ANNUAL INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Aristotle University of Thessaloniki PKI (

Transcription

1 Title ANNUAL INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Customer Aristotle University of PKI ( ) To WHOM IT MAY CONCERN Date 20 June 2013 Annual Independent Audit Report for Aristotle University of PKI Page 1 of 7

2 To whom it may concern, This is an official document to declare the following facts upon request by The Aristotle University of PKI ( Aristotle University of PKI is a trusted third-party entity that certifies the identities of network users and servers affiliated with it. The first Aristotle University of PKI began in 2001 from the Network Operations Center. After seven years of successful operation and having published more than digital certificates, the Infrastructure was upgraded in order to support new features some of which are listed below Usage of special crypto-devices (etokens) for the signing process of digital certificates including special parameters for secure logon of University Staff to computers that handle sensitive data (eg grades) but also for Faculty members that securely transmit exam grades to the School's or Faculty's registrar Support for distributed Certification and Registration Authorities through a new framework of policies and procedures Participation to the broader Hellenic Academic and Research Institutions Certification Authority - HARICA in order for the academic and research community of Greece to fully utilize the numerous benefits of digital certificates which are the unobstructed secure exchange, and document encryption of sensitive information etc. 1. Deventum has been selected by AUTH as the auditor for the electronic certificate services provided by AUTH PKI. 2. AUTH PKI has been audited by our company under the standards and technical specifications based on ETSI TS v on March 2011 [7] and this is the required annual audit re-evaluation. 3. AUTH PKI has disclosed its Certification Authorities public key, certificate life cycle management business and information privacy practices in its Certification Practice Statement and provided such services in accordance with its disclosed practices, 4. AUTH PKI also maintains effective controls to ensure that: i) Subscriber information is properly authenticated. ii) The integrity of keys and certificates it manages are established and protected thought their life cycles iii) Subscriber and relying party information is restricted to authorized qualified personnel. iv) The continuity of key and certificate life cycle management operations is properly ensured. v) Trustworthy systems and products are used which are protected against modification and maintain the technical and cryptographic security of the processes supported by them vi) CA systems development maintenance and operations are properly authorized and performed to maintain CA systems integrity. Annual Independent Audit Report for Aristotle University of PKI Page 2 of 7

3 According to the ETSI TS , Electronic Signatures and Infrastructures Policy requirements for Certification Authorities. Based on our audit and the source code audit of the website, scripts and procedural documents we specifically can conclude that AUTH PKI personnel was found qualified and able to perform proper changes to ensure the security of the website ( ) as well as prepared on all issues described by the ETSI TS v requirements. Data center migration and AUTH-NOC merge During the last months we monitored a secure transition from the older datacenter space of the AUTH PKI to a new better equipped datacenter space, as in 2013, AUTH NOC was merged along with other central University ICT Centers to form the Information Technology (IT) Center, a new University Directorate, that is now responsible for the Public Key Infrastructure of Aristotle University of along with all other University IT operations. The following changes/additions are implemented and included in the CP/CPS documentation of the authority. As described on the new CP/CPS under section Certification Authorities two subordinate Certificate Authorities are defined: One (1) subordinate Certification Authority for the entities that belong to the Library and Information Centre, limited to the lib.auth.gr suffix. One (1) subordinate Certification Authority for the entities that belong to the School of Physics, limited to the physics.auth.gr suffix. Under section on Device/Service Certificates the authority describes that, The name of the device certificate (FQDN DNS) must correspond to the Subject Alternate Name SAN field, Prior CN characteristic, thus declaring CN field as optional. On Revocation checking requirements for relying parties under section the authority following the CA/B Forum Baseline Requirements updates the CP/CPS documentation and provides the URLs listed below for software vendors, which provides a valid certificate which provides a revoked certificate which provides an expired certificate. Complying with the Appendix C User Agent Verification of CA/B Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v1.1. Moreover on (Certificate Revocation List), CRL issuance frequency, under section 4.9.7, AUTH PKI enforces a new policy where, The CRL of CAs that issue Sub CAs, will be issued at least every twelve (12) months. The CRL will be in effect for twelve (12) months. In case of a subca revocation, an updated CRL will be issued immediately. Annual Independent Audit Report for Aristotle University of PKI Page 3 of 7

4 In case of secret key exposure or of any other important security compromise incident, for example a sub CA revocation, an updated Certificate Revocation List must be published within 24 hours from the revocation timestamp. Annual Independent Audit Report for Aristotle University of PKI Page 4 of 7

5 Conclusion Based on our audit on the procedures and policy as well as on the code audit performed again over the web site, scripts and functions of the CA we concluded that AUTH PKI is compliant with the ETSI TS technical specifications, as non-qualified Certificate Authority, issuing non-qualified certifications. Although it meets the technical requirements for qualified CAs, same as last year, AUTH PKI chose not to be qualified because all issued certificates are used only for academic and educational purposes. No financial transactions will take place with certificates issued by AUTH PKI unless otherwise specified in a sub CA with a separate CP/CPS. This annual Audit Report is based on the requirements and guidelines specifically described on ETSI TS and does not include any professional opinion whatsoever as regards to the quality of the services rendered by AUTH PKI, nor of their suitability for the specific objectives of any subscriber, beyond the ETSI TS criteria for Certification Authorities that are covered herein. Due to limitations inherent to the control systems themselves, there may be undetected errors or instances of fraud. Moreover, the reaching of any conclusions in periods subsequent to the date of our report, based on our statements, is subject to the risk that there may be: 1. Changes in the source code, controls or the established system, 2. Changes in processing requirements, 3. Changes brought about by the passage of time itself, or 4. That the degree of compliance for policies or procedures may alter the validity of our conclusions. Annual Independent Audit Report for Aristotle University of PKI Page 5 of 7

6 INDEX 1. Certification Policy and Certification Practices Statement for the Hellenic Academic and Research Institutions Public Key Infrastructure, 2. UNIVERSITY ADMINISTRATION, 3. AUTH PKI procedures and regulations, PKI Disaster Recovery Plan by Dimitris Zacharopoulos. 4. Authentication of individual person identity EN.pdf, section 3 paragraph 2 subsection ETSI TS technical specification Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates. 6. The Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures. 7. AUTH PKI Audit report 2012, Annual Independent Audit Report for Aristotle University of PKI Page 6 of 7

7 This Audit Report has been prepared for Deventum by: Nicolas Krassas, CISSP Certification Number: Dimitrios Stergiou, CISA Certification Number: , CISSP Certification Number: , CISM Certification Number: Dimitrios Papapetros, CISA Certification Number: Nicolas Krassas, CISSP 20 June 2013 Annual Independent Audit Report for Aristotle University of PKI Page 7 of 7