Hi Reimer and all,
I have checked the guidelines documents (GFD.169.pdf and .doc version 10 which is available on GridForge), and .doc files on my note PC. I understand that this inconsistency is definitely due to my careless mistakes.
1. The .doc version on GridForge (AuditGuidelines-Jan20_2010.doc) is not the latest version. This file does not include a table of contents. I have the newer version (dated April 13) which includes the table of contents. But I did not upload this .doc file to GridForge. This is my first mistake.
2. Unfortunately, when I inserted the table of contents, I made a mistake in numbering the auditing items. I unintentionally deleted the number for item (7). But I converted the .doc file to PDF and submitted the PDF file to the OGF Editor for publication as GFD.169. This is my second mistake and the reason for the problem which Reimer pointed out as below:
PDF is missing a numbering of an audit case. The section numbering in the PDF is different from the one in the word doc. But immediately after section heading "3.1.2. CA System" in the PDF the case number (7) for "The CA computer where the signing of the certificates..." is missing. Inserting the
I have fixed the two problems (missing item (7) and redundancy of items (50) and (51)). The .doc file of the revised version 1.1 is uploaded on the GridForge. The PDF version is attached to this email. It would be appreciated if you could check the document so that we can confirm the document is OK before asking the OGF Editors to replace GFD.169.
Thanks,
--
Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de>
Subject: Issues with the Audit Guidelines Document GFD 169
Date: Thu, 21 Oct 2010 14:45:24 +0200
Message-ID: <4CC035E4.3030803@dfn-cert.de>
Hi Yoshio, hi EUGridPMA list, hi CAOPS-WG,
while working with the Audit Guidelines Document (GFD 169) I came across some surprising issues:
The PDF offered from <http://www.ogf.org/documents/GFD.169.pdf> dated from 19.04.2010 differs from the latest .doc version available from <https://forge.gridforum.org/sf/go/doc4858> which is called version 10 dated from 20.01.2010. Both documents self-claim that they are each version 1.0.
Aside from some minor differences like release dates, table of contents, etc., the PDF is missing a numbering of an audit case. The section numbering in the PDF is different from the one in the word doc. But immediately after section heading "3.1.2. CA System" in the PDF the case number (7) for "The CA computer where the signing of the certificates..." is missing. Inserting the number (7) here will introduce an off-by-one error for current numbers (7) to (48) being (8) to (49) after the correction.
Case (49) in the current(!) PDF is actually redundant to case (50)i. and needs to be deleted. The requirement quoted in case (49) is no longer included in the IGTF-AP-Classic v4.3 and v4.2 document. Instead it became part of case (50)i. which is to be found in section 6 of the IGTF-AP-Classic document.
This latter bug is also found in the .doc(!) version from 19.01.2010 except that the case numbering here is different again. Case (50) is the redundant requirement to be deleted so that cases (51) to (56) are off-by-one which need to be renumbered to (50) to (55) once the redundant case is deleted.
Be aware that the Auditing Template document (audit check-list) available from <https://www.eugridpma.org/guidelines/classic> does not match its audit case numbers to any of the above (PDF & .doc) GFD 169 document's case numbers.
That indeed got me so confused that I started to look into these issues.
How can we go about getting GFD 169 fixed? I did not see any bug reporting mechanism on the OGF site....
Thanks
Reimer
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski