KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen

Slides: 10
Provided by: hernths
Transcript and Presenter's Notes

1
KFKI RMKI CA Review
EUGridPMA May 26-28, Copenhagen
  • Szabolcs Hernáth
  • MTA KFKI RMKI
  • hernath_at_sunserv.kfki.hu
  • pki.kfki.hu

2
Overview
  • Background & History
  • Present Status & Future Plans
  • Self-assessment & Issues
  • Lessons learned & Suggestions
  • Discussion

3
1. Background & History
  • Why 2 CAs in Hungary?
  • - Community needed the service in 2004
  • - NREN CA (NIIF) was planned, but no progress or
    roadmap
  • - RMKI had 90 of LCG users resources
  • EUGridPMA in Brussels, Sept. 2004
  • - KFKI RMKI CA presented
  • - PMA demanded community agreement to preempt a
    2 CA situation
  • Dec. 2004 Community agreement presented
  • - Hungarian grid community will endorse KFKI
    RMKI CA until the NIIF CA can setup an RA at KFKI
    campus
  • - PMA accepted the agreement, KFKI RMKI CA
    accredited
  • - started production in Jan. 2005
  • Recent progress in the setup of NIIF RA

4
2. Present Status
  • Reliable operation on Debian/OpenCA
  • Stats
  • - All issued 230 (6 for testing)
  • - Revoked 126 (none compromised)
  • - Valid 47 (14 user, 33 host)
  • - All host 145 (68 DNs, even fewer identities)
  • - All user 79 (50 DNs, even fewer identities)
  • - All CRLs 120 (1 overdue ?)
  • NIIF RA progress
  • - RA secure admin interface deployed & tested
    (based on tokens)
  • - User web interface in development
  • - IdP for NIIF AAI Federation in deployment (for
    user preauth)
  • - RA contract in preparation

5
3. Future Plans
  • NIIF RA in production later this year
  • Will probably keep the CA for local purposes
  • - will rekey or extend the root
  • - could produce new CP/CPS
  • After the NIIF RA is in production, will replace
    all grid certs
  • Need to leave the club ?

6
4. Self-assessment
  • Work in progress, preliminary results
  • Major issues: CA
  • (5) CP/CPS is RFC 2527 D/D
  • (7) Secure environment, access control log D/D
  • (9) Secure environment undocumented/unaudited D
  • (11) CA key protection B/D
  • (50) Operational audit D/D
  • (51) List of personnel D
  • Major issues: RA
  • (2) Identity vetting (user) B/C
  • (3) Identity vetting (host) A/C
  • (4) FQDN ownership B/C
  • (10) Record archival in auditable form C

7
5. Other Issues
  • Insufficient resources
  • No long-term planning (was not expected)
  • Missing operational documents
  • Too many hats
  • Rescheduled paperwork

8
6. Recommendations
  • More is less
  • - specify everything as strictly as possible
  • - write all operational documents before
    production
  • Operational audit/review ASAP (before production)
  • Separation of GRID namespace is recommended
  • Accreditation profile version should be recorded
    on accreditation
  • Audit guidelines updates for AP changes?
    (versions for each AP version?)
  • Separate audit guidelines for different APs?

9
  • Thank you!