Brief status report of AIST GRID CA. APGridPMA Meeting @ Singapore, September 16. Yoshio Tanaka ([email protected]), Information Technology Research Institute, AIST, Japan.


Page 1:

National Institute of Advanced Industrial Science and Technology

Brief status report of AIST GRID CA

APGridPMA Meeting @ Singapore, September 16

Yoshio Tanaka ([email protected])

Information Technology Research Institute, AIST, Japan

Page 2:

Issued certificates

User certificates: 154 (136)
  Valid: 32 (31)
  Invalid (revoked or expired): 122 (105)

Host certificates: 2204 (1706) (total as printed on the slide; the valid and invalid counts below sum to 2044)
  Valid: 397 (509)
  Invalid (revoked or expired): 1647 (1197)

LDAP certificates: 264 (262)
  Valid: 33 (33)
  Invalid (revoked or expired): 231 (229)

Page 3:

At first

The Grid Technology Research Center completed its term last March (Jan. 2002 to Mar. 2008).

Since April, we belong to the Information Technology Research Institute.

Replaced "Grid Technology Research Center" with "Information Technology Research Institute" in the CP/CPS.

Page 4:

Results of self-auditing: Score B

(22) Certificate revocation can be requested by users, the registration authorities, and the CA. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.

The CP/CPS does not describe that "others can request revocation."

CP/CPS 4.4.2 Who can request revocation (updated text): Subscribers, the AIST GRID RA and the AIST GRID CA can request revocation. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key.

Page 5:

Results of self-auditing: Score B

(23) The CA must react as soon as possible, but within one working day, to any revocation request received.

The CP/CPS does not describe "but within one working day."

CP/CPS 4.4.4 Revocation request grace period (updated text): AIST GRID CA will process a revocation as soon as it receives the request, and at the latest within one working day. The revocation information will be published to the AIST GRID PKI repository.

Page 6:

Results of self-auditing: Score B

(24) An end entity must request revocation of its certificate as soon as possible, but within one working day after detection of…

The CP/CPS does not describe "but within one working day."

CP/CPS 2.1.3 End entity, host administrator obligation (updated text) …: Instruct the CA to revoke the certificate promptly, and at the latest within one working day, upon any actual or suspected loss, disclosure, or other compromise of the subscriber's private key.

Page 7:

Results of self-auditing: Score B

(43) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed.

(45) Certificates may be renewed or re-keyed for no more than 5 years without a form of identity and eligibility verification, and this procedure must be described in the CP/CPS.

The CP/CPS does not clearly distinguish re-key from renew.

CP/CPS 3.2 Routine Rekey (updated text): An enrollment request is necessary if the certificate has expired. AIST GRID CA does not allow re-issuing an end-entity certificate with the same key pair as an already issued certificate. End-entity certificates may be rekeyed for less than 5 years without a form of identity and eligibility verification. If an end-entity certificate has been rekeyed for 5 years, the initial identity vetting procedures defined in CPS [3.1 Initial registration] are required.

Page 8:

Results of self-auditing: Score C

(15) When the CA's cryptographic data needs to be changed, such a transition shall be managed; from the time of distribution of the new cryptographic data, only the new key will be used for certificate signing purposes.

(16) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid. The older but still valid certificate must be available to verify old signatures, and the secret key to sign CRLs, until all the certificates signed using the associated private key have also expired.

The CP/CPS does not describe the transition procedure.

CP/CPS 3.2 Routine Rekey (updated text): Before the root CA certificate expires, AIST GRID CA will issue a new root CA certificate at least one year before the expiration. From the time of distribution of the new CA certificate, only the new key will be used for certificate signing purposes. The older but still valid certificate must be available to verify old signatures, and the secret key to sign CRLs, until all the certificates signed using the associated private key have also expired.

Page 9:

Results of self-auditing: Score C

(25) Revocation requests must be properly authenticated.

The authentication of revocation requests described in the CP/CPS applies only to the following case:

A user who holds a valid certificate and the corresponding private key requests revocation of her/his user or host certificate.

CP/CPS 3.4 Revocation request (updated text): If a revocation request for a certificate is made by the owner of the certificate and the owner has the corresponding private key, the revocation request is authenticated by possession of the private key. Otherwise, the revocation request is authenticated by the RA, either by a face-to-face meeting, a phone call, or exchanging emails.

Page 10:

Last one

The AIST GRID CA certificate was valid for 5 years.

AIST GRID CA will change the validity period of the root CA certificate to 20 years.

Assigned a new OID.

CP/CPS 4.7 CA certificate validity (updated text): The CA will stop signing new user certificates with its private key before the remaining validity of the CA certificate becomes shorter than the validity of user certificates. CA certificate validity is 20 years.

1.3.6.1.4.1.18936.1.11.1.3 Certification Practices Statement
1.3.6.1.4.1.18936.1.11.3 CA Certificate Policy
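The CP/CPS rules behind the audit items on pages 7 to 10 (re-key rather than renew, a CA key transition with enough overlap, revocation requests authenticated by possession of the private key, and a CA that stops signing before its certificates would outlive its own) as one runnable check set. This is an added example, not AIST GRID CA software; it uses pyca/cryptography, and the CA and subscriber names, the 2048-bit RSA keys, the validity periods, the `revoke:<serial>` request format and all function names are assumptions made for the example.

```python
"""Added example (not AIST code): CP/CPS rules from the self-audit as executable
checks with pyca/cryptography.  Names, key sizes, validity periods and the
revocation-request message format are assumptions."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.exceptions import InvalidSignature

NOW = datetime.now(timezone.utc)
DAY = timedelta(days=1)

def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions only naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na

def spki(pubkey):
    return pubkey.public_bytes(serialization.Encoding.DER,
                               serialization.PublicFormat.SubjectPublicKeyInfo)

def issue(cn, pubkey, issuer_cert, issuer_key, days, start=NOW - DAY, ca=False):
    """Issue a certificate (self-signed when issuer_cert is None).  CPS 4.7: refuse
    any certificate that would outlive the issuing CA certificate."""
    end = start + days * DAY
    if issuer_cert is not None and end > validity(issuer_cert)[1]:
        raise ValueError("certificate would outlive the CA certificate")
    issuer = issuer_cert.subject if issuer_cert is not None else name(cn)
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def is_rekey(old_cert, requested_pubkey):
    """CPS 3.2: re-key only, never renew; the request must carry a new public key."""
    return spki(old_cert.public_key()) != spki(requested_pubkey)

def rollover_ok(old_ca, new_ca, max_ee_days):
    """Guideline (16): old and new CA keys must overlap for at least the longest
    end-entity validity, so everything signed by the old key expires while the old
    CA certificate (and CRLs signed by its key) can still be checked."""
    overlap = validity(old_ca)[1] - validity(new_ca)[0]
    return overlap >= max_ee_days * DAY

def sign_revocation(cert, subscriber_key):
    """Subscriber side: a revocation request bound to the certificate serial."""
    msg = b"revoke:" + str(cert.serial_number).encode()
    return msg, subscriber_key.sign(msg, padding.PKCS1v15(), hashes.SHA256())

def authenticate_revocation(ca_cert, cert, msg, sig):
    """CA side, CPS 3.4: proof of possession counts only if the certificate was issued
    by this CA, is currently valid, the message names its serial and the signature
    verifies under its key.  Anything else goes to RA vetting (not modelled here)."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        nb, na = validity(cert)
        if cert.issuer != ca_cert.subject or not nb <= NOW <= na:
            return False
        if msg != b"revoke:" + str(cert.serial_number).encode():
            return False
        cert.public_key().verify(sig, msg, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def demo():
    ca_key, user_key = make_key(), make_key()
    ca = issue("AIST GRID CA (example)", ca_key.public_key(), None, ca_key, 20 * 365, ca=True)
    user = issue("Example User", user_key.public_key(), ca, ca_key, 365)
    out = {}
    out["renew_with_same_key_rejected"] = not is_rekey(user, user_key.public_key())
    out["rekey_with_new_key_accepted"] = is_rekey(user, make_key().public_key())
    # CPS 4.7: a CA certificate with 100 days left may not sign a 365-day certificate.
    short_ca = issue("Short CA (example)", ca_key.public_key(), None, ca_key, 100, ca=True)
    try:
        issue("Late User", user_key.public_key(), short_ca, ca_key, 365)
        out["outliving_cert_refused"] = False
    except ValueError:
        out["outliving_cert_refused"] = True
    # Guideline (16): a new root issued one year before the old one expires overlaps
    # enough for 365-day end-entity certificates, but not for 2-year ones.
    new_ca = issue("AIST GRID CA (example)", ca_key.public_key(), None, ca_key,
                   20 * 365, start=validity(ca)[1] - 365 * DAY, ca=True)
    out["one_year_overlap_ok_for_1y_certs"] = rollover_ok(ca, new_ca, 365)
    out["one_year_overlap_short_for_2y_certs"] = not rollover_ok(ca, new_ca, 730)
    msg, sig = sign_revocation(user, user_key)
    out["owner_revocation_authenticated"] = authenticate_revocation(ca, user, msg, sig)
    _, forged = sign_revocation(user, make_key())  # requester without the private key
    out["stranger_revocation_rejected"] = not authenticate_revocation(ca, user, msg, forged)
    return out
```

Running `demo()` returns a dict in which every check is True. The proof-of-possession path deliberately verifies the subscriber certificate against the CA before trusting the key inside it; without that step anyone could present a self-signed certificate carrying the victim's serial and "prove" possession of a key the CA never certified.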