CESNET CA Basic Level Certificate Policy

Version 2.0

2005


Table of Contents

1. INTRODUCTION
1.1. Overview
1.2. Identification
1.2.1. Certificate Policy Name
1.2.2. Object Identifiers
1.3. Community and Applicability
1.3.1. Certification authorities
1.3.2. Registration authorities
1.3.3. End entities
1.3.4. Applicability
1.4. Contact Details
1.4.1. Specification administration organization
1.4.2. Contact person
1.4.3. Person determining CPS suitability for the policy
2. GENERAL PROVISIONS
2.1. Obligations
2.1.1. CA obligations
2.1.2. RA obligations
2.1.3. Subscriber obligations
2.1.4. Relying party obligations
2.1.5. Repository obligations
2.2. Liability
2.2.1. CA liability
2.2.2. RA liability
2.3. Financial responsibility
2.3.1. Indemnification by relying parties
2.3.2. Fiduciary relationships
2.3.3. Administrative processes
2.4. Interpretation and Enforcement
2.4.1. Governing law
2.4.2. Severability, survival, merger, notice
2.4.3. Dispute resolution procedures
2.5. Fees
2.5.1. Certificate issuance or renewal fees
2.5.2. Certificate access fees
2.5.3. Revocation or status information access fees
2.5.4. Fees for other services such as policy information
2.5.5. Refund policy
2.6. Publication and Repository
2.6.1. Publication of CA information
2.6.2. Frequency of publication
2.6.3. Access controls
2.6.4. Repositories
2.7. Compliance audit
2.7.1. Frequency of entity compliance audit
2.7.2. Identity/qualifications of auditor
2.7.3. Auditor's relationship to audited party
2.7.4. Topics covered by audit
2.7.5. Actions taken as a result of deficiency
2.7.6. Communication of results
2.8. Confidentiality
2.8.1. Types of information to be kept confidential
2.8.2. Types of information not considered confidential
2.8.3. Disclosure of certificate revocation/suspension information
2.8.4. Release to law enforcement officials
2.8.5. Release as part of civil discovery
2.8.6. Disclosure upon owner's request
2.8.7. Other information release circumstances
2.9. Intellectual Property Rights
3. IDENTIFICATION AND AUTHENTICATION
3.1. Initial Registration
3.1.1. Types of names
3.1.2. Need for names to be meaningful
3.1.3. Rules for interpreting various name forms
3.1.4. Uniqueness of names
3.1.5. Name claim dispute resolution procedure
3.1.6. Recognition, authentication and role of trademarks
3.1.7. Method to prove possession of private key
3.1.8. Authentication of organization identity
3.1.9. Authentication of individual identity
3.2. Routine Rekey
3.3. Rekey after Revocation
3.4. Revocation Request
4. OPERATIONAL REQUIREMENTS
4.1. Certificate Application
4.2. Certificate Issuance
4.3. Certificate Acceptance
4.4. Certificate Suspension and Revocation
4.4.1. Circumstances for revocation
4.4.2. Who can request revocation
4.4.3. Procedure for revocation request
4.4.4. Revocation request grace period
4.4.5. Circumstances for suspension
4.4.6. Who can request suspension
4.4.7. Procedure for suspension request
4.4.8. Limits on suspension period
4.4.9. CRL issuance frequency (if applicable)
4.4.10. CRL checking requirements
4.4.11. On-line revocation/status checking availability
4.4.12. On-line revocation checking requirements
4.4.13. Other forms of revocation advertisements available
4.4.14. Checking requirements for other forms of revocation advertisements
4.4.15. Special requirements re key compromise
4.5. Security Audit Procedures
4.5.1. Types of event recorded
4.5.2. Frequency of processing log
4.5.3. Retention period for audit log
4.5.4. Protection of audit log
4.5.5. Audit log backup procedures
4.5.6. Audit collection system (internal vs external)
4.5.7. Notification to event-causing subject
4.5.8. Vulnerability assessments
4.6. Records Archival
4.6.1. Types of event recorded
4.6.2. Retention period for archive
4.6.3. Protection of archive
4.6.4. Archive backup procedures
4.6.5. Requirements for time-stamping of records
4.6.6. Archive collection system (internal or external)
4.6.7. Procedures to obtain and verify archive information
4.7. Key changeover
4.8. Compromise and Disaster Recovery
4.8.1. Computing resources, software, and/or data are corrupted
4.8.2. Entity public key is revoked
4.8.3. Entity key is compromised
4.8.4. Secure facility after a natural or other type of disaster
4.9. CA Termination
5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
5.1. Physical Controls
5.1.1. Site location and construction
5.1.2. Physical access
5.1.3. Power and air conditioning
5.1.4. Water exposures
5.1.5. Fire prevention and protection
5.1.6. Media storage
5.1.7. Waste disposal
5.1.8. Off-site backup
5.2. Procedural Controls
5.2.1. Trusted roles
5.2.2. Number of persons required per task
5.2.3. Identification and authentication for each role
5.3. Personnel Controls
5.3.1. Background, qualifications, experience, and clearance requirements
5.3.2. Background check procedures
5.3.3. Training requirements
5.3.4. Retraining frequency and requirements
5.3.5. Job rotation frequency and sequence
5.3.6. Sanctions for unauthorized actions
5.3.7. Contracting personnel requirements
5.3.8. Documentation supplied to personnel
6. TECHNICAL SECURITY CONTROLS
6.1. Key Pair Generation and Installation
6.1.1. Key pair generation
6.1.2. Private key delivery to entity
6.1.3. Public key delivery to certificate issuer
6.1.4. CA public key delivery to users
6.1.5. Key sizes
6.1.6. Public key parameters generation
6.1.7. Parameter quality checking
6.1.8. Hardware/software key generation
6.1.9. Key usage purposes (as per X.509 v3 key usage field)
6.2. Private Key Protection
6.2.1. Standards for cryptographic module
6.2.2. Private key (n out of m) multi-person control
6.2.3. Private key escrow
6.2.4. Private key backup
6.2.5. Private key archival
6.2.6. Private key entry into cryptographic module
6.2.7. Method of activating private key
6.2.8. Method of deactivating private key
6.2.9. Method of destroying private key
6.3. Other Aspects of Key Pair Management
6.3.1. Public key archival
6.3.2. Usage periods for the public and private keys
6.4. Activation Data
6.4.1. Activation data generation and installation
6.4.2. Activation data protection
6.4.3. Other aspects of activation data
6.5. Computer Security Controls
6.5.1. Specific computer security technical requirements
6.5.2. Computer security rating
6.6. Life Cycle Technical Controls
6.6.1. System development controls
6.6.2. Security management controls
6.6.3. Life cycle security ratings
6.7. Network Security Controls
6.8. Cryptographic Module Engineering Controls
7. CERTIFICATE AND CRL PROFILES
7.1. Certificate Profile
7.1.1. Version number(s)
7.1.2. Certificate extensions
7.1.3. Algorithm object identifiers
7.1.4. Name forms
7.1.5. Name constraints
7.1.6. Certificate policy Object Identifier
7.1.7. Usage of Policy Constraints extension
7.1.8. Policy qualifiers syntax and semantics
7.1.9. Processing semantics for the critical certificate policy extension
7.2. CRL Profile
7.2.1. Version number(s)
7.2.2. CRL and CRL entry extensions
8. SPECIFICATION ADMINISTRATION
8.1. Specification change procedures
8.2. Publication and notification policies
8.3. CPS approval procedures
Glossary
References
A. Key words for use in RFCs to Indicate Requirement Levels