HEPKI Common Policy Framework

By Russell Palmer, 2014-06-18 10:34


    HEPKI Common Policy Framework

    DRAFT: v0.0005

    The purpose of this table, and the companion comparison of commercial CPs, is to provide a tool for development of a compatible Higher Education Certificate Policy statement. The goal is to be able to map “trust” between at least the Federal CA environment and the HEPKI environment. Ideally, it will be possible to map trust even further to include the European academic and research community as well as commercial CA operations.

    The Federal Bridge CA (FBCA) policy is from the draft dated 10/23/00. It is authored by Dr. Richard Guida, Chair of the Federal Public Key Infrastructure Steering Committee, and Mr. Joseph Mettle of the National Security Agency (NSA) together with a large working group.

The EuroPKI Certificate Policy is from Version 1.1 (DRAFT 3) dated July 2000.

The structure of this table and the various sections is derived primarily from IETF RFC 2527: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework” by S. Chokhani and W. Ford. Additional sections derive from the FBCA policy and from discussions within the HEPKI working group.

v1.5 Page 1 of 243




1. INTRODUCTION

RFC 2527: This component identifies and introduces the set of provisions, and indicates the types of entities and applications for which the specification is targeted.

Draft Common Policy: This Certificate Policy (CP) statement defines the terms and conditions under which a Certificate Authority (CA) that issues Public Key Certificates (PKC) that reference the policy object identifier (OID) for this CP must operate. Operation includes management of the PKCs it issues and management of its own infrastructure. The term “issues” in this context refers to the process of digitally signing with its private key a structured digital object conforming to the ISO X.509, version 3 or compatible PKC format.

One or more companion Certification Practice Statement(s) (CPS) must be defined for each CA operating under this CP. Such a statement must articulate how the CA implements the provisions of this policy.

A CA conforming to this policy MAY be stand-alone or it MAY be part of a Public Key Infrastructure (PKI) hierarchy. In the latter case, any subordinate CA, defined as a CA for which the conforming CA signs an authority certificate, must adopt this CP or one that is consistent with all of the provisions of this CP.

This CP is structured in accordance with RFC 2527 [1]. Within this document the words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, “OPTIONAL” are to be interpreted as in RFC 2119 [2].

NFOD: No First Order Differences (NFOD)

HEBCA: This Certificate Policy (CP) defines five certificate policies for use by the Higher Education Bridge Certification Authority (HEBCA) to facilitate Institution CA interoperability with the HEBCA and with other Institution PKI domains. The five policies represent four different assurance levels (Rudimentary, Basic, Medium, and High) for public key digital certificates, plus one assurance level used strictly for testing purposes (Test). The word “assurance” used in this CP means how well a Relying Party can be certain of the identity binding between the public key and the individual whose subject name is cited in the certificate. In addition, it also reflects how well the Relying Party can be certain that the individual whose subject name is cited in the certificate is controlling the use of the private key that corresponds to the public key in the certificate.

The HEBCA supports interoperability among Higher Education PKI domains in a peer to peer fashion. The HEBCA will issue a certificate only to those Institution CAs determined by the owning institution (called “Principal CAs”). The HEBCA, or a CA that interoperates with the HEBCA, may also issue certificates to individuals who operate the HEBCA. The HEBCA certificates issued to Institution Principal CAs act as a conduit of trust. The HEBCA does not add to and should not subtract from trust relationships existing between the transacting parties as established through the Higher Education PKI Policy Authority (HEPKIPA).

At their discretion, institutions may elect to interoperate among themselves without using the HEBCA. Those institutions that elect to do so may nonetheless employ levels of assurance that mimic those set forth in the HEBCA CP. However, HEBCA CP Object Identifiers (OIDs) may be used only by institutions that interoperate with the HEBCA. Any use of or reference to this HEBCA CP outside the purview of the HEPKIPA is completely at the using party’s risk. Further, unless specifically approved by the HEPKIPA, an Institution shall not assert the HEBCA CP OIDs in any certificates the Institution CA issues, except in the “policyMappings” field establishing an equivalency between an HEBCA OID and an OID in the Institution CA’s CP. When used in the “policyMappings” field, the Institution may only employ the OIDs after a policy mapping determination is made by the HEPKIPA allowing their use.

This HEBCA CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 2527, Certificate Policy and Certification Practice Statement Framework.

The terms and provisions of this HEBCA CP shall be interpreted under and governed by applicable U.S. law. The HEPKIPA disclaims any liability that may arise from the use of this HEBCA CP.

FBCA: This Certificate Policy (CP) defines five certificate policies for use by the Federal Bridge Certification Authority (FBCA) to facilitate Agency CA interoperability with the FBCA and with other Agency PKI domains. The five policies represent four different assurance levels (Rudimentary, Basic, Medium, and High) for public key digital certificates, plus one assurance level used strictly for testing purposes (Test). The word “assurance” used in this CP means how well a relying party can be certain of the identity binding between the public key and the individual whose subject name is cited in the certificate. In addition, it also reflects how well the relying party can be certain that the individual whose subject name is cited in the certificate is controlling the use of the private key that corresponds to the public key in the certificate.

The FBCA supports interoperability among Federal Agency PKI domains in a peer to peer fashion. The FBCA will issue a certificate only to those Agency CAs determined by the owning agency (called “Principal CAs”). The FBCA, or a CA that interoperates with the FBCA, may also issue certificates to individuals who operate the FBCA. The FBCA certificates issued to Agency Principal CAs act as a conduit of trust. The FBCA does not add to and should not subtract from trust relationships existing between the transacting parties as established through the Federal PKI Policy Authority (FPKIPA).

At their discretion, agencies may elect to interoperate among themselves without using the FBCA. Those agencies that elect to do so may nonetheless employ levels of assurance that mimic those set forth in the FBCA CP. However, the FBCA CP Object Identifiers (OIDs) may be used only by agencies that interoperate with the FBCA. Any use of or reference to this FBCA CP outside the purview of the FPKIPA is completely at the using parties’ risk. Further, unless specifically approved by the FPKIPA, an Agency shall not assert the FBCA CP OIDs in any certificates the Agency CA issues, except in the “policyMappings” field establishing an equivalency between an FBCA OID and an OID in the Agency CA’s CP. When used in the “policyMappings” field, the Agency may only employ the OIDs after a policy mapping determination is made by the FPKIPA allowing their use.

This FBCA CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 2527, Certificate Policy and Certification Practice Statement Framework.

The terms and provisions of this FBCA CP shall be interpreted under and governed by applicable Federal law. The United States Government disclaims any liability that may arise from the use of this FBCA CP.

EuroPKI: EuroPKI is a no-profit organization established to create and develop a pan-European public-key infrastructure (PKI). It has its roots in the PKI established by the ICE-TEL project and further developed by the ICE-CAR one. Both these projects were funded by the European Commission under the Telematics for Research programme.

The structure of this document is according to RFC 2527 [1]. Therefore there are some sections that are maintained for compatibility, although they do not apply exactly to the services offered by EuroPKI. Appendix 1 provides a glossary of terms used in this document. It is mainly based on [1].

Within this document the words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, “OPTIONAL” are to be interpreted as in RFC 2119 [2].

In this document the expression “conforming CA” is used to indicate a CA whose behaviour is conforming to the set of provisions specified in this document.




1.1 Overview

RFC 2527: This subcomponent provides a general introduction to the specification.

Draft Common Policy: This CP defines a set of requirements that helps to determine the viability and applicability of a PKC issued by a conforming CA to its community of users, subject entities, and/or class of applications.

This CP MAY be used by a PKC Relying Party to help in deciding whether a certificate, and the binding therein, is sufficiently trustworthy for a particular application.

Any PKC issued by a conforming CA MUST contain a valid reference to the applicable CP. This CP may be referenced only if the CA is in compliance with all aspects of this policy.

Every conforming CA MUST make available its own CPS(s) in order to provide information to potential clients of the CA and Relying Parties about the underlying technical, procedural and legal foundations which are not otherwise specified in this policy.

A Relying Party MUST interpret and agree to the provisions of this CP and associated CPS before acting on any PKC issued by a CA referencing this

NFOD: NFOD

HEBCA / FBCA: N/A

EuroPKI: This document describes a set of rules that indicates the applicability of a certificate issued by a conforming CA to its community of users and/or class of application with common security requirements.

A certificate policy MAY be used by a certificate user to help in deciding whether a certificate, and the binding therein, is sufficiently trustworthy for a particular application. An X.509 Version 3 certificate issued by a conforming CA SHOULD contain a reference to this certificate policy. More detailed information about the practices which a conforming CA employs in its operations in issuing certificates can be found in the Certification Practice Statements (CPS).

Every conforming CA MUST issue its own CPS in order to provide information to potential clients of the CA about the underlying technical, procedural and legal foundations which are not specified in this policy.




1.1.1 Certificate Policy (CP)

RFC 2527: [Not in 2527]

Draft Common Policy: Any CA that intends to refer to this CP in a PKC that it issues MUST digitally sign a copy of this document, using SHA-1 and RSA, and make the signed copy available at the URI specified in the appropriate PKC Extensions field.

HEBCA: HEBCA certificates contain a registered certificate policy object identifier (OID), which may be used by a Relying Party to decide whether a certificate is trusted for a particular purpose. The party that registers the OID (in this case, the HEPKIPA) also publishes the CP, for examination by Relying Parties. Each certificate issued by the HEBCA will, in the “policyMappings” extension field and in whatever other fashion is determined by the HEBCA Operational Authority (OA) (described in section …) to be necessary for interoperability, reflect what mappings the HEPKIPA determines shall exist between the HEBCA CP and the affected Institution’s CP.

FBCA: FBCA certificates contain a registered certificate policy object identifier (OID), which may be used by a Relying Party to decide whether a certificate is trusted for a particular purpose. The party that registers the OID (in this case, the U.S. Government) also publishes the CP, for examination by relying parties. Each certificate issued by the FBCA will, in the “policyMappings” extension field and in whatever other fashion is determined by the FBCA OA to be necessary for interoperability, reflect what mappings the FPKIPA determines shall exist between the FBCA CP and the affected Agency CP.

1.1.2 Relationship Between the FBCA CP and the FBCA CPS

RFC 2527: [Not in 2527]

Draft Common Policy: This CP states what assurance can be placed in a certificate issued by the conforming CA. The associated CPS states how the CA establishes that assurance.

HEBCA: The HEBCA CP states what assurance can be placed in a certificate issued by the HEBCA. The HEBCA CPS states how the HEBCA establishes that assurance.

FBCA: The FBCA CP states what assurance can be placed in a certificate issued by the FBCA. The FBCA CPS states how the FBCA establishes that assurance.

1.1.3 Relationship Between the FBCA CP and the Agency CP

RFC 2527: [Not in 2527]

Draft Common Policy: The levels of assurance of the certificates issued under this CP are mapped by the Bridge PMA to the levels of assurance of the certificates issued by other CAs. The policy mapping information is placed into the certificates issued by the Bridge CA, or otherwise published or used by the CA (described in section …) so as to facilitate interoperability.

HEBCA: The levels of assurance of the certificates issued under the HEBCA CP are mapped by the HEPKIPA to the levels of assurance of the certificates issued by Institution CAs. The policy mappings information is placed into the certificates issued by the HEBCA, or otherwise published or used by the HEBCA OA (described in section …) so as to facilitate interoperability.

FBCA: The levels of assurance of the certificates issued under the FBCA CP are mapped by the FPKIPA to the levels of assurance of the certificates issued by Agency CAs. The policy mappings information is placed into the certificates issued by the FBCA, or otherwise published or used by the FBCA OA (described below) so as to facilitate interoperability.
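
As an added illustration (not part of this table or of any of the compared CPs), the following Python walks a certificate path from a relying party's own Principal CA through a bridge CA to a subscriber in another domain, and shows how the “policyMappings” entries in the cross-certificates, and the absence of a mapping the Policy Authority has not approved, decide which of the relying party's own policy OIDs the remote certificate satisfies. The OIDs, CA names and the simplified mapping walk are constructed assumptions, not the registered FBCA or HEBCA values or a full RFC 5280 validator.

```python
"""Policy-mapping walk across a bridge CA (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset                 # OIDs asserted in certificatePolicies
    mappings: dict = field(default_factory=dict)  # policyMappings: issuerDomainPolicy -> subjectDomainPolicy


def valid_policies(path):
    """Policies, named by the relying party's own CP OIDs, that survive the
    path (cross-cert issued by the relying party's CA first, end entity last).
    Simplified from RFC 5280 s. 6.1: each certificate must assert a policy the
    path still carries, and a CA certificate's policyMappings rename the
    surviving policies into the domain of the certificates that CA issues."""
    carried = None                                   # None: nothing constrained yet
    for cert in path:
        if carried is None:
            carried = {oid: oid for oid in cert.policies}
        else:
            carried = {oid: home for oid, home in carried.items() if oid in cert.policies}
        # Rename for the next certificate; an OID without a mapping keeps its name.
        carried = {cert.mappings.get(oid, oid): home for oid, home in carried.items()}
    return frozenset(carried.values()) if carried else frozenset()


def satisfies(path, required_oid):
    """True if the relying party's required assurance level is reached via the path."""
    return required_oid in valid_policies(path)


def direct_bridge_assertions(path, bridge_oids, bridge_name):
    """Subjects of certificates not issued by the bridge that assert the bridge's own
    OIDs; both bridge CPs permit those OIDs only inside policyMappings."""
    return [c.subject for c in path if c.issuer != bridge_name and c.policies & bridge_oids]


# Constructed placeholder OIDs (hypothetical arc), not registered FBCA or HEBCA values.
A_MED, A_HIGH = "1.3.6.1.4.1.99999.1.2", "1.3.6.1.4.1.99999.1.3"    # relying party's Agency A CP
BR_MED, BR_HIGH = "1.3.6.1.4.1.99999.2.2", "1.3.6.1.4.1.99999.2.3"  # bridge CP
B_MED, B_HIGH = "1.3.6.1.4.1.99999.3.2", "1.3.6.1.4.1.99999.3.3"    # Agency B CP

PATH = [
    # Agency A's cross-certificate to the bridge maps A's levels onto the bridge's.
    Cert("Bridge CA", "Agency A Principal CA", frozenset({A_MED, A_HIGH}), {A_MED: BR_MED, A_HIGH: BR_HIGH}),
    # The bridge's cross-certificate to Agency B: the Policy Authority has mapped only Medium.
    Cert("Agency B Principal CA", "Bridge CA", frozenset({BR_MED, BR_HIGH}), {BR_MED: B_MED}),
    # Subscriber certificate issued under Agency B's CP; its High OID has no approved mapping.
    Cert("subscriber@agency-b", "Agency B Principal CA", frozenset({B_MED, B_HIGH})),
]

if __name__ == "__main__":
    print(sorted(valid_policies(PATH)))                      # ['1.3.6.1.4.1.99999.1.2']
    print(satisfies(PATH, A_MED), satisfies(PATH, A_HIGH))   # True False
```

The subscriber's own High OID is accepted only once the bridge's Policy Authority adds a BR_HIGH to B_HIGH mapping to the cross-certificate, which is the determination step both bridge CPs require before an OID may appear in “policyMappings”.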


1.1.4 Interoperation with CAs External to this Policy Domain

RFC 2527: [Not in 2527]

Draft Common Policy: [DO WE NEED TO CONSTRAIN CROSS CERTIFICATION BELOW THE TOP LEVEL?]

HEBCA: The current version of this CP does not provide for interoperability through the HEBCA between Higher Education PKI domains and those of parties who are external to Higher Education and who have no relationship with HEPKIPA. Such interoperability will be established when directed by the HEPKIPA and will require changes to this CP to address issues associated with liability and other matters. Nonetheless, it is the ultimate intent of the HEPKIPA to make the HEBCA available to support interoperability between Higher Education and non-Higher Education entities. Moreover, interoperability with entities external to Higher Education for purposes of technical testing may be performed when directed by, and in a fashion determined by, the HEPKIPA, employing the “Test” level of assurance.

FBCA: The current version of this CP does not provide for interoperability through the FBCA between Federal Agency PKI domains and those of parties external to the Federal government. Such interoperability will be established when directed by the FPKIPA and will require changes to this CP to address issues associated with liability and other matters. Nonetheless, it is the ultimate intent of the FPKIPA to make the FBCA available to support interoperability between Federal and non-Federal entities. Moreover, interoperability with entities external to the Federal government for purposes of technical testing may be performed when directed, and in a fashion determined by, the FPKIPA.
