HEPKI Common Policy Framework

By Russell Palmer,2014-06-18 10:34
13 views 0
HEPKI Common Policy Framework


    HEPKI Common Policy Framework

    DRAFT: v0.0005

    The purpose of this table, and the companion comparison of commercial CPs, is to provide a tool for development of a compatible Higher Education Certificate Policy statement. The goal is to be able to map “trust” between at least the Federal CA environment and the HEPKI environment. Ideally, it will be possible to map trust even further to include the European academic and research community as well as commercial CA operations.

    The Federal Bridge CA (FBCA) policy is from the draft dated 10/23/00. It is authored by Dr. Richard Guida, Chair of the Federal Public Key Infrastructure Steering Committee, and Mr. Joseph Mettle of the National Security Agency (NSA) together with a large working group.

The EuroPKI Certificate Policy is from Version 1.1 (DRAFT 3) dated July 2000.

The structure of this table and the various sections is derived primarily from IETF RFC 2527: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework”

    by S. Chokhani and W. Ford. Additional sections derive from the FBCA policy and from discussions within the HEPKI working group.

v1.5 Page 1 of 243




    This component identifies This Certificate Policy (CP) No First Order This Certificate Policy (CP) This Certificate Policy (CP) EuroPKI is a no-profit 1. INTRODUCTION and introduces the set of statement defines the Differences defines five certificate defines five certificate organization established to provisions, and indicates terms and conditions under (NFOD) policies for use by the policies for use by the create and develop a pan-the types of entities and which a Certificate Higher Education Bridge Federal Bridge Certification European public-key applications for which the Authority (CA) that issues Certification Authority Authority (FBCA) to infrastructure (PKI). It has specification is targeted. Public Key Certificates (HEBCA) to facilitate facilitate Agency CA its roots in the PKI

    (PKC) that reference the Institution CA interoperability with the established by the ICE-TEL

    policy object identifier (OID) interoperability with the FBCA and with other project and further

    for this CP must operate. HEBCA and with other Agency PKI domains. The developed by the ICE-CAR

    Operation includes Institution PKI domains. five policies represent four one. Both these projects

    management of the PKCs it The five policies represent different assurance levels were funded by the

    issues and management of four different assurance (Rudimentary, Basic, European Commission

    its own infrastructure. The levels (Rudimentary, Basic, Medium, and High) for under the Telematics for

    term “issues” in this context Medium, and High) for public key digital Research programme.

    refers to the process of public key digital certificates, plus one The structure of this digitally signing with its certificates, plus one assurance level used document is according to private key a structured assurance level used strictly for testing purposes RFC 2527 [1]. Therefore digital object conforming to strictly for testing purposes (Test). The word there are some sections the ISO X.509, version 3 or (Test). The word “assurance” used in this CP that are maintained for compatible PKC format. “assurance” used in this CP means how well a relying compatibility, although they means how well a Relying party can be certain of the One or more companion do not apply exactly to the Party can be certain of the identity binding between Certification Practice services offered by identity binding between the public key and the Statement(s) (CPS) must EuroPKI. Appendix 1 the public key and the individual whose subject be defined for each CA provides a glossary of individual whose subject name is cited in the operating under this CP. terms used in this name is cited in the certificate. In addition, it Such a statement must document. It is mainly certificate. In addition, it also reflects how well the articulate how the CA based on [1]. also reflects how well the relying party can be certain implements the provisions Relying Party can be that the individual whose Within this document the of this policy. certain that the individual subject name is cited in the words “MUST”, “MUST

    whose subject name is certificate is controlling the A CA conforming to this NOT”, “REQUIRED”,

    cited in the certificate is use of the private key that policy MAY be stand-alone “SHALL”, “SHALL NOT”,

    controlling the use of the corresponds to the public or it MAY be part of a “SHOULD”, “SHOULD

    private key that key in the certificate. Public Key Infrastructure NOT”, “RECOMMENDED”,

    corresponds to the public (PKI) hierarchy. In the “MAY”, “OPTIONAL” are to The FBCA supports key in the certificate. latter case, any subordinate be interpreted as in RFC interoperability among

    v1.5 Page 2 of 243




    CA, defined as a CA for Federal Agency PKI 2119 [2]. The HEBCA supports which the conforming CA domains in a peer to peer interoperability among In this document the signs an authority fashion. The FBCA will Higher Education PKI expression “conforming certificate, must adopt this issue a certificate only to domains in a peer to peer CA” is used to indicate a CP or one that is consistent those Agency CAs fashion. The HEBCA will CA whose behaviour is with all of the provisions of determined by the owning issue a certificate only to conforming to the set of this CP. agency (called “Principal those Institution CAs provisions specified in this CAs”). The FBCA, or a CA determined by the owning document. This CP is structured in that interoperates with the institution (called “Principal accordance with RFC 2527 FBCA, may also issue CAs”). The HEBCA, or a [1]. Within this document certificates to individuals CA that interoperates with the words “MUST”, “MUST who operate the FBCA. the HEBCA, may also issue NOT”, “REQUIRED”, The FBCA certificates certificates to individuals “SHALL”, “SHALL NOT”, issued to Agency Principal who operate the HEBCA. “SHOULD”, “SHOULD CAs act as a conduit of The HEBCA certificates NOT”, “RECOMMENDED”, trust. The FBCA does not issued to Institution “MAY”, “OPTIONAL” are to add to and should not Principal CAs act as a be interpreted as in RFC subtract from trust conduit of trust. The 2119 [2]. relationships existing HEBCA does not add to between the transacting and should not subtract parties as established from trust relationships through the Federal PKI existing between the Policy Authority (FPKIPA). transacting parties as

    established through the At their discretion, agencies Higher Education PKI may elect to interoperate Policy Authority among themselves without (HEPKIPA). using the FBCA. Those

    agencies that elect to do so At their discretion, may nonetheless employ institutions may elect to levels of assurance that interoperate among mimic those set forth in the themselves without using FBCA CP. However, the HEBCA. Those FBCA CP Object Identifiers institutions that elect to do (OIDs) may be used only so may nonetheless by agencies that employ levels of assurance interoperate with the FBCA. that mimic those set forth in v1.5 Page 3 of 243




    the HEBCA CP. However, Any use of or reference to HEBCA CP Object this FBCA CP outside the Identifiers (OIDs) may be purview of the FPKIPA is used only by institutions completely at the using that interoperate with the parties’ risk. Further, HEBCA. Any use of or unless specifically reference to this HEBCA approved by the FPKIPA, CP outside the purview of an Agency shall not assert the HEPKIPA is completely the FBCA CP OIDs in any at the using party’s risk. certificates the Agency CA Further, unless specifically issues, except in the approved by the HEPKIPA, “policyMappings” field an Institution shall not establishing an equivalency assert the HEBCA CP between an FBCA OID and OIDs in any certificates the an OID in the Agency CA’s

    Institution CA issues, CP. When used in the except in the “policyMappings” field, the “policyMappings” field Agency may only employ establishing an equivalency the OIDs after a policy between an HEBCA OID mapping determination is and an OID in the made by the FPKIPA Institution CA’s CP. When allowing their use.

    used in the This FBCA CP is consistent “policyMappings” field, the with the Internet Institution may only employ Engineering Task Force the OIDs after a policy (IETF) Public Key mapping determination is Infrastructure X.509 (IETF made by the HEPKIPA PKIX) RFC 2527, allowing their use. Certificate Policy and

    Certification Practice This HEBCA CP is

    consistent with the Internet Statement Framework.

    Engineering Task Force The terms and provisions (IETF) Public Key of this FBCA CP shall be Infrastructure X.509 (IETF interpreted under and PKIX) RFC 2527, governed by applicable Certificate Policy and Federal law. The United

    v1.5 Page 4 of 243