Certificate Policy for VoIP

Transcription

1 Certificate Policy for VoIP October 2002 Stephan Grill

2 Current Situation VoIP Project Security in Telecommunication Two different types of certificates are in use VoIP end-user certificate (trust mark netcustomer) Gatekeeper certificate Content of the Certificate X.509 V3 Certificates contains no VoIP-specific information Name (mandatory) address (optionally) Certificates are SW-based

3 Terminology Certificate Policy (CP) A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. based on ETSI TS Certification Practice Statement (CPS) A statement of the practices which a certification authority employs in issuing certificates. More detailed than CP Based on RFC

4 mark netcustomer Certificate Policy - Overview Objective facilitates that the ITSP is the sole contact to the customer very user-friendly (not much interaction with the VoIP user) medium security level based on A-Trust trust mark certificate policy does not support secure signatures according to the EU directive/austrian Signature Law focuses on the requirements of the Austrian Signature Law facilitates that the ITSP will act as a registration authority of the TSP

5 mark netcustomer Certificate Policy - Content 1. Introduction 2. Obligations and Liabilities 1. of A-Trust verifies the content of the certificate according to the policy of the ITSP 2. of the Certificate Holder 3. of the Certificate Verifier 3. Requirements for the Provision of Certification Services 1. Certification Practice Statement 2. Administration of the Keys for the Provision of Certification Services 3. Lifecycle of the Certificate 4. A-Trust Administration 5. Organizational Provisions 4. Annex

6 mark netcustomer Certificate Policy - Content 3. Requirements for the Provision of Certification Services 1. Certification Practice Statement 2. Administration of the Keys for the Provision of Certification Services (A-Trust Keys) 1. Generation 2. Storage 3. Distribution of Public Keys 4. Disclosure of Keys 5. Purpose 6. End of Validity Period 7. Administration and Life Cycle of the HSM 8. Generation of Keys for Certificate Holders 9. Security of the trust mark Keys 3. Lifecycle of the Certificate 4. A-Trust Administration 5. Organizational Provisions

7 mark netcustomer Certificate Policy - Content 3. Requirements for the Provision of Certification Services 1. Certification Practice Statement 2. Administration of the Keys for the Provision of Certification Services (A- Trust Keys) 3. Lifecycle of the Certificate 1. Registration of the Certificate Holder Verification of registration information according to the policy of the ITSP Key pair generation by RA 2. Extension of the Validity Period of the Certificate and Reissuance The validity period will not be extended 3. Generation of the Certificate Content/Format of the Certificate 4. Publication of the Terms of Contract 5. Publication of the Certificate 6. Revocation A certificate can be revoked by the ITSP if the subscription to the net service is canceled by the certificate holder 4. A-Trust Administration 5. Organizational Provisions

8 mark netcustomer Certificate Policy - Content 3. Requirements for the Provision of Certification Services 1. Certification Practice Statement 2. Administration of the Keys for the Provision of Certification Services (A- Trust Keys) 3. Lifecycle of the Certificate 4. A-Trust Administration 1. Security Management 2. Classification and Administration of Information 3. Personnel Security Measures 4. Physical and Organizational Security Measures 5. Operations Management 6. Access Administration 7. Development and Maintenance of Trustworthy Systems 8. Maintenance of an Undisturbed Operation and Handling of Incidents 9. Cessation of Activities 10. Compliance with Legal Regulations 11. Storage of Information for trust mark netcustomer Certificates 5. Organizational Provisions

9 mark netcustomer Certificate Policy Recommended changes 2.4 Haftung address vs. VoIP address Security of trust mark keys PIN required when VoIP client SW is started Requirements on the VoIP SW? 3.3 Certificate Life Cycle Registration Process Description of the registration process Which information ought to be verified by the RA? Certificate Renewal Billing is done by ITSP Certificate Which information ought to go into the certificate? Suspension and Revocation The VoIP provider is allowed to perform a revocation

10 mark vsc Certification Practice Statement Certification Practice Statement (based on RFC 2527) Recommended changes 3 Identifizierung und Authentisierung 6 Technische Sicherheitsvorkehrungen 7 Profile von Zertifikaten und Widerrufslisten (CRL)