Updates of the APGrid PMA Yoshio Tanaka APGrid PMA, Chair Grid Technology Research Center, AIST, Japan
APGrid CAs (accredited, 1/3) • Australia • APACGrid CA • Accredited in Nov. 2005 • Started operation in Feb. 2006 • Audited in March 2006 • David Bannon, Graham Jenkins, Chris Kendrick • Issues certificates for LCG • China • IHEP CA • Accredited in May 2005 (already in operation) • Audited in December 2005 • profile of the root cert. has been changed • Gongxing Sun, Gang Chen, Fan HuaXiang • Issues certificates for LCG • CNIC / SDG CA • Accredited in Dec. 2005. • Not yet in operation • Going to launch a new CA • hierarchical CA • needs to be accredited again • Kai Nan, Morrise Xu,
APGrid CAs (accredited, 2/3) • Japan • AIST GRID CA • Accredited in Sep. 2004 • Started operation in March 2005 • Audited in March 2005 • Yoshio Tanaka, + 5 staff • NAREGI CA • Accredited in Nov. 2005 • Started operation in Feb. 2006 • Not yet audited • Masataka Kanamori, + 4 staff • KEK Grid CA • Accredited in Jan. 2006 • Started operation in Feb. 2006 • Not yet audited • Takashi Sasaki, + 2~3 staff • Issues certificates for LCG
APGrid CAs (accredited, 3/3) • Korea • KISTI GRID CA • Accredited in Aug. 2004. (already in operation) • Not yet audited • Sangwan Kim, Jae-hyuck Kwak • Issues certificates for LCG • Taiwan • ASGCC CA • Operated by Academia Sinica Grid Computing Center • Accredited in Sep. 2004. (already in operation) • Audited in Aug. 2005 • Eric Yen, C.C. Chang, + 1~2 operators • Issues certificates for LCG • NCHC Grid CA • Operated by National Center for High-performance Computing • Accredited in Feb. 2006 • Not yet in operation • Alex Wu, Weicheng Huang, + 1~2 operators
APGrid CAs (under review, planned) • Singapore • NGO CA • will be operated by National Grid Office and Netrust Inc. • CP/CPS under review • will issue certificates for LCG • Thailand • NECTEC CA • will be operated by National Electronics and Computer Technology Center • drafting CP/CPS • Thai National Grid Center (will be accredited as a new member) • will be operated by Thai National Grid Center • drafting CP/CPS • USA • PRAGMA CA • will be operated by SDSC • planning to be a catch-all CA for PRAGMA members • drafting CP/CPS
APGrid CAs (general membership) • China • Univ. of Hong Kong • India • Univ. of Hyderabad • Japan • Osaka Univ. • Malaysia • Univ. Sains Malaysia
APGridPMA: Status & Activities • Accreditation of CAs • 9 accredited CAs • AIST, APAC, ASGCC, CNIC, IHEP, KEK, KISTI, NAREGI, NCHC • 7 CAs are in operation • CNIC/SDG will change the structure and will be re-accredited • Audit • AIST, APAC, ASGCC, IHEP have been audited by the other CAs. • Regular (monthly) VTC. • Brief status reports of each CA • In-depth report of a CA • Decisions • Examination for accreditation of a CA • Approval of charter, minimum CA requirements, etc. • Open discussions • (physical) face-to-face meeting (at least) once per year. • 1st face-to-face meeting was in Dec. 2005, Beijing. • 2nd meeting will be on Oct. 15, 2006, Osaka, Japan.
Some Updates • Next chair • Yoshio Tanaka (continuing) • CA Monitoring page using Nagios • http://www.apgridpma.org/nagios/ • Shows status of all IGTF-accredited CAs • Modified script (reads configuration from .info file) • Next F2F meeting • October 15, Osaka, Japan (co-located with PRAGMA Workshop)
Some Updates (cont’d) • Issues to be discussed • Accreditation of NGO/Netrust CA • Some information is confidential • CRL validity period is too short • Netrust CA agreed to disclose the audit report to the APGrid PMA auditors • Accreditation of CNIC/SDG CA • hierarchical CA • IGTF CA distribution from the APGrid PMA • Will need to limit the number of CAs per region • Japanese universities will build UPKI • China has some national/international Grid projects • Need to consider hierarchical structure of PMAs
Proposed audit items • NAREGI PKI WG has subjectively selected criteria for auditing Grid CAs. • based on • AICPA/CICA WebTrust℠/™ Program for Certification Authority • minimum CA requirements of APGrid PMA and EUGrid PMA • Web Trust • WebTrust is a seal awarded to web sites that consistently adhere to certain business standards established by the Canadian Institute of Chartered Accountants (CICA.ca) and the American Institute of Certified Public Accountants (AICPA). • In the program, “Web Trust Principles and Criteria for Certification Authorities” lists criteria for CAs. • may be too much for Grid CAs.
Audit checklist • Simply pick up items from WebTrust℠/™ criteria based on minimum CA requirements. • The number of criteria:
Rough procedures for auditing • Pre-examination (few days) • Review all available documents • CP/CPS, User’s manual, Operational manual, CRL, CA Certificate, etc. • Prepare score sheet • Main examination (half day) • Interview CA staff • Detailed flow of identifying end entities and issuing certificates • How access to the CA private key is controlled • Inspection of equipment • CA server, CA room, backup media, archived logs, a safe box, etc. • Post-examination (half day) • Draft and send an audit report • The audited CA is requested to send a report on plans for the improvements in 1 week