[caops-wg] Issues with the Audit Guidelines Document GFD 169

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Oct 28 03:56:37 CDT 2010


Hi,

David O'Callaghan wrote on 27.10.2010 14:44:
> Hi,
> 
> On 27.10.10 13:20, Reimer Karlsen-Masur, DFN-CERT wrote:
>> Cool, many thanks, I will check the PDF later this week.
>>
>> Question to David O'Callaghan: Do you have any additional immediate obvious
>> bug fix requests regarding GFD.169 that you wish to resolve now? Or are your
>> issues more with the audit spreadsheet available from the eugridpma website?
> 
> The only one that springs to mind is:
> 
> Section 3.2.1 (5) An RA must validate the association of the certificate
> signing request.
> 
> I don't understand the requirement (as someone familiar with PKI and as a
> native English speaker!), and the audit guidelines document does not
> explain, but just repeats it as a question "How does an RA validate the
> association of the certificate signing request?"
> 
> I think the audit point should clarify the meaning of "the association":
> 
>  * Does it mean the association between subscriber's identity and the CSR?
>  * Does it mean the association between the identity vetting performed by
> the RA and the CSR?
>  * Does it mean the association between the private key and the public key
> in the CSR?
>  * (or, less likely) Does it mean the subscriber's organization?
> 
> This requirement comes from section 3.1 of the Classic AP v4.3, so perhaps
> my comment should be directed at that document.

Since this is a quote from the IGTF-AP-Classic, I don't see this being fixed
in GFD.169 now. We should enhance the hint on how to check this requirement
in a real-life CA. I guess this needs to be addressed in the next edition of
GFD.169, not in a "bug fix" release. And yes, if some clarification is
needed on the semantics of this requirement, IGTF-AP-Classic should be
enhanced in this respect as well.

To Yoshio: Actually, the RA section 3.2.1 in GFD.169 includes audit cases RA
(5) and (6), and section 3.2.2 also contains audit cases RA (5) and (6).
The cases are different though, resulting in 12 RA audit cases altogether
when fixed. Other than that, I see some general issues that CAOPS should
consider with the next edition of GFD.169, not as a bug fix; see below.

> Beyond that, I would need to spend some time to look at the updated document
> and my notes from preparing for my EU Grid PMA Self Audit.

Generally, and I am reiterating this idea, I find that GFD.169 is too
tightly bound to IGTF-AP-Classic v4.1. The check list is specific to
IGTF-AP-Classic v4.1; even the general text (in section 2.6) references
IGTF-AP-Classic v4.1. And the current IGTF-AP-Classic stands at version 4.3.
I suggest that the next edition of GFD.169 split the check list out into a
separate appendix or into a separate document. This way the audit guidelines
are applicable to all IGTF-APs.

Also, since the IGTF/Grid-PMAs are requiring and promoting the self audits,
the Grid-PMAs, i.e., the AP owners/editors, not CAOPS, should think about
releasing a matching audit check list with each new approved version of
their owned APs. Also, each audit case should reference the AP section it was
taken from. That way, the version mismatch between the check list and the
actual AP, the mismatch in the type of AP, and the resulting confusion that
we are observing now should be a thing of the past.

Thanks

Reimer
-- 
18th DFN Workshop "Sicherheit in vernetzten Systemen" (Security in Networked Systems)
on 15/16 February 2011 at the Grand Hotel Elysee in Hamburg

Call-for-Papers: <https://www.dfn-cert.de/veranstaltungen/workshop.html>
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-580
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
