We, certSIGN, are waiting for the formal document assessing the closure of all the minor non-conformities by the LSTI auditor, and we will publish this report immediately.
As requested by Wayne, we present more details on the minor non-conformity no. 1, GEN-6.5.1-04.
In the detailed audit report, the LSTI auditors stated the following on **GEN-6.5.1-04: The CA key pair used for signing certificates shall be created under, at least, dual control**:
CA keys were generated by personnel in trusted roles under dual control, and an external witness was involved. The CARL was also generated by two persons in trusted roles. Some issues could however be noticed during the audit, which led to the following deviation: Deviation no 1: A full traceability of the usage of the PKI’s secrets is not guaranteed:
- The inventory of the secrets is neither complete nor up to date (e.g. credentials (PIN codes) or backups of CA private keys are not explicitly identified, and some secrets were allocated to the wrong persons in the inventory);
- No measures are in place to follow precisely the usage of each secret;
- The CISO can technically access all individual safes, thus potentially all secrets of the PKI at the same time, without generating any retained records and without any oversight from a second person in a trusted role.
certSIGN details on this issue:
Since we started operations, we have kept detailed information and records of the HSM card allocations and of their usage.
To activate a key, we require the simultaneous presence of two distinct persons in trusted roles, one with access to the HSM cards and one with access to the CA Admin System interface.
Holding trusted roles, all these persons are trusted persons, named and verified, with management role attributes.
The HSM cards are protected by PINs and are permanently stored in mini-safes with access codes.
Access to the mini-safes is CCTV monitored. To reach the card readers, an operator needs to pass through three access-controlled doors, each CCTV monitored.
Outside working hours, access is granted only with prior scheduling and approval.
A dedicated security person permanently monitors the implementation of the security measures. This person keeps the updated inventory of the HSM cards and of the persons they are allocated to, and monitors in real time the access through all the doors, receiving notifications on any CA key activation/usage. On any event, actions are taken according to the internal instructions.
Our corrective measures for this are the following:
* We have started to keep a separate inventory of all secrets, recording the current owner and each change of ownership.
* All secrets that are used daily will be tracked at their destination (that is, in the application) by recording their usage in the application logs.
* A second register was created for usage of the master key of the mini-safe boxes. The person who knows the code of the master mini-safe box will not have access to the room of the mini-safe boxes. Therefore, every access to the master mini-safe box must be obtained through the cooperation of two persons. Access to the master mini-safe box and usage of the master key will be recorded in the register. A procedure is in place and has been communicated to the secrets' owners.
Thank you
Gabriel Petcu