[caops-wg] Issues with the Audit Guidelines Document GFD 169

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Oct 21 07:45:24 CDT 2010


Hi Yoshio,
hi EUGridPMA list,
hi CAOPS-WG,

while working with the Audit Guidelines Document (GFD 169) I came across
some surprising issues:

The PDF offered from <http://www.ogf.org/documents/GFD.169.pdf> dated from
19.04.2010 differs from the latest .doc version available from
<https://forge.gridforum.org/sf/go/doc4858> which is called version 10 dated
from 20.01.2010. Both documents self-claim that they are each version 1.0.

Aside from some minor differences like release dates, table of contents, etc., the
PDF is missing a numbering of an audit case. The section numbering in the
PDF is different from the one in the word doc. But immediately after section
heading "3.1.2. CA System" in the PDF the case number (7) for "The CA
computer where the signing of the certificates..." is missing. Inserting the
number (7) here will introduce an off-by-one error for current numbers (7)
to (48) being (8) to (49) after the correction.

Case (49) in the current(!) PDF is actually redundant to case (50)i. and
needs to be deleted. The requirement quoted in case (49) is no longer
included in the IGTF-AP-Classic v4.3 and v4.2 document. Instead it became
part of case (50)i. which is to be found in section 6 of the IGTF-AP-Classic
document.

This latter bug is also found in the .doc(!) version from 19.01.2010 except
that the case numbering here is different again. Case (50) is the redundant
requirement to be deleted so that cases (51) to (56) are off by one and
need to be renumbered to (50) to (55) once the redundant case is deleted.

Be aware that the Auditing Template document (audit check-list) available
from <https://www.eugridpma.org/guidelines/classic> does not match its audit
case numbers to any of the above (PDF & .doc) GFD 169 documents' case numbers.

That indeed got me so confused that I started to look into these issues.

How can we go about getting GFD 169 fixed? I did not see any bug reporting
mechanism on the OGF site....

Thanks

Reimer
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
