KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen

  1. KFKI RMKI CA Review
  EUGridPMA May 26-28, Copenhagen
  Szabolcs Hernáth, MTA KFKI RMKI
  hernath@sunserv.kfki.hu
  pki.kfki.hu

  2. Overview
  • Background & History
  • Present Status & Future Plans
  • Self-assessment & Issues
  • Lessons learned & Suggestions
  • Discussion…

  3. 1. Background & History
  • Why 2 CAs in Hungary?
    - Community needed the service in 2004
    - NREN CA (NIIF) was planned, but no progress or roadmap
    - RMKI had ~90% of LCG users & resources
  • EUGridPMA in Brussels, Sept. 2004:
    - KFKI RMKI CA presented
    - PMA demanded a community agreement to pre-empt a 2-CA situation
  • Dec. 2004: Community agreement presented
    - Hungarian grid community will endorse the KFKI RMKI CA until the NIIF CA can set up an RA at the KFKI campus
    - PMA accepted the agreement, KFKI RMKI CA accredited
    - Started production in Jan. 2005
  • Recent progress in the setup of the NIIF RA

  4. 2. Present Status
  • Reliable operation on Debian/OpenCA
  • Stats:
    - All issued: 230 (6 for testing)
    - Revoked: 126 (none compromised)
    - Valid: 47 (14 user, 33 host)
    - All host: 145 (68 DNs, even fewer identities)
    - All user: 79 (50 DNs, even fewer identities)
    - All CRLs: 120 (1 overdue)
  • NIIF RA progress:
    - RA secure admin interface deployed & tested (token-based)
    - User web interface in development
    - IdP for the NIIF AAI Federation in deployment (for user preauth)
    - RA contract in preparation

  5. 3. Future Plans
  • NIIF RA in production later this year
  • Will probably keep the CA for local purposes
    - will rekey or extend the root
    - could produce a new CP/CPS
  • After the NIIF RA is in production, will replace all grid certs
  • Need to leave the club …

  6. 4. Self-assessment
  • Work in progress, preliminary results
  • Major issues: CA
    - (5) CP/CPS is RFC 2527: D/D
    - (7) Secure environment, access control & log: D/D
    - (9) Secure environment undocumented/unaudited: D
    - (11) CA key protection: B/D
    - (50) Operational audit: D/D
    - (51) List of personnel: D
  • Major issues: RA
    - (2) Identity vetting (user): B/C
    - (3) Identity vetting (host): A/C
    - (4) FQDN ownership: B/C
    - (10) Record archival in auditable form: C

  7. 5. Other Issues
  • Insufficient resources
  • No long-term planning (was not expected)
  • Missing operational documents
  • Too many hats
  • ‘Rescheduled’ paperwork

  8. 6. Recommendations
  • More is less:
    - specify everything as strictly as possible
    - write all operational documents before production
  • Operational audit/review ASAP (before production)
  • Separation of GRID namespace is recommended
  • Accreditation profile version should be recorded on accreditation
  • Audit guideline updates for AP changes? (versions for each AP version?)
  • Separate audit guidelines for different APs?

  9. Thank you!
