
APAC CA Self Audit and status update

This self-audit and status update provides information on the APAC Certification Authority, including its software, staff, issued certificates, and compliance with auditing guidelines.





Presentation Transcript


  1. APAC CA Self Audit and status update
     Sam Morrison, sam.morrison@arcs.org.au, ARCS

  2. Info
     • APAC Certification Authority
     • Classic CA Profile
     • Accredited Feb 2006
     • Lifetime 10 years – Expires 2016
     • Now run by ARCS; CA location: Melbourne, AUS
     • Software
       • OpenCA (old version)

  3. Status
     • People
       • 3 CA Staff (Sam, Andy, Russell)
       • 47 RA Operators
     • Issued (to date)
       • 942 User
       • 1294 Host

  4. Current Valid Certificates
     • User: 179
     • Web Server: 329
     • RA Operators: 37
     • Total 544 (2 CA Operators)

  5. Issuing Trend

  6. Self Audit
     • Using guidelines for Auditing Grid CAs version 1.0

  7. 46 - B
     • The profile of the end entity certificates must also comply with the current IGTF and OGF certificate profile guidelines before being included in any distribution of certificates.
     • CPS wasn't changed to show changes to End Entity certs in relation to extra OIDs
     • Certificates were changed, just not reflected in CPS

  8. 56 - B
     • A list of CA and RA personnel should be maintained and verified at least once per year.
     • CA Staff have changed
     • Manager changed from David Bannon to myself (section 1.3)
     • RA Operator list needs to be verified more frequently

  9. 38 - C
     • The message digests of the certificates and CRLs must be generated by a trustworthy mechanism, like SHA1 (in particular, MD5 must not be used).
     • Still using MD5 (one of a couple of CAs still out there)
     • Still working on modifying software to deal with this.

  10. 17 - D
     • The pass phrase of the encrypted private key must also be kept on off-line media, separated from the encrypted private keys and guarded in a secure location where only the authorised personnel of the CA have access. Alternatively, another documented procedure that is equally secure may be used.
     • Wasn't the case (was destroyed when we replaced safes)
     • Is now back in place

  11. 8 - X
     • The CP/CPS documents should be structured as defined in RFC 3647.
     • Still use RFC 2527
     • No plan to change

  12. 49 - X
     • Certificates associated with a private key residing solely on a hardware token may be renewed for a validity period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits).
     • Don't provide specific support for hardware tokens

  13. Self Audit Summary
     • 71 As
     • 2 Bs
     • 1 C
     • 1 D
     • 2 Xs

  14. Updated CPS - V1.5
     • http://wiki.arcs.org.au/bin/view/Main/CaPolicy_1_5
     • 1.1 – Change APAC to ARCS
     • 1.3 – Change manager to Sam Morrison, change APAC to ARCS
     • 1.4 – Change contact email
     • 7.1.2 – Add new OIDs to certificate extensions
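The "38 - C" finding (MD5 digests still used on certificates and CRLs) is one a CA operator can check mechanically across every issued object. The following is an added example, not part of the presentation or of the APAC/ARCS CA software: a stdlib-only Python parser that reads the outer signatureAlgorithm OID of a DER-encoded certificate or CRL and flags MD5. The SIG_ALG_OIDS table, the function names and the sample DER skeletons are assumptions constructed for this example.

```python
# Added example (not from the presentation): a stdlib-only DER walker that
# reads the outer signatureAlgorithm OID of an X.509 Certificate or CRL and
# flags MD5, the finding on the "38 - C" slide. Feed it DER bytes (base64-decode
# PEM first); the samples at the bottom are constructed, not real certificates.

# OID -> (digest name, acceptable under the guideline). Common RSA OIDs only.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": ("MD2", False),
    "1.2.840.113549.1.1.4": ("MD5", False),
    "1.2.840.113549.1.1.5": ("SHA1", True),
    "1.2.840.113549.1.1.11": ("SHA256", True),
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER contents to dotted notation."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit = continuation
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def signature_digest(der):
    """Return (oid, digest, acceptable) from the outer AlgorithmIdentifier."""
    tag, body, _ = _tlv(der, 0)            # Certificate / CertificateList
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(body, 0)              # skip tbsCertificate / tbsCertList
    _, alg, _ = _tlv(body, pos)            # signatureAlgorithm SEQUENCE
    _, oid_raw, _ = _tlv(alg, 0)           # its OBJECT IDENTIFIER
    oid = _decode_oid(oid_raw)
    name, ok = SIG_ALG_OIDS.get(oid, ("unknown", False))
    return oid, name, ok

def make_sample(sig_oid_hex):
    """Constructed skeleton: empty tbs, given AlgorithmIdentifier, 1-byte BIT STRING."""
    alg = bytes.fromhex("06" + f"{len(sig_oid_hex) // 2:02x}" + sig_oid_hex + "0500")
    alg = bytes([0x30, len(alg)]) + alg
    body = bytes.fromhex("3000") + alg + bytes.fromhex("030100")
    return bytes([0x30, len(body)]) + body

# Constructed samples (not real certificates): md5WithRSAEncryption, sha256WithRSAEncryption.
SAMPLE_MD5 = make_sample("2a864886f70d010104")
SAMPLE_SHA256 = make_sample("2a864886f70d01010b")
```

On a real CA the same function is run over the DER of every certificate and CRL in the issued store; any entry reporting an unacceptable digest is an audit exception under item 38.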
