Policies Flashcards

1
Q

CP vs. CPS

A
  • Address the same set of topics
  • Primary difference: the focus of their provisions
    -> CP: States requirements and standards imposed by the PKI (“What participants must do”)
    -> CPS: States how to meet the requirements stated in the CP (“How to perform functions and implement controls”)
  • Additional difference: Their scope of coverage
    -> CP: Best serves as the vehicle for communicating minimum operating guidelines that must be met by interoperating PKIs. Generally applies to multiple CAs/organizations/domains
    -> CPS: Applies only to a single CA/organization . Not generally a vehicle to facilitate interoperation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Set of provisions

A

Collection of practice and/or policy statements, spanning a range of standard topics for use in expressing a CP or CPS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Contents of a set of provisions

A
  1. Introduction
  2. Publication and repository responsibilities
  3. Identification and authentication
  4. Certificate life-cycle operational requirements
  5. Facility, management, and operational controls
  6. Technical security controls
  7. Certificate, CRL, and OCSP profiles
  8. Compliance audit and other assessments
  9. Other business and legal matters
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Set of provisions: Introduction

A
  • PKI participants: CA, RA, subscribers, relying parties, other participants
  • Certificate usage: Appropriate certificate uses, prohibited certificate uses
  • Policy administration: Organization administering the document, contact person, person determining CPS suitability for the policy, CPS approval procedures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Set of provisions: Publication and repository responsibilities

A
  • Repositories
  • Publication of certification information
  • Time or frequency of publication
  • Access controls on repositories
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Set of provisions: Identification and authentication

A
  • Naming:
    -> Types of names, need for names to be meaningful
    -> anonymity or pseudonymity of subscribers
    -> uniqueness of names
    -> recognition, authentication, role of trademarks
  • Initial identity validation:
    -> method to prove possession of private key
    -> authentication of organization identity or individual identity
    -> non-verified subscriber information
    -> validation of authority
    -> criteria for interoperation
  • Identification and authentication for re-key requests:
    -> I&A for routine re-key
    -> I&A for re-key after revocation
  • Identification and authentication for revocation request
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Set of provisions: Certificate life-cycle operational requirements: certificate application/issuance

A
  • Certificate application
    -> Who can submit a certificate application
    -> Enrollment process and responsibilities
  • Certificate application processing
    -> Performing identification and authentication functions
    -> Approval or rejection of certificate applications
    -> Time to process certificate applications
  • Certificate issuance
    -> CA actions during certificate issuance
    -> Notification to subscriber by the CA of issuance of certificate
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Set of provisions: Certificate life-cycle operational requirements: certificate acceptance/usage

A
  • Certificate acceptance
    -> Conduct constituting certificate acceptance
    -> Publication of the certificate by the CA
    -> Notification of certificate issuance by the CA to other entities
  • Key pair and certificate usage
    -> Subscriber private key and certificate usage
    -> Relying party public key and certificate usage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Set of provisions: Certificate life-cycle operational requirements: certificate renewal

A
  • Certificate renewal
    -> Circumstance for certificate renewal
    -> Who may request renewal
    -> Processing certificate renewal requests
    -> Notification of new certificate issuance to subscriber
    -> Conduct constituting acceptance of a renewal certificate
    -> Publication of the renewal certificate by the CA
    -> Notification of certificate issuance by the CA to other entities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Set of provisions: Certificate life-cycle operational requirements: certificate re-key

A
  • Certificate re-key:
    -> Circumstance for certificate re-key
    -> Who may request certification of a new public key
    -> Processing certificate re-keying requests
    -> Notification of new certificate issuance to subscriber
    -> Conduct constituting acceptance of a re-keyed certificate
    -> Publication of the re-keyed certificate by the CA
    -> Notification of certificate issuance by the CA to other entities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Set of provisions: Certificate life-cycle operational requirements: certificate modification

A
  • Certificate modification:
    -> Circumstance for certificate modification
    -> Who may request certificate modification
    -> Processing certificate modification requests
    -> Notification of new certificate issuance to subscriber
    -> Conduct constituting acceptance of modified certificate
    -> Publication of the modified certificate by the CA
    -> Notification of certificate issuance by the CA to other entities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Set of provisions: Certificate life-cycle operational requirements: certificate revocation

A
  • Certificate revocation and suspension:
    -> Circumstances for revocation
    -> Who can request revocation
    -> Procedure for revocation request
    -> Revocation request grace period
    -> Time within which CA must process the revocation request
    -> Revocation checking requirement for relying parties
    -> CRL issuance frequency
    -> Maximum latency for CRLs
    -> Online revocation/status checking availability
    -> Online revocation checking requirements
    -> Other forms of revocation advertisements available
    -> Special requirements re-key compromise
    -> Circumstances for suspension
    -> Who can request suspension
    -> Procedure for suspension request
    -> Limits on suspension period
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Set of provisions: Certificate life-cycle operational requirements: certificate status services, key escrow and recovery

A
  • Certificate status services:
    -> Operational characteristics
    -> Service availability
    -> Optional features
  • End of subscription
  • Key escrow and recovery
    -> Key escrow and recovery policy and practices
    -> Session key encapsulation and recovery policy and practices
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Set of provisions: Facility, management, and operational controls: Physical controls

A
  • Site location and construction
  • Physical access
  • Power and air conditioning
  • Water exposure
  • Fire prevention and protection
  • Media storage
  • Waste disposal
  • Off-site backup
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Set of provisions: Facility, management, and operational controls: Procedural controls

A
  • Trusted roles, number of persons required per task
  • Identification and authentication for each role
  • Roles requiring separation of duties
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Set of provisions: Facility, management, and operational controls: Personnel controls

A
  • Qualifications, experience, and clearance requirements
  • Background check procedures
  • Training requirements
  • Retraining frequency and requirements
  • Job rotation frequency and sequence
  • Sanctions for unauthorized actions
  • Independent contractor requirements
  • Documentations supplied to personnel
17
Q

Set of provisions: Facility, management, and operational controls: Audit logging procedures

A
  • Types of events recorded
  • Frequency of processing log
  • Retention period for audit log
  • Protection of audit log
  • Audit log backup procedures
  • Audit collection system (internal vs. external)
  • Notification to event-causing subject
  • Vulnerability assessments
18
Q

Set of provisions: Facility, management, and operational controls: Records archival

A
  • Types of records archived
  • Retention period for archive
  • Protection of archive
  • Archive backup procedures
  • Requirements for time-stamping of records
  • Archive collection system (internal or external)
  • Procedures to obtain and verify archive information
  • Key changeover
19
Q

Set of provisions: Facility, management, and operational controls: Compromise and disaster recovery

A
  • Incident and compromise handling procedures
  • Computing resources, software, and/or data are corrupted
  • Entity private key compromise procedures
  • Business continuity capabilities after a disaster
  • CA or RA termination
20
Q

Set of provisions: Technical security controls: Key pair generation and installation

A
  • Key pair generation
  • Private key delivery to subscriber
  • Public key delivery to certificate issuer
  • CA public key delivery to relying parties
  • Key sizes
  • Public key parameters generation and quality checking
  • Key usage purposes
21
Q

Set of provisions: Technical security controls: Private key protection and cryptographic module engineering controls

A
  • Cryptographic module standards and controls
  • Private key multi-person control
  • Private key escrow
  • Private key backup
  • Private key archival
  • Private key transfer into or from a cryptographic module
  • Private key storage on cryptographic module
  • Method of activating private key
  • Method of deactivating private key
  • Method of destroying private key
  • Cryptographic module rating
22
Q

Set of provisions: Certificate, CRL, and OCSP profiles: Certificate profile

A
  • Version number(s)
  • Certificate extensions
  • Algorithm object identifiers
  • Name forms
  • Name constraints
  • Certificate policy object identifier
  • Usage of Policy Constraints extension
  • Policy qualifiers syntax and semantics
  • Processing semantics for the critical Certificate Policies extension
23
Q

Set of provisions: Certificate, CRL, and OCSP profiles: CRL profile

A
  • Version number(s)
  • CRL and CRL entry extensions
24
Q

Set of provisions: Certificate, CRL, and OCSP profiles: OCSP profile

A
  • Version number(s)
  • OCSP extensions
25
Q

Set of provisions: Other business and legal matters

A
  • Fees
  • Financial responsibility
  • Confidentiality of business information
  • Privacy of personal information
  • Intellectual property rights
  • Representations and warranties
  • Disclaimers of warranties
  • Limitations of liability
  • Indemnities
  • Term and termination
  • Individual notices and communications with participants
  • Amendments
  • Dispute resolution provisions
  • Governing law
  • Compliance with applicable law
  • Miscellaneous provisions
  • Other provisions
26
Q

X.509 certificate extension: Certificate Policies

A
  • Sequence of one or more policy information terms
  • Policy information term: a policy identifier (as OID) + optional policy qualifiers
  • In end-entity certificates: Indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used
  • In CA certificates:
    -> Limits the set of policies for certification paths which include this certificate
    -> Circumvention of limitation: by use of special policy “anyPolicy”
27
Q

Certificate Policy

A

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements

28
Q

Certification practice statement

A

A statement of the practices that a CA employs in issuing, managing, revoking, and renewing or re-keying certificates

29
Q

How are policies enforced by the PKI?

A
  • Policies are enforced by the PKI through:
    -> Selecting standards, parameters, hardware
    -> Monitoring behaviour of involved parties
    -> Reacting on infringement of the policy
30
Q

Set of provisions: Technical security controls: Other

A
  • Other aspects of key pair management
    -> Public key archival
    -> Certificate operational periods and key pair usage periods
  • Activation data
  • Computer security controls
  • Life cycle technical controls
  • Network security controls
  • Timestamping
31
Q

Set of provisions: Compliance audit and other assessments

A
  • Frequency or circumstances of assessment
  • Identity/qualifications of assessor
  • Assessor’s relationship to assessed entity
  • Topics covered by assessment
  • Actions taken as a result of deficiency
  • Communication of results
32
Q

X.509 certificate extensions: Certificate Policies

A
  • Sequence of one or more policy information terms (a policy identifier (as OID) + optional policy qualifiers)
  • In end-entity certificates: Indicates the policy under which the certificate has been issued and the purposes for which the certificate may be used
  • In CA certificates:
    -> Limits the set of policies for certification paths which include this certificate
    -> Circumvention of limitation: by use of special policy “anyPolicy”