Page de signatures électroniques / Electronic Signatures Page. This document has been digitally signed and timestamped. To verify signature validity, refer to the procedure and tools available on the web site. By default, signature validity is unknown: the ? icon is present on each signature and disappears after verification if the signature is valid. Tous droits réservés Thales Alenia Space / All rights reserved.
01/07/2006   ISSUE : 02   PAGE : 1   Total Pages : 52

THALES ALENIA SPACE CENTRALIZED SIGNATURE: CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT

Rédigé par / Written by: E. GENOTELLE
Approbation / Approved: TAS PKI Manager
Responsabilité-Service-Société / Responsibility-Office-Company: E. BOURDEAU (IS/ES), R. ROSSIGNOL (IS/IT Security), PL. NAUT (IS/ES/PS), G. MAIONE (Quality)
Issuing entity (holder of the original): DSI / SI/P : GED
The validation trail is provided by the GED workflow.
ENREGISTREMENT DES EVOLUTIONS / CHANGE RECORDS

| ISSUE | DATE | CHANGE RECORD | AUTHOR |
|---|---|---|---|
| 01 | 10/12/2004 | First issue | Genotelle |
| 02 | 01/07/2006 | Taking into account Thales Alenia Space organization. Certificate hash algorithm is now SHA-1. | Genotelle |
| 03 |  | Thales Alenia Space | H. DERREY |
TABLE DES MATIERES / TABLE OF CONTENTS

1. OBJET / OBJECT
2. DOMAINE D'APPLICATION / APPLICABILITY
3. TERMINOLOGIE ET DOCUMENTATION / TERMINOLOGY AND DOCUMENTATION
  3.1 DOCUMENTS APPLICABLES / APPLICABLE DOCUMENTS
  3.2 DOCUMENTS DE REFERENCE / REFERENCE DOCUMENTS
  3.3 TERMINOLOGIE / TERMINOLOGY
  3.4 ABREVIATIONS / ABBREVIATIONS
  3.5 CONVENTIONS
4. INTRODUCTION
  4.1 OVERVIEW
  4.2 NEEDS AND CONSTRAINTS OVERVIEW
  4.3 TASCS PRINCIPLES ET ARCHITECTURE OVERVIEW
  4.4 IDENTIFICATION
  4.5 COMMUNITY AND APPLICABILITY
    - Certification authorities
    - Registration authorities
    - End entities
    - Applicability
  4.6 CONTACT DETAILS
    - Specification administration organization
    - Contact person
    - Person determining CPS suitability for the policy
5. GENERAL PROVISIONS [PROV]
  5.1 OBLIGATIONS
    - CA obligations
    - RA obligations
    - Subscriber obligations
    - Relying party obligations
    - Repository obligations
    - TASCS Service obligations
  5.2 LIABILITY
    - CA liability
    - RA liability
  5.3 FINANCIAL RESPONSIBILITY
  5.4 INTERPRETATION AND ENFORCEMENT
    - Governing law
    - Severability, survival, merger, notice
    - Dispute resolution procedures
  5.5 FEES
    - Certificate issuance or renewal fees
    - Certificate access fees
    - Revocation or status information access fees
    - Fees for other services such as policy information
    - Refund policy
  5.6 PUBLICATION AND REPOSITORY
    - Publication of CA information
    - Frequency of publication ... 21
    - Access controls
    - Repositories
  5.7 COMPLIANCE AUDIT
    - Frequency of entity compliance audit
    - Identity/qualifications of auditor
    - Auditor's relationship to audited party
    - Topics covered by audit
    - Actions taken as a result of deficiency
    - Communication of results
  5.8 CONFIDENTIALITY
    - Types of information to be kept confidential
    - Types of information not considered confidential
    - Disclosure of certificate revocation/suspension information
    - Release to law enforcement officials
    - Release as part of civil discovery
    - Disclosure upon owner's request
    - Other information release circumstances
  5.9 INTELLECTUAL PROPERTY RIGHTS
6. IDENTIFICATION AND AUTHENTICATION [AUTH]
  6.1 INITIAL REGISTRATION
    - Types of names
    - Need for names to be meaningful
    - Rules for interpreting various name forms
    - Uniqueness of names
    - Name claim dispute resolution procedure
    - Recognition, authentication and role of trademarks
    - Method to prove possession of private key
    - Authentication of organization identity
    - Authentication of individual identity
  6.2 AUTHENTICATION FOR RENEWAL AFTER PERIOD OF VALIDITY (ROUTINE REKEY)
  6.3 REKEY AFTER REVOCATION
  6.4 REVOCATION REQUEST
7. OPERATIONAL REQUIREMENTS [OPER]
  7.1 CERTIFICATE APPLICATION
  7.2 CERTIFICATE ISSUANCE
  7.3 CERTIFICATE ACCEPTANCE
  7.4 CERTIFICATE SUSPENSION AND REVOCATION
    - Circumstances for revocation
    - Who can request revocation
    - Procedure for revocation request
    - Revocation request grace period
    - Circumstances for suspension
    - Who can request suspension
    - Procedure for suspension request
    - Limits on suspension period
    - CRL issuance frequency
    - CRL checking requirements
    - On-line revocation/status checking availability
    - On-line revocation checking requirements
    - Other forms of revocation advertisements available
    - Checking requirements for other forms of revocation advertisements ... 31
    - Special requirements rekey compromise
  7.5 SECURITY AUDIT PROCEDURES
    - Types of event recorded
    - Frequency of processing log
    - Retention period for audit log
    - Protection of audit log
    - Audit log backup procedures
    - Audit collection system (internal vs external)
    - Notification to event-causing subject
    - Vulnerability assessments
  7.6 RECORDS ARCHIVAL
    - Types of event recorded
    - Retention period for archive
    - Protection of archives
    - Archive backup procedures
    - Requirements for time-stamping of records
    - Archive collection system (internal or external)
    - Procedures to obtain and verify archive information
  7.7 KEY CHANGEOVER
  7.8 COMPROMISE AND DISASTER RECOVERY
    - Computing resources, software, and/or data are corrupted
    - Entity public key is revoked
    - Entity key is compromised
    - Secure facility after a natural or other type of disaster
  7.9 CA TERMINATION
8. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS [PSEC]
  8.1 PHYSICAL CONTROLS
    - Site location and construction
    - Physical access
    - Power and air conditioning
    - Water exposures
    - Fire prevention and protection
    - Media storage
    - Waste disposal
    - Off-site backup
  8.2 PROCEDURAL CONTROLS
    - Trusted roles
    - Number of persons required per task
    - Identification and authentication for each role
  8.3 PERSONNEL CONTROLS
    - Background, qualifications, experience, and clearance requirements
    - Background check procedures
    - Training requirements
    - Retraining frequency and requirements
    - Job rotation frequency and sequence
    - Sanctions for unauthorized actions
    - Contracting personnel requirements
    - Documentation supplied to personnel
9. TECHNICAL SECURITY CONTROLS [TSEC]
  9.1 KEY PAIR GENERATION AND INSTALLATION
    - Key pair generation
    - Private key delivery to entity ... 41
    - Public key delivery to certificate issuer
    - CA public key delivery to users
    - Key sizes
    - Public key parameters generation
    - Parameter quality checking
    - Hardware/software key generation
    - Key usage purposes
  9.2 PRIVATE KEY PROTECTION
    - Standards for cryptographic module
    - Private key (n out of m) multi-person control
    - Private key escrow
    - Private key backup
    - Private key archival
    - Private key entry into cryptographic module
    - Method of activating private key
    - Method of deactivating private key
    - Method of destroying private key
  9.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
    - Public key archival
    - Usage periods for the public and private keys
  9.4 ACTIVATION DATA
    - Activation data generation and installation
    - Activation data protection
    - Other aspects of activation data
  9.5 COMPUTER SECURITY CONTROLS
    - Specific computer security technical requirements
    - Computer security rating
  9.6 LIFE CYCLE TECHNICAL CONTROLS
    - System development controls
    - Security management controls
    - Life cycle security ratings
  9.7 NETWORK SECURITY CONTROLS
  9.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
10. CERTIFICATE AND CRL PROFILES [PROF]
  10.1 CERTIFICATE PROFILE
    - Version
    - Certificate extensions
    - Algorithm object identifiers
    - Name forms
    - Name constraints
    - Certificate policy Object Identifier
    - Usage of Policy Constraints extension
    - Policy qualifiers syntax and semantics
    - Processing semantics for the critical certificate policy extension
  10.2 CRL PROFILE
    - Version number(s)
    - CRL and CRL entry extensions
11. SPECIFICATION ADMINISTRATION [SPEC]
  11.1 SPECIFICATION CHANGE PROCEDURES
    - Items That Can Change Without Notification
    - Changes With Notification
  11.2 PUBLICATION AND NOTIFICATION POLICIES ... 52
  11.3 CPS APPROVAL PROCEDURES ... 52

LISTE DES FIGURES / LIST OF FIGURES

- Figure 1: TASCS architecture overview
- Figure 2: Method of activating private key ... 45
1. OBJET / OBJECT

In order to provide a digital signature system integrated with its document management systems, Thales Alenia Space has decided to deploy a Public Key Infrastructure. The deployment of any public key infrastructure requires the definition of a certificate policy and a certification practice statement. This document describes the principles of the Thales Alenia Space signature Certification Policy in order to set out the rights, duties, commitments and responsibilities of each member involved in the PKI. This document is based on the RFC 2527 document model.

2. DOMAINE D'APPLICATION / APPLICABILITY

All sites: Cannes, Kourou, Nanterre, Toulouse, Valence.

3. TERMINOLOGIE ET DOCUMENTATION / TERMINOLOGY AND DOCUMENTATION

3.1 DOCUMENTS APPLICABLES / APPLICABLE DOCUMENTS

| Id | Reference | Issue | Title |
|---|---|---|---|
| TI1 | REF-ASPI-TI-1-F | 2/- | DIRECTIVE RELATIVE AU PROCESSUS TRAITEMENT DE L'INFORMATION (Directive on the information processing process) |
| TI2 | REF-ASPI-TI-2-F | 2/- | LE PROCESSUS TRAITEMENT DE L'INFORMATION (The information processing process) |
| GEDSIG-SP | TIGED-ASP-SP-16 | 1/- | GEDSIG SPECIFICATIONS |
| GEDPKI-SP | GED-ASP-SP-979 | 1/- | GEDPKI SPECIFICATIONS |

3.2 DOCUMENTS DE REFERENCE / REFERENCE DOCUMENTS

| Id | Reference | Issue | Title |
|---|---|---|---|
| RFC1321 | RFC 1321 | | The MD5 Message-Digest Algorithm |
| RFC2459 | RFC 2459 | | Internet X.509 Public Key Infrastructure |
| RFC2527 | RFC 2527 | | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
| X501 | X.501 | | ITU-T Recommendation X.501: Information Technology - Open Systems Interconnection - The Directory: Models |
| X509 | X.509 | | ITU-T Recommendation X.509 (1997 E): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997 |
3.3 TERMINOLOGIE / TERMINOLOGY

- Activation Data: Private data, other than keys, that are required to access cryptographic modules.
- Authority Revocation List (ARL): A list of revoked sub-CA and CA certificates published by the current Thales Alenia Space Root CA.
- Certificate: A digital certificate is a signed data structure that binds one or more attributes of an entity with its corresponding public key. By being signed by a recognized and trusted authority (i.e. the Certification Authority), a digital certificate provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key). The certificate format is in accordance with ITU Recommendation X.509.
- Certificate Policies (CP) and Certification Practice Statements (CPS): Documents that define the rules, procedures and practices to be employed in the use, administration and management of certificates within a PKI environment. The CP contains the rules and obligations to be fulfilled. The CPS describes the concrete processes implemented to respect these rules.
- Certificate Revocation List (CRL): A list maintained by a Certification Authority of the certificates which it has issued that have been revoked before their natural expiry time.
- Certification Authority (CA): Certification Authorities are the people, processes and tools responsible for the creation, issue and management of public-key certificates used within a PKI.
- Certification Authorization: Authorization for a Subscriber to request a Thales Alenia Space Certificate.
- Certificate repository: A database or other storage component, accessible to all users of a PKI, within which public-key certificates, certificate revocation information and policy information can be held.
- Cross-Certificate: A certificate used to establish a trust relationship between two Certification Authorities. Each CA certifies the public key of the other CA and trusts the certificates that have been issued by the other CA as its own issued certificates.
- Data Integrity: Assurance that the data are unchanged from creation to reception.
- Department: A department is a subset of any organization identified by Thales Alenia Space HQ.
- Digital Signature: The result of a transformation of a message by means of a cryptographic system using keys, such that a person who has the initial message can determine:
  - whether the transformation was created using the key that corresponds to the signer's key, and
  - whether the message has been altered since the transformation was made.
- Employee: An employee is any person employed by a Thales Alenia Space unit.
- End-Entity: An Entity that uses the keys and Certificates created within the PKI for purposes other than the management of these keys and Certificates. An End-Entity may be a Subscriber or a Relying Party.
- Entity: Any autonomous element within the Public Key Infrastructure. This may be a CA, an RA or an End-Entity.
- FIPS: Federal Information Processing Standards.
- Issuing CA: In the context of a particular certificate, the issuing CA is the CA that signed and issued the certificate.
- ITSEC: Information Technology Security Evaluation Criteria.
- Key Pair: A Public Key and the corresponding Private Key.
- MD5: One of the message digest algorithms developed by RSA Data Security, Inc.
- Object Identifier (OID): The unique alphanumeric/numeric identifier registered according to the ISO registration standard to reference a specific object or object class. In the Thales Alenia Space PKI it is used to identify uniquely each of the 2 policies and the cryptographic algorithms supported.
- Organization: A Thales Alenia Space organization identified by Thales Alenia Space HQ.
- PIN: Personal Identity Number, a secret code that can be used as activation data.
- Policy: Certificate Policies and Certification Practice Statements are policy documents that define the procedures and practices to be applied in the use, the administration and the management of certificates within a PKI.
- Policy Authority (PA): A Thales Alenia Space body responsible for setting, implementing, and administering policy decisions regarding the CP and CPS throughout the Thales Alenia Space PKI.
- Private Key: The key kept secret by its owner. Associated with the corresponding Public Key within a Key Pair.
- Public Key: The key included in the Certificate and published. Matched with its Private Key to form a Key Pair.
- Public Key Infrastructure (PKI): A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and keys.
- PKI client software: Client-side software required to ensure that PKI entities are able to make full use of the key and digital certificate management services of a PKI (e.g. key creation, automatic key update and refreshment).
- PKI-enabled applications: Software applications which have been modified to enable their use within a PKI. Typically this involves modifying an application so that it becomes compatible with the use of digital certificates (e.g. to authenticate a remote user and to authenticate itself to a remote user).
- PKI System Operator: A person with the following roles:
  - configuration and maintenance of the CA system hardware and software,
  - configuration of CA security policies,
  - commencement and cessation of CA services.
- PKI Administrator: A person with the following roles:
  - management of the Subscriber initialization process,
  - creation, renewal or revocation of certificates,
  - distribution of tokens (where applicable).
- Registration Authority (RA): Registration Authorities are the people, the processes and the tools that are responsible for authenticating the identity of new entities (users or computing devices) requiring certificates from CAs. They act as agents of CAs (and can carry out some of the functions of a CA if required).
- Relying Party: An entity trusting the Certificates signed by the Thales Alenia Space Internal CA, for instance (but not limited to) to authenticate Digital Signatures, to check document integrity or to encrypt communications to the Certificate subject.
- Root CA: The self-signed CA signing the sub-CA (for instance the Internal or B to B CA) Certificates.
- Routine Rekey: Procedure used to generate a new key pair for an entity as the previous key pair is about to expire.
- SHA-1: One of the message digest algorithms.
- Sponsor: In the Thales Alenia Space PKI, a sponsor is a department or an employee's manager that has nominated a specific individual or organization to be issued with a certificate.
- Sub CA: A CA whose Certificate is signed by the Root CA Private Key.
- Subscriber: Individual or application to whom the CA has issued a signature certificate.
- Trusted CA: A CA recognized by the Thales Alenia Space Internal CA as issuing Certificates satisfying standards of quality and security.

3.4 ABREVIATIONS / ABBREVIATIONS

| Abbreviation | Meaning |
|---|---|
| ARL | Authority Revocation List |
| CA | Certification Authority |
| CMA | Certificate Manufacturing Authority |
| CPS | Certification Practice Statement |
| CRL | Certificate Revocation List |
| DMS | Document Management System |
| DN | Distinguished Name |
| DSA | Digital Signature Algorithm |
| I&A | Identification and Authentication |
| LDAP | Lightweight Directory Access Protocol |
| ISO | International Standards Organization |
| OID | Object Identifier |
| PKI | Public Key Infrastructure |
| PMA | Policy Management Authority |
| RA | Registration Authority |
| X.500 | The ITU-T (International Telecommunication Union-T) standard that establishes a distributed, hierarchical directory protocol organized by country, region, Organization, etc. |

3.5 CONVENTIONS

Paragraphs preceded by the symbol "F" give information on how to satisfy the requirement specified just above.

4. INTRODUCTION

4.1 OVERVIEW

This document contains the rules governing the use of Thales Alenia Space centralized signature certificates among the parties involved in the Public Key Infrastructure described by this policy, namely the PKI service provider and the end entities.

The PKI Service Provider consists of: the Policy Management Authority, the Issuing Certification Authorities, the Registration Authorities and the Repositories.

The End Entities consist of: the Certificate Holders and the Authorized Relying Parties.

This document describes the roles, responsibilities, and relationships of the PKI Service Providers and End Entities (collectively "Participants"), and the rules and requirements for the issuance, acquisition, management, and use of TASCS Certificates to verify Digital Signatures. This document also describes the practices TASCS follows in issuing and managing certificates, and informs potential users of TASCS certificates about what they need to know prior to relying on TASCS-issued certificates.

4.2 NEEDS AND CONSTRAINTS OVERVIEW

Thales Alenia Space provides to all its employees a service allowing them to digitally sign electronic documents very easily. This signature service, called the Thales Alenia Space Centralized Signature (TASCS) service, shall be integrated with Thales Alenia Space business tools, such as its document management system.
This signature service must be very simple to deploy, maintain, administer and use, taking into account the large number of employees. TASCS must be implemented with the international standards representing the state of the art.

4.3 TASCS PRINCIPLES ET ARCHITECTURE OVERVIEW

Digital signature relies on X.509 certificates delivered by a PKI. Because the classical certificate enrollment process may be tedious for this purpose and does not satisfy Thales Alenia Space requirements, the TASCS service relies on a PKI called the TASCS PKI, which automatically issues and centralizes certificates for all Thales Alenia Space users according to the TAS common directory (SIPRO).

[Figure 1: TASCS architecture overview. Components shown: Thales Alenia Space SIPRO users, SIPRO, Thales Alenia Space Centralized Signature CA, Thales Alenia Space Centralized Signature Service, Secure Certificate Store, Thales Alenia Space DMS users, DMS.]

When signing, users do not have to request a certificate, nor have a specific signature tool. The TASCS service relies on a dedicated PKI, named the TASCS (Thales Alenia Space Centralized Signature) PKI, which automatically creates and renews certificates and keys for all Thales Alenia Space internal users. When creating certificates, the TASCS CA gets information on users (name, address, status, ...) from the TAS common directory (SIPRO). SIPRO is updated by the human resources team. It is assumed to contain the most up-to-date and reliable information.
The TASCS CA stores users' certificates and keys in a secure certificate store. This store is only accessed by the TASCS service, which uses the keys only when signing a document, after authenticating the user for each signature apposition.

4.4 IDENTIFICATION

An Object IDentifier (OID) will be included upon identification by the Policy Authority.

4.5 COMMUNITY AND APPLICABILITY

This certificate policy satisfies the general public key certificate needs and constraints of Thales Alenia Space for digital signature.

Certification authorities

A CA operating under this policy is responsible for:
- creating and signing certificates binding Subscribers with their digital signature keys,
- promulgating certificate status through CRLs,
- ensuring adherence with this certificate policy.

A CA ensures that there is at least one Certificate and CRL repository associated with this policy.

Registration authorities

As certificates are automatically created for users (cf. 4.3), there is no RA. This section is not applicable.

End entities

Subscriber certificates within the TASCS PKI are issued to Thales Alenia Space users referenced and activated in the Thales Alenia Space common directory (SIPRO). The TASCS service is available from the Thales Alenia Space site.

Applicability

This CPS applies to all TASCS PKI participants, including Thales Alenia Space users, customers, resellers and relying parties involved in the document signature process.
TASCS certificates are only used for digital signature. Applications using these certificates are:
- the TASCS service, for signature apposition,
- signature verification tools.

4.6 CONTACT DETAILS

Specification administration organization

The Thales Alenia Space Corporate Information System Security Officer (ISSO) is responsible for this document and for applying this CP and CPS.

Contact person

The contact person for this policy is the Thales Alenia Space ISSO.

Person determining CPS suitability for the policy

The Thales Alenia Space ISSO is responsible for determining CPS suitability for this policy.

5. GENERAL PROVISIONS [PROV]

5.1 OBLIGATIONS

CA obligations

Reference PKI-SP0007-PROV-001: A CA will operate in accordance with its Certification Practice Statement (CPS), with this Certificate Policy (CP), and with Thales Alenia Space standards when issuing and managing the keys.

Reference PKI-SP0007-PROV-002: The CA will ensure that any RA operating on its behalf complies with the relevant provisions of this CP concerning the operation of an RA.

Reference PKI-SP0007-PROV-003: A CA shall take all reasonable measures to ensure that Subscribers are aware of their respective rights and obligations regarding the operation and management of any keys, certificates, or End-Entity hardware and software used in connection with the PKI.

Reference PKI-SP0007-PROV-004: A CA must:
- publish this document,
- have in place mechanisms and procedures to ensure subscribers are aware of and agree to abide by the stipulations in this document,
- ensure that its certification services are in accordance with this document.

Notification of revocation of certificates

Reference PKI-SP0007-PROV-005: A CA must make CRLs available to a Subscriber or Relying Party in accordance with Section

Accuracy of representations

Reference PKI-SP0007-PROV-006: A CA will provide to each Subscriber notice of the Subscriber's rights and obligations under this Certificate Policy. Such notice will include a description of the permitted uses of certificates issued under this CP, the Subscriber's obligations concerning key protection, and procedures for communication between the Subscriber and the RA, including communication of changes in service delivery or changes to this policy. Such notice will also indicate procedures to address suspected key compromise, certificate or key renewal, service cancellation, and resolution of disputes.

F At certificate generation time, the CA takes information from the TAS common directory (SIPRO), which contains the most reliable information on Subscribers (first name, last name, address, status). SIPRO is updated every day with information coming from the Human Resources management tool. The CA checks every day the validity of the Subscriber information: it compares the information from the TAS common directory with the generated certificates. The information checked is the subscriber information held in the certificate subject (cf. 10.1). If there is a difference, the CA automatically renews the certificate for this user.

Reference PKI-SP0007-PROV-007: A CA will ensure that any notice includes a description of a Relying Party's obligations with respect to the use, verification, and validation of certificates.

Time between request for a certificate and the issue thereof

Not applicable.
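The daily directory-versus-certificate consistency check described in the F paragraph above, written out as an added example (not TASCS code): it parses each issued certificate's subject DN, compares the attributes for which SIPRO is authoritative, and reports which users need an automatic renewal. The directory record layout, the mapping of SIPRO fields to subject attribute types (GN, SN, STREET, title) and the sample data are constructed assumptions.

```python
"""Daily check: TAS common directory (SIPRO) versus issued certificate subjects.

Added example, not TASCS code. Record layout, attribute mapping and sample
data are constructed assumptions; only the rule "renew on any difference in
the subject attributes" comes from the CP/CPS.
"""
from dataclasses import dataclass

# ASSUMED mapping of directory fields to X.509 subject attribute types.
FIELD_TO_ATTR = {"first_name": "GN", "last_name": "SN",
                 "address": "STREET", "status": "TITLE"}


@dataclass(frozen=True)
class DirectoryEntry:
    """One SIPRO record (constructed layout)."""
    uid: str
    first_name: str
    last_name: str
    address: str
    status: str


def parse_dn(dn: str) -> dict:
    """Parse an RFC 2253 style string DN ('CN=x,SN=y,...') into {TYPE: value}.

    Handles backslash-escaped characters (e.g. '\\,' inside a street address).
    Attribute types are case-insensitive, so they are upper-cased as keys.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                             # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        attrs[typ.strip().upper()] = val.strip()
    return attrs


def expected_subject(entry: DirectoryEntry) -> dict:
    """Subject attributes the certificate must carry according to the directory."""
    return {attr: getattr(entry, field) for field, attr in FIELD_TO_ATTR.items()}


def subject_mismatches(entry: DirectoryEntry, subject_dn: str) -> dict:
    """Return {ATTR: (directory_value, certificate_value)} for every differing attribute."""
    actual = parse_dn(subject_dn)
    return {attr: (want, actual.get(attr))
            for attr, want in expected_subject(entry).items()
            if actual.get(attr) != want}


def daily_check(directory: dict, issued: dict):
    """directory: {uid: DirectoryEntry}; issued: {uid: subject DN of current cert}.

    Returns (to_renew, unchanged): to_renew maps uid -> mismatches; a user
    with no certificate at all is also listed, since the CA creates one
    automatically (cf. 4.3).
    """
    to_renew, unchanged = {}, []
    for uid, entry in directory.items():
        dn = issued.get(uid)
        if dn is None:
            to_renew[uid] = {"*": ("no certificate issued", None)}
        elif diffs := subject_mismatches(entry, dn):
            to_renew[uid] = diffs
        else:
            unchanged.append(uid)
    return to_renew, unchanged


# Constructed sample data: u001 unchanged, u002 changed status, u003 new hire.
SAMPLE_DIRECTORY = {
    "u001": DirectoryEntry("u001", "Alice", "Martin", "5 allée des Gabians, Cannes", "Engineer"),
    "u002": DirectoryEntry("u002", "Bob", "Durand", "26 av. Champollion, Toulouse", "Team Leader"),
    "u003": DirectoryEntry("u003", "Chloé", "Petit", "Kourou", "Engineer"),
}
SAMPLE_ISSUED = {
    "u001": "CN=Alice Martin,GN=Alice,SN=Martin,STREET=5 allée des Gabians\\, Cannes,title=Engineer,O=Thales Alenia Space",
    "u002": "CN=Bob Durand,GN=Bob,SN=Durand,STREET=26 av. Champollion\\, Toulouse,title=Engineer,O=Thales Alenia Space",
}

if __name__ == "__main__":
    renew, ok = daily_check(SAMPLE_DIRECTORY, SAMPLE_ISSUED)
    print("unchanged:", ok)
    for uid, diffs in renew.items():
        print(f"renew {uid}: {diffs}")
```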
Revocation and renewal of certificates

Reference PKI-SP0007-PROV-008: A CA will ensure that procedures concerning the expiry, revocation, or re-issue of a certificate are compliant with the relevant provisions of this CP and are expressly stated in its CPS, the Subscriber Agreement, or any other applicable document outlining the terms and conditions of certificate use.

Reference PKI-SP0007-PROV-009: A CA will also ensure that notice of revocation of a certificate is posted to the CRL within the time limits stated in and The address of the CRL must be defined in the certificate.

Protection of private keys

Reference PKI-SP0007-PROV-010: A CA will ensure that its private keys and its activation data are protected in accordance with Sections 4 and 9.

Reference PKI-SP0007-PROV-011: A CA will ensure that the private keys that it holds or stores, and the activation data, are protected in accordance with Sections 7 and 9.

Reference PKI-SP0007-PROV-012: A CA will ensure that any confidentiality private keys of a Subscriber that have been backed up or archived are protected in accordance with Section

Restrictions on the use of an issuing CA's private key

Reference PKI-SP0007-PROV-013: A CA will ensure that its certificate signing private key is used only to sign certificates and CRLs. A CA may issue certificates to Subscribers. A CA may also recognize other CAs when expressly authorized by the Thales PA.

RA obligations

Not applicable.
Subscriber obligations

Reference PKI-SP0007-PROV-014: The Subscriber is obliged to enter into an agreement or abide by an acceptable use policy which outlines the terms and conditions of use of the certificates and keys, including permitted applications and purposes. This agreement may be read during the signature process.

Accuracy of representations

Not applicable.

Protection of subscriber private key and key token

Not applicable.

Restrictions on use of private keys by subscribers

Reference PKI-SP0007-PROV-015: The Subscriber will use the keys and certificates only for the purposes authorized by this policy.

F This requirement is satisfied insofar as only the TASCS service accesses subscriber private keys.

Notification if private keys are compromised

Reference PKI-SP0007-PROV-016: If a Subscriber suspects that a private key has been compromised, he or she must immediately notify the CA in the manner

Relying party obligations

The rights and the obligations of a Relying Party who is a member of this PKI are covered by this policy.

Use of certificates for appropriate purpose

Reference PKI-SP0007-PROV-017: Before using a Subscriber's certificate, a Relying Party must ensure that it is appropriate for the intended use.