Auditing of a Certification Authority
Patrick Cain, CISA, CISM
The Cooper-Cain Group, Inc.
The Parties of a Digital Transaction
• Originator of the ‘bits’
  • Aka Originator, Signer, Alice
• Receiver of the ‘bits’
  • Aka Recipient, Verifier, Bob
• Both parties may rely on digital certificates
• Proper receiver identification matters if a contract is based on a digital signature or one is using encryption
• The receiver may base his business processes on how a CA fills in certificates
• How can we tell if a CA is doing what we want?
General Plan
• The Certificate Policy (CP) is the public set of rules that governs a PKI
  • It may be handed down from on high or developed by a CA/OA
• The Certification Practice Statement (CPS) defines ‘how’ the PKI meets its obligations under the CP
  • The CPS may or may not be publicly available; portions may not be available to all subscribers
• An independent party should be able to verify the PKI’s compliance with the CP
The Purpose of an Audit
• To show compliance with a CP or CPS
  • A superior CA needs assurance that you comply
  • Customers/Users/EEs/(lawyers) may want assurance
  • Good PR
  • Show insurers or regulators that you comply with laws
• There is no ‘standard’ PKI audit
  • Audits to show compliance with a superior entity
    • Federal Bridge CA
    • WebTrust/SysTrust, TRUSTe
    • Verisign class n, n+1, n*n
  • SAS 70 audit to show your policies match operations
  • ISO 17799 audit to show you have a security plan
A Process
• The ABA InfoSec Committee generated guidance on what goes into CPs and CPSs and how to accurately audit a PKI
  • Annex C of the PKI Assessment Guidelines
• The goal is to get the lawyers, regulators, insurers, customers, and lawyers to agree that the output of the PKI is acceptable before the PKI starts cranking out stuff
Prerequisites for a CA Evaluation
• A threat and risk assessment (TRA) should be conducted;
• A documented Certificate Policy is required
  • (Adherence of the Certificate Policy to the IETF PKIX Part Framework is recommended;)
• A supporting Certification Practice Statement is required
  • Adherence of the Certification Practice Statement to the IETF PKIX Part 4 framework is recommended; and
• A written assertion by the operational authority that it has appropriately designed and implemented certification practices to reasonably achieve the requirements of the Certificate Policy, and that such certification practices have operated with sufficient effectiveness during some defined period of time
The Audit Process
• Planning
• Generate a controls table for the CPS
• Operating authority buys into the controls table
• Read docs; talk to people; get documentation; do a site visit
• Generate a draft report
• Receive comments on the report from the auditee
• Finalize the report
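The two questions the slides leave open, "how can we tell if a CA is doing what we want?" and what a "controls table for the CPS" actually contains, can be answered with a small amount of tooling. The following is an added example, not part of the original deck or of the ABA guidelines: it turns a handful of Certificate Policy requirements into a controls table where each row names the CP clause it evidences and carries a test, then runs that table over a sample of issued certificates the way an auditor would sample a CA's output. The CP requirements, the clause references (modelled on the RFC 3647 outline), the policy OID and the certificate records are all constructed for the example; certificates are represented as plain dicts rather than parsed X.509 so the script runs offline with only the standard library.

```python
"""Added example: a CP-derived controls table applied to a sample of issued
certificates.  Everything below (requirements, clause numbers, OID, sample
certificates) is constructed for illustration and is not from any real CP."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Hypothetical requirements lifted from a Certificate Policy.
CP_REQUIREMENTS = {
    "policy_oid": "1.3.6.1.4.1.99999.1.1",        # placeholder OID
    "max_validity_days": 365,
    "required_subject_attrs": ("CN", "O", "C"),
    "allowed_key_usage": {"digitalSignature", "nonRepudiation", "keyEncipherment"},
    "min_rsa_bits": 2048,
}


@dataclass
class Control:
    cid: str                                 # controls-table row id
    cp_clause: str                           # CP clause this row is evidence for
    test: Callable[[dict], Optional[str]]    # returns a finding, or None if the cert passes


# Each test inspects one certificate record and describes any discrepancy.
def check_policy_oid(cert):
    if CP_REQUIREMENTS["policy_oid"] not in cert["certificate_policies"]:
        return f"missing policy OID {CP_REQUIREMENTS['policy_oid']}"

def check_validity(cert):
    days = (cert["not_after"] - cert["not_before"]).days
    if days > CP_REQUIREMENTS["max_validity_days"]:
        return f"validity {days}d exceeds {CP_REQUIREMENTS['max_validity_days']}d"

def check_subject(cert):
    missing = [a for a in CP_REQUIREMENTS["required_subject_attrs"] if a not in cert["subject"]]
    if missing:
        return "subject lacks " + ", ".join(missing)

def check_key_usage(cert):
    extra = set(cert["key_usage"]) - CP_REQUIREMENTS["allowed_key_usage"]
    if extra:
        return "unpermitted keyUsage " + ", ".join(sorted(extra))

def check_key_size(cert):
    if cert["rsa_bits"] < CP_REQUIREMENTS["min_rsa_bits"]:
        return f"RSA key {cert['rsa_bits']} bits below minimum"


# The controls table: one row per CP requirement, agreed with the operating
# authority before any evidence is collected.
CONTROLS = [
    Control("C-01", "CP 7.1.6 Certificate policy OID", check_policy_oid),
    Control("C-02", "CP 6.3.2 Certificate validity period", check_validity),
    Control("C-03", "CP 3.1.1 Subject naming", check_subject),
    Control("C-04", "CP 7.1.2 Key usage", check_key_usage),
    Control("C-05", "CP 6.1.5 Key sizes", check_key_size),
]


def audit(certs, controls=CONTROLS):
    """Run every control over every sampled certificate.
    Returns {control_id: [(serial, finding), ...]}; an empty list means the
    control passed across the whole sample."""
    results = {c.cid: [] for c in controls}
    for cert in certs:
        for c in controls:
            finding = c.test(cert)
            if finding:
                results[c.cid].append((cert["serial"], finding))
    return results


def report(results, sample_size, controls=CONTROLS):
    """Render the filled-in controls table as lines for the draft report."""
    lines = []
    for c in controls:
        findings = results[c.cid]
        status = "PASS" if not findings else f"FAIL ({len(findings)} of {sample_size})"
        lines.append(f"{c.cid} {c.cp_clause}: {status}")
        for serial, finding in findings:
            lines.append(f"    serial {serial}: {finding}")
    return lines


# Constructed sample: one conforming certificate and one with several defects.
T0 = datetime(2024, 1, 1)
SAMPLE_CERTS = [
    {"serial": "1001", "subject": {"CN": "alice", "O": "Example Co", "C": "US"},
     "not_before": T0, "not_after": T0 + timedelta(days=365),
     "certificate_policies": ["1.3.6.1.4.1.99999.1.1"],
     "key_usage": ["digitalSignature", "nonRepudiation"], "rsa_bits": 2048},
    {"serial": "1002", "subject": {"CN": "bob", "O": "Example Co"},      # no C attribute
     "not_before": T0, "not_after": T0 + timedelta(days=730),            # too long
     "certificate_policies": ["1.3.6.1.4.1.99999.1.1"],
     "key_usage": ["digitalSignature", "keyCertSign"],                   # CA-only usage on an EE cert
     "rsa_bits": 1024},                                                  # below minimum
]

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_CERTS), len(SAMPLE_CERTS))))
```

Each failing row carries the certificate serials it was found on, which is the evidence the auditor and the operating authority work from when a discrepancy is fixed on the fly and noted in the report. A real engagement would replace the dict records with parsed X.509 from the CA's repository and would add rows for procedural controls (identity proofing, key ceremony records, revocation timeliness) that cannot be checked from the certificates alone.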
Is an Audit Painful?
• The CP, CPS, and procedures must exist
  • ‘Virtual documents’ don’t cut it
  • These docs should already be approved and tested
  • If you pass the audit and then change the procedures…
• An audit is for a point in time
  • They get redone periodically
• If the audit discovers discrepancies:
  • They can/may be fixed on the fly and noted in the auditor’s report
  • You and the auditor work together on this…
More Information
• The ABA Digital Signature Guidelines
• The ABA PKI Assessment Guidelines: http://www.abanet.org/scitech/ec/isc/

Patrick Cain, CISA, CISM
pcain@coopercain.com
The Cooper-Cain Group, Inc.
www.coopercain.com