deployment (for user preauth)

- RA contract in preparation

Page 5

3. Future Plans

• NIIF RA in production later this year

• Will probably keep the CA for local purposes

- will rekey or extend the root

- could produce new CP/CPS

• After the NIIF RA is in production, will replace all grid certs

• Need to leave the club …

Page 6

4. Self-assessment

• Work in progress, preliminary results

• Major issues: CA

(5) CP/CPS is RFC 2527 D/D

(7) Secure environment, access control & log D/D

(9) Secure environment undocumented/unaudited D

(11) CA key protection B/D

(50) Operational audit D/D

(51) List of personnel D

• Major issues: RA

(2) Identity vetting (user) B/C

(3) Identity vetting (host) A/C

(4) FQDN ownership B/C

(10) Record archival in auditable form C

Page 7

5. Other Issues

• Insufficient resources

• No long-term planning (was not expected)

• Missing operational documents

• Too many hats

• ‘Rescheduled’ paperwork

Page 8

6. Recommendations

• More is less:

- specify everything as strict as possible

- write all operational documents before production

• Operational audit/review ASAP (before production)

• Separation of GRID namespace is recommended

• Accreditation profile version should be recorded on accreditation

• Audit guidelines updates for AP changes? (versions for each AP version?)

• Separate audit guidelines for different APs?

Page 9

Thank you!