Upload
ariel-walker
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
NECTEC-GOC CANECTEC-GOC CASelf AuditSelf Audit
7th APGrid PMA Face-to-Face meeting
March 8th, 2010
Sornthep Vannarat
Large-Scale Simulation Research LaboratoryLarge-Scale Simulation Research Laboratory National Electronics and Computer Technology Center,
Thailand
2
Outlines
»NECTEC-GOC CA
»Self Audit» Certification Authority» Registration Authority
»Summary
3
OverviewOverview» NECTEC-GOC CA operates by Large-
Scale Simulation Research Laboratory» Accredited by APGrid PMA in October 2006» Compilation in Classic AP version 4.2
» Certificates for the collaborators related to NECTEC Grid Computing research.
» Initial lifetime» 10 years, until January 2017
» Software» OpenCA software version 0.9.6
4
System ArchitectureSystem Architecture
» OpenCA
» Online interface (RA)» Used by EE for certificate requests» Used by RAs for request confirmations
» Offline (CA)» CA machine kept in safe deposit box
accessible to CA staff only» Data transfer achieve USB» Data backup performed after each operation
5
Certificates StatusCertificates Status» Total: 105 issued certificates
» User: 61» Host: 44
» Valid: 71 certificates» User: 53» Host: 18
» Expired: 34 certificates» User: 8» Host: 26
» Revoked: none
6
SELF AUDITSELF AUDIT
7
Materials used of auditingMaterials used of auditing» The following documents are referred:
» Guidelines for auditing Grid CAs version 1.0 December 11th 2009
» NECTEC-GOC CA CP/CPS version 1.1 (RFC 2527) August 2009
» NECTEC-GOC CA CP/CPS new version (RFC 3647 unapproved)» CA Repository
http://gridca.hpcc.nectec.or.th» CA Certificate, CRL, End-Entity certificates» Other document described as published on the web
repository Certificate application procedure Certificate renew and revocation procedure
8
Materials used of auditingMaterials used of auditing
» The following are the subjects of the inspection:» CA room» RA and CA machines» Backup media of the CA private key and its place» Media storage of archived logs and other documents and
their place e.g. safe deposit box» Logs of RA and CA servers» Records of operation of the RA and CA» Access log to the CA room
9
CANo immediate change (1)
1 CP/CPS (3) Network of RAAlready in new version (6)
1 (6) all versions of CP/CPS on web1 (7) RFC 36473 (15) CA pass phrase backup in offline media 3 (17) CA key change3 (18) CA key change overlap5 (24) CA react to revocation request
To be added to new version (3)5 (25) Revocation request (subscriber obligation)7 (42) Re-verification for rekeying9 (47) Annual operational audit
Not relevant (2)3 (16) online CA log 7 (41) renewal of key in HW token
10
RAAlready in new version (3)
1 (3) Secure ID validation for non-personal certificate1 (4) Authorization of host/service certificate1 (5) Association of CSR for host/service certificate
To be added to new version (2)1 (7) CSR bounded to ID vetting3 (11) How to inform CA/RA about EE status change
Question (1)1 (6) Identify retaining
11
SELF AUDIT RESULTS: SELF AUDIT RESULTS: CERTIFICATION AUTHORITYCERTIFICATION AUTHORITY
12
1. CP/CPS1. CP/CPS» (3) There should be a single end-entity issuing CA with a
wide network of RA.» Score: B» Status: The CP/CPS describes that a single end-entity
issuing CA with one RA operator.» Practice: Currently, there is one RA operator, only, since
the user community is still small.
13
1. CP/CPS1. CP/CPS
» (6) All the CP/CPS under which valid certificates are issued must be available on the web.» Score: B» Status:
The CP/CPS does not describe that all the versions of CP/CPS under which valid certificates are issued must be available on the web.
All versions (two) of CP/CPS are available on the web
» Solution: The new version of CP/CPS has described that all CP/CPS under
which valid certificates are issued has been published on the web.
14
1. CP/CPS1. CP/CPS
15
3. CA Key3. CA Key» (15) The pass phrase of the encrypted private key must also
be kept on offline media, separated from the encrypted private keys and guarded in a secure location where only the authorized personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.» Score: B» Status: The current CP/CPS does not describe about the
backup of pass phrase.» Solution: The procedure appears in the new version of
CP/CPS which describes that the pass phrase is kept in a sealed envelop.
16
3. CA Key3. CA Key
» (16) The on-line CA architecture must provide for a log of issued certificates and signed revocations. The log should be tamper-protected.» Score: X » Status: Cloud not evaluate.» Practice: The CA system is completely offline.
17
3. CA Key3. CA Key» (17) When the CA’s cryptographic data needs to be
changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.» Score: C» Status: The CP/CPS does not describe about transition of
the CA’s cryptographic data. » Solution: The new version of CP/CPS describes that when
the CA’s cryptographic data is changed, from the time of new cryptographic data distribution, only the new CA certificate will be used for certificate signing purpose.
18
3. CA Key3. CA Key» (18) The overlap of the old and new keys must be at least the
longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures – and the secret key to sign CRLs – until all the certificates signed using the associated private key have also expired.» Score: C» Status: The CP/CPS does not describe how to handle such
situations.» Solution: The new version of CP/CPS describes that the overlap
of the old and new CA certificate must be at least the longest time an end-entity certificate can be valid (1 year). The old CA certificate will be valid and available to verify old signatures and the secret key to sign CRLs until all the certificates signed using the associated private key have also expired.
19
5. Certificate Revocation5. Certificate Revocation
» (24) The CA must react as soon as possible, but within one working day, to any revocation request received.» Score: B» Status: The current CP/CPS does not specify the time
period to react to revocation requests.» Solution: The procedure is described in the new version
of CP/CPS that the CA should process the certificate revocation request within one working day after receiving the request.
20
5. Certificate Revocation5. Certificate Revocation» (25) Subscribers must request revocation of its certificate as
soon as possible, but within one working day after detection of:- he/she lost or compromised the private key pertaining to the
certificate,- The data in the certificate are no longer valid.
» Score: B» Status: CP/CPS does not include EE obligation to
requesting revocation of she/he lost or compromised the private key or any data in the certificate is no longer valid.
» Solution: Will be added in the new version of CP/CPS.
21
7. End Entity Certificates and keys7. End Entity Certificates and keys
» (41) Certificates associated with a private key residing solely on hardware token may be renewed for a period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits).» Score: X» Status: Cloud not evaluate.» Practice: This CA does not support renewal.
22
7. End Entity Certificates and keys7. End Entity Certificates and keys
» (42) Certificates must not be renewed or re-keyed for more than 5 years without a form of auditable and eligibility verification, and this procedure must be described in the CP/CPS.» Score: C» Status: The CP/CPS does not describe about re-
verification and authentication of identity processes required for entities on or prior to 5 years from the original or initial identity authentication.
» Solution: Will be added in the new version of CP/CPS.
23
9. Audits9. Audits
» (47) Every CA should perform operational audits of the CA/RA staff at least once per year.» Score: C» Status: The CP/CPS does not require that the CA
performs operational audit. The CA has never performed operational audit.
» Solution: Will be added in the new version of CP/CPS.
24
SELF AUDIT RESULTS:SELF AUDIT RESULTS:REGISTRATION REGISTRATION AUTHORITYAUTHORITY
25
1. Entity Identification1. Entity Identification
» (3) In case of non-personal certificate requests, an RA should validate the identity and eligibility of the person in charge of the specific entities using a secure method.» Score: C» Status: The CP/CPS does not describe that the RA
validates the identity of a person requesting a host/service certificate. But we check for valid certificate.
» Solution: The procedure is described in the new version of CP/CPS that the person requesting a host/service certificate must be a valid subscriber of NECTEC-GOC CA.
26
1. Entity Identification1. Entity Identification
» (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifiers asserted in the certificate.» Score: C» Status: The CP/CPS does not describe that an RA ensures
that the requestor is appropriately authorized by the owner of the FQDN. However, RA practices the procedure below.
» Solution: The procedure is described in the new version of CP/CPS that the RA operator must proves of such authorization, such as by an official letter or by setting a certain information in the DNS record of that domain.
27
1. Entity Identification1. Entity Identification
» (5) An RA must validate the association of the certificate signing request.» Score: C» Status: The CP/CPS does not describe the RA ensures that
the requestor is appropriately authorized by the owner of the FQDN. However, RA practices the procedure below.
» Solution: The procedure is described in the new version of CP/CPS: requestor = valid user, FQDN in CSR = in application form, e-mail in CSR = in application form and in user
certificate
28
1. Entity Identification1. Entity Identification» (6) The CA or RA should have documented evidence on retaining the
same identity over time.» Question to PMA as follows:
Does this mean the identify of user should be retained? If the same individual, using the same name, belonging to the same organization, re-
applies for a personal certificate, the certificate should have the same "subject name" as the one issued earlier?
If the same individual, using the same name, belonging to a *different* organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?
If the same individual, using a *different* name, but still belonging to the same organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?
If the same individual, using a *different* name, belonging to a *different* organization, re-applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?
If a *different* individual, but happen to use the same name, belonging to the same organization, applies for a personal certificate, the certificate should have a different "subject name" as the one issued earlier?
29
1. Entity Identification1. Entity Identification
» (7) The certificate request submitted for certification must be bound to the act of identity vetting.» Score: C» Status: The current and the new version of CP/CPS does
not describe this.» Solution: Will be added in the new version of CP/CPS that
the RA operator checks whether the email specified in the application form matches that in the CSR. The certificate will be delivered via this email address.
30
3. RA to CA communications3. RA to CA communications
» (11) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate.» Score: C» Status: The CP/CPS has no description on how the CA or
the RA is informed of any changes.» Solution: Will be added in the new version of CP/CPS that
the user must inform any changes that may affect the status of the certificate to RA and CA operators.
31
SummarySummary
» Total number of items: 68
» Results:» 50 As - Good» 6 Bs - Recommendation (minor changes)» 9 Cs - Recommendation (major changes)» 2 Xs - Cloud not evaluate (N/A)
» Changes:» Improving CP/CPS; no critical effects on
current/immediate operation