How To Issue A Certificate On A Cablelabs Device (Cablelabs) To A Certificate Request Agent (Cra)



Similar documents
Security and Security Certificates for OpenADR systems. Background. Content:

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

CableLabs DIGITAL CERTIFICATE AUTHORIZATION AGREEMENT For Devices Built in Compliance with the DOCSIS 3.0 and 3.1 Specifications

Euro-PacketCable Certificate Requirements

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Certification Practice Statement

Equens Certificate Policy

TELSTRA RSS CA Subscriber Agreement (SA)

HKUST CA. Certification Practice Statement

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Gandi CA Certification Practice Statement

Managing SSL Security in Multi-Server Environments

Extended Validation SSL

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

Technical Certificates Overview

Check Point FDE integration with Digipass Key devices

Ericsson Group Certificate Value Statement

Comodo Certification Practice Statement

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

HMRC Secure Electronic Transfer (SET)

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Ford Motor Company CA Certification Practice Statement

Boundary Encryption.cloud Deployment Process Overview

StartCom Certification Authority

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Symantec Managed PKI Service for Windows Service Description

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Entrust Managed Services PKI

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

ELECTRONIC RECORDS DISCLOSURE AND AGREEMENT READ AND SCROLL DOWN PLEASE READ THIS AGREEMENT CAREFULLY AND KEEP A COPY FOR YOUR RECORDS.

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

BUSINESS ONLINE BANKING AGREEMENT

KIBS Certification Practice Statement for non-qualified Certificates

Exploring ADSS Server Signing Services

GlobalSign Digital IDs for Adobe AIR Code Signing

Danske Bank Group Certificate Policy

Symantec AntiVirus Corporate Edition Patch Update

How To Manage A Password Protected Digital Id On A Microsoft Pc Or Macbook (Windows) With A Password Safehouse (Windows 7) On A Pc Or Ipad (Windows 8) On An Ipad Or Macintosh (Windows 9)

White Paper. Simplify SSL Certificate Management Across the Enterprise

PostSignum CA Certification Policy applicable to qualified personal certificates

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Certification Practice Statement

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

PrivateServer HSM Integration with Microsoft IIS

Microsoft Dynamics GP 2010

Canadian Pharmaceutical Distribution Network Certificate Authority Services Agreement. In this document:

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Extended Validation SSL

Securing Adobe PDFs. Adobe - Certified Document Services Registration Authority (RA) Training. Enterprise Security. ID Verification Services

Wildcard and SAN: Understanding multi-use SSL Certificates

Enterprise Vault.cloud Deployment Checklist

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

SSL.com Certification Practice Statement

Thales ncipher modules. Version: 1.2. Date: 22 December Copyright 2009 ncipher Corporation Ltd. All rights reserved.

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Technical Description. DigitalSign 3.1. State of the art legally valid electronic signature. The best, most secure and complete software for

Defending the Internet of Things

Savitribai Phule Pune University

Microsoft Dynamics GP Release. Workflow Administrator s Guide

ENROLMENT GUIDE FOR MCACert

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

How To Secure An Rsa Authentication Agent

Symantec External Certificate Authority Key Recovery Practice Statement (KRPS)

GlobalSign Enterprise PKI Support. GlobalSign Enterprise Solution EPKI Administrator Guide v2.4

Intel Active Management Technology Embedded Host-based Configuration in Intelligent Systems

EuropeanSSL Secure Certification Practice Statement

Symantec Managed PKI Service Deployment Options

PDF Signer User Manual

Transnet Registration Authority Charter

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

DIGIPASS CertiID. Getting Started 3.1.0

CyberSource PayPal Services Implementation Guide

Using Entrust certificates with VPN

Simplify SSL Certificate Management Across the Enterprise

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States

ARTL PKI. Certificate Policy PKI Disclosure Statement

TR-GRID CERTIFICATION AUTHORITY

Intel vpro Technology. How To Purchase and Install Symantec* Certificates for Intel AMT Remote Setup and Configuration

Certification Practice Statement of CERTUM s Certification Services

Online (Internet) Banking Agreement and Disclosure

TATA CONSULTANCY SERVICES LIMITED CERTIFYING AUTHORITY REQUEST FORM FOR CLASS-3 CERTIFICATE SERVER / DEVICE CERTIFICATE

WHITE PAPER SPON. Archive Migration: Opportunities and Risks. Published February An Osterman Research White Paper.

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Electronic Check Services

Encryption. Administrator Guide

Transcription:

CableLabs Certificate Issuance Process Notice This document is furnished by Cable Television Laboratories, Inc. (CableLabs) in an AS IS basis. CableLabs does not provide any representation or warranty, express or implied, regarding its accuracy, completeness, infringement of intellectual property, or fitness for a particular purpose. CableLabs is not responsible for any liability of any nature whatsoever resulting from or arising out of use or reliance upon this document by any party. Copyright 2005 Cable Television Laboratories, Inc. rights reserved. All

Document Status Sheet Document Title: CableLabs Certificate Issuance Process Revision History: 03/22/2004 Draft 04/12/2004 V1 6/28/2005 V2 3/03/2006 V3 12/08/2010 V4 Date: December 8, 2010 12/9/2010 CableLabs i

Contents 1 INTRODUCTION... 1 1.1 Document Purpose... 1 1.2 CableLabs Device Public Key Infrastructure... 1 1.2.1 Root CA... 2 1.2.2 First-tier CA... 2 2 DOCUMENTS AND CONTACT INFORMATION... 3 2.1 CableLabs Documents... 3 2.2 CableLabs Contacts... 3 2.2.1 Certificate Issuance Service Contact... 3 2.2.2 Technical Contact... 3 2.2.3 Legal Contact... 3 3 MFG CRA ISSUANCE PROCESS... 4 3.1 Introduction... 4 3.2 Authorization... 6 3.3 CRA Issuance... 7 3.4 MFG CRA Issuance Schedule... 8 3.5 Device Certificate requests via the CRA... 8 12/9/2010 CableLabs ii

1 INTRODUCTION 1.1 Document Purpose This document describes the digital certificate issuance process of device certificates via the Manufacturer (MFG) Certificate Requesting Agent (CRA). 1.2 CableLabs Device Public Key Infrastructure CableLabs manages specifications (e.g., DOCSIS, PacketCable, CableHome, and OpenCable ) that require embedding digital certificates in devices at the time of manufacture. These certificates provide the basis for a number of security services including data confidentiality, content integrity, and device authentication. For example, a digital certificate, embedded into a cable service device (e.g., Cable Modem, Media Terminal Adapter, or Set Top Box), prevents the pirating of cable services by allowing the Cable Service Provider to authenticate the device requesting services. In order for a certificate to be in compliance with CableLabs specifications, it must properly chain up to the appropriate CableLabs Root Certification Authority (CA) as defined by the specifications. At present, CableLabs has five active Root CAs, four of these roots (i.e., the DOCSIS Root CA, MTA Root CA, CableLabs MFG Root CA, and the Service Provider Root CA) issue device certificates. Figure 1 illustrates the major components of the CableLabs Device Public Key Infrastructure (PKI). The Root CA is the apex of the PKI which issued the first-tier CA certificates to Manufacturers in the legacy distributed architecture and now issues firsttier CA certificates of the CableLabs hosted CAs in the centralized architecture. CableLabs no longer issues first-tier CAs to Manufacturers. In the centralized architecture, Manufacturers receive their device certificates via a webbased Certificate Requesting Agent (CRA). The certificate profiles for the CableLabs PKI are defined in the applicable CableLabs specification (e.g., DOCSIS, PacketCable, CableHome, and OpenCable ). Manufacturers, by requesting device certificates and handling the corresponding private keys, become part of the CableLabs PKI. Before receipt of production device certificates, CableLabs requires that manufacturers execute a Digital Certificate Authorization Agreement (DCAA), which governs the Manufacturer s practice for requesting certificates and their handling of the corresponding private keys. CableLabs is migrating its PKI from the distributed to the centralized architecture and is employing the following policies: MFGs with existing CAs may continue to use their CAs to meet the certificate needs for existing specifications that allow the use of MFG CAs (e.g., DOCSIS 1.x, 2.0) MFGs with existing CAs may opt to receive all their device certificates from a hosted CA via a web-based CRA. MFGs with existing CAs for one project (e.g., DOCSIS) that would like to obtain certificates for another CableLabs project (e.g., PacketCable) will need to receive the new project s device certificates from a hosted CA via a CRA. 12/9/2010 CableLabs 1

MFGs with existing CAs that have been compromised or that need to replace their existing CA will be migrated to the appropriate hosted CA. MFGs without existing CAs will receive device certificates from the appropriate hosted CA via a CRA. MFGs with an existing DOCSIS CA that are building a product for DOCSIS 3.0 must pass an audit in order to continue to use their existing CA or they may switch to the web-based CRA. Figure 1: CableLabs PKI Hierarchy 1.2.1 CableLabs Root Certification Authority (Root CA) The Root CA is used to issue first-tier CA certificates. Symantec Corporation operates the CableLabs Root CAs on behalf of CableLabs. 1.2.2 First-tier CA First-tier CA (i.e., a hosted CA or a MFG CA) certificates must chain up to the Root CA. Under the distributed (legacy) PKI architecture, a vendor chooses whether to operate their CA, or have a third party operate the CA on their behalf. For the centralized PKI architecture, Manufacturers request device certificates from the CableLabs Hosted CAs via the MFG CRA. 12/9/2010 CableLabs 2

2 DOCUMENTS AND CONTACT INFORMATION 2.1 CableLabs Documents The following documents can be found at http://www.cablelabs.com: 1. CableLabs Certificate Issuance Process (This Document) 2. CableLabs Digital Certificate Authorization Agreement 3. CableLabs Project Specifications 4. Public Key Certificates for CableLabs Root CAs 2.2 CableLabs Contacts 2.2.1 Certificate Issuance Service Contact Tara Gratz Digital Certificate Account Coordinator Cable Television Laboratories, Inc. 858 Coal Creek Circle Louisville, CO 80027-9750 Tel: (303) 661-3320 Fax: (303) 664-8131 Email: t.gratz@cablelabs.com 2.2.2 Technical Contact Oscar Marcia Vice President, Security Cable Television Laboratories, Inc. 858 Coal Creek Circle Louisville, CO 80027-9750 Tel: 303-661-3350 Fax: 303-664-8170 Email: o.marcia@cablelabs.com 2.2.3 Legal Contact Simon L. Krauss Sr. Counsel Cable Television Laboratories, Inc. 858 Coal Creek Circle Louisville, CO 80027-9750 Tel: (303) 661-3836 Fax: (303) 661-9199 Email: s.krauss@cablelabs.com 12/9/2010 CableLabs 3

3 MFG CRA ISSUANCE PROCESS 3.1 Introduction The CableLabs web-based CRA has the capability to issue device certificates in bulk with very low attendant cost to Manufacturers throughout the certificate management lifecycle. The following diagram presents a high level view of the CableLabs CRA: Figure 2 MFG CRA Overview In the centralized architecture, the manufacturer uses a standard web browser and hardware token (e.g., USB token) to connect to the CableLabs Hosted CA's web interface. Via this interface, the Manufacturer may request device certificates and pick up batched signed certificates. Optionally, a manufacturer can specify that issued certificates be delivered via postal mail on a CD-ROM. The CRA will not require any deployment at the manufacturer's site, other than the installation of the lightweight standalone client software needed to decrypt download file content. Therefore, immediate setup for a Manufacturer to request and receive device certificates is realized. Figure 3 illustrates the process for issuance of a Manufacturer CRA under the appropriate Root. The process consists of two sequences, Authorization and Issuance. Section 3.2 describes the authorization steps, and section 3.3 describes the issuance steps. 12/9/2010 CableLabs 4

AUTHORIZATION ISSUANCE (1) Vendor submits Digital Certificate Authorization Agreement to CableLabs (2a) CableLabs notifies vendor that request has been rejected (5) Symantec authenticates Vendor and delivers the CRA startup Kit Verified (2) CableLabs reviews Vendor's submission Approve Reject (6) Symantec delivers CRA startup kit to the Vendor (3) Vendor submits customer profile, Naming Document and Payment to CableLabs (4) CableLabs authorizes vendor to receive CRA Startup Kit (7) Vendor requests the Administrator Certificate (8) CRA is operational and available for certificate requests Figure 3: Manufacturer CRA Flow 12/9/2010 CableLabs 5

3.2 Authorization Step 1 Manufacturers wishing to enroll in the CRA service must execute a CableLabs Digital Certificate Authorization Agreement (DCAA), including completion of the customer profile and naming document. Manufacturers must submit a signed DCAA to the CableLabs Legal Contact listed in 2.2.1. The agreement can be sent via facsimile or email. Step 2 CableLabs will review the submission and either accept or reject it. Step 2a If the submission is rejected, CableLabs will notify the vendor s Legal Contact and provide a reason for the rejection. The vendor may go back to step one after the reason for rejection has been addressed. Step 3 CableLabs will authorize a Manufacturer to receive a CRA once CableLabs has received an executed agreement, a complete customer profile and naming document, and received payment for the first year s maintenance. Step 4 CableLabs notifies Symantec of vendors authorized to receive a CRA startup kit. 12/9/2010 CableLabs 6

3.3 CRA Issuance Step 5 Symantec will authenticate and verify the identity of the manufacturer as follows: First, Symantec will verify that the corporate and administrator contacts are, in fact, employees of the company; either by speaking with them or another verifier, i.e., receptionist. Delays may be caused if we are not able to reach the employee(s) or if a potential verifier will not, or cannot verify employment or if the manufacturer is located outside the US, there are sometimes delays with customs for the shipment of the CRA startup kit (mentioned below). Second, Symantec will look up the Dun and Bradstreet number to assure that the address and name of the company are the same as that under which they enrolled. A delay may be caused if there are any discrepancies in the address information. In most instances, Verification and Authentication can be accomplished within 24-48 hours. However as stated above, some situations may occur that may cause delays. Step 6 Symantec delivers the CRA startup kit (A blank hardware token (e.g., a USB token) and instructions on how to request the Administrator s certificate) to the Administrator(s) specified by the vendor in the customer profile. Step 7 The manufacturer installs the token reader and drivers and is directed to an enrollment page that generates the private key and provisions the administrator certificate onto the token. The Administrator Certificate will be used to authenticate the Administrator to the CA web interface and to upload certificate request files. Step 8 The CRA system is now operational. The manufacturer s designated Administrator(s) may now request device certificate (see section 3.5). 12/9/2010 CableLabs 7

3.4 MFG CRA Issuance Schedule CRA startup kits are delivered to the Manufacturer five business days after completion of Symantec s authentication process. Figure 4 illustrates the sequence of events required to obtain a MFG CRA. MFGs authorized to receive a CRA must initiate the process at least one to two months before the scheduled certification wave submission date the MFG plans to attend. Figure 4 MFG CRA Issuance Process 3.5 Device Certificate requests via the CRA Once the Manufacturer is enrolled for the CRA service, the Manufacturer s Administrator may request device certificates using the process described in this section. 12/9/2010 CableLabs 8

Figure 5 Device Certificate Request Process Certificate Request Process (See Figure 5): 1. Manufacturer issues a Purchase Order (PO) for the number of certificates it wishes to purchase. CableLabs sends advance invoice to manufacturer. 2. Once payment is received, CableLabs authorizes Symantec to load the number of purchased certificates onto the account. 3. The Administrator authenticates to the CA web page. The communication to this web page is encrypted and authenticated using the key and certificate on the Administrator s token. The Administrator may request the number of certificates up to but not exceeding the number of certificate the Manufacturer has purchased. The Administrator receives an acknowledgement of the request and is presented with a numbered receipt that identifies this particular request. 4. The CA checks the request against the number of certificates authorized by CableLabs for the Manufacturer. If the manufacturer has not exceeded its limit, the CA generates the certificates (and optionally keys) based on the information contained in the request. If fulfilling the entire request would exceed the Manufacturer s limit, then the CA will only generate certificates up to the Manufacturer s limit. 12/9/2010 CableLabs 9

5. Once the request is complete, the CA informs the Administrator, via email, that their request has been completed. The response file is delivered to the manufacturer via one of the following mechanisms: a. Certificate response is placed on an access-controlled website. The Administrator is sent the URL where this batch of certificates may be picked up. Access to this URL is protected via client and server authenticated TLS and requires the correct manufacturers administrator certificate for access. b. Or, the CA burns the encrypted response onto a CD-ROM, which is sent via postal mail to the address listed as the Administrator s address in the customer profile. 6. If the manufacturer has asked the CA to generate the key pairs, the certificate request response is encrypted by the CA into a binary PKCS#7 envelope. The response is decrypted using a lightweight client utility and the manufacturer s key on the token. Responses to certificate requests submitted as PKCS#10 certificate requests, will contain only certificates, thus will not be encrypted. Manufacturer can now embed the device certificates and corresponding private key into compliant cable service devices. 12/9/2010 CableLabs 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information