Page 1

National Institute of Advanced Industrial Science and Technology

Proposals for auditing

Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
Grid Technology Research Center, AIST, Japan

Page 2

How do we accredit/certify/audit authorities?

A regional PMA should:
- accredit CAs
- re-certify CAs
- coordinate peer-review (peer-audit) of CAs

Questions
- How is a CA audited?
  - criteria for audit
  - audit processes
- Should a PMA be audited? If so, how?

Page 3

Proposed audit items

NAREGI PKI WG has subjectively selected criteria for auditing Grid CAs, based on:
- the AICPA/CICA WebTrust SM/TM Program for Certification Authorities
- the minimum CA requirements of APGrid PMA and EUGrid PMA

WebTrust
WebTrust is a seal awarded to web sites that consistently adhere to certain business standards established by the Canadian Institute of Chartered Accountants (CICA.ca) and the American Institute of Certified Public Accountants (AICPA). In the program, "WebTrust Principles and Criteria for Certification Authorities" lists criteria for CAs.

This may be too much for Grid CAs.

Page 4

Criteria in the WebTrust SM/TM

Principle 1: CA Business Practices Disclosure
The certification authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices.

Principle 2: Service Integrity
The certification authority maintains effective controls to provide reasonable assurance that:
- subscriber information was properly authenticated (for the registration activities performed by ABC-CA); and
- the integrity of keys and certificates it manages is established and protected throughout their life cycles.

Page 5

Criteria in the WebTrust SM/TM (cont'd)

Principle 3: CA Environmental Controls
The certification authority maintains effective controls to provide reasonable assurance that:
- subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure;
- the continuity of key and certificate life cycle management operations is maintained; and
- CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity.

Page 6

Plans and proposals

- AIST GRID CA will be audited by NAREGI CA according to the proposed criteria for audit on March 29.
  - evaluate its appropriateness
- APGrid PMA will audit production-level CAs based on the proposed criteria.
- The proposed criteria for audit can be a starting point to establish common criteria for Grid CAs.
  - will circulate the proposed criteria to the CAOPs ML
  - may provide documents if needed
  - comments and discussions are welcome