- Number of slides: 14
AEGIS Certification Authority
Dušan Radovanović, University of Belgrade Computer Centre
40th EUGridPMA meeting, May 2017, Ljubljana
Overview
- Approved June 2007
- Issues certificates to the Serbian GRID community
- https://aegis-ca.rcub.bg.ac.rs
- CP/CPS and root cert updated January 2009 to reflect the TLD change
- Changed to SHA-2
- Extended the lifetime of the root cert in March 2017
CA operation
- CA operated by a staff of 2
- Currently RA’s
- Online web interface operated on the main web server
- Offline certificate signing
- SimplePKI software
- Security
Certificates
- Total issued: 1055
- Total revoked: 102
Self Audit
- Guidelines for auditing Grid CA’s v1.0
  - C – 2
  - B – 3
  - X – 1
Self Audit – CP/CPS 4 - B
- Whenever there is a change in the CP/CPS, the OID of the document must change and the major changes must be announced to the responsible PMA and approved before signing any certificates under the new CP/CPS.
- Practice: Every change is announced to the PMA, but this procedure is not documented in the CP/CPS
- Solution: Will add this procedure to the CP/CPS
Self Audit – EE certificates/keys 40 - B
- Each host certificate must be linked to a single network entity.
- Practice: The CP/CPS does not describe how each host certificate is linked to a single entity.
- Solution: The CP/CPS will be updated to describe this
Self Audit – EE certificates/keys 41 / 49 - X
- The authority shall issue X.509 certificates to end entities based on cryptographic data generated by the applicant, or based on cryptographic data that is held only by the applicant on a secure hardware token.
- Practice: We do not have support for hardware tokens
- Question: Should we add this to the CP/CPS?
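Three of the points above are checkable on the issued material itself: that certificates are signed with SHA-2 (Overview), that a host certificate is bound to a single network entity (40-B), and that the key pair was generated by the applicant (41/49-X), which a CA confirms by verifying the self-signature on the submitted CSR. The script below is an added example, not code from the AEGIS CA, its slides or SimplePKI; it needs only the openssl command-line tool, constructs every key, CSR and certificate it inspects in a temporary directory, and the names (host.example.org, alias.example.org, "Example Grid CA") are made up. It reads "single network entity" as exactly one DNS name in subjectAltName and issues a two-name counter-example to show the check failing.

```shell
#!/bin/sh
# Added example, not code from the AEGIS CA slides or from SimplePKI.
# Spot-checks a CA operator can run on issued material:
#   * certificates are signed with a SHA-2 family algorithm
#   * a host certificate names exactly one network entity, read here as
#     exactly one DNS name in subjectAltName
#   * the CSR self-signature verifies, i.e. the applicant generated and
#     holds the private key; the CA never sees that key
# Requires only the openssl CLI. All material below is constructed; names
# such as host.example.org and "Example Grid CA" are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signature algorithm name as printed by openssl, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeeds when the certificate is signed with SHA-256, SHA-384 or SHA-512.
is_sha2_signed() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of DNS names in the subjectAltName extension (0 when absent).
dns_san_count() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Succeeds when the certificate has not passed its notAfter date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Succeeds when the CSR's self-signature verifies against the public key it
# carries: proof that whoever submitted it held the matching private key.
csr_proves_key_possession() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# ---- constructed test material -------------------------------------------
# Root CA: self-signed, SHA-256, 10 years.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=RS/O=Example Grid CA/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Applicant side: own key pair and CSR; only the CSR goes to the CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=RS/O=Example Site/CN=host.example.org" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null

# Host certificate bound to one network entity.
printf 'subjectAltName=DNS:host.example.org\n' > "$WORK/one.cnf"
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/one.cnf" \
    -out "$WORK/host.pem" 2>/dev/null

# Counter-example: the same CSR issued with two DNS names.
printf 'subjectAltName=DNS:host.example.org,DNS:alias.example.org\n' > "$WORK/two.cnf"
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/two.cnf" \
    -out "$WORK/multi.pem" 2>/dev/null

# ---- report ---------------------------------------------------------------
for cert in root.pem host.pem multi.pem; do
    path="$WORK/$cert"
    printf '%-10s sig=%s' "$cert" "$(cert_sig_alg "$path")"
    if is_sha2_signed "$path"; then printf ' sha2=ok'; else printf ' sha2=FAIL'; fi
    if cert_not_expired "$path"; then printf ' valid=ok'; else printf ' valid=EXPIRED'; fi
    printf ' dns_sans=%s\n' "$(dns_san_count "$path")"
done
if csr_proves_key_possession "$WORK/host.csr"; then
    echo "host.csr  signature verifies: applicant holds the private key"
fi
```

Run it as a plain shell script; it prints one line per certificate and one for the CSR. The report shows host.pem with dns_sans=1 and multi.pem with dns_sans=2, which is the difference a 40-B review would flag. A hardware-token deployment (the X item) would not change these checks: the CSR is still signed by the applicant's key, only that key now lives on the token.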
Self Audit – Audits 53 - B
- Every CA must perform operational audits of the CA/RA staff at least once per year.
- Practice: We do not have an auditing manual and do not audit RA’s.
- Question: Should the manual be written, or published on-line? Should the RA’s keep the identification verification documents, or send them to the CA?
Self Audit – Privacy 61 - C
- Accredited CAs must define a privacy and data release policy compliant with the relevant national legislation. The CA is responsible for recording, at the time of validation, sufficient information regarding the subscribers to identify the subscriber. The CA is not required to release such information unless provided by a valid legal request according to national laws applicable to that CA.
18th EUGridPMA meeting, Jan 2010, Dublin
Self Audit – Privacy
- Practice: The CP/CPS does not define a data release policy because there was no law defining this at the time of writing the original CP/CPS.
- Solution: The law now exists, so this can be updated.
Self Audit – RA 8 - C
- The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate.
- Practice: The CP/CPS does not define this
- Solution: This procedure will be defined in the CP/CPS
Self Audit – Conclusion
- Implement changes to the CP/CPS
  - Changes from the self audit
  - Changes suggested by reviewers
  - Revise and update the whole CP/CPS to the new classic AP
Thank you!