Review reports of APAC GRID CA reviewers: Eric Yen (Academia Sinica), Jae-Hyuck Kwak (KISTI)

1. Identity:
- There is no O.I.D. for this document.

2. End Entity:
- No clear description of the end entity; this may cause name space conflicts.
- But it has been mentioned in the "Authentication of Individual Identity" section.

3. CA and RA Obligations:
- For the CA, it may be better to add the following duties: (1) accept/confirm certificate requests (2) accept/confirm revocation requests (3) publish issued certificates (4) publish the CRL
- For the RA: (1) authenticate the identity of the person requesting a certificate (2) confirm validation to the CA

4. Subscriber Obligations:
- Confirm and adhere to the CP/CPS.

5. Compliance Audit:
- Is (or would) "external auditing" be one of the requirements in APPMA?

6. Uniqueness of Names:
- But what about the case where two people with the same common name work in the same Organization, or even the same Organization Unit? We do have this case in ASGC :-)

7. Authentication of Individual Identity:
- This section may focus more on the "way" to authenticate subscribers.

8. Records Archival:
- It may be better to add (1) the CA server system log (boot/shutdown, messages, ...) (2) the CA web server system log.
- Should specify what kind of information is archived for this CA system.

9. End Entity Certificates and Keys:
- No description of the minimum length of the user/host key (should be 1024 bits).
- No description of the maximum lifetime of the user/host certificate (should be 1 year).
- Users should protect their private key with a pass phrase at least 12 characters long (no description).
- Need to clarify that a user certificate must not be shared.

10. CA Key:
- There is no clear description of the CA key size (at least 2048 bits).
- There is no clear description of the passphrase length (at least 15 characters).
- Whether copies of the encrypted private key are kept on offline media in secure places where access is controlled (no description).

11. CA System:
- The CA system must be a dedicated machine (no clear description).

12. CRL:
- CRL lifetime must be no more than 30 days (31 days in this document).
- A new CRL should be issued 7 days before expiration (4 days in this document).
- A new CRL should be issued immediately after a revocation (no description).
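The profile values the reviewers ask for in points 9, 10 and 12 can be checked mechanically against a CA's actual certificates and CRLs rather than only read in the CP/CPS. The following is an added example (not part of the review or of the APAC Grid CA's own tooling) that encodes those values as a rule set and runs it over constructed certificate and CRL metadata, including the 31-day lifetime and 4-day re-issue lead the reviewers flagged; the field names and sample subjects are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum profile values the reviewers ask the CP/CPS to state (points 9, 10, 12).
USER_KEY_MIN_BITS = 1024
CA_KEY_MIN_BITS = 2048
USER_CERT_MAX_LIFETIME = timedelta(days=365)
CRL_MAX_LIFETIME = timedelta(days=30)
CRL_REISSUE_LEAD = timedelta(days=7)

@dataclass
class CertInfo:  # fields a checker would read from a parsed X.509 certificate
    subject: str
    key_bits: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = False  # the one-year limit applies to end-entity certificates only

@dataclass
class CrlInfo:  # fields read from a CRL plus the CA's stated re-issue schedule
    this_update: datetime
    next_update: datetime
    reissue_lead: timedelta  # how long before nextUpdate the next CRL is published

def check_cert(c: CertInfo) -> list[str]:
    findings = []
    min_bits = CA_KEY_MIN_BITS if c.is_ca else USER_KEY_MIN_BITS
    if c.key_bits < min_bits:
        findings.append(f"{c.subject}: key is {c.key_bits} bits, minimum is {min_bits}")
    if not c.is_ca and c.not_after - c.not_before > USER_CERT_MAX_LIFETIME:
        findings.append(f"{c.subject}: lifetime exceeds 1 year")
    return findings

def check_crl(crl: CrlInfo) -> list[str]:
    findings = []
    lifetime = crl.next_update - crl.this_update
    if lifetime > CRL_MAX_LIFETIME:
        findings.append(f"CRL lifetime is {lifetime.days} days, maximum is 30")
    if crl.reissue_lead < CRL_REISSUE_LEAD:
        findings.append(f"next CRL issued {crl.reissue_lead.days} days before expiry, minimum is 7")
    return findings

def review_sample() -> dict[str, list[str]]:
    # Constructed sample data mirroring the values the reviewers flagged (not real CA data).
    t0 = datetime(2024, 1, 1)
    crl = CrlInfo(t0, t0 + timedelta(days=31), timedelta(days=4))
    user = CertInfo("CN=Example User", 512, t0, t0 + timedelta(days=730))
    ca = CertInfo("CN=Example CA", 2048, t0, t0 + timedelta(days=3650), is_ca=True)
    return {"crl": check_crl(crl), "user": check_cert(user), "ca": check_cert(ca)}
```

In a real deployment the two dataclasses would be filled from the parsed CRL and certificates and the checks run on a schedule, so a drift from the published profile is reported before an audit finds it.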