NCHC CA Status Report VTC meeting WeiYu Chen

NCHC CA Status Report
VTC meeting
Wei-Yu Chen (waue@nchc.org.tw)
National Center for High-performance Computing, Taiwan
Oct. 12, 2010

CA Members Reduction
• CA manager:
  • Manage all CA tasks and approve CA and RA operators
• CA Operator:
  • Maintain the CA signing server and web server
• RA Operator:
  • Check subscribers' information and approve them
CA Manager CA Operator * Huei-Shan, Chen Wei-Yu, Chen * Wei-Yu, Chen Yao-Tsung, Wang RA Operator
* => Know the passphrase

Current status
• No major changes since the last F2F meeting.

Total number of issued certificates of 2010

Certificate   User   Host   Total
VALID           25     35      60
Revoked          3      6       9
EXPIRED         26     10      36

Self Audit
• Using guidelines for Auditing Grid CAs version 1.0

Summary
• Auditing.Spreadsheet.xls
• IGTF classic profile: IGTF-AP-classic-4-2
• Mark
  • A: 67
  • B: 1
  • C: 2
  • N/A: 1

CA-(37)
• The CA should make a reasonable effort to make sure that subscribers realize the importance of properly protecting their private data
  • B
• NCHC CA lets subscribers revoke their certificates if security issues are suspected. We should also make a reasonable effort to make sure that subscribers realize the importance of properly protecting their private data.

CA-(25)
• Subscribers must request revocation as soon as possible, but within one working day after detection of loss or compromise of the private key pertaining to the certificate, or if the data in the certificate is no longer valid.
  • C
• In section 4.9.1, the CP/CPS states "subscriber must request his/her certificate revocation when security problems are suspected" but does not say AS SOON AS POSSIBLE. We will add this statement to the CP/CPS.

RA-(6)
• The CA or RA should have documented evidence on retaining the same identity over time.
  • C
• The DN is unique for a person because a random number of length 6 is appended to the name; this is included in section 3.1.5 but not in 7.1.4. We will fix this in the CP/CPS.

CA-(16)
• The on-line CA architecture must provide for a log of issued certificates and revocations. The log should be tamper-protected.
  • N/A
• NCHC uses an off-line CA architecture, but all logs are available and archived, and the minimum retention period is 3 years.

Updated CPS - V1.1.6
• http://ca.goc.nchc.org.tw/nchcca/CPS.html
• 1.2 – OID changed to 1.3.6.1.4.1.23308.1.1.1.6
• 4.9.1 - Subscriber must request his/her certificate revocation as soon as possible when …
• 7.1.4 CN=[the name of applicant with 6 random number]

Thank You