1.1.1 Additional requirements for Trusted Root Issuer CAs Appropriate Certificate Usage Prohibited Certificate Usage...

Transcription

1

2 1.1.1 Additional requirements for Trusted Root Issuer CAs Certification Authorities ( Issuer CAs ) Registration Authorities Subscribers Relying Parties Other Participants Appropriate Certificate Usage Prohibited Certificate Usage Organization Administering the Document Contact Person Person Determining CP Suitability for the Policy CP Approval Procedures Types of Names Need for Names to be Meaningful Anonymity or Pseudonymity of Subscribers Rules for Interpreting Various Name Forms Uniqueness of Names Recognition, Authentication, and Role of Trademarks Method to Prove Possession of Private Key Authentication of Organization Identity Authentication of Individual identity Non Verified Subscriber Information Validation of Authority Criteria for Interoperation Authentication of Domain Name Identification and Authentication for Routine Re-key Identification and Authentication for Reissuance after Revocation Re-verification and Revalidation of Identity When Certificate Information Changes Identification and Authentication for Re-key After Revocation Who Can Submit a Certificate Application Enrollment Process and Responsibilities... 27

3 4.2.1 Performing Identification and Authentication Functions Approval or Rejection of Certificate Applications Time to Process Certificate Applications CA Actions during Certificate Issuance Notifications to Subscriber by the CA of Issuance of Certificate Conduct Constituting Certificate Acceptance Publication of the Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Subscriber Private Key and Certificate Usage Relying Party Public Key and Certificate Usage Circumstances for Certificate Renewal Who May Request Renewal Processing Certificate Renewal Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of a Renewal Certificate Publication of the Renewal Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Circumstances for Certificate Re-Key Who May Request Certification of a New Public Key Processing Certificate Re-Keying Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of a Re-Keyed Certificate Publication of the Re-Keyed Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Circumstances for Certificate Modification Who May Request Certificate Modification Processing Certificate Modification Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of Modified Certificate Publication of the Modified Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Circumstances for Revocation Who Can Request Revocation Procedure for Revocation Request Revocation Request Grace Period Time Within Which CA Must Process the Revocation Request Revocation Checking Requirements for Relying Parties CRL Issuance Frequency Maximum Latency for CRLs On-Line Revocation/Status Checking Availability On-Line Revocation Checking Requirements Other Forms of Revocation Advertisements Available Special Requirements Related to Key Compromise Circumstances for Suspension Who Can Request Suspension Procedure for Suspension Request Limits on Suspension Period Operational Characteristics Service Availability Operational Features End of Subscription... 33

4 Key Escrow and Recovery Policy and Practices Session Key Encapsulation and Recovery Policy and Practices Site Location and Construction Physical Access Power and Air Conditioning Water Exposures Fire Prevention and Protection Media Storage Waste Disposal Off-Site Backup Trusted Roles Number of Persons Required per Task Identification and Authentication for Each Role Roles Requiring Separation of Duties Qualifications, Experience, and Clearance Requirements Background Check Procedures Training Requirements Retraining Frequency and Requirements Job Rotation Frequency and Sequence Sanctions for Unauthorized Actions Independent Contractor Requirements Documentation Supplied to Personnel Types of Events Recorded Frequency of Processing Log Retention Period for Audit Log Protection of Audit Log Audit Log Backup Procedures Audit Collection System (Internal vs. External) Notification to Event-Causing Subject Vulnerability Assessments Types of Records Archived Retention Period for Archive Protection of Archive Archive Backup Procedures Requirements for Time-Stamping of Records Archive Collection System (Internal or External) Procedures to Obtain and Verify Archive Information Incident and Compromise Handling Procedures Computing Resources, Software, and/or Data Are Corrupted Entity Private Key Compromise Procedures Business Continuity Capabilities After a Disaster Key Pair Generation Private Key Delivery to Subscriber Public Key Delivery to Certificate Issuer CA Public Key Delivery to Relying Parties Key Sizes... 40

5 6.1.6 Public Key Parameters Generation and Quality Checking Key Usage Purposes (as per X.509 v3 Key Usage Field) Cryptographic Module Standards and Controls Private Key (n out of m) Multi-Person Control Private Key Escrow Private Key Backup Private Key Archival Private Key Transfer Into or From a Cryptographic Module Private Key Storage on Cryptographic Module Method of Activating Private Key Method of Deactivating Private Key Method of Destroying Private Key Cryptographic Module Rating Public Key Archival Certificate Operational Periods and Key Pair Usage Periods Activation Data Generation and Installation Activation Data Protection Other Aspects of Activation Data Specific Computer Security Technical Requirements Computer Security Rating System Development Controls Security Management Controls Lifecycle Security Controls Version Number(s) Certificate Extensions Algorithm Object Identifiers Name Forms Name Constraints Certificate Policy Object Identifier Usage of Policy Constraints Extension Policy Qualifiers Syntax and Semantics Processing Semantics for the Critical Certificate Policies Extension Version Number(s) CRL and CRL Entry Extensions Version Number(s) OCSP Extensions Certificate Issuance or Renewal Fees... 45

6 9.1.2 Certificate Access Fees Revocation or Status Information Access Fees Fees for Other Services Refund Policy Insurance Coverage Other Assets Insurance or Warranty Coverage for End Entities Scope of Confidential Information Information Not Within the Scope of Confidential Information Responsibility to Protect Confidential Information Privacy Plan Information Treated as Private Information Not Deemed Private Responsibility to Protect Private Information Notice and Consent to Use Private Information Disclosure Pursuant to Judicial or Administrative Process Other Information Disclosure Circumstances CA Representations and Warranties RA Representations and Warranties Subscriber Representations and Warranties Relying Party Representations and Warranties Exclusion of Certain Elements of Damages Indemnification by an Issuer CA Indemnification by Subscribers Indemnification by Relying Parties Term Termination Effect of Termination and Survival Procedure for Amendment Notification Mechanism and Period Circumstances Under Which OID Must be Changed Compelled Attacks Entire Agreement Assignment Severability Enforcement (Attorney s Fees and Waiver of Rights) CA Chaining Agreement PKI Infrastructure review Subscriber CA implementation Ongoing requirements and audits... 53

7 GlobalSign and the GlobalSign Logo are registered trademarks of GMO GlobalSign K.K.

8 Policy Administration Alternative languages versions may be available to aid Relying Parties and Subscribers in their understanding of this CP, however, in the event of any inconsistency, the English version shall control). "named set of rules that indicates the applicability of a Digital Certificate to a particular community and/or class of application with common security requirements" (RFC 3647 obsoletes RFC 2527). No stipulation Acknowledgements (Previously known as Root Sign) what is to be adhered to how the Certification Authority adheres to the Certificate Policy (i.e. the entity which provides the Subscriber its Certificate) Issuing CA

9 Trusted Root Trusted Root TPM Collectively Root R1 to R6 and the TPM/TPM ECC Roots are referred to as the GlobalSign CA Root Certificates

10 Policy Administration.

11 Issuing Authority or Issuer CA

12 Subscriber Applicant

13 o o o o o o

14 o

15 Domain Names

16

17

18

19

20

21

22 Profile.

23 Profile.

24 Registration of Identity Proofing Requirements

25

26

27

28

29

30

31

32

33

34

35 expert knowledge, experience and qualifications

36

37

38 (threat evolution, vulnerability evolution, etc.). (for example, revocation and Certificate status information).

39 o o

40

41 2048 bit keys Generated prior to 2003 using RSA may be used for 25 years due to limited usage due to key size restrictions within hardware, root stores and operating systems.

42

43

44

45

46

47

48

49 o o o o o o

50

51

52

53