[caops-wg] New version of Audit Guidelines document

[Viljoen, MJ (Matthew)]

Hi,

I've been reading this version and here are my comments.  Overall I think that this is an excellent and very thorough document, and a general adoption of auditing across the PMAs will be a welcome development.

My main criticism of the document as it stands is that RA paperwork as defined in the Classic AP section 3.1 should itself be audited in any auditing process, if not by an external auditor then by the CA themselves.  The RAs are the potentially weakest link of a PKI as they are charged with the ongoing verification of identity, a process that can easily fail over time as this process involves human interaction.

I think that any external auditing of a CA should check random RA records to verify the paperwork, or alternatively ask the CA whether they have implemented a procedure for checking this.  In the latter case, I would suggest an additional item in Section 4. of the RA section:

"The CA is responsible for ensuring that RAs continue to fulfill their obligations"

and the method could be: 

"Does the CA have any process in place for ensuring the RAs fulfill their obligations?"

Other points:

- The Abstract and Introduction could be reworded so as not to duplicate text.  I'm also wary of introducing the concept of a VO in these sections, and I don't see the link with a VO and the real institution running the CA.  I'd be happy to assist in rewording these sections if needed.

- In the introduction, it may also be useful to suggest who the target audience of the document is, and suggest who may be qualified to conduct an audit.  Clearly it is not sufficient to know the Classic AP - it needs to be done by somebody who is familiar with Grid CAs.

- Item 54. The current wording implies that the PMA and Federation is being audited in checking that information is being re-distributed.  It should be changed to something like:

"Is the CA providing this information for re-distribution?"

- Item 1 in the RA Section has an open-ended method, and it is unhelpful for the auditor in not providing an indication to what the desired answer is.  I'd suggest changing it to:

"Is the role of the RA defined?"


Matt


-----Original Message-----
From: caops-wg-bounces at ogf.org on behalf of Christos Kanellopoulos
Sent: Tue 10/16/2007 10:42 PM
To: CAOPS-WG
Subject: [caops-wg] New version of Audit Guidelines document
 

Hi all,

this morning Yoshio uploaded a new version (1.0b4) of the "Guidelines  
for auditing Grid CAs" document on GridForge [1]. This document is  
considered to be in it's final stages, so please do read the document  
and comment on it.

For those in Seattle, see you in a few minutes at the CAOPS session

[1]: https://forge.gridforum.org/sf/go/doc4858

--
Christos Kanellopoulos

Grid Operations Center, Aristotle University of Thessaloniki
University Campus, GR 541 24, Building 22D, Office 4'6B
Tel. +302310998988 Fax. +302310994309 http://www.grid.auth.gr