1 / 6

Proposals for auditing

Proposals for auditing. Yoshio Tanaka (yoshio.tanaka@aist.go.jp) Grid Technology Research Center, AIST, Japan. How do we accredit/certify/audit authorities?. A regional PMA should accredit CAs re-certify CAs coordinate peer-review (peer-audit) of CAs Questions How a CA is audited?

whigham
Download Presentation

Proposals for auditing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Proposals for auditing Yoshio Tanaka (yoshio.tanaka@aist.go.jp) Grid Technology Research Center, AIST, Japan

  2. How do we accredit/certify/audit authorities? • A regional PMA should • accredit CAs • re-certify CAs • coordinate peer-review (peer-audit) of CAs • Questions • How a CA is audited? • criteria for audit • audit processes • Should PMA be audited? • how?

  3. Proposed audit items • NAREGI PKI WG has subjectively selected criteria for auditing Grid CAs. • based on • AICPA/CICA WebTrustSM/TM Program for Certification Authority • minimum CA requirements of APGrid PMA and EUGrid PMA • Web Trust • WebTrust is a seal awarded to web sites that consistently adhere to certain business standards established by the Canadian Institute of Chartered Accountants (CICA.ca) and the American Institute of Certified Public Accountants (AICPA). • In the program, “Web Trust Principles and Criteria for Certification Authorities” lists criteria for CAs. • may too much for Grid CAs.

  4. Criteria in the WebTrustSM/TM • Principle 1: CA Business Practices Disclosure • The certification authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices • Principle 2: Service Integrity • The certification authority maintains effective controls to provide reasonable assurance that: • Subscriber information was properly authenticated (for the registration activities performed by ABC-CA) and • The integrity of keys and certificates it manages is established and protected throughout their life cycles.

  5. Criteria in the WebTrustSM/TM (cont’d) • Principle 3: CA Environmental Controls • The certification authority maintains effective controls to provide reasonable assurance that: • Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure; • The continuity of key and certificate life cycle management operations is maintained; and • CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity.

  6. Plans and proposals • AIST GRID CA will be audited by NAREGI CA according to the proposed criteria for audit in March 29. • evaluate its appropriateness • APGrid PMA will audit production-level CAs based on the proposed criteria • The proposed criteria for audit can be a starting point to establish common criteria for Grid CAs. • will circulate the proposed criteria to the CAOPs ML • may provide documents if needed • comments and discussions are welcome

More Related