
CERTIFICATE POLICY CP-1 FOR DIGITAL SIGNATURE AND PUBLIC KEY

By Alan Cook, 2014-05-07 15:23

DRAFT

    CERTIFICATE POLICY CP-1 FOR FMS PUBLIC KEY CERTIFICATES

    IN UNCLASSIFIED ENVIRONMENTS

    Prepared by

Draft 0.2, 7 May 2010

Certificate Policy CP-1 for FMS Public Key Certificates in Unclassified Environments

TABLE OF CONTENTS

Section ..... Page

TABLE OF CONTENTS ..... i
ACKNOWLEDGEMENTS ..... v
DEFINITIONS ..... vi
ABBREVIATIONS ..... ix

1. INTRODUCTION ..... 1
1.1 OVERVIEW ..... 1
1.2 CERTIFICATE POLICY IDENTIFICATION ..... 1
1.2.1 Certificate Policy Name ..... 1
1.2.2 Object Identifier: {to be supplied} ..... 2
1.2.3 Certificate References to This Policy ..... 2
1.3 CERTIFICATE TYPES AND INTENDED USE ..... 2
1.3.1 Identity Certificates ..... 2
1.3.2 Separation of Certificates and Keys by Intended Use ..... 2
1.4 COMMUNITY AND APPLICABILITY ..... 3
1.4.1 Community ..... 3
1.4.2 Applicability ..... 3
1.4.3 Registration of CA Names ..... 4
1.5 INTERSITE TRUST AGREEMENTS AND CROSS-CERTIFICATION ..... 4
1.5.1 Intersite Trust Agreements ..... 4
1.5.2 Intra-organization Cross-Certification ..... 4
1.5.3 Conditions for Use of Certificates by Cross-Certified CAs ..... 4

2. GENERAL PROVISIONS ..... 5
2.1 LIABILITY, OWNERSHIP, AND DISCLAIMERS ..... 5
2.2 ROLES AND OBLIGATIONS ..... 5
2.2.1 Certification Authority (CA) ..... 5
2.2.2 Registration Authority ..... 6
2.2.3 Subscriber ..... 7
2.2.4 Sponsor ..... 8
2.2.5 Relying Party ..... 9
2.3 PUBLICATION AND REPOSITORIES ..... 9
2.3.1 Publication of CA Information ..... 9
2.3.2 Method of Publication ..... 9
2.3.3 Frequency of Publication ..... 9
2.3.4 Access Controls ..... 10
2.4 COMPLIANCE AUDIT ..... 10
2.5 CONFIDENTIALITY ..... 10
2.5.1 Normal Operation ..... 10
2.5.2 Exceptions for Encrypted Data Recovery ..... 10
2.5.3 Exceptions for Conveying Private Keys to End Entities ..... 10
2.5.4 Exceptions for Diagnosing and Troubleshooting Problems ..... 10

3. IDENTIFICATION AND AUTHENTICATION ..... 12
3.1 INITIAL REGISTRATION ..... 12
3.1.1 Subject Naming in Certificates ..... 12
3.1.2 Uniqueness of Subject Names ..... 13
3.1.3 Method to Prove Possession of Private Key ..... 13
3.1.4 Authentication of Individual Identity ..... 13
3.1.5 Authentication of Organization Identity ..... 13
3.1.6 Authentication of Computers and Machines as End Entities ..... 13
3.2 ROUTINE RE-KEY ..... 13

4. OPERATIONAL REQUIREMENTS ..... 15
4.1 CERTIFICATE APPLICATION AND ISSUANCE ..... 15
4.2 CERTIFICATE ACCEPTANCE ..... 15
4.3 CERTIFICATE SUSPENSION AND REVOCATION ..... 15
4.3.1 Reasons for Revocation ..... 15
4.3.2 Revocation Requests ..... 15
4.3.3 Certificate Suspension ..... 16
4.3.4 Certificate Verification ..... 16
4.4 SECURITY AUDIT PROCEDURES ..... 17
4.5 RECORDS ARCHIVAL ..... 17
4.6 KEY LIFETIMES AND CHANGEOVERS ..... 17
4.6.1 CA Keys ..... 17
4.6.2 End Entity Keys ..... 17
4.7 CA COMPROMISE AND DISASTER RECOVERY ..... 18
4.8 CA TERMINATION ..... 18

5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
5.1 PHYSICAL SECURITY CONTROLS ..... 19
5.1.1 Physical Security Controls for Certification Authorities ..... 20
5.1.2 Physical Security Controls for Registration Authorities ..... 20
5.1.3 Physical Security Controls for End Entities ..... 20
5.2 PROCEDURAL CONTROLS ..... 20
5.2.1 Trusted Roles ..... 20
5.2.2 Number of Persons Required per Task ..... 21
5.2.3 Identification and Authentication for Each Role ..... 22
5.3 PERSONNEL SECURITY CONTROLS ..... 22
5.3.1 Personnel Security Controls for Certification Authorities ..... 22
5.3.2 Personnel Security Controls for Registration Authorities ..... 22
5.3.3 Personnel Security Controls for End Entities ..... 22

6. TECHNICAL SECURITY CONTROLS ..... 23
6.1 KEY PAIR GENERATION AND INSTALLATION ..... 23
6.1.1 Key Pair Generation ..... 23
6.1.2 Private Key Delivery to Entity ..... 23
6.1.3 Public Key Delivery to Certificate Issuer ..... 23
6.1.4 CA Public Key Delivery to Users ..... 23
6.1.5 Key Parameters ..... 24
6.1.6 Key Usage ..... 24
6.2 PRIVATE KEY PROTECTION ..... 24
6.2.1 Standards for Cryptographic Modules ..... 24
6.2.2 Private Key Multi-Person Control ..... 24
6.2.3 Private Key Backup and Archival ..... 25
6.2.4 Private Key Activation and Entry into Hardware Cryptographic Modules ..... 25
6.2.5 Method of Deactivating and Destroying Private Key ..... 25
6.3 ACTIVATION DATA (PASSWORDS) ..... 25
6.4 COMPUTER SECURITY CONTROLS ..... 26
6.5 NETWORK SECURITY CONTROLS ..... 26
6.6 CRYPTO ENGINEERING CONTROLS ..... 26
6.7 LIFE CYCLE TECHNICAL CONTROLS ..... 26
6.7.1 System Development Controls ..... 26
6.7.2 Security Management Controls ..... 27
6.7.3 Life Cycle Security Assurance ..... 27

7. CERTIFICATE AND CRL PROFILES ..... 28
7.1 CERTIFICATE FORMAT VERSIONS AND PROFILES ..... 28
7.2 POLICY OBJECT IDENTIFIER ..... 28
7.3 SIGNATURE ALGORITHM OBJECT IDENTIFIERS ..... 28
7.4 USE OF NAME FIELDS ..... 28
7.5 NAME CONSTRAINTS AND NAME FORMS FOR NAME CONSTRAINTS ..... 28
7.6 CERTIFICATE EXTENSIONS POPULATED AND THEIR CRITICALITY ..... 28
7.7 USE OF POLICY CONSTRAINTS ..... 29
7.8 POLICY QUALIFIERS ..... 29
7.9 CRL AND CRL ENTRY EXTENSIONS POPULATED AND THEIR CRITICALITY ..... 29

8. CERTIFICATE POLICY ADMINISTRATION AND CHANGE CONTROL ..... 30
8.1 CERTIFICATE POLICY CHANGE PROCEDURES ..... 30
8.2 ADMINISTRATIVE POINTS OF CONTACT ..... 30

REFERENCES ..... 31


ACKNOWLEDGEMENTS


DEFINITIONS

Activation data: Data (other than keys) required for operating hardware or software cryptographic modules. Examples include personal identification numbers (PINs), passwords, and pass phrases.

Authentication: The process of establishing identity based on the possession of a trusted credential.

Authority Revocation List (ARL): A list of cross-certificates previously issued by the subject CA that have been subsequently compromised or otherwise invalidated.

Certificate: A public key certificate.

Certification Authority:

Certification Authority Administrator (CAA): An entity responsible for issuing, signing (certifying), and managing public key certificates (sometimes referred to as a certificate authority).

Certificate Authority Workstation (CAW): The computer system or systems that process certification authority software and/or have access to the CA private keys, end entity keys, or end entity public keys prior to certification.

Certification path: [TBD]

Certificate Policy (CP): A “named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements” [X509].

Certification Practices Statement (CPS): A statement of the practices that a CA employs for operating the CA in compliance with a certificate policy.

Certificate Revocation List (CRL): A list of certificates previously issued by the subject CA that have been subsequently compromised or otherwise invalidated.

Cross-certificate: A certificate issued by the subject CA certifying the public key of another CA.

Data integrity: Cryptographically secure assurance that no change has occurred in a document, message, data file, or data transmission.

Decryption private key: A private key used to decrypt data or session keys encrypted by the corresponding public key. In the context of this document, the public key is presumed to be contained in and conveyed by an encryption certificate.

Distinguished Name: [Use X.500 definition]

FMS community: The US Department of Treasury, Financial Management Service (FMS), or any person or organization operating under the authority and direction of the FMS, either directly or through a contractual relationship.

Domain (of a CA): The scope of authority of a CA, generally limited to RAs and end entities registered with or certified by the CA.

Encryption certificate: A certificate containing and conveying a public key used to encrypt electronic messages, files, documents, data transmissions, etc., or to establish a session key for those purposes.

End Entity (EE): A person, computer system, or communications device that is a subject or user of a certificate, but is not a CA or RA. An end entity is a subscriber, a relying party, or both.

Entity: A CA, RA, or end entity.

Government information: Defined by Office of Management and Budget (OMB) Circular A-130 as all information created, collected, processed, disseminated, or disposed of by or for the Federal government.

Identity certificate: A certificate issued for the purpose of binding the identity of the subject (as stated in the certificate) to a public key issued to that subject. In X.509 certificates, the identity of the subject is equivalent to the Distinguished Name of the subject.

Intersite Trust Agreement: An agreement between sites for allowing cross-site use of certificates.

Key: A value supplied to a cryptographic algorithm to encrypt or decrypt data.

Key materials: A tangible representation of a key. Examples include a key stored in computer memory, computer disk, smart card, or other key carrier.

PKI: See public key infrastructure.

Policy Certification Authority (PCA): An FMS entity that formulates policy and oversees the operation of public key infrastructures within the FMS, as specified in the FMS Telecommunications Manual, Chapter 9, “Policy for the Use of Public Key Cryptography and Key Management.”

Policy Management Authority (PMA): (This group needs to be formed) An FMS committee with representatives from organizations operating CAs within the FMS, as specified in the FMS Telecommunications Manual, Chapter ?, “Policy for the Use of Public Key Cryptography and Key Management.”

Private key: The portion of a public-private key pair known only to the holder.

Public key: The portion of a public-private key pair that may be publicly known or distributed without reducing the security of the cryptographic system. In the context of this Policy, public keys (after initial issuance) are always distributed through the use of public key certificates.


Public key certificate: The public key portion of a public-private key pair that has been digitally signed by a CA, thereby certifying the validity and data integrity of the public key contained in the certificate, in accordance with the applicable certificate policy.

Public key algorithm: A cryptographic algorithm in which the encryption and decryption functions are divided between a pair of mathematically related keys. In some common public key algorithms (e.g., RSA), the encryption/decryption functions are reciprocal, i.e., either key of the pair can be used to encrypt or decrypt, with the other key able to decrypt or encrypt respectively.

Public key infrastructure (PKI): A system for using public key cryptography and providing a trusted mechanism for distributing and managing public keys through the appropriate use of certificates.

Registration Authority (RA): A person or other entity operating under the authority of a CA that is responsible for identification and authentication of certificate subjects and other duties as assigned in the site CPS.

Relying party: Any user or recipient of a certificate that acts in reliance on that certificate. In this document, the terms “certificate user” and “relying party” are used interchangeably.

Session key: A key, typically for a symmetric algorithm, established between communicating parties for subsequent encryption/decryption of electronic messages, files, documents, data transmissions, etc. Its use is generally limited to that purpose and a single transaction or session.

Signature verification certificate: A certificate containing and conveying a public key used to verify a digital signature created by the associated signing private key. Also called a verification certificate.

Signing private key: A private key used to create digital signatures.

Sponsor: A person or organization with which the subscriber is affiliated (e.g., as an employee, user of a service, or customer).

Subject: An entity that has been issued a certificate by the subject CA in compliance with this Policy, and whose public key and distinguished name are certified in the certificate.

Subject end entity: An end entity that is the subject of a certificate.

Subscriber: See Subject.

Symmetric algorithm: A cryptographic algorithm in which data is encrypted and decrypted using the same key.
