[caops-wg] Issues with the Audit Guidelines Document GFD 169

Yoshio Tanaka yoshio.tanaka at aist.go.jp
Thu Oct 28 04:11:10 CDT 2010


Hi David and Reimer,

Thank you very much for the valuable comments.
We will discuss this at the CAOPS session this afternoon.

Best Regards,

--
Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/


From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
Subject: Re: Issues with the Audit Guidelines Document GFD 169
Date: Thu, 28 Oct 2010 10:56:37 +0200
Message-ID: <4CC93AC5.7010803 at dfn-cert.de>

> Hi,
> 
> David O'Callaghan wrote on 27.10.2010 14:44:
> > Hi,
> > 
> > On 27.10.10 13:20, Reimer Karlsen-Masur, DFN-CERT wrote:
> >> cool, many thanks, I will check the PDF later this week.
> >>
> >> Question to David O'Callaghan: Do you have any additional immediate obvious
> >> bug fix requests regarding GFD.169 that you wish to resolve now? Or are your
> >> issues more with the audit spreadsheet available from the eugridpma website?
> > 
> > The only one that springs to mind is:
> > 
> > Section 3.2.1 (5) An RA must validate the association of the certificate
> > signing request.
> > 
> > I don't understand the requirement (as someone familiar with PKI and as a
> > native English speaker!), and the audit guidelines document does not
> > explain, but just repeats it as a question "How does an RA validate the
> > association of the certificate signing request?"
> > 
> > I think the audit point should clarify the meaning of "the association":
> > 
> >  * Does it mean the association between subscriber's identity and the CSR?
> >  * Does it mean the association between the identity vetting performed by
> > the RA and the CSR?
> >  * Does it mean the association between the private key and the public key
> > in the CSR?
> >  * (or, less likely) Does it mean the subscriber's organization?
> > 
> > This requirement comes from section 3.1 of the Classic AP v4.3, so perhaps
> > my comment should be directed at that document.
> 
> since this is a quote from the IGTF-AP-Classic, I don't see this being fixed
> in GFD.169 now. We should enhance the hint on how to check this requirement
> in a real life CA. I guess this needs to be addressed in the next edition of
> GFD.169, not in a "bug fix" release. And yes, if some clarification is
> needed on the semantics of this requirement, IGTF-AP-Classic should be
> enhanced in this respect as well.
> 
> At Yoshio: Actually the RA section 3.2.1 in GFD.169 includes audit cases RA
> (5) and (6), and section 3.2.2 also contains audit cases RA (5) and (6).
> The cases are different though, resulting in 12 RA audit cases all together
> when fixed. Other than that I see some general issues that CAOPS should
> consider with the next edition of GFD.169, not as a bug fix, see below.
> 
> > Beyond that, I would need to spend some time to look at the updated document
> > and my notes from preparing for my EU Grid PMA Self Audit.
> 
> Generally - and I am reiterating this idea - I find GFD.169 is too
> tightly bound to IGTF-AP-Classic v4.1. The check list is specific to
> IGTF-AP-Classic v4.1, even the general text (in section 2.6) is referencing
> IGTF-AP-Classic v4.1. And the current IGTF-AP-Classic stands at version 4.3.
> I suggest in the next edition of GFD.169 to split the check list out into a
> separate appendix or into a separate document. This way the audit guidelines
> are applicable to all IGTF-APs.
> 
> Also since the IGTF/Grid-PMAs are requiring and promoting the self audits,
> the Grid-PMAs, i.e. the AP owners/editors, not CAOPS, should think about
> releasing a matching audit check list with each new approved version of
> their owned APs. Also each audit case should reference the AP section it was
> taken from. That way the version mismatch between check list and actual AP
> and the type of AP and resulting confusions that we are observing now should
> be a thing of the past.
> 
> Thanks
> 
> Reimer
> -- 
> 18th DFN Workshop "Sicherheit in vernetzten Systemen"
> on 15/16 February 2011 at the Grand Hotel Elysee in Hamburg
> 
> Call-for-Papers: <https://www.dfn-cert.de/veranstaltungen/workshop.html>
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615
> 
> DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-580
> Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
> Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
> 

