Hi,

David O'Callaghan wrote on 27.10.2010 14:44:
Hi,
On 27.10.10 13:20, Reimer Karlsen-Masur, DFN-CERT wrote:
Cool, many thanks, I will check the PDF later this week.
Question to David O'Callaghan: Do you have any additional immediate obvious bug fix requests regarding GFD.169 that you wish to resolve now? Or are your issues more with the audit spreadsheet available from the eugridpma website?
The only one that springs to mind is:
Section 3.2.1 (5): "An RA must validate the association of the certificate signing request."
I don't understand the requirement (as someone familiar with PKI and as a native English speaker!), and the audit guidelines document does not explain, but just repeats it as a question "How does an RA validate the association of the certificate signing request?"
I think the audit point should clarify the meaning of "the association":
* Does it mean the association between the subscriber's identity and the CSR?
* Does it mean the association between the identity vetting performed by the RA and the CSR?
* Does it mean the association between the private key and the public key in the CSR?
* (or, less likely) Does it mean the subscriber's organization?
This requirement comes from section 3.1 of the Classic AP v4.3, so perhaps my comment should be directed at that document.
Since this is a quote from the IGTF-AP-Classic, I don't see this being fixed in GFD.169 now. We should enhance the hint on how to check this requirement in a real-life CA. I guess this needs to be addressed in the next edition of GFD.169, not in a "bug fix" release. And yes, if some clarification is needed on the semantics of this requirement, IGTF-AP-Classic should be enhanced in this respect as well.

@Yoshio: Actually, the RA section 3.2.1 in GFD.169 includes audit cases RA (5) and (6), and section 3.2.2 also contains audit cases RA (5) and (6). The cases are different though, resulting in 12 RA audit cases all together when fixed.

Other than that, I see some general issues that CAOPS should consider with the next edition of GFD.169, not as a bug fix; see below.
Beyond that, I would need to spend some time to look at the updated document and my notes from preparing for my EU Grid PMA Self Audit.
Generally, and I am reiterating this idea, I find GFD.169 is too tightly bound to IGTF-AP-Classic v4.1. The check list is specific to IGTF-AP-Classic v4.1; even the general text (in section 2.6) references IGTF-AP-Classic v4.1. And the current IGTF-AP-Classic stands at version 4.3.

I suggest in the next edition of GFD.169 splitting the check list out into a separate appendix or into a separate document. This way the audit guidelines are applicable to all IGTF-APs. Also, since the IGTF/Grid-PMAs are requiring and promoting the self audits, the Grid-PMAs, i.e. the AP owners/editors, not CAOPS, should think about releasing a matching audit check list with each new approved version of their owned APs. Also, each audit case should reference the AP section it was taken from. That way the version mismatch between check list and actual AP, the type of AP, and the resulting confusions that we are observing now should be a thing of the past.

Thanks
Reimer

--
18. DFN Workshop "Sicherheit in vernetzten Systemen" am 15./16. Februar 2011 im Grand Hotel Elysee in Hamburg
Call-for-Papers: <https://www.dfn-cert.de/veranstaltungen/workshop.html>

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski