Neutralus Certification Practices Statement

Transcription

1 Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX INTRODUCTION Overview Policy Identification Community & Applicability Contact Details References Definitions GENERAL PROVISIONS Obligations CA Obligations RA Obligations Subscriber Obligations Relying Party Obligations Liabilities Financial Responsibility Interpretation and Enforcement Fees Certificate Issuance or Renewal Fees Certificate Access Fees Revocation Information Access Fee Publication and Repository Publication of CA Information Frequency of Publication Access Controls Compliance Audit Security Audit Financial Audit IDENTIFICATION AND AUTHENTICATION Initial Registration Identity Tasks...8 Address Confirmation Certificate Renewal Revocation Request Refusal to Issue a Certificate OPERATIONAL REQUIREMENTS Certificate Application Certificate Issuance...10

2 4.3 Certificate Acceptance Certificate Revocation Circumstances for Revocation Who Can Request Revocation Procedure for Revocation Request Revocation Request Grace Period CRL Issuance Frequency On-line Revocation Checking Requirements Records Archival Types of Records Archived Retention Period for Archive Protection of Archive Archive Backup Procedures Key Change-over Compromise and Disaster Recovery Disaster Recovery Plan CA Termination PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS Physical Controls Procedural Controls Personnel Controls TECHNICAL SECURITY CONTROLS Key Pair Generation and Installation Private Key Protection Other Aspects of Key Pair Management Computer Security Controls Network Security Controls CERTIFICATE AND CRL PROFILES Certificate Profiles CRL Profile SPECIFICATION ADMINISTRATION Specification Change Procedures Specification Status...13

3 1.0 INTRODUCTION This document outlines the basis on which Neutralus, a division of ABILTY Network, Inc (ABILITY), issues standard certificates to users of the Neutralus Certification Authority (CA). 1.1 OVERVIEW Public Key Certificates (certificates) are issued under application-specific or customer-specific policies. A policy is a set of rules that indicates the applicability of a certificate to a particular community with common security and auditing requirements. The policy may be used to help decide whether the certificate is sufficiently trustworthy for a particular application. A user can evaluate the identity verification performed on the owner of a certificate to reassure himself or herself that the owner is the person named in the certificate. The Neutralus Certificate Authority is a root CA. It creates certificates from certificate requests approved by designated Neutralus Registration Authorities (RAs). A Neutralus RA signs all user requests for certificates and is a subordinate to the Root CA. Both the CA & RA use public key encryption in managing certificates. Public key encryption is a method for encrypting information in such a way that the Public Key used to encrypt the information is different from the Private Key used to decrypt the information. The matching Public and Private Keys are referred to as a key pair and both keys are required. 1.2 POLICY IDENTIFICATION This Certificate Practice Statement (CPS) is administered by Neutralus and is maintained at the Neutralus Certificate Management web site ( 1.3 COMMUNITY & APPLICABILITY This CPS assists subscribers of Neutralus and relying parties using Neutralus certificates as part of a process of secure communications. This CPS does not apply to certificates issued by any CA other than Neutralus. Typically, certificate subscribers and users need to assure themselves that the identity of their communication partners has been adequately verified. Refer to Section 3 for details on the verification process used for certificates issued under this CPS. 1.4 CONTACT DETAILS This CPS is administered by: ABILTY Network, Inc. Neutralus Division th Street North, Suite 900A Minneapolis, MN REFERENCES [ABA]: Digital Signature Guidelines, Information Security Committee, Electronic and Information Technology Division, Section of Science and Technology, American Bar Association, August 1, [PKIX4]: S. Chokhani, W. Ford, Internet X.509 Public Infrastructure Certificate Policy and Certificate Practices Framework.

4 1.6 DEFINITIONS In this CPS, definitions from ABA documentation on digital signatures are used or have been tailored to Neutralus usage. Authentication Private Key: a Private Key used by the Subscriber to digitally sign a message. CA: a Certification Authority. Certificate: a data structure that (1) identifies the Certification Authority issuing it; (2) names or otherwise identifies its Subscriber; (3) contains a Public Key that corresponds to a Private Key under the control of the Subscriber; (4) identifies its period of validity; and (5) contains a certificate serial number and is digitally signed by the CA issuing it. Certification Authority (CA): a Certification Authority is the entity that Authorizes and issues a certificate. The CA performs the following functions: (1) identifies and authenticates the intended Subscriber to be named in the certificate; (2) verifies that the Subscriber possesses the Private Key that corresponds to the Public Key that will be listed in the certificate and (3) creates and digitally signs the certificate. For this CPS, Neutralus is the body responsible for generating and certifying the Public Key certificates. Certificate Users: third parties that receive or rely on cryptographic keys to authenticate themselves, or another Certificate User, and/or to protect confidential information. Certification Request: an electronic document containing the details of the certificates that are to be created by the CA, completed and digitally signed by the Registration Agent (RA), and sent by the RA to the CA. Certificate Revocation List (CRL): a time-stamped list of revoked certificates that have been digitally signed by the Certification Authority. Certificate Practice Statement (CPS): a certificate practice statement is a statement of practices that a Certification Authority employs in issuing and revoking certificates, and that provides access to same. Confidentiality Private Key: a Private Key used by the Subscriber in the process of ciphering the contents of a message. Confirm: to ascertain through appropriate inquiry and investigation. CPS: Certificate Practice Statement. CRL: Certificate Revocation List. Emergency Key Recovery: a method for retrieving private confidentiality keys from the archive in an emergency. Key Pair: in an asymmetric cryptosystem, a Private Key and its mathematically related Public Key, having the property that the Public Key can verify a digital signature that the Private Key creates. The Public Key is distributed within a certificate issued by the CA. PIN: the Personal Identification Number self-selected and used by the Subscriber to import the Private Key into its own software package.

5 Policy: a definition of those terms and procedures, issued by the RA and the CA relating to a Private Key, Public Key, password and Public Key certificate issued to a user. The parties may vary the policy by mutual agreement from time to time. Private Key: part of a Subscriber s Key Pair that is held by the Subscriber, protected by a password, and not made available to anyone else. Public Key: part of a Subscriber s Key Pair, which is contained in the Subscriber s Public Key certificate, and is distributed to other users. Public Key Certificate: an electronic document generated by the CA, which is signed with the CA s Private Key, and which contains a Subscriber s Public Key and details of its ownership. RA: Registration Authority. Registration Authority: the component of Neutralus Directory CA that provides the user interface and business logic for issuing and administering user certificates. RAs are subordinate to the root and subordinate CAs, and there can be any number of RAs in a Neutralus Directory CA solution. Relying Party: a person who has received a certificate and a digital signature verifiable with reference to a Public Key listed in the certificate, and who is in a position to rely on them. Repository: a trustworthy system for storing and retrieving certificates or other information relevant to certificates. Revoke a Certificate: to permanently end the operational period of a certificate from a specified time. Root CA: the top most Certification Authority in a trust hierarchy. Root CA certificates are self-signed and can only be checked for authenticity against authorized published external sources. Subscriber: a person who (1) is the person named or identified in a certificate issued to such person and (2) holds a Private Key that corresponds to a Public Key listed in that certificate. A Subscriber is the person being issued Private Keys and/or certificates under the terms of this CPS. Subscriber Organization: is the organization that the Subscriber works for. Trustworthy System: computer hardware, software, and procedures that (1) are reasonably secure from intrusion and misuse; (2) provide a reasonably reliable level of availability, reliability, and correct operation; (3) are reasonably suited in performing their intended functions; and (4) adhere to generally accepted security principles. Valid Certificate: a certificate that (1) a Certification Authority has issued; (2) has been accepted by the listed Subscriber; (3) has not expired; and (4) has not been revoked. A certificate is not valid until it is issued by a Certification Authority and has been accepted by the Subscriber. 2.0 GENERAL PROVISIONS 2.1 OBLIGATIONS Neutralus is responsible for all aspects of the issuance and management of a Neutralus certificate, including control over the actual certificate manufacturing process, publication of the certificate, revocation of the certificate (if reasonably necessary), and for ensuring that all aspects of the services, operations, and infrastructure related to Neutralus certificates are performed in accordance with the policies and procedures outlined in this document.

6 2.1.1 CA Obligations By issuing a certificate to a Subscriber, Neutralus certifies to the Subscriber, and to all qualified relying parties who depend on the information contained in the certificate during its period of validity and in accordance with this CPS, that: Neutralus shall issue and revoke certificates in accordance with this CPS when required. Neutralus shall only create certificates for individuals and servers if their certificate application has been submitted by a Neutralus-certified RA. There shall be no known misrepresentations of fact in the certificate known to Neutralus and Neutralus shall take reasonable steps to confirm the accuracy of the information in the certificate. Neutralus shall accurately transcribe information provided by the Subscriber in the certificate application to the certificate. The Subscriber s Public and Private Key constitute a functional Key Pair. The Subscriber holds the Private Key that corresponds to the Public Key listed in his/her certificate. Neutralus shall promptly publish the Subscriber s certificate in Neutralus repository. Neutralus has a trustworthy system to generate, issue, and publish the certificate RA Obligations The RA shall be responsible for performing the following functions: Processing certificate requests and issuing certificates to Subscribers. Requesting certificates to the CA for a Subscriber that has been verified in accordance with Section 3 of this CPS. Ensuring that the Private Keys and PINs (if used) are not obtained by third parties prior to being accepted by the Subscriber. Complying with this CPS, and ensuring that the subscribers to whom the RA issues certificates also comply with this CPS. Issuing a new certificate to a Subscriber who suspects their keys may have become compromised, after checking the Subscriber s identity, and requesting of the CA a revocation of the Subscriber certificate in question. Issuing a copy of the CPS and CP to each Subscriber if requested Subscriber Obligations The Subscriber shall: Provide accurate information to the RA during the certificate application process. Immediately notify the RA of any changes in the information supplied in the application request. Acknowledge, by accepting the certificate, that all information provided during the certificate application process and included on the certificate is true. Use the certificate for purposes authorized by, and consistent with, the CP. Ensure that the Key Pair is not used in any transaction that is a violation of applicable law. Immediately request that their certificate be revoked under any instance in which a Key Pair is compromised, lost, or suspected to be lost.

7 Indemnify Neutralus for any loss to any person arising from failure to protect his/her Private Key and from the use of his/her Private Key by another person Relying Party Obligations A Relying Party has the right to rely on any certificate for digital signatures during the period of validity of the certificate if: The purpose for which the certificate was used was appropriate under the terms specified in the certificate under this CPS and CP. 2.2 LIABILITIES The Neutralus liability and warranty statements are contained in the CP. 2.3 FINANCIAL RESPONSIBILITY The Neutralus liability statement is contained in the CP. 2.4 INTERPRETATION AND ENFORCEMENT This CPS was prepared in accordance with the CP. 2.5 FEES Neutralus offers two classes of certificates: Personal Certificates and Server Certificates. All certificate classes are based upon the X.509v3 model recommended by the International Telecommunications Union (ITU). Personal Certificates will be used to authenticate certain information relating to the individual applicant. Server Certificates are used to authenticate servers to each other and/or to Internet certificate holders. Examples of their usage are authentication, access to a server or other facilities, and user authentication. The following paragraphs identify the current fees charged by Neutralus. Fees are subject to change over time at Neutralus sole discretion Certificate Issuance or Renewal Fees Current fees are contained in individual contracts between Neutralus and the Subscriber organization Certificate Access Fees No access fees are charged at this time Revocation Information Access Fee No access fees are charged at this time. 2.6 PUBLICATION AND REPOSITORY Publication of the Neutralus repository will occur only when required to satisfy trading partner requirements. Modifications or additions to the Neutralus CA information will be published as repository changes. Any changes to the Neutralus certificates issued are immediately reflected in the repository.

8 2.6.1 Publication of CA Information Neutralus shall publish the following information in its repository: All certificates that are issued. Certificate revocation information for all certificates that are issued. This CPS. Other relevant information relating to Neutralus certificates Frequency of Publication All information to be published in the Neutralus repository shall be published promptly after such information is available. Certificates will be published promptly upon acceptance of requests by the applicant. Information relating to the revocation of a certificate can be found in Section Access Controls The repository will be available to Subscribers, Relying Parties, and CAs who are cross-certified with Neutralus upon request. Read-only access shall be granted to this CPS and the Public Key of our CA. 2.7 COMPLIANCE AUDIT Security Audit Upon subscriber request, and at subscriber expense, Neutralus will submit to a security compliance audit by an independent, nationally recognized security audit organization that is qualified to perform a security audit on a CA and that has demonstrated significant experience on both general computer security and Public Key cryptographic technology. The purpose of this audit would be to demonstrate compliance with this CPS and to demonstrate the quality of the Neutralus system and services Financial Audit Initially and once-a-year thereafter, Neutralus will submit to a financial audit in accordance with Generally Accepted Accounting Practices (GAAP) by an independent accounting firm that is qualified to perform a financial audit. 3.0 IDENTIFICATION AND AUTHENTICATION 3.1 INITIAL REGISTRATION To obtain a Server Certificate or Personal Certificate, a Neutralus-authorized RA requires a completed sales order.

9 3.1.1 Tasks Prior to the issuance of a Server Certificate or Personal Certificate to a new customer, the RA performs specific tasks. The type of certificate requested determines the tasks performed. The following table summarizes the process for each certificate type: Verification Process Personal Certificate Server Certificate 1 Address Confirmation Yes Yes 2 Domain Name Confirmation No Yes Address Confirmation Personal Certificates are delivered via in an encrypted state to the address identified by the customer during the sales process. Server Certificates are issued after exchange with the customer using the address identified by the customer during the sales process. Domain Name Confirmation Server Certificates include the domain name of the subject organization and are installed by ABILITY staff on server identified by that domain name. 3.2 CERTIFICATE RENEWAL All certificates issued under this policy expire after the time period specified in the certificate, and this time will vary on a contractual basis. When the certificate expires, Neutralus will cease to certify its validity. 3.3 REVOCATION REQUEST Certificates may be revoked as discussed in Section 4.4.

10 3.4 REFUSAL TO ISSUE A CERTIFICATE Neutralus may refuse to issue a certificate for an application request or renewal request at the sole discretion of Neutralus without incurring any liability for loss or damages arising from the refusal. 4.0 OPERATIONAL REQUIREMENTS 4.1 CERTIFICATE APPLICATION An applicant must complete the Certificate Application to initiate the certificate application process. 4.2 CERTIFICATE ISSUANCE To issue a certificate, Neutralus generates a certificate request and logs it, generates the certificate, and places it in the Neutralus repository. Personal Certificates are delivered in an encrypted state via to the subscriber. The passphrase required to decrypt and install the Personal Certificate is supplied via mailed hard copy or via fax. Server Certificates are delivered via an encrypted connection to the subscriber s server by ABILITY authorized staff. 4.3 CERTIFICATE ACCEPTANCE The certificate is accepted upon installation. Once accepted by the applicant, the certificate is usable. 4.4 CERTIFICATE REVOCATION Only the Subscriber or the CA may revoke a certificate in accordance with approved procedures Circumstances for Revocation The Subscriber may initiate the certificate revocation process by notifying Neutralus of the need to revoke a certificate at any time after acceptance of the certificate. The CA may revoke a certificate for the following reasons. The Subscriber has: Informed the CA that his/her Private Key has been compromised. Requested revocation of the certificate Who Can Request Revocation The Subscriber or issuing RA initiates the certificate revocation process. Neutralus may revoke a certificate if it reasonably believes that the secrecy of the Private Key has been compromised or that the certificate was erroneously issued Procedure for Revocation Request The Subscriber or the issuing RA must provide his/her name, address and certificate Serial number to a Neutralus representative Revocation Request Grace Period There will be no grace period. Certificate revocation is immediate and irreversible.

11 4.4.5 CRL Issuance Frequency The CRL will be updated in the Neutralus repository when new revocations are performed. The repository will indicate the date and time of the most recent update On-line Revocation Checking Requirements The CRL list is available on the Neutralus Certificate Management Site, accessible through any web browser. 4.5 RECORDS ARCHIVAL Types of Records Archived The following data and files are archived: All computer security audit data All certificate application data All certificates, CRLs, and certificate status records generated Key histories All CPS documents Retention Period for Archive Archives of key and certificate information will be retained for seven years Protection of Archive The archived information will be encrypted and copied to storage media. It will also be physically protected from environmental threats and physical theft or destruction Archive Backup Procedures Backup procedures are in place so that a complete set of the backup archives will be readily available in the event of the loss or destruction of the primary archives. 4.6 KEY CHANGE-OVER The CA s signing key pair shall have an operational lifetime of no more than twenty years. At the end of nineteen years, a new key pair shall be generated. The private signing key of the new key pair shall be used to generate all new certificates and any necessary CRLs. The old private signing key shall be used only to generate CRLs. 4.7 COMPROMISE AND DISASTER RECOVERY Disaster Recovery Plan Neutralus maintains a backup of all critical files and can restore CA systems in the event of damage or destruction.

12 4.8 CA TERMINATION In the event that the CA terminates operations, all Subscribers and Relying Parties will be promptly notified. In addition, any CAs who are cross certified will be notified. All certificates issued by the RA and CA will be revoked. 5.0 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS Neutralus has implemented commercially sound security controls to restrict access to the hardware and software used in providing CA services. 5.1 PHYSICAL CONTROLS Neutralus resides in a building that is physically secured. Access to Neutralus facilities, RA areas, and Computer Rooms housing the CA servers requires a unique key, which is given only to authorized personnel. Access is restricted based on job function. 5.2 PROCEDURAL CONTROLS Neutralus has implemented commercially acceptable security controls to restrict access to the facility, sections of the facility, hardware and software, databases and files, and any external cryptographic hardware modules or tokens used in provide services. 5.3 PERSONNEL CONTROLS Access to the Neutralus CA is tightly controlled. All ABILITY staff that have access to the Neutralus CA are required to meet high standards of integrity. Employees who have direct access to the CA are required to pass a criminal background check provided by a third-party organization. Employees who have access to Subscriber-provided data, certificates, servers and operating systems are restricted based upon job function. The principle of least privilege is exercised throughout. Employee access is granted to the facility, computer systems, and databases in a controlled manner based on job function. Furthermore, employees are subject to investigations, close supervision, and periodic security awareness training. 6.0 TECHNICAL SECURITY CONTROLS 6.1 KEY PAIR GENERATION AND INSTALLATION Neutralus generates a 2048-bit Key Pair for the signing certificates used by the CA using the RSA algorithm. Personal Certificates and Server Certificates are created with 1024-bit Key Pairs. The generation of all Neutralus Public/Private Key Parts is performed directly on a workstation that has never been attached to a network. 6.2 PRIVATE KEY PROTECTION Neutralus has provided generally accepted practices for safeguarding the CA s Private Keys. The CA s signing Private Keys shall not be escrowed. Upon termination of the Private Signing Key (expiration or revocation of a certificate), all copies of the Private Key shall be securely destroyed. 6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT The following statement describes other Key Pair issues:

13 Subscriber Key Pair must be replaced in accordance with the validity periods specified in the applicable certificate profile. The CA Signing Key shall only be used for signing certificates and CRLs. 6.4 COMPUTER SECURITY CONTROLS Neutralus uses computers systems having a high level of trust, and all CA systems are not connected to a network and are kept in locked, secured facilities. All system data is backed up on a periodic schedule and stored off-site in accordance with approved operating procedures. 6.5 NETWORK SECURITY CONTROLS Neutralus signing servers are not connected to a network. Certificate Requests are moved from the Neutralus network to the Neutralus signing servers using removable media, and the resulting certificates and CRLs are also moved from the signing servers to the Neutralus network using removable media. 7.0 CERTIFICATE AND CRL PROFILES 7.1 CERTIFICATE PROFILES All certificates will be issued in the X.509 version 3 format. These certificates will include a reference to the Neutralus Certificate Management site to indicate that this CPS governs that particular certificate. The certificate profile may be amended from time to time, including the addition of new certificate profiles. 7.2 CRL PROFILE The CRLs are issued in the X.509 version 2 format, in both DER (Distinguished Encoding Rules) and PEM (Privacy Enhanced Mail) formats. 8.0 SPECIFICATION ADMINISTRATION 8.1 SPECIFICATION CHANGE PROCEDURES The details of this CPS may be varied in writing by the CA from time to time. Updates to the CPS will be published as defined in Section 8.2. After each change, the version number and date will be updated. 8.2 SPECIFICATION STATUS Changes to this CPS shall become effective 30 days after final publication on the Web. Such changes to the CPS shall be deemed accepted by, and are binding on, all Subscribers and Relying Parties following the effective date of any applicable CPS change.