20080813: Testing Communication with CA Operators
On August 13, 2008, the IGTF RAT performed a test of the registered email addresses for all IGTF CAs.
Request To CA Operators
Subject: IGTF request -- please reply
Date: Wed, 13 Aug 2008 12:47:19 -0500
Certificate Authority Operators,
On behalf of the International Grid Trust Federation Risk Assessment
Team (IGTF RAT), I request your response to this message within one
business day. Please reply as follows:
The XXXX CA acknowledges the IGTF RAT request.
CA hash(es): YYYYYYYY, ZZZZZZZZ
replacing "XXXX" with the name of your CA and replacing "YYYYYYYY,
ZZZZZZZZ" with a list of hash values identifying your CA(s), i.e., the
value(s) used for the YYYYYYYY.0 and YYYYYYYY.signing_policy files for
your CA. Sites that operate multiple IGTF CAs should reply with the
hash value for each CA they operate; sites that operate only one IGTF
CA should reply with only one hash value. The hash values will help
us to identify which CAs have replied.
For example:
The NCSA CA acknowledges the IGTF RAT request.
CA hash(es): 9b95bbf2, f2e89fe3
Please reply to both jbasney@ncsa.uiuc.edu and igtf-rat@eugridpma.org.
Thank you for your prompt response.
Additional background information:
The International Grid Trust Federation Risk Assessment Team (IGTF
RAT) was recently established with the responsibility for assessing
risk and setting time and deadlines for response and action for
concerns and vulnerabilities (such as the recent Debian OpenSSL key
generation issue identified as CVE-2008-0166). To be effective, the
IGTF RAT must have the ability to communicate promptly with IGTF CA
operators. The EUGridPMA has established one business day as the
expected response time for requests from the IGTF RAT. This message
is intended to test the registered email addresses for the IGTF CAs.
More information about the IGTF RAT is available at:
https://tagpma.es.net/wiki/bin/view/IGTF-RAT
Regards,
Jim Basney
On behalf of the IGTF RAT
Jim resent the request on Mon, 18 Aug 2008 09:23:13 -0500 to the 12 CAs who had not yet responded.
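One way to tally replies in the requested format against the registered hash list and find the CAs that still need a follow-up. This is an added example, not part of the original page or of any IGTF RAT tooling; the function names, the `REGISTERED` subset and the sample replies are constructed for illustration.

```python
import re

# Constructed subset of the registered CAs (hash -> alias) from the table on this page.
REGISTERED = {"9b95bbf2": "NCSA-mics", "f2e89fe3": "NCSA-slcs", "9b59ecad": "CESNET",
              "393f7863": "AEGIS", "3232b9bc": "MREN-CA"}

ACK_RE = re.compile(r"The\s+(?P<name>[^\n]+?)\s+CA\s+acknowledges\s+the\s+IGTF\s+RAT\s+request", re.I)
HASH_LINE_RE = re.compile(r"CA\s+hash(?:\(es\)|es)?[ \t]*:[ \t]*(?P<hashes>[^\n]*)", re.I)
HASH_RE = re.compile(r"[0-9a-f]{8}")  # 8 hex digits, as in the YYYYYYYY.0 file names

def parse_ack(body):
    """Return (ca_name, [claimed hashes]) from one reply, skipping '>'-quoted lines.

    Replies often quote the request, whose NCSA example would otherwise be
    credited to every responder."""
    own = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))
    ack, line = ACK_RE.search(own), HASH_LINE_RE.search(own)
    tokens = re.split(r"[,\s]+", line.group("hashes").strip()) if line else []
    return (ack.group("name") if ack else None), [t.lower() for t in tokens if t]

def tally(replies, registered=REGISTERED):
    """Classify claimed hashes and list the registered CAs still outstanding."""
    seen, unknown, malformed = set(), [], []
    for body in replies:
        for h in parse_ack(body)[1]:
            if not HASH_RE.fullmatch(h):
                malformed.append(h)      # e.g. an unfilled YYYYYYYY placeholder
            elif h in registered:
                seen.add(h)
            else:
                unknown.append(h)        # well-formed but unregistered: verify by hand
    return {"replied": sorted(seen), "unknown": unknown, "malformed": malformed,
            "outstanding": sorted(set(registered) - seen)}

# Constructed sample replies.
REPLIES = [
    "The NCSA CA acknowledges the IGTF RAT request.\nCA hash(es): 9b95bbf2, f2e89fe3\n",
    # Interleaved reply that quotes the request's example before answering.
    "> The NCSA CA acknowledges the IGTF RAT request.\n> CA hash(es): 9b95bbf2, f2e89fe3\n\n"
    "The CESNET CA acknowledges the IGTF RAT request.\nCA hash(es): 9B59ECAD\n",
    "The Example CA acknowledges the IGTF RAT request.\nCA hash(es): 00000000\n",
    # Trouble-ticket auto-acknowledgement: no hash line, so it does not count as a reply.
    "Your request has been assigned a ticket number.\n",
]

if __name__ == "__main__":
    print(tally(REPLIES))
```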
Results
Overall results were as follows:
- 57 (75% of 76) CAs responded within one day.
- 60 (79% of 76) CAs responded within two days.
- 73 (96% of 76) CAs responded within one week.
- 76 (100%) CAs responded within one month.
- 8 (10.5% of 76) CAs responded within one hour.
- Two CAs (Grid-Ireland and INFN) sent automated trouble ticket acknowledgements.
- BCCing the CA addresses caused 4 CAs to hold the message for list moderator approval because "Message has implicit destination". It also caused the message to be held by DFN's spam filter. We should avoid using BCC in the future and instead just use Reply-To.
- Updates to contact addresses for some CAs will appear in the next IGTF release.
Per-CA results are recorded in the following table:
| CA hash | CA alias | Replied within how many days? | Notes |
|---|---|---|---|
| 03aa0ecb | BEGrid | 6 | |
| 0a12b607 | UGRID | 1 | 1:25pm |
| 0a2bac92 | BrGrid | 1 | 2nd CA to respond (1:14pm). 2nd response received 6:58pm. |
| 1149214e | DFN-GridGermany-Root | 5 (or 1) | Initial message was marked as spam because of BCC. Responded to 2nd message within one hour. |
| 11b4a5a2 | LIPCA | 1 | 4:43am |
| 12a1d8c2 | CNRS-Grid-FR | 1 | 2:32am |
| 1691b9ba | TRGrid | 1 | 2:10am |
| 16da7552 | NIKHEF | 1 | 2:17pm |
| 1c3f2ca8 | DOEGrids | 1 | 2:50pm |
| 1d879c6c | CERN-TCA | 1 | 1:13am |
| 1e12d831 | APAC | 1 | 6:13pm |
| 1e43b9cc | Grid-Ireland | 1 | Trouble ticket acknowledgement at 1:15pm: [goc.cs.tcd.ie #2872]. Response at 4:48am. |
| 1f0e8352 | NorduGrid | 1 | 3rd CA to respond (1:18pm). |
| 1f3834d0 | RomanianGRID | 1 | 3:39pm |
| 2418a3f3 | BG-ACAD-CA | 1 | 7:29pm |
| 24c3ccde | UNAMgrid-ca | 7 | 5:06pm Tue |
| 28a58577 | HellasGrid-Root | 1 | 1:32pm |
| 295adc19 | REUNA-ca | 1 | 5:05pm |
| 2a237f16 | BalticGrid | 1 | 2:39am |
| 2f3fadf6 | INFN-CA-2006 | 1 | "your request has been assigned the ticket number [INFN CA #20959]". Response at 3:31am. |
| 304cf809 | SWITCHslcs | 1 | 6:36am |
| 3232b9bc | MREN-CA | 29 | "mail server responded: 5.7.1 mren-ca@ac.me recipient blocked". Tried lidija@ac.me instead according to http://mren-ca.ac.me/CA-RA.php at Thu, 14 Aug 2008 22:27:58 -0500. Response received Thu Sep 11. |
| 34a509c3 | CNRS-Projets | 1 | 2:32am |
| 34f8e29c | DFN-GridGermany-User | 5 (or 1) | Initial message was marked as spam because of BCC. Responded to 2nd message within one hour. |
| 367b75c3 | UKeScienceCA-2007 | 1 | 3:03am. |
| 393f7863 | AEGIS | 1 | 5:36am. (Could not verify hash.) |
| 3d5be7bc | SiGNET-CA | 1 | 3:02pm and 3:27am |
| 468d15b3 | SEE-GRID | 1 | 1:32pm |
| 47d3d1a0 | SWITCH-Personal-2007 | 1 | 6:52am |
| 55994d72 | RDIG | 3 | 4:13am Sat |
| 566bf40f | EstonianGrid | 1 | 2:39am |
| 5e5501f3 | RMKI | 6 | 2:56pm Mon |
| 617ff41b | KEK | 1 | 10:00pm |
| 6e3b436b | AustrianGrid | 1 | 4:22pm |
| 6fee79b0 | IUCC | 28 | Response received from Eddie Aronovich on Sep 10. Need to update contact info. |
| 722e5071 | KISTI-2007 | 9 | Received an automated email response all in Korean with a URL. When opening the URL (https://mail.gridcenter.or.kr/mailman/confirm/ca/bba8de0dc4c207c533fff01827be72d6c96390a9): "The certificate for mail.gridcenter.or.kr has expired." The URL page is all in Korean. I had a choice between two buttons. I clicked the one on the left. Maybe that canceled the request, so I resent the message directly (1:14pm). Response received 7:40pm Thu Aug 21. |
| 7721d4d3 | PRAGMA-UCSD | 1 | "Your mail to 'Pragma-ucsd-ca' Is being held until the list moderator can review it for approval. The reason it is being held: Message has implicit destination". 4:16pm response. |
| 7b2d086c | SwissSign-Root | 1 | 6:52am |
| 7b54708e | MaGrid | 6 | |
| 7d0d064a | MARGI | 1 | 10:17am |
| 82b36fca | HellasGrid-CA-2006 | 1 | 1:32pm |
| 8a047de1 | NECTEC | 2 | 1:31am Fri |
| 8a661490 | PolishGrid | 5 | 3:27am Mon. 15 August is bank holiday in Poland. |
| 98ef0ee5 | UKeScienceRoot-2007 | 1 | 3:03am |
| 9b59ecad | CESNET | 1 | First CA to respond (12:56pm). |
| 9b95bbf2 | NCSA-mics | 1 | 2:44pm |
| 9cd75e87 | ASGCCA-2007 | 1 | "Your mail to 'Ca' Is being held until the list moderator can review it for approval. The reason it is being held: Message has implicit destination". Replied 3:35am and 3:37am. |
| 9dd23746 | pkIRISGrid | 1 | 2:08am |
| a317c467 | AIST | 1 | 5:11pm |
| a87d9192 | NAREGI | 2 | 3:19am Fri |
| a9082267 | LACGridCA | 1 | 1:20pm. 2nd response received 6:58pm. |
| afe55e66 | CyGrid | 6 | 2:58am Tue |
| b2771d44 | CNIC | 1 | 8:22pm. Also: "The message to zhaoh@cnic.cn is bounced because : User not found" - It is caused by missing mail box and has been corrected. 15:09pm Fri |
| b7bcb7b2 | UNLPGrid | 1 | 8:24am |
| ba2f39ca | IHEP | 6 | 9:19pm Mon (after Yoshio sent the request) |
| bffbd7d0 | GridCanada | 1 | 1:31am |
| c4435d12 | SWITCH | 1 | 6:52am |
| c48c63f3 | SDG | 1 | 8:22pm. Also: "The message to zhaoh@cnic.cn is bounced because : User not found" - It is caused by missing mail box and has been corrected. 15:09pm Fri |
| cc800af0 | NIIF | 1 | 3:42am |
| ce33db76 | IRAN-GRID | 1 | 3:35am |
| cf4ba8c8 | CNRS | 1 | 2:32am |
| d0b701c0 | SWITCHgrid-Root | 1 | 6:36am |
| d0c2a341 | ArmeSFo | 2 | 5:10am Fri |
| d1737728 | NGO-Netrust | 3 | 1:39am Sat |
| d1b603c3 | ESnet | 1 | 2:50pm |
| d254cc30 | CERN-Root | 1 | 1:13am |
| d2a353a5 | PK-Grid | 1 | 6:42am |
| dd4b34ea | GermanGrid | 1 | 4:05am |
| e13e0fcf | SlovakGrid | 5 | 5:06am Mon. "Your mail to 'ca.ui' with the subject Is being held until the list moderator can review it for approval. The reason it is being held: Message has implicit destination". "We failed to response in time due to vacation time." |
| e36e7a72 | SwissSign-Bronze | 1 | 6:52am |
| e9d08b40 | SwissSign-Silver | 1 | 6:52am |
| eebc7717 | SWITCH-Server-2007 | 1 | 6:52am |
| f2e89fe3 | NCSA-slcs | 1 | 2:44pm |
| f5ead794 | PK-Grid-2007 | 1 | 6:42am |
| fe102e03 | DFN-GridGermany-Server | 5 (or 1) | Initial message was marked as spam because of BCC. Responded to 2nd message within one hour. |
| ff94d436 | SRCE | 1 | 4:50am |