Policies Flashcards
CP vs. CPS
- Address the same set of topics
- Primary difference: the focus of their provisions
-> CP: States requirements and standards imposed by the PKI (“What participants must do”)
-> CPS: States how to meet the requirements stated in the CP (“How to perform functions and implement controls”)
- Additional difference: Their scope of coverage
-> CP: Best serves as the vehicle for communicating minimum operating guidelines that must be met by interoperating PKIs. Generally applies to multiple CAs/organizations/domains
-> CPS: Applies only to a single CA/organization. Not generally a vehicle to facilitate interoperation
Set of provisions
Collection of practice and/or policy statements, spanning a range of standard topics for use in expressing a CP or CPS
Contents of a set of provisions
- Introduction
- Publication and repository responsibilities
- Identification and authentication
- Certificate life-cycle operational requirements
- Facility, management, and operational controls
- Technical security controls
- Certificate, CRL, and OCSP profiles
- Compliance audit and other assessments
- Other business and legal matters
Set of provisions: Introduction
- PKI participants: CA, RA, subscribers, relying parties, other participants
- Certificate usage: Appropriate certificate uses, prohibited certificate uses
- Policy administration: Organization administering the document, contact person, person determining CPS suitability for the policy, CPS approval procedures
Set of provisions: Publication and repository responsibilities
- Repositories
- Publication of certification information
- Time or frequency of publication
- Access controls on repositories
Set of provisions: Identification and authentication
- Naming:
-> Types of names, need for names to be meaningful
-> Anonymity or pseudonymity of subscribers
-> Uniqueness of names
-> Recognition, authentication, and role of trademarks
- Initial identity validation:
-> Method to prove possession of private key
-> Authentication of organization identity or individual identity
-> Non-verified subscriber information
-> Validation of authority
-> Criteria for interoperation
- Identification and authentication for re-key requests:
-> I&A for routine re-key
-> I&A for re-key after revocation
- Identification and authentication for revocation request
Set of provisions: Certificate life-cycle operational requirements: certificate application/issuance
- Certificate application
-> Who can submit a certificate application
-> Enrollment process and responsibilities
- Certificate application processing
-> Performing identification and authentication functions
-> Approval or rejection of certificate applications
-> Time to process certificate applications
- Certificate issuance
-> CA actions during certificate issuance
-> Notification to subscriber by the CA of issuance of certificate
Set of provisions: Certificate life-cycle operational requirements: certificate acceptance/usage
- Certificate acceptance
-> Conduct constituting certificate acceptance
-> Publication of the certificate by the CA
-> Notification of certificate issuance by the CA to other entities
- Key pair and certificate usage
-> Subscriber private key and certificate usage
-> Relying party public key and certificate usage
Set of provisions: Certificate life-cycle operational requirements: certificate renewal
- Certificate renewal
-> Circumstance for certificate renewal
-> Who may request renewal
-> Processing certificate renewal requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of a renewal certificate
-> Publication of the renewal certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate re-key
- Certificate re-key:
-> Circumstance for certificate re-key
-> Who may request certification of a new public key
-> Processing certificate re-keying requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of a re-keyed certificate
-> Publication of the re-keyed certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate modification
- Certificate modification:
-> Circumstance for certificate modification
-> Who may request certificate modification
-> Processing certificate modification requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of modified certificate
-> Publication of the modified certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate revocation
- Certificate revocation and suspension:
-> Circumstances for revocation
-> Who can request revocation
-> Procedure for revocation request
-> Revocation request grace period
-> Time within which CA must process the revocation request
-> Revocation checking requirement for relying parties
-> CRL issuance frequency
-> Maximum latency for CRLs
-> Online revocation/status checking availability
-> Online revocation checking requirements
-> Other forms of revocation advertisements available
-> Special requirements regarding key compromise
-> Circumstances for suspension
-> Who can request suspension
-> Procedure for suspension request
-> Limits on suspension period
Set of provisions: Certificate life-cycle operational requirements: certificate status services, key escrow and recovery
- Certificate status services:
-> Operational characteristics
-> Service availability
-> Optional features
- End of subscription
- Key escrow and recovery
-> Key escrow and recovery policy and practices
-> Session key encapsulation and recovery policy and practices
Set of provisions: Facility, management, and operational controls: Physical controls
- Site location and construction
- Physical access
- Power and air conditioning
- Water exposure
- Fire prevention and protection
- Media storage
- Waste disposal
- Off-site backup
Set of provisions: Facility, management, and operational controls: Procedural controls
- Trusted roles, number of persons required per task
- Identification and authentication for each role
- Roles requiring separation of duties
Set of provisions: Facility, management, and operational controls: Personnel controls
- Qualifications, experience, and clearance requirements
- Background check procedures
- Training requirements
- Retraining frequency and requirements
- Job rotation frequency and sequence
- Sanctions for unauthorized actions
- Independent contractor requirements
- Documentation supplied to personnel
Set of provisions: Facility, management, and operational controls: Audit logging procedures
- Types of events recorded
- Frequency of processing log
- Retention period for audit log
- Protection of audit log
- Audit log backup procedures
- Audit collection system (internal vs. external)
- Notification to event-causing subject
- Vulnerability assessments
Set of provisions: Facility, management, and operational controls: Records archival
- Types of records archived
- Retention period for archive
- Protection of archive
- Archive backup procedures
- Requirements for time-stamping of records
- Archive collection system (internal or external)
- Procedures to obtain and verify archive information
- Key changeover
Set of provisions: Facility, management, and operational controls: Compromise and disaster recovery
- Incident and compromise handling procedures
- Computing resources, software, and/or data are corrupted
- Entity private key compromise procedures
- Business continuity capabilities after a disaster
- CA or RA termination
Set of provisions: Technical security controls: Key pair generation and installation
- Key pair generation
- Private key delivery to subscriber
- Public key delivery to certificate issuer
- CA public key delivery to relying parties
- Key sizes
- Public key parameters generation and quality checking
- Key usage purposes
Set of provisions: Technical security controls: Private key protection and cryptographic module engineering controls
- Cryptographic module standards and controls
- Private key multi-person control
- Private key escrow
- Private key backup
- Private key archival
- Private key transfer into or from a cryptographic module
- Private key storage on cryptographic module
- Method of activating private key
- Method of deactivating private key
- Method of destroying private key
- Cryptographic module rating
Set of provisions: Certificate, CRL, and OCSP profiles: Certificate profile
- Version number(s)
- Certificate extensions
- Algorithm object identifiers
- Name forms
- Name constraints
- Certificate policy object identifier
- Usage of Policy Constraints extension
- Policy qualifiers syntax and semantics
- Processing semantics for the critical Certificate Policies extension
Set of provisions: Certificate, CRL, and OCSP profiles: CRL profile
- Version number(s)
- CRL and CRL entry extensions
Set of provisions: Certificate, CRL, and OCSP profiles: OCSP profile
- Version number(s)
- OCSP extensions
Set of provisions: Other business and legal matters
- Fees
- Financial responsibility
- Confidentiality of business information
- Privacy of personal information
- Intellectual property rights
- Representations and warranties
- Disclaimers of warranties
- Limitations of liability
- Indemnities
- Term and termination
- Individual notices and communications with participants
- Amendments
- Dispute resolution provisions
- Governing law
- Compliance with applicable law
- Miscellaneous provisions
- Other provisions
X.509 certificate extension: Certificate Policies
- Sequence of one or more policy information terms
- Policy information term: a policy identifier (as OID) + optional policy qualifiers
- In end-entity certificates: Indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used
- In CA certificates:
-> Limits the set of policies for certification paths which include this certificate
-> Circumvention of limitation: by use of special policy “anyPolicy”
Certificate Policy
A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements
Certification practice statement
A statement of the practices that a CA employs in issuing, managing, revoking, and renewing or re-keying certificates
How are policies enforced by the PKI?
- Policies are enforced by the PKI through:
-> Selecting standards, parameters, hardware
-> Monitoring behaviour of involved parties
-> Reacting on infringement of the policy
Set of provisions: Technical security controls: Other
- Other aspects of key pair management
-> Public key archival
-> Certificate operational periods and key pair usage periods
- Activation data
- Computer security controls
- Life cycle technical controls
- Network security controls
- Timestamping
Set of provisions: Compliance audit and other assessments
- Frequency or circumstances of assessment
- Identity/qualifications of assessor
- Assessor’s relationship to assessed entity
- Topics covered by assessment
- Actions taken as a result of deficiency
- Communication of results