Policies Flashcards
CP vs. CPS
- Address the same set of topics
- Primary difference: the focus of their provisions
-> CP: States requirements and standards imposed by the PKI (“What participants must do”)
-> CPS: States how to meet the requirements stated in the CP (“How to perform functions and implement controls”)
- Additional difference: Their scope of coverage
-> CP: Best serves as the vehicle for communicating minimum operating guidelines that must be met by interoperating PKIs. Generally applies to multiple CAs/organizations/domains
-> CPS: Applies only to a single CA/organization. Not generally a vehicle to facilitate interoperation
Set of provisions
Collection of practice and/or policy statements, spanning a range of standard topics for use in expressing a CP or CPS
Contents of a set of provisions
- Introduction
- Publication and repository responsibilities
- Identification and authentication
- Certificate life-cycle operational requirements
- Facility, management, and operational controls
- Technical security controls
- Certificate, CRL, and OCSP profiles
- Compliance audit and other assessments
- Other business and legal matters
Set of provisions: Introduction
- PKI participants: CA, RA, subscribers, relying parties, other participants
- Certificate usage: Appropriate certificate uses, prohibited certificate uses
- Policy administration: Organization administering the document, contact person, person determining CPS suitability for the policy, CPS approval procedures
Set of provisions: Publication and repository responsibilities
- Repositories
- Publication of certification information
- Time or frequency of publication
- Access controls on repositories
Set of provisions: Identification and authentication
- Naming:
-> Types of names, need for names to be meaningful
-> anonymity or pseudonymity of subscribers
-> uniqueness of names
-> recognition, authentication, role of trademarks
- Initial identity validation:
-> method to prove possession of private key
-> authentication of organization identity or individual identity
-> non-verified subscriber information
-> validation of authority
-> criteria for interoperation
- Identification and authentication for re-key requests:
-> I&A for routine re-key
-> I&A for re-key after revocation
- Identification and authentication for revocation request
Set of provisions: Certificate life-cycle operational requirements: certificate application/issuance
- Certificate application
-> Who can submit a certificate application
-> Enrollment process and responsibilities
- Certificate application processing
-> Performing identification and authentication functions
-> Approval or rejection of certificate applications
-> Time to process certificate applications
- Certificate issuance
-> CA actions during certificate issuance
-> Notification to subscriber by the CA of issuance of certificate
Set of provisions: Certificate life-cycle operational requirements: certificate acceptance/usage
- Certificate acceptance
-> Conduct constituting certificate acceptance
-> Publication of the certificate by the CA
-> Notification of certificate issuance by the CA to other entities
- Key pair and certificate usage
-> Subscriber private key and certificate usage
-> Relying party public key and certificate usage
Set of provisions: Certificate life-cycle operational requirements: certificate renewal
- Certificate renewal
-> Circumstance for certificate renewal
-> Who may request renewal
-> Processing certificate renewal requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of a renewal certificate
-> Publication of the renewal certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate re-key
- Certificate re-key:
-> Circumstance for certificate re-key
-> Who may request certification of a new public key
-> Processing certificate re-keying requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of a re-keyed certificate
-> Publication of the re-keyed certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate modification
- Certificate modification:
-> Circumstance for certificate modification
-> Who may request certificate modification
-> Processing certificate modification requests
-> Notification of new certificate issuance to subscriber
-> Conduct constituting acceptance of modified certificate
-> Publication of the modified certificate by the CA
-> Notification of certificate issuance by the CA to other entities
Set of provisions: Certificate life-cycle operational requirements: certificate revocation
- Certificate revocation and suspension:
-> Circumstances for revocation
-> Who can request revocation
-> Procedure for revocation request
-> Revocation request grace period
-> Time within which CA must process the revocation request
-> Revocation checking requirement for relying parties
-> CRL issuance frequency
-> Maximum latency for CRLs
-> Online revocation/status checking availability
-> Online revocation checking requirements
-> Other forms of revocation advertisements available
-> Special requirements re key compromise
-> Circumstances for suspension
-> Who can request suspension
-> Procedure for suspension request
-> Limits on suspension period
Set of provisions: Certificate life-cycle operational requirements: certificate status services, key escrow and recovery
- Certificate status services:
-> Operational characteristics
-> Service availability
-> Optional features
- End of subscription
- Key escrow and recovery
-> Key escrow and recovery policy and practices
-> Session key encapsulation and recovery policy and practices
Set of provisions: Facility, management, and operational controls: Physical controls
- Site location and construction
- Physical access
- Power and air conditioning
- Water exposure
- Fire prevention and protection
- Media storage
- Waste disposal
- Off-site backup
Set of provisions: Facility, management, and operational controls: Procedural controls
- Trusted roles, number of persons required per task
- Identification and authentication for each role
- Roles requiring separation of duties