Transcript of: NECTEC-GOC CA Self Audit

Page 1: NECTEC-GOC CA Self Audit

7th APGrid PMA Face-to-Face meeting
March 8th, 2010

Sornthep Vannarat
Large-Scale Simulation Research Laboratory
National Electronics and Computer Technology Center, Thailand

Page 2: Outlines

» NECTEC-GOC CA
» Self Audit
  » Certification Authority
  » Registration Authority
» Summary

Page 3: Overview

» NECTEC-GOC CA is operated by the Large-Scale Simulation Research Laboratory
  » Accredited by APGrid PMA in October 2006
  » Compliance with Classic AP version 4.2
» Certificates for the collaborators related to NECTEC Grid Computing research
» Initial lifetime
  » 10 years, until January 2017
» Software
  » OpenCA software version 0.9.6

Page 4: System Architecture

» OpenCA
» Online interface (RA)
  » Used by EEs for certificate requests
  » Used by RAs for request confirmations
» Offline (CA)
  » CA machine kept in a safe deposit box accessible to CA staff only
  » Data transfer achieved via USB
  » Data backup performed after each operation

Page 5: Certificate Status

» Total: 105 issued certificates
  » User: 61
  » Host: 44
» Valid: 71 certificates
  » User: 53
  » Host: 18
» Expired: 34 certificates
  » User: 8
  » Host: 26
» Revoked: none

Page 6: SELF AUDIT

Page 7: Materials used for auditing

» The following documents are referred to:
  » Guidelines for auditing Grid CAs version 1.0, December 11th 2009
  » NECTEC-GOC CA CP/CPS version 1.1 (RFC 2527), August 2009
  » NECTEC-GOC CA CP/CPS new version (RFC 3647, unapproved)
  » CA Repository: http://gridca.hpcc.nectec.or.th
    » CA Certificate, CRL, End-Entity certificates
    » Other documents described as published on the web repository: certificate application procedure, certificate renewal and revocation procedure

Page 8: Materials used for auditing

» The following are the subjects of the inspection:
  » CA room
  » RA and CA machines
  » Backup media of the CA private key and its place
  » Media storage of archived logs and other documents and their place, e.g. safe deposit box
  » Logs of RA and CA servers
  » Records of operation of the RA and CA
  » Access log to the CA room

Page 9: CA

(Entries are listed as: guideline section, item number in parentheses, description.)

» No immediate change (1)
  » 1 CP/CPS (3): Network of RAs
» Already in new version (6)
  » 1 (6): All versions of CP/CPS on web
  » 1 (7): RFC 3647
  » 3 (15): CA pass phrase backup in offline media
  » 3 (17): CA key change
  » 3 (18): CA key change overlap
  » 5 (24): CA reaction to revocation request
» To be added to new version (3)
  » 5 (25): Revocation request (subscriber obligation)
  » 7 (42): Re-verification for rekeying
  » 9 (47): Annual operational audit
» Not relevant (2)
  » 3 (16): Online CA log
  » 7 (41): Renewal of key in HW token

Page 10: RA

» Already in new version (3)
  » 1 (3): Secure ID validation for non-personal certificate
  » 1 (4): Authorization of host/service certificate
  » 1 (5): Association of CSR for host/service certificate
» To be added to new version (2)
  » 1 (7): CSR bound to ID vetting
  » 3 (11): How to inform CA/RA about EE status change
» Question (1)
  » 1 (6): Identity retention

Page 11: SELF AUDIT RESULTS: CERTIFICATION AUTHORITY

Page 12: 1. CP/CPS

» (3) There should be a single end-entity issuing CA with a wide network of RAs.
  » Score: B
  » Status: The CP/CPS describes a single end-entity issuing CA with one RA operator.
  » Practice: Currently there is only one RA operator, since the user community is still small.

Page 13: 1. CP/CPS

» (6) All the CP/CPS under which valid certificates are issued must be available on the web.
  » Score: B
  » Status: The CP/CPS does not state that all versions of the CP/CPS under which valid certificates are issued must be available on the web. All versions (two) of the CP/CPS are available on the web.
  » Solution: The new version of the CP/CPS states that all CP/CPS under which valid certificates are issued have been published on the web.

Page 14: 1. CP/CPS

Page 15: 3. CA Key

» (15) The pass phrase of the encrypted private key must also be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.
  » Score: B
  » Status: The current CP/CPS does not describe the backup of the pass phrase.
  » Solution: The procedure appears in the new version of the CP/CPS, which states that the pass phrase is kept in a sealed envelope.

Page 16: 3. CA Key

» (16) The on-line CA architecture must provide for a log of issued certificates and signed revocations. The log should be tamper-protected.
  » Score: X
  » Status: Could not evaluate.
  » Practice: The CA system is completely offline.

Page 17: 3. CA Key

» (17) When the CA's cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.
  » Score: C
  » Status: The CP/CPS does not describe the transition of the CA's cryptographic data.
  » Solution: The new version of the CP/CPS states that when the CA's cryptographic data is changed, from the time the new cryptographic data is distributed only the new CA certificate will be used for certificate signing.

Page 18: 3. CA Key

» (18) The overlap of the old and new keys must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures, and the secret key to sign CRLs, until all the certificates signed using the associated private key have also expired.
  » Score: C
  » Status: The CP/CPS does not describe how to handle such situations.
  » Solution: The new version of the CP/CPS states that the overlap of the old and new CA certificates must be at least the longest time an end-entity certificate can be valid (1 year). The old CA certificate will remain valid and available to verify old signatures, and the old secret key will sign CRLs, until all the certificates signed using the associated private key have also expired.
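As an added illustration of items (17) and (18), not part of the deck or of the NECTEC-GOC CA's own tooling, the following Python check models the rollover rules: the overlap between old and new CA certificates must cover the longest end-entity validity (1 year), only the new key signs once the new cryptographic data has been distributed, and the old key stays available for CRL signing until the last certificate it signed expires. All certificate names and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Longest validity of an end-entity certificate under the CP/CPS (1 year, per item 18).
MAX_EE_VALIDITY = timedelta(days=365)

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    signer: str = ""  # for end-entity certs: "old" or "new" CA key


def audit_rollover(old_ca: Cert, new_ca: Cert, distributed: datetime,
                   ee_certs: list[Cert]) -> list[str]:
    """Return a list of findings; an empty list means the rollover meets items 17 and 18."""
    findings = []
    # Item 18: overlap of old and new CA certificates >= longest EE validity.
    overlap = old_ca.not_after - new_ca.not_before
    if overlap < MAX_EE_VALIDITY:
        findings.append(f"overlap {overlap.days}d < required {MAX_EE_VALIDITY.days}d")
    for c in ee_certs:
        if c.signer != "old":
            continue
        # Item 17: after distribution of the new key, only the new key signs.
        if c.not_before >= distributed:
            findings.append(f"{c.name}: signed with old key after new key distribution")
        # Item 18: nothing signed by the old key may outlive the old CA certificate.
        if c.not_after > old_ca.not_after:
            findings.append(f"{c.name}: outlives old CA certificate")
    return findings


def old_key_retirement(ee_certs: list[Cert]):
    """Earliest date the old certificate/key may be withdrawn: when the last
    certificate it signed has expired (until then it still has to sign CRLs)."""
    return max((c.not_after for c in ee_certs if c.signer == "old"), default=None)


# Constructed sample data (not real NECTEC-GOC CA certificates).
OLD_CA = Cert("CA key 1", datetime(2007, 1, 1), datetime(2017, 1, 1))
NEW_CA = Cert("CA key 2", datetime(2015, 12, 1), datetime(2025, 12, 1))
DISTRIBUTED = datetime(2015, 12, 15)
EE_CERTS = [
    Cert("host-a", datetime(2015, 11, 1), datetime(2016, 11, 1), "old"),  # compliant
    Cert("user-b", datetime(2016, 1, 10), datetime(2017, 1, 10), "old"),  # two violations
    Cert("host-c", datetime(2016, 1, 10), datetime(2017, 1, 10), "new"),  # compliant
]

if __name__ == "__main__":
    for f in audit_rollover(OLD_CA, NEW_CA, DISTRIBUTED, EE_CERTS):
        print("FINDING:", f)
    print("old key may be retired after", old_key_retirement(EE_CERTS).date())
```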

Page 19: 5. Certificate Revocation

» (24) The CA must react as soon as possible, but within one working day, to any revocation request received.
  » Score: B
  » Status: The current CP/CPS does not specify the time period within which to react to revocation requests.
  » Solution: The new version of the CP/CPS states that the CA should process a certificate revocation request within one working day after receiving it.

Page 20: 5. Certificate Revocation

» (25) Subscribers must request revocation of their certificate as soon as possible, but within one working day, after detection of:
  » loss or compromise of the private key pertaining to the certificate,
  » the data in the certificate no longer being valid.
  » Score: B
  » Status: The CP/CPS does not include the EE obligation to request revocation if he/she lost or compromised the private key or if any data in the certificate is no longer valid.
  » Solution: Will be added in the new version of the CP/CPS.

Page 21: 7. End Entity Certificates and Keys

» (41) Certificates associated with a private key residing solely on a hardware token may be renewed for a period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits).
  » Score: X
  » Status: Could not evaluate.
  » Practice: This CA does not support renewal.

Page 22: 7. End Entity Certificates and Keys

» (42) Certificates must not be renewed or re-keyed for more than 5 years without a form of auditable and eligibility verification, and this procedure must be described in the CP/CPS.
  » Score: C
  » Status: The CP/CPS does not describe the re-verification and identity authentication processes required for entities on or prior to 5 years from the original or initial identity authentication.
  » Solution: Will be added in the new version of the CP/CPS.

Page 23: 9. Audits

» (47) Every CA should perform operational audits of the CA/RA staff at least once per year.
  » Score: C
  » Status: The CP/CPS does not require that the CA perform an operational audit. The CA has never performed an operational audit.
  » Solution: Will be added in the new version of the CP/CPS.

Page 24: SELF AUDIT RESULTS: REGISTRATION AUTHORITY

Page 25: 1. Entity Identification

» (3) In case of non-personal certificate requests, an RA should validate the identity and eligibility of the person in charge of the specific entities using a secure method.
  » Score: C
  » Status: The CP/CPS does not describe that the RA validates the identity of a person requesting a host/service certificate. However, we check for a valid certificate.
  » Solution: The new version of the CP/CPS states that the person requesting a host/service certificate must be a valid subscriber of NECTEC-GOC CA.

Page 26: 1. Entity Identification

» (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate.
  » Score: C
  » Status: The CP/CPS does not describe that an RA ensures the requestor is appropriately authorized by the owner of the FQDN. However, the RA practices the procedure below.
  » Solution: The new version of the CP/CPS states that the RA operator must obtain proof of such authorization, for example an official letter or a specific piece of information set in the DNS record of that domain.

Page 27: 1. Entity Identification

» (5) An RA must validate the association of the certificate signing request.
  » Score: C
  » Status: The CP/CPS does not describe that the RA ensures the requestor is appropriately authorized by the owner of the FQDN. However, the RA practices the procedure below.
  » Solution: The new version of the CP/CPS describes the procedure: requestor = valid user; FQDN in CSR = FQDN in application form; e-mail in CSR = e-mail in application form and in the user certificate.

Page 28: 1. Entity Identification

» (6) The CA or RA should have documented evidence on retaining the same identity over time.
  » Question to the PMA as follows:

    Does this mean the identity of the user should be retained? If the same individual, using the same name, belonging to the same organization, re-applies for a personal certificate, should the certificate have the same "subject name" as the one issued earlier?

    If the same individual, using the same name, belonging to a *different* organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier?

    If the same individual, using a *different* name, but still belonging to the same organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier?

    If the same individual, using a *different* name, belonging to a *different* organization, re-applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier?

    If a *different* individual, who happens to use the same name, belonging to the same organization, applies for a personal certificate, should the certificate have a different "subject name" from the one issued earlier?

Page 29: 1. Entity Identification

» (7) The certificate request submitted for certification must be bound to the act of identity vetting.
  » Score: C
  » Status: Neither the current nor the new version of the CP/CPS describes this.
  » Solution: Will be added in the new version of the CP/CPS: the RA operator checks whether the e-mail address specified in the application form matches that in the CSR. The certificate will be delivered via this e-mail address.
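The association checks from item (5) on Page 27 and the e-mail binding from item (7) above, written out as an added Python example that is not the deck's or the CA's own code. It models the three inputs the RA operator compares (the vetted application form, the fields parsed from the CSR, and the requestor's existing user certificate) and releases the delivery address only when every check passes; all names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class UserCert:            # the requestor's existing NECTEC-GOC CA personal certificate
    subject_cn: str
    email: str
    not_after: datetime
    revoked: bool = False

@dataclass(frozen=True)
class HostCSR:             # fields parsed from the submitted certificate signing request
    fqdn: str              # subject CN of the requested host/service certificate
    email: str             # emailAddress attribute / rfc822Name SAN

@dataclass(frozen=True)
class ApplicationForm:     # data the RA operator vetted with the applicant
    requestor_cn: str
    fqdn: str
    email: str

def ra_checks(form: ApplicationForm, csr: HostCSR, user_cert, now: datetime) -> list[str]:
    """Return the list of failed checks; an empty list means the request may be confirmed."""
    failures = []
    # Item 5: requestor = valid user (holds a current, unrevoked user certificate from this CA)
    if user_cert is None or user_cert.revoked or user_cert.not_after <= now:
        failures.append("requestor has no valid user certificate")
    elif user_cert.subject_cn != form.requestor_cn:
        failures.append("requestor on form does not match user certificate subject")
    # Item 5: FQDN in CSR = FQDN in application form (exact host name, no wildcard)
    if "*" in csr.fqdn or csr.fqdn.lower().rstrip(".") != form.fqdn.lower().rstrip("."):
        failures.append("FQDN in CSR does not match application form")
    # Items 5 and 7: e-mail in CSR = application form = user certificate
    emails = {csr.email.lower(), form.email.lower()}
    if user_cert is not None:
        emails.add(user_cert.email.lower())
    if len(emails) != 1:
        failures.append("e-mail differs between CSR, form and user certificate")
    return failures

def delivery_address(form, csr, user_cert, now):
    """Item 7: the certificate goes to the vetted e-mail address, and only if all checks pass."""
    return None if ra_checks(form, csr, user_cert, now) else form.email

# Constructed sample input (no real subscribers or hosts).
NOW = datetime(2010, 3, 8)
USER = UserCert("Somchai Example", "somchai@example.or.th", datetime(2011, 1, 1))
FORM = ApplicationForm("Somchai Example", "grid01.example.or.th", "somchai@example.or.th")
GOOD_CSR = HostCSR("grid01.example.or.th.", "Somchai@example.or.th")   # trailing dot, mixed case
BAD_CSR = HostCSR("*.example.or.th", "other@example.or.th")             # wildcard, other mailbox

if __name__ == "__main__":
    print(delivery_address(FORM, GOOD_CSR, USER, NOW))
    print(ra_checks(FORM, BAD_CSR, USER, NOW))
```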

Page 30: 3. RA to CA Communications

» (11) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate.
  » Score: C
  » Status: The CP/CPS has no description of how the CA or the RA is informed of any changes.
  » Solution: Will be added in the new version of the CP/CPS: the user must inform the RA and CA operators of any changes that may affect the status of the certificate.

Page 31: Summary

» Total number of items: 68
» Results:
  » 50 As - Good
  » 6 Bs - Recommendation (minor changes)
  » 9 Cs - Recommendation (major changes)
  » 2 Xs - Could not evaluate (N/A)
» Changes:
  » Improving the CP/CPS; no critical effects on current/immediate operation