New version of Audit Guidelines document
Hi all,

this morning Yoshio uploaded a new version (1.0b4) of the "Guidelines for auditing Grid CAs" document on GridForge [1]. This document is considered to be in its final stages, so please do read the document and comment on it.

For those in Seattle, see you in a few minutes at the CAOPS session

[1]: https://forge.gridforum.org/sf/go/doc4858

-- Christos Kanellopoulos
Grid Operations Center, Aristotle University of Thessaloniki, University Campus, GR 541 24, Building 22D, Office 4'6B
Tel. +302310998988 Fax. +302310994309
http://www.grid.auth.gr
Hi,

I've been reading this version and here are my comments. Overall I think that this is an excellent and very thorough document, and a general adoption of auditing across the PMAs will be a welcome development.

My main criticism of the document as it stands is that RA paperwork as defined in the Classic AP section 3.1 should itself be audited in any auditing process, if not by an external auditor then by the CA themselves. The RAs are potentially the weakest link of a PKI, as they are charged with the ongoing verification of identity, a process that can easily fail over time as this process involves human interaction. I think that any external auditing of a CA should check random RA records to verify the paperwork, or alternatively ask the CA whether they have implemented a procedure for checking this. In the latter case, I would suggest an additional item in Section 4 of the RA section: "The CA is responsible for ensuring that RAs continue to fulfill their obligations", and the method could be: "Does the CA have any process in place for ensuring the RAs fulfill their obligations?"

Other points:

- The Abstract and Introduction could be reworded so as not to duplicate text. I'm also wary of introducing the concept of a VO in these sections, and I don't see the link between a VO and the real institution running the CA. I'd be happy to assist in rewording these sections if needed.

- In the introduction, it may also be useful to suggest who the target audience of the document is, and suggest who may be qualified to conduct an audit. Clearly it is not sufficient to know the Classic AP; it needs to be done by somebody who is familiar with Grid CAs.

- Item 54. The current wording implies that the PMA and Federation are being audited in checking that information is being re-distributed. It should be changed to something like: "Is the CA providing this information for re-distribution?"

- Item 1 in the RA Section has an open-ended method, and it is unhelpful for the auditor in not providing an indication of what the desired answer is. I'd suggest changing it to: "Is the role of the RA defined?"

Matt

-----Original Message-----
From: caops-wg-bounces@ogf.org on behalf of Christos Kanellopoulos
Sent: Tue 10/16/2007 10:42 PM
To: CAOPS-WG
Subject: [caops-wg] New version of Audit Guidelines document
We intend to do this in our upcoming internal audit for EUGridPMA ... well, we intend to dabble in it, by sampling or some other scheme. We already do a bit of this anyway, but not with a consistent methodology.
Hi all,

Have there been any updates to the Audit Guidelines document, or any response to the comments I made to this list on 18/10? If I recall, the plan was for the next version to be around now.

Matt

-----Original Message-----
From: caops-wg-bounces@ogf.org [mailto:caops-wg-bounces@ogf.org] On Behalf Of Christos Kanellopoulos
Sent: 16 October 2007 21:43
To: CAOPS-WG
Subject: [caops-wg] New version of Audit Guidelines document
Hi Matt,
Thanks for the reminder.
Please give me a few more weeks. I have started comparing the auditing
document and the TAGPMA spreadsheet.
Thanks,
--
Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
participants (4)
- Christos Kanellopoulos
- Mike Helm
- Viljoen, MJ (Matthew)
- Yoshio Tanaka