Template Profile

Template Profile. Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston. The Problem. CA policy. CA practice statement. CA PRACTICE. MINREQ. Best Practice. Check consistency. New Policies. Usually written by novice CA mgr Using bits from other CP/CPSes


Presentation Transcript


  1. Template Profile Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston

  2. The Problem CA policy CA practice statement CA PRACTICE MINREQ Best Practice Check consistency

  3. New Policies • Usually written by novice CA mgr • Using bits from other CP/CPSes • Accentuate the positive • All the good bits get copied around • Eliminate the negative • All the bad bits get copied around

  4. Problem • Policies become inconsistent • Don’t satisfy minimal requirements • Need many iterations with reviewer • Bad for CA manager • Bad for reviewer

  5. Common Examples • RA checking CRL • 4.5.2 MUST at time of reliance • 4.9.6 MUST at time of reliance • 9.6.4: “according to their satisfaction” • Email both confidential and not • Flood protection at 1.2 metres on 1st floor

  6. Is it a big problem? • We already cover half the world • But there is another half

  7. Proposed Solution? • Working group on Template Profile • Jens, David G, Milan, Anders, Vinod, David O'C, Mike, Sergey, Hardi • Get the “best” bits from policies • Living document – but needs an editor • Reviewers best to write/contrib • Become an IGTF document

  8. Status • …er, not really started yet • Amsterdam meeting Jan 2008

  9. Piecing it together • Easier to set up new CP/CPS • Too easy? • Easier to get it right sooner • Often many, many, iterations are req’d • Greatly delays Accreditation

  10. Operational Reviews • TAGPMA are leading in this area • Template for operational review • But a reviewer still needs to read the CP/CPS!! • Quicker if many bits known to be good • APGridPMA auditing for accreditation • Yoshio’s auditing procedure

  11. Operational Reviews • Highlight: • Which bits are canonical • Which bits are based on guides • Which bits are changed since previous version

  12. Piecing it together • Delaying Accreditation is bad • Reviewers are already overloaded • (Not necessarily with reviews but with real life jobs) • Time consuming for new CAs • Get new CAs in early (PMAs) • Not after the policy is written

  13. Piecing it together • Not aiming for machine parseable • Or should we? • (Chadwick, Coghlan/O’Callaghan) • TAGPMA guide to writing CP/CPS

  14. RFC 3647

  15. What about existing CAs • Leave alone, for now • Some not satisfying minreqs • Minreqs change, too • Mythical six months to update

  16. Back on track…? • Urgent changes - Aggressive option • Do it in six months or else • Medium urgency • Address with next CP/CPS change • At least before next PMA presentation • Lower urgency • Discuss at next presentation

  17. Summary • Template profile • Approved text for sections where it makes sense • Approved guidelines (cf TAGPMA) for other sections • Open bits • Get new CAs in early
