< draft-ietf-pkix-ipki-new-rfc2527-01.txt   draft-ietf-pkix-ipki-new-rfc2527-02.txt >
PKIX Working Group S. Chokhani (CygnaCom Solutions, Inc.) PKIX Working Group S. Chokhani (Orion Security Solutions, Inc.)
Internet Draft W. Ford (VeriSign, Inc.) Internet Draft W. Ford (VeriSign, Inc.)
R. Sabett (Cooley Godward LLP) Obsoletes: 2527 R. Sabett (Cooley Godward LLP)
C. Merrill (McCarter & English, LLP) C. Merrill (McCarter & English, LLP)
S. Wu (Infoliance, Inc.) S. Wu (Infoliance, Inc.)
Expires in six months from January 3, 2002 Expires in six months from April 22, 2003
Internet X.509 Public Key Infrastructure Internet X.509 Public Key Infrastructure
Certificate Policy and Certification Practices Framework Certificate Policy and Certification Practices Framework
< draft-ietf-pkix-ipki-new-rfc2527-01.txt > < draft-ietf-pkix-ipki-new-rfc2527-02.txt >
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026. Internet-Drafts are working documents of of Section 10 of RFC2026. Internet-Drafts are working documents of
the Internet Engineering Task Force (IETF), its areas, and its working the Internet Engineering Task Force (IETF), its areas, and its working
groups. Note that other groups may also distribute working documents groups. Note that other groups may also distribute working documents
as Internet-Drafts. as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of 6 months Internet-Drafts are draft documents valid for a maximum of 6 months
skipping to change at page 1, line 42 skipping to change at page 1, line 42
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
To view the entire list of current Internet-Drafts, please check the To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Copyright (C) The Internet Society 2001. All Rights Reserved. Copyright (C) The Internet Society 2003. All Rights Reserved.
Abstract Abstract
This document presents a framework to assist the writers of This document presents a framework to assist the writers of
certificate policies or certification practice statements for certificate policies or certification practice statements for
participants within public key infrastructures, such as participants within public key infrastructures, such as
certification authorities, policy authorities, and communities of certification authorities, policy authorities, and communities of
interest that wish to rely on certificates. In particular, the interest that wish to rely on certificates. In particular, the
framework provides a comprehensive list of topics that potentially framework provides a comprehensive list of topics that potentially
(at the writer's discretion) need to be covered in a certificate (at the writer's discretion) need to be covered in a certificate
policy or a certification practice statement. This document is policy or a certification practice statement. This document is
being submitted to the RFC Editor with a request for publication as being submitted to the RFC Editor with a request for publication as
an Informational RFC that will supercede RFC 2527 [CPF]. an Informational RFC that will supersede RFC 2527 [CPF].
TABLE OF CONTENTS TABLE OF CONTENTS
1. INTRODUCTION 3 1. INTRODUCTION 3
1.1 BACKGROUND 3 1.1 BACKGROUND 3
1.2 PURPOSE 5 1.2 PURPOSE 5
1.3 SCOPE 5 1.3 SCOPE 5
2. DEFINITIONS 6 2. DEFINITIONS 6
3. CONCEPTS 8 3. CONCEPTS 8
3.1 CERTIFICATE POLICY 8 3.1 CERTIFICATE POLICY 8
3.2 CERTIFICATE POLICY EXAMPLES 10 3.2 CERTIFICATE POLICY EXAMPLES 10
3.3 X.509 CERTIFICATE FIELDS 10 3.3 X.509 CERTIFICATE FIELDS 10
3.3.1 Certificate Policies Extension 10 3.3.1 Certificate Policies Extension 10
3.3.2 Policy Mappings Extension 11 3.3.2 Policy Mappings Extension 11
3.3.3 Policy Constraints Extension 12 3.3.3 Policy Constraints Extension 12
3.3.4 Policy Qualifiers 12 3.3.4 Policy Qualifiers 12
3.4 CERTIFICATION PRACTICE STATEMENT 13 3.4 CERTIFICATION PRACTICE STATEMENT 13
3.5 RELATIONSHIP BETWEEN CP AND CPS 14 3.5 RELATIONSHIP BETWEEN CP AND CPS 14
3.6 RELATIONSHIP AMONG CPs, CPSs, AGREEMENTS, AND 3.6 RELATIONSHIP AMONG CPs, CPSs, AGREEMENTS, AND
OTHER DOCUMENTS 15 OTHER DOCUMENTS 15
3.7 SET OF PROVISIONS 17 3.7 SET OF PROVISIONS 17
4. CONTENTS OF A SET OF PROVISIONS 19 4. CONTENTS OF A SET OF PROVISIONS 19
4.1 INTRODUCTION 19 4.1 INTRODUCTION 19
4.1.1 Overview 19 4.1.1 Overview 19
4.1.2 Document Name and Identification 20 4.1.2 Document Name and Identification 20
4.1.3 PKI Participants 20 4.1.3 PKI Participants 20
4.1.4 Certificate usage 21 4.1.4 Certificate usage 21
4.1.5 Policy Administration 21 4.1.5 Policy Administration 21
4.1.6 Definitions and acronyms 21 4.1.6 Definitions and acronyms 21
4.2 PUBLICATION AND REPOSITORY RESPONSIBILITIES 21 4.2 PUBLICATION AND REPOSITORY RESPONSIBILITIES 21
4.3 IDENTIFICATION AND AUTHENTICATION (I&A) 22 4.3 IDENTIFICATION AND AUTHENTICATION (I&A) 22
4.3.1 Naming 22 4.3.1 Naming 22
4.3.2 Initial Identity Validation 22 4.3.2 Initial Identity Validation 22
4.3.3 I&A for Re-key Requests 23 4.3.3 I&A for Re-key Requests 23
4.3.4 I&A for Revocation Requests 23 4.3.4 I&A for Revocation Requests 23
4.4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS 24 4.4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS 24
4.4.1 Certificate Application 24 4.4.1 Certificate Application 24
4.4.2 Certificate Application Processing 24 4.4.2 Certificate Application Processing 24
4.4.3 Certificate Issuance 24 4.4.3 Certificate Issuance 24
4.4.4 Certificate Acceptance 25 4.4.4 Certificate Acceptance 25
4.4.5 Key Pair and Certificate Usage 25 4.4.5 Key Pair and Certificate Usage 25
4.4.6 Certificate Renewal 26 4.4.6 Certificate Renewal 26
4.4.7 Certificate Re-key 26 4.4.7 Certificate Re-key 26
4.4.8 Certificate Modification 27 4.4.8 Certificate Modification 27
4.4.9 Certificate Revocation and Suspension 27 4.4.9 Certificate Revocation and Suspension 27
4.4.10 Certificate Status Services 28 4.4.10 Certificate Status Services 28
4.4.11 End of Subscription 28 4.4.11 End of Subscription 28
4.4.12 Key Escrow and Recovery 29 4.4.12 Key Escrow and Recovery 29
4.5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS 29 4.5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS 29
4.5.1 Physical Security Controls 29 4.5.1 Physical Security Controls 29
4.5.2 Procedural Controls 30 4.5.2 Procedural Controls 30
4.5.3 Personnel Controls 30 4.5.3 Personnel Controls 30
4.5.4 Audit Logging Procedures 31 4.5.4 Audit Logging Procedures 31
4.5.5 Records Archival 31 4.5.5 Records Archival 31
4.5.6 Key Changeover 32 4.5.6 Key Changeover 32
4.5.7 Compromise and Disaster Recovery 32 4.5.7 Compromise and Disaster Recovery 32
4.5.8 CA or RA Termination 33 4.5.8 CA or RA Termination 33
4.6 TECHNICAL SECURITY CONTROLS 33 4.6 TECHNICAL SECURITY CONTROLS 33
4.6.1 Key Pair Generation and Installation 33 4.6.1 Key Pair Generation and Installation 33
4.6.2 Private Key Protection and Cryptographic 4.6.2 Private Key Protection and Cryptographic
Module Engineering Controls 34 Module Engineering Controls 34
4.6.3 Other Aspects of Key Pair Management 36 4.6.3 Other Aspects of Key Pair Management 36
4.6.4 Activation Data 36 4.6.4 Activation Data 36
4.6.5 Computer Security Controls 36 4.6.5 Computer Security Controls 36
4.6.6 Life Cycle Security Controls 37 4.6.6 Life Cycle Security Controls 37
4.6.7 Network Security Controls 37 4.6.7 Network Security Controls 37
4.6.8 Timestamping 37 4.6.8 Timestamping 37
4.7 CERTIFICATE, CRL, AND OCSP PROFILES 37 4.7 CERTIFICATE, CRL, AND OCSP PROFILES 37
4.7.1 Certificate Profile 37 4.7.1 Certificate Profile 37
4.7.2 CRL Profile 38 4.7.2 CRL Profile 38
4.7.3 OCSP Profile 38 4.7.3 OCSP Profile 38
4.8 COMPLIANCE AUDIT AND OTHER ASSESSMENT 38 4.8 COMPLIANCE AUDIT AND OTHER ASSESSMENT 38
4.9 OTHER BUSINESS AND LEGAL MATTERS 39 4.9 OTHER BUSINESS AND LEGAL MATTERS 39
4.9.1 Fees 40 4.9.1 Fees 40
4.9.2 Financial Responsibility 40 4.9.2 Financial Responsibility 40
4.9.3 Confidentiality of Business Information 40 4.9.3 Confidentiality of Business Information 40
4.9.4 Privacy of Personal Information 41 4.9.4 Privacy of Personal Information 41
4.9.5 Intellectual Property Rights 41 4.9.5 Intellectual Property Rights 41
4.9.6 Representations and Warranties 41 4.9.6 Representations and Warranties 41
4.9.7 Disclaimers of Warranties 42 4.9.7 Disclaimers of Warranties 42
4.9.8 Limitations of Liability 42 4.9.8 Limitations of Liability 42
4.9.9 Indemnities 42 4.9.9 Indemnities 42
4.9.10 Term and Termination 42 4.9.10 Term and Termination 42
4.9.11 Individual notices and communications 4.9.11 Individual notices and communications
with participants 43 with participants 43
4.9.12 Amendments 43 4.9.12 Amendments 43
4.9.13 Dispute Resolution Procedures 44 4.9.13 Dispute Resolution Procedures 44
4.9.14 Governing Law 44 4.9.14 Governing Law 44
4.9.15 Compliance with Applicable Law 44 4.9.15 Compliance with Applicable Law 44
4.9.16 Miscellaneous Provisions 44 4.9.16 Miscellaneous Provisions 44
4.9.17 Other Provisions 45 4.9.17 Other Provisions 45
5. OUTLINE OF A SET OF PROVISIONS 45 5. SECURITY CONSIDERATIONS 45
6. ACKNOWLEDGMENTS 51 6. OUTLINE OF A SET OF PROVISIONS 45
7. REFERENCES 52 7. COMPARISON TO RFC 2527 52
8. AUTHORS' ADDRESSES 53 8. ACKNOWLEDGMENTS 77
NOTES 53 9. REFERENCES 78
LIST OF ACRONYMS 54 10. AUTHORS' ADDRESSES 78
NOTES 79
LIST OF ACRONYMS 80
----------------------------------------------------------------- -----------------------------------------------------------------
1. INTRODUCTION 1. INTRODUCTION
1.1 BACKGROUND 1.1 BACKGROUND
In general, a public-key certificate (hereinafter "certificate") In general, a public-key certificate (hereinafter "certificate")
binds a public key held by an entity (such as person, organization, binds a public key held by an entity (such as person, organization,
account, device, or site) to a set of information that identifies account, device, or site) to a set of information that identifies
skipping to change at page 4, line 45 skipping to change at page 4, line 48
A Version 3 X.509 certificate may contain a field declaring that one A Version 3 X.509 certificate may contain a field declaring that one
or more specific certificate policies apply to that certificate or more specific certificate policies apply to that certificate
[ISO1]. According to X.509, a certificate policy (CP) is "a named [ISO1]. According to X.509, a certificate policy (CP) is "a named
set of rules that indicates the applicability of a certificate to a set of rules that indicates the applicability of a certificate to a
particular community and/or class of applications with common particular community and/or class of applications with common
security requirements." A CP may be used by a relying party to help security requirements." A CP may be used by a relying party to help
in deciding whether a certificate, and the binding therein, are in deciding whether a certificate, and the binding therein, are
sufficiently trustworthy and otherwise appropriate for a particular sufficiently trustworthy and otherwise appropriate for a particular
application. The CP concept is an outgrowth of the policy statement application. The CP concept is an outgrowth of the policy statement
concept developed for Internet Privacy Enhanced Mail [PEM1] and concept developed for Internet Privacy Enhanced Mail [PEM1] and
expanded upon in [BAU1]. expanded upon in [BAU1]. The legal and liability aspects presented
in Section 4.9 are outcome of a collaborative effort between IETF
PKIX working group and the American Bar Association (ABA) members
who have worked on legal acceptance of digital signature and role of
PKI in that acceptance.
A more detailed description of the practices followed by a CA in A more detailed description of the practices followed by a CA in
issuing and otherwise managing certificates may be contained in a issuing and otherwise managing certificates may be contained in a
certification practice statement (CPS) published by or referenced by certification practice statement (CPS) published by or referenced by
the CA. According to the American Bar Association Information the CA. According to the American Bar Association Information
Security Committee's Digital Signature Guidelines (hereinafter Security Committee's Digital Signature Guidelines (hereinafter
"DSG")(1) and the Information Security Committee's PKI Assessment "DSG")(1) and the Information Security Committee's PKI Assessment
Guidelines (hereinafter "PAG")(2), "a CPS is a statement of the Guidelines (hereinafter "PAG")(2), "a CPS is a statement of the
practices which a certification authority employs in issuing practices which a certification authority employs in issuing
certificates." [ABA1, ABA2] In general, CPSs also describe practices certificates." [ABA1, ABA2] In general, CPSs also describe practices
relating to all certificate lifecycle services (e.g., issuance, relating to all certificate lifecycle services (e.g., issuance,
management, revocation, and renewal or re-keying), and CPSs provide management, revocation, and renewal or re-keying), and CPSs provide
details concerning other business, legal, and technical matters. details concerning other business, legal, and technical matters.
The terms contained in a CP or CPS may or may not be binding upon a The terms contained in a CP or CPS may or may not be binding upon a
PKI's participants as a contract. A CP or CPS may itself purport to PKI's participants as a contract. A CP or CPS may itself purport to
be a contract. More commonly, however, an agreement may incorporate be a contract. More commonly, however, an agreement may incorporate
a CP or CPS by reference and therefore attempt to bind the parties of a CP or CPS by reference and therefore attempt to bind the parties of
the agreement to some or all of its terms. For example, some PKIs the agreement to some or all of its terms. For example, some PKIs
may utilize a CP or (more commonly) a CPS that is incorporated by may utilize a CP or (more commonly) a CPS that is incorporated by
reference in the agreement between a subscriber and a CA or RA reference in the agreement between a subscriber and a CA or RA
(called a "subscriber agreement") or the agreement between a relying (called a "subscriber agreement") or the agreement between a relying
party and a CA (called a "relying party agreement" or "RPA"). In party and a CA (called a "relying party agreement" or "RPA"). In
other cases, however, a CP or CPS has no contractual significance at other cases, however, a CP or CPS has no contractual significance at
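Review bot: The sentence added after "expanded upon in [BAU1]." is missing several articles and reads as unfinished: "are outcome of a collaborative effort between IETF PKIX working group" and "legal acceptance of digital signature and role of PKI". Suggested wording: "The legal and liability aspects presented in Section 4.9 are the outcome of a collaborative effort between the IETF PKIX working group and American Bar Association (ABA) members who have worked on the legal acceptance of digital signatures and the role of PKI in that acceptance." The sentence is also appended to a paragraph about the origin of the CP concept, and since it concerns Section 4.9 rather than the CP definition, it would read better as its own paragraph.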
skipping to change at page 12, line 57 skipping to change at page 12, line 59
The Certificate Policies extension field has a provision for The Certificate Policies extension field has a provision for
conveying, along with each CP identifier, additional policy- conveying, along with each CP identifier, additional policy-
dependent information in a qualifier field. The X.509 standard does dependent information in a qualifier field. The X.509 standard does
not mandate the purpose for which this field is to be used, nor does not mandate the purpose for which this field is to be used, nor does
it prescribe the syntax for this field. Policy qualifier types can it prescribe the syntax for this field. Policy qualifier types can
be registered by any organization. be registered by any organization.
The following policy qualifier types are defined in PKIX RFC 2459 The following policy qualifier types are defined in PKIX RFC 2459
[PKI1]: [PKI1]:
(a) The CPS Pointer qualifier contains a pointer to a CPS, CPS
(a) The CPS Pointer qualifier contains a pointer to a CPS, CPS
Summary, RPA, or PDS published by the CA. The pointer is in the Summary, RPA, or PDS published by the CA. The pointer is in the
form of a uniform resource identifier (URI). form of a uniform resource identifier (URI).
(b) The User Notice qualifier contains a text string that is to be (b) The User Notice qualifier contains a text string that is to be
displayed to subscribers and relying parties prior to the use of the displayed to subscribers and relying parties prior to the use of the
certificate. The text string may be an IA5String or a BMPString - a certificate. The text string may be an IA5String or a BMPString - a
subset of the ISO 100646-1 multiple octet coded character set. A CA subset of the ISO 100646-1 multiple octet coded character set. A CA
may invoke a procedure that requires that the relying party may invoke a procedure that requires that the relying party
acknowledge that the applicable terms and conditions have been acknowledge that the applicable terms and conditions have been
disclosed and/or accepted. disclosed and/or accepted.
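Review bot: The character set name in item (b), "ISO 100646-1", is carried over unchanged in both drafts and has an extra zero; the multiple-octet coded character set standard is ISO/IEC 10646-1. Since this revision already touches the surrounding whitespace, it is a convenient place to correct the reference.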
skipping to change at page 13, line 59 skipping to change at page 14, line 4
"statement of practices" used by one or more CAs within that PKI. "statement of practices" used by one or more CAs within that PKI.
Consequently, that agreement may also be considered a CPS and can Consequently, that agreement may also be considered a CPS and can
be entitled or subtitled as such. be entitled or subtitled as such.
Likewise, since a detailed CPS may contain sensitive details of its Likewise, since a detailed CPS may contain sensitive details of its
system, a CA may elect not to publish its entire CPS. It may system, a CA may elect not to publish its entire CPS. It may
instead opt to publish a CPS Summary (or CPS Abstract). The CPS instead opt to publish a CPS Summary (or CPS Abstract). The CPS
Summary would contain only those provisions from the CPS that the CA Summary would contain only those provisions from the CPS that the CA
considers to be relevant to the participants in the PKI (such as the considers to be relevant to the participants in the PKI (such as the
responsibilities of the parties or the stages of the certificate responsibilities of the parties or the stages of the certificate
lifecycle). A CPS Summary, however, would not contain those
lifecycle). A CPS Summary, however, would not contain those
sensitive provisions of the full CPS that might provide an sensitive provisions of the full CPS that might provide an
attacker with useful information about the CA's operations. attacker with useful information about the CA's operations.
Throughout this document, the use of "CPS" includes both a detailed Throughout this document, the use of "CPS" includes both a detailed
CPS and a CPS Summary (unless otherwise specified). CPS and a CPS Summary (unless otherwise specified).
CPSs do not automatically constitute contracts and do not CPSs do not automatically constitute contracts and do not
automatically bind PKI participants as a contract would. Where a automatically bind PKI participants as a contract would. Where a
document serves the dual purpose of being a subscriber or relying document serves the dual purpose of being a subscriber or relying
party agreement and CPS, the document is intended to be a contract party agreement and CPS, the document is intended to be a contract
and constitutes a binding contract to the extent that a subscriber and constitutes a binding contract to the extent that a subscriber
skipping to change at page 45, line 9 skipping to change at page 45, line 9
unenforceability of one clause from causing the whole agreement to unenforceability of one clause from causing the whole agreement to
be unenforceable; and be unenforceable; and
* An enforcement clause, which may state that a party prevailing in * An enforcement clause, which may state that a party prevailing in
any dispute arising out of an agreement is entitled to attorneys' any dispute arising out of an agreement is entitled to attorneys'
fees as part of its recovery, or may state that a party's waiver of fees as part of its recovery, or may state that a party's waiver of
one breach of contract does not constitute a continuing waiver or a one breach of contract does not constitute a continuing waiver or a
future waiver of other breaches of contract. future waiver of other breaches of contract.
* A force majeure clause, commonly used to excuse the performance
of one or more parties to an agreement due to an event outside the
reasonable control of the affected party or parties. Typically,
the duration of the excused performance is commensurate with the
duration of the delay caused by the event. The clause may also
provide for the termination of the agreement under specified
circumstances and conditions. Events considered to constitute a
"force majeure" may include so-called "Acts of God," wars, terrorism,
strikes, natural disasters, failures of suppliers or vendors to
perform, or failures of the Internet or other infrastructure. Force
majeure clauses should be drafted so as to be consistent with other
portions of the framework and applicable service level agreements.
For instance, responsibilities and capabilities for business
continuity and disaster recovery may place some events within the
reasonable control of the parties, such as an obligation to maintain
backup electrical power in the face of power outages.
4.9.17 Other Provisions 4.9.17 Other Provisions
This subcomponent is a "catchall" location where additional This subcomponent is a "catchall" location where additional
responsibilities and terms can be imposed on PKI participants that responsibilities and terms can be imposed on PKI participants that
do not neatly fit within one of the other components or do not neatly fit within one of the other components or
subcomponents of the framework. CP and CPS writers can place any subcomponents of the framework. CP and CPS writers can place any
provision within this subcomponent that is not covered by another provision within this subcomponent that is not covered by another
subcomponent. subcomponent.
5. OUTLINE OF A SET OF PROVISIONS 5. Security Considerations
According to X.509, a certificate policy (CP) is "a named set of
rules that indicates the applicability of a certificate to a
particular community and/or class of applications with common
security requirements." A CP may be used by a relying party to help
in deciding whether a certificate, and the binding therein, are
sufficiently trustworthy and otherwise appropriate for a particular
application.
The degree to which a relying party can trust the binding embodied
in a certificate depends on several factors. These factors can
include the practices followed by the certification authority (CA)
in authenticating the subject; the CA's operating policy, procedures,
and technical security controls (including the scope of the
subscriber's responsibilities (for example, in protecting the private
key); and the stated responsibilities and liability terms and
conditions of the CA (for example, warranties, disclaimers of warranties,
and limitations of liability).
This document provides a framework to address technical, procedural,
personnel, and physical security aspects of Certification Authorities.
Registration Authorities, repositories, subscribers, and relying party
cryptographic modules in order to ensure that the certificate
generation, publication, renewal, re-key, usage, and revocation is done
in a secure manner. Specifically, Section 4.3 IDENTIFICATION AND
AUTHENTICATION (I&A); Section 4.4 CERTIFICATE LIFE-CYCLE
OPERATIONAL REQUIREMENTS; Section 4.5 FACILITY,
MANAGEMENT, AND OPERATIONAL CONTROLS; Section 4.6
TECHNICAL SECURITY CONTROLS; Section 4.7 CERTIFICATE,
CRL, AND OCSP PROFILES; and Section 4.8 COMPLIANCE AUDIT
AND OTHER ASSESSMENT are oriented towards ensuring secure
operation of the PKI entities such as CA, RA, repository,
subscriber systems, and relying party systems.
6. OUTLINE OF A SET OF PROVISIONS
This section contains a recommended outline for a set of provisions, This section contains a recommended outline for a set of provisions,
intended to serve as a checklist or (with some further development) intended to serve as a checklist or (with some further development)
a standard template for use by CP or CPS writers. Such a common a standard template for use by CP or CPS writers. Such a common
outline will facilitate: outline will facilitate:
(a) Comparison of two certificate policies during cross- (a) Comparison of two certificate policies during cross-
certification or other forms of interoperation (for the purpose of certification or other forms of interoperation (for the purpose of
equivalency mapping). equivalency mapping).
(b) Comparison of a CPS with a CP to ensure that the CPS faithfully (b) Comparison of a CPS with a CP to ensure that the CPS faithfully
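Review bot: The second paragraph of the new Security Considerations section has an unbalanced parenthesis: "(including the scope of the subscriber's responsibilities (for example, in protecting the private key);" opens two and closes one, so it is unclear whether the subscriber's responsibilities are part of the CA's controls or a separate factor. The third paragraph has a stray full stop in "Certification Authorities. Registration Authorities, repositories", which should be a comma, and "generation, publication, renewal, re-key, usage, and revocation is done" needs "are done". The heading "5. Security Considerations" is in mixed case while the neighbouring "6. OUTLINE OF A SET OF PROVISIONS" and the table of contents entry use capitals. In 4.9.16, the force majeure bullet is appended after the enforcement clause, but the list conjunction "; and" still sits before the enforcement bullet, which also ends in a full stop; move the "and" so that it precedes the new last item.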
skipping to change at page 48, line 47 skipping to change at page 49, line 45
5.3.1 Qualifications, experience, and clearance requirements 5.3.1 Qualifications, experience, and clearance requirements
5.3.2 Background check procedures 5.3.2 Background check procedures
5.3.3 Training requirements 5.3.3 Training requirements
5.3.4 Retraining frequency and requirements 5.3.4 Retraining frequency and requirements
5.3.5 Job rotation frequency and sequence 5.3.5 Job rotation frequency and sequence
5.3.6 Sanctions for unauthorized actions 5.3.6 Sanctions for unauthorized actions
5.3.7 Independent contractor requirements 5.3.7 Independent contractor requirements
5.3.8 Documentation supplied to personnel 5.3.8 Documentation supplied to personnel
5.4 Audit logging procedures 5.4 Audit logging procedures
5.4.1 Types of event recorded 5.4.1 Types of events recorded
5.4.2 Frequency of processing log 5.4.2 Frequency of processing log
5.4.3 Retention period for audit log 5.4.3 Retention period for audit log
5.4.4 Protection of audit log 5.4.4 Protection of audit log
5.4.5 Audit log backup procedures 5.4.5 Audit log backup procedures
5.4.6 Audit collection system (internal vs. external) 5.4.6 Audit collection system (internal vs. external)
5.4.7 Notification to event-causing subject 5.4.7 Notification to event-causing subject
5.4.8 Vulnerability assessments 5.4.8 Vulnerability assessments
5.5 Records archival 5.5 Records archival
5.5.1 Types of records archived 5.5.1 Types of records archived
5.5.2 Retention period for archive 5.5.2 Retention period for archive
5.5.3 Protection of archive
5.5.3 Protection of archive
5.5.4 Archive backup procedures 5.5.4 Archive backup procedures
5.5.5 Requirements for time-stamping of records 5.5.5 Requirements for time-stamping of records
5.5.6 Archive collection system (internal or external) 5.5.6 Archive collection system (internal or external)
5.5.7 Procedures to obtain and verify archive information 5.5.7 Procedures to obtain and verify archive information
5.6 Key changeover 5.6 Key changeover
5.7 Compromise and disaster recovery 5.7 Compromise and disaster recovery
5.7.1 Incident and compromise handling procedures 5.7.1 Incident and compromise handling procedures
5.7.2 Computing resources, software, and/or data are corrupted 5.7.2 Computing resources, software, and/or data are corrupted
5.7.3 Entity private key compromise procedures 5.7.3 Entity private key compromise procedures
skipping to change at page 51, line 54 skipping to change at page 52, line 53
9.14 Governing law 9.14 Governing law
9.15 Compliance with applicable law 9.15 Compliance with applicable law
9.16 Miscellaneous provisions 9.16 Miscellaneous provisions
9.16.1 Entire agreement 9.16.1 Entire agreement
9.16.2 Assignment 9.16.2 Assignment
9.16.3 Severability 9.16.3 Severability
9.16.4 Enforcement (attorneys' fees and waiver of rights) 9.16.4 Enforcement (attorneys' fees and waiver of rights)
9.16.5 Force Majeure
9.17 Other provisions 9.17 Other provisions
6. ACKNOWLEDGMENTS 7. COMPARISON TO RFC 2527
This framework represents an incremental improvement over RFC 2527.
The new framework benefits from the experience gained in the course
of deploying CP and CPS documents under RFC 2527. Further, this new
framework is based on coordination with the American Bar Association
Information Security Committee within the Section of Science and
Technology Law. The ISC wrote the PKI Assessment Guidelines [ABA2],
which embodies a great deal of technical, business, and legal
experience in PKI operations. In particular, representatives of the
ISC made changes to the framework to make it better suited to the
legal environment and more accessible to lawyers.
>From a technical perspective, the changes to the RFC 2527 framework
were minimal and incremental, rather than revolutionary. Sections
3-7 have largely been preserved, with modest reorganization and new
topics. For example, the new framework includes a revision of
Section 4 of the framework to include a full treatment of the
certificate life-cycle, the addition of key escrow, key
encapsulation, and key recovery policies and practices, and OCSP.
Section 2 audit functions now appear alone in Section 8, and
Section 2 focuses exclusively on repository functions. The
business and legal matters in RFC 2527's Section 2 now appear in a
new Section 9.
>From a legal perspective, the new Section 9 is useful because it
places topics in the framework in an ordering that is similar to
software licensing and other technology agreements and thus is
familiar to technology lawyers. Moreover, the framework as a whole
can double as a framework for a subscriber, relying party, or other
PKI-related agreement. The changes are intended to make legal
review of, and input into, CP and CPS documents more efficient.
Section 9 also adds new legal topics, such as the privacy of
personal information, liability terms, and duration of the
effectiveness of the document.
Section 1 of the new framework is largely the same as RFC 2527,
although it increases coverage of PKI participants by breaking out
subscribers from relying parties and adding a section for other
participants. It changes the "applicability" section to one
covering appropriate and prohibited uses of certificates. Also, it
moves CPS approval procedures from RFC 2527's Section 8.3 into a
collected policy administration section. Finally, Section 1.6 adds
a place to list definitions and acronyms.
Section 2 of the new framework is a reorganization of Section 2.6
of the old framework. Section 3 of the new framework is based on
a division of the old Section 3.1 into two parts for naming and
identification and authentication issues. It adds new issues, such
as the permissibility of pseudonyms and anonymity. Old Section 4
topics on audit logging, records archival, key changeover,
compromise and disaster recovery, and CA termination have moved to
Section 5. The remaining Section 4 topics have been expanded and
reorganized to cover a complete certificate lifecycle. New topics
include items implicit in the RFC 2527 Section 4, but now explicit,
such as certificate application processing, certificate
modification, and the end of subscription.
New Sections 5.1 through 5.3 are almost identical to their
counterparts in RFC 2527. The remainder of the new Section 5 is
the topics moved from RFC 2527's Section 4, in the order that they
had appeared in Section 4. Section 6 of the new framework is
almost the same as the old Section 6, with some exceptions, such as
the consolidation of old Section 6.8 (cryptographic module
engineering controls) into Section 6.2.1 (now called "cryptographic
module standards and controls") and the addition of time-stamping in
a new Section 6.8. Section 7 is almost identical to the old Section
7, the major change being the addition of a section covering OCSP
profile. Section 8 is almost identical to RFC 2527's Section 2.7.
New Section 9 contains business and legal topics that had been
covered in RFC 2527's Section 2, including fees, financial
responsibility, confidentiality, and intellectual property. It adds
a section on the privacy of personal information, which has become a
significant policy issue. The "liability" Section 2.2 in RFC 2527
now appears in Sections 9.6 through 9.9, covering representations
and warranties, disclaimers, limitations of liability, and
indemnities. Section 9.10 adds a section concerning the duration of
the effectiveness of documentation. Section 9.12 collects terms
concerning the way in which a document (CP, CPS, agreement, or other
document) may be amended, formerly appearing in Section 8.1.
Section 9 includes "legal boilerplate" topics, some of which had
been in the old Section 2. Finally, Section 9.17 is a catch-all
"other provisions" section where drafters can place information that
does not fit well into any other section of the framework.
The following matrix shows the sections in the old RFC 2527
framework and their successor sections in the new framework.
ORIGINAL RFC 2527 SECTION          NEW RFC SECTION
------------------------------------------------------
1. Introduction 1.
------------------------------------------------------
1.1 Overview 1.1
------------------------------------------------------
1.2 Identification 1.2
------------------------------------------------------
1.3 Community and
Applicability 1.3
------------------------------------------------------
1.3.1 Certification
Authorities 1.3.1
------------------------------------------------------
1.3.2 Registration Authorities 1.3.2
------------------------------------------------------
1.3.3 End entities 1.3.3,
1.3.4
------------------------------------------------------
1.3.4 Applicability 1.4, 4.5
------------------------------------------------------
1.4 Contact Details 1.5
------------------------------------------------------
1.4.1 Specification Administration
Organization 1.5.1
------------------------------------------------------
1.4.2 Contact Person 1.5.2
------------------------------------------------------
1.4.3 Person Determining CPS
Suitability for the Policy 1.5.3
------------------------------------------------------
2. General Provisions 2, 8, 9
------------------------------------------------------
2.1 Obligations 2.6.4
------------------------------------------------------
2.1.1 CA Obligations Integrated
throughout
portions of the
framework that
apply to CAs
------------------------------------------------------
2.1.2 RA Obligations Integrated
throughout
portions of the
framework that
apply to RAs
------------------------------------------------------
2.1.3 Subscriber Obligations 4.1.2, 4.4, 4.5,
4.5.1, 4.6.5,
4.7.5, 4.8.1,
4.8.5, 4.9.1,
4.9.2, 4.9.13,
4.9.15, 5., 6.,
9.6.3, 9.9
------------------------------------------------------
2.1.4 Relying Party Obligations 4.5, 4.5.2, 4.9.6,
5., 6., 9.6.4, 9.9
------------------------------------------------------
2.1.5 Repository Obligations 2., 4.4.2, 4.4.3,
4.6.6, 4.6.7,
4.7.6, 4.7.7,
4.8.6, 4.8.7
------------------------------------------------------
2.2 Liability 9.6, 9.7, 9.8, 9.9
------------------------------------------------------
2.2.1 CA Liability 9.6.1, 9.7, 9.8,
9.9
------------------------------------------------------
2.2.2 RA Liability 9.6.2, 9.7, 9.8, 9.9
------------------------------------------------------
2.3 Financial Responsibility 9.2
------------------------------------------------------
2.3.1 Indemnification by Relying
Parties 9.9
------------------------------------------------------
2.3.2 Fiduciary Relationships 9.7
------------------------------------------------------
2.4 Interpretation and Enforcement 9.16
------------------------------------------------------
2.4.1 Governing Law 9.14, 9.15
------------------------------------------------------
2.4.2 Severability, Survival,
Merger, Notice 9.10.3, 9.11,
9.16.1, 9.16.3
------------------------------------------------------
2.4.3 Dispute Resolution
Procedures 9.13, 9.16.4
------------------------------------------------------
2.5 Fees 9.1
------------------------------------------------------
2.5.1 Certificate Issuance
or Renewal Fees 9.1.1
------------------------------------------------------
2.5.2 Certificate Access Fees 9.1.2
------------------------------------------------------
2.5.3 Revocation or Status
Information Access Fees 9.1.3
------------------------------------------------------
2.5.4 Fees for Other Services Such
as Policy Information 9.1.4
------------------------------------------------------
2.5.5 Refund Policy 9.1.5
------------------------------------------------------
2.6 Publication and Repository 2.
------------------------------------------------------
2.6.1 Publication of CA
Information 2.2, 4.4.2,
4.4.3, 4.6.6,
4.6.7, 4.7.6,
4.7.7, 4.8.6,
4.8.7
------------------------------------------------------
2.6.2 Frequency of Publication 2.3
------------------------------------------------------
2.6.3 Access Controls 2.4
------------------------------------------------------
2.6.4 Repositories 2.1
------------------------------------------------------
2.7 Compliance Audit 8.
------------------------------------------------------
2.7.1 Frequency of Entity Compliance
Audit 8.1
------------------------------------------------------
2.7.2 Identity/Qualifications of
Auditor 8.2
------------------------------------------------------
2.7.3 Auditor's Relationship to Audited
Party 8.3
------------------------------------------------------
2.7.4 Topics Covered by Audit 8.4
------------------------------------------------------
2.7.5 Actions Taken as a Result of
Deficiency 8.5
------------------------------------------------------
2.7.6 Communications of Results 8.6
------------------------------------------------------
2.8 Confidentiality 9.3, 9.4
------------------------------------------------------
2.8.1 Types of Information to be
Kept Confidential 9.3.1, 9.4.2
------------------------------------------------------
2.8.2 Types of Information Not
Considered Confidential 9.3.2, 9.4.3
------------------------------------------------------
2.8.3 Disclosure of Certificate
Revocation/Suspension
Information 9.3.1, 9.3.2,
9.3.3, 9.4.2,
9.4.3, 9.4.4
------------------------------------------------------
2.8.4 Release to Law Enforcement
Officials 9.3.3, 9.4.6
------------------------------------------------------
2.8.5 Release as Part of Civil
Discovery 9.3.3, 9.4.6
------------------------------------------------------
2.8.6 Disclosure Upon Owner's
Request 9.3.3, 9.4.7
------------------------------------------------------
2.8.7 Other Information Release
Circumstances 9.3.3, 9.4.7
------------------------------------------------------
2.9 Intellectual Property Rights 9.5
------------------------------------------------------
3. Identification and Authentication 3.
------------------------------------------------------
3.1 Initial Registration 3.1, 3.2
------------------------------------------------------
3.1.1 Type of Names 3.1.1
------------------------------------------------------
3.1.2 Need for Names to be
Meaningful 3.1.2, 3.1.3
------------------------------------------------------
3.1.3 Rules for Interpreting
Various Name Forms 3.1.4
------------------------------------------------------
3.1.4 Uniqueness of Names 3.1.5
------------------------------------------------------
3.1.5 Name Claim Dispute
Resolution Procedure 3.1.6
------------------------------------------------------
3.1.6 Recognition, Authentication,
and Role of Trademarks 3.1.6
------------------------------------------------------
3.1.7 Method to Prove Possession
of Private Key 3.2.1
------------------------------------------------------
3.1.8 Authentication of
Organization Identity 3.2.2
------------------------------------------------------
3.1.9 Authentication of
Individual Identity 3.2.3
------------------------------------------------------
3.2 Routine Rekey 3.3.1, 4.6, 4.7
------------------------------------------------------
3.3 Rekey After Revocation 3.3.2
------------------------------------------------------
3.4 Revocation Request 3.4
------------------------------------------------------
4. Operational Requirements 4., 5.
------------------------------------------------------
4.1 Certificate Application 4.1, 4.2, 4.6,
4.7
------------------------------------------------------
4.2 Certificate Issuance 4.2, 4.3, 4.4.3,
4.6, 4.7, 4.8.4,
4.8.6, 4.8.7
------------------------------------------------------
4.3 Certificate Acceptance 4.3.2, 4.4, 4.6,
4.7, 4.8.4-4.8.7
------------------------------------------------------
4.4 Certificate Suspension
and Revocation 4.8, 4.9
------------------------------------------------------
4.4.1 Circumstances for Revocation 4.8.1, 4.9.1
------------------------------------------------------
4.4.2 Who Can Request Revocation 4.8.2, 4.9.2
------------------------------------------------------
4.4.3 Procedure for Revocation
Request 4.8.3-4.8.7,
4.9.3
------------------------------------------------------
4.4.4 Revocation Request
Grace Period 4.9.4
------------------------------------------------------
4.4.5 Circumstances for Suspension 4.9.13
------------------------------------------------------
4.4.6 Who Can Request Suspension 4.9.14
------------------------------------------------------
4.4.7 Procedure for Suspension
Request 4.9.15
------------------------------------------------------
4.4.8 Limits on Suspension Period 4.9.16
------------------------------------------------------
4.4.9 CRL Issuance Frequency
(If Applicable) 4.9.7, 4.9.8,
4.10
------------------------------------------------------
4.4.10 CRL Checking Requirements 4.9.6, 4.10
------------------------------------------------------
4.4.11 On-Line Revocation/
Status Checking
Availability 4.9.9, 4.10
------------------------------------------------------
4.4.12 On-Line Revocation
Checking Requirements 4.9.6, 4.9.10,
4.10
------------------------------------------------------
4.4.13 Other Forms
of Revocation
Advertisements 4.9.11, 4.10
------------------------------------------------------
4.4.14 Checking Requirements
for Other Forms of
Revocation
Advertisements 4.9.6, 4.9.11,
4.10
------------------------------------------------------
4.4.15 Special Requirements re
Key Compromise 4.9.12
------------------------------------------------------
4.5 Security Audit Procedures 5.4
------------------------------------------------------
4.5.1 Types of Events Recorded 5.4.1
------------------------------------------------------
4.5.2 Frequency of Processing Log 5.4.2
------------------------------------------------------
4.5.3 Retention Period for Audit
Log 5.4.3
------------------------------------------------------
4.5.4 Protection of Audit Log 5.4.4
------------------------------------------------------
4.5.5 Audit Log Backup Procedures 5.4.5
------------------------------------------------------
4.5.6 Audit Collection System
(Internal vs. External) 5.4.6
------------------------------------------------------
4.5.7 Notification to Event-Causing
Subject 5.4.7
------------------------------------------------------
4.5.8 Vulnerability Assessments 5.4.8
------------------------------------------------------
4.6 Records Archival 5.5
------------------------------------------------------
4.6.1 Types of Records Archived 5.5.1
------------------------------------------------------
4.6.2 Retention Period for Archive 5.5.2
------------------------------------------------------
4.6.3 Protection of Archive 5.5.3
------------------------------------------------------
4.6.4 Archive Backup Procedures 5.5.4
------------------------------------------------------
4.6.5 Requirements for
Time-Stamping of Records 5.5.5
------------------------------------------------------
4.6.6 Archive Collection System
(Internal or External) 5.5.6
------------------------------------------------------
4.6.6 Procedures to Obtain and
Verify Archive Information 5.5.7
------------------------------------------------------
4.7 Key Changeover 5.6
------------------------------------------------------
4.8 Compromise and Disaster
Recovery 5.7, 5.7.1
------------------------------------------------------
4.8.1 Computing Resources, Software,
and/or Data Are Corrupted 5.7.2
------------------------------------------------------
4.8.2 Entity Public
Key is Revoked 4.9.7, 4.9.9,
4.9.11
------------------------------------------------------
4.8.3 Entity Key is Compromised 5.7.3
------------------------------------------------------
4.8.4 Secure Facility After a Natural
or Other Type of Disaster 5.7.4
------------------------------------------------------
4.9 CA Termination 5.8
------------------------------------------------------
5. Physical, Procedural, and
Personnel Security Controls 5.
------------------------------------------------------
5.1 Physical Controls 5.1
------------------------------------------------------
5.1.1 Site Location and Construction 5.1.1
------------------------------------------------------
5.1.2 Physical Access 5.1.2
------------------------------------------------------
5.1.3 Power and Air Conditioning 5.1.3
------------------------------------------------------
5.1.4 Water Exposures 5.1.4
------------------------------------------------------
5.1.5 Fire Prevention and Protection 5.1.5
------------------------------------------------------
5.1.6 Media Storage 5.1.6
------------------------------------------------------
5.1.7 Waste Disposal 5.1.7
------------------------------------------------------
5.1.8 Off-Site Backup 5.1.8
------------------------------------------------------
5.2 Procedural Controls 5.2
------------------------------------------------------
5.2.1 Trusted Roles 5.2.1, 5.2.4
------------------------------------------------------
5.2.2 Number of Persons
Required per Task 5.2.2, 5.2.4
------------------------------------------------------
5.2.3 Identification and
Authentication for Each Role 5.2.3
------------------------------------------------------
5.3 Personnel Controls 5.3
------------------------------------------------------
5.3.1 Background, Qualifications,
Experience, and Clearance
Requirements 5.3.1
------------------------------------------------------
5.3.2 Background Check Procedures 5.3.2
------------------------------------------------------
5.3.3 Training Requirements 5.3.3
------------------------------------------------------
5.3.4 Retraining Frequency
and Requirements 5.3.4
------------------------------------------------------
5.3.5 Job Rotation Frequency
and Sequence 5.3.5
------------------------------------------------------
5.3.6 Sanctions for
Unauthorized Actions 5.3.6
------------------------------------------------------
5.3.7 Contracting Personnel
Requirements 5.3.7
------------------------------------------------------
5.3.8 Documentation Supplied to
Personnel 5.3.8
------------------------------------------------------
6. Technical Security Controls 6.
------------------------------------------------------
6.1 Key Pair Generation and
Installation 6.1
------------------------------------------------------
6.1.1 Key Pair Generation 6.1.1
------------------------------------------------------
6.1.2 Private Key Delivery to Entity 6.1.2
------------------------------------------------------
6.1.3 Public Key Delivery to
Certificate Issuer 6.1.3
------------------------------------------------------
6.1.4 CA Public Key Delivery to Users 6.1.4
------------------------------------------------------
6.1.5 Key Sizes 6.1.5
------------------------------------------------------
6.1.6 Public Key Parameters Generation 6.1.6
------------------------------------------------------
6.1.7 Parameter Quality Checking 6.1.6
------------------------------------------------------
6.1.8 Hardware/Software Key Generation 6.1.1
------------------------------------------------------
6.1.9 Key Usage Purposes
(as per X.509 v3 Key Usage Field) 6.1.9
------------------------------------------------------
6.2 Private Key Protection 6.2
------------------------------------------------------
6.2.1 Standards for Cryptographic
Module 6.2.1
------------------------------------------------------
6.2.2 Private Key (n out of m)
Multi-Person Control 6.2.2
------------------------------------------------------
6.2.3 Private Key Escrow 6.2.3
------------------------------------------------------
6.2.4 Private Key Backup 6.2.4
------------------------------------------------------
6.2.5 Private Key Archival 6.2.5
------------------------------------------------------
6.2.6 Private Key Entry Into
Cryptographic Module 6.2.6, 6.2.7
------------------------------------------------------
6.2.7 Method of Activating
Private Key 6.2.8
------------------------------------------------------
6.2.8 Method of Deactivating
Private Key 6.2.9
------------------------------------------------------
6.2.9 Method of Destroying Private
Key 6.2.10
------------------------------------------------------
6.3 Other Aspects of Key Pair
Management 6.3
------------------------------------------------------
6.3.1 Public Key Archival 6.3.1
------------------------------------------------------
6.3.2 Usage Periods for the Public
and Private Keys 6.3.2
------------------------------------------------------
6.4 Activation Data 6.4
------------------------------------------------------
6.4.1 Activation Data Generation
and Installation 6.4.1
------------------------------------------------------
6.4.2 Activation Data Protection 6.4.2
------------------------------------------------------
6.4.3 Other Aspects of Activation
Data 6.4.3
------------------------------------------------------
6.5 Computer Security Controls 6.5
------------------------------------------------------
6.5.1 Specific Computer Security
Technical Requirements 6.5.1
------------------------------------------------------
6.5.2 Computer Security Rating 6.5.2
------------------------------------------------------
6.6 Life Cycle Technical Controls 6.6
------------------------------------------------------
6.6.1 System Development Controls 6.6.1
------------------------------------------------------
6.6.2 Security Management Controls 6.6.2
------------------------------------------------------
6.6.3 Life Cycle Security Controls 6.6.3
------------------------------------------------------
6.7 Network Security Controls 6.7
------------------------------------------------------
6.8 Cryptographic Module
Engineering Controls 6.2.1, 6.2,
6.2.1, 6.2.11
------------------------------------------------------
7. Certificate and CRL Profiles 7.
------------------------------------------------------
7.1 Certificate Profile 7.1
------------------------------------------------------
7.1.1 Version Number(s) 7.1.1
------------------------------------------------------
7.1.2 Certificate Extensions 7.1.2
------------------------------------------------------
7.1.3 Algorithm Object Identifiers 7.1.3
------------------------------------------------------
7.1.4 Name Forms 7.1.4
------------------------------------------------------
7.1.5 Name Constraints 7.1.5
------------------------------------------------------
7.1.6 Certificate Policy Object
Identifier 7.1.6
------------------------------------------------------
7.1.7 Usage of Policy Constraints
Extension 7.1.7
------------------------------------------------------
7.1.8 Policy Qualifiers Syntax
and Semantics 7.1.8
------------------------------------------------------
7.1.9 Processing Semantics for
the Critical Certificate
Policies Extension 7.1.9
------------------------------------------------------
7.2 CRL Profile 7.2
------------------------------------------------------
7.2.1 Version Number(s) 7.2.1
------------------------------------------------------
7.2.2 CRL and CRL Entry Extensions 7.2.1
------------------------------------------------------
8. Specification Administration N/A
------------------------------------------------------
8.1 Specification Change
Procedures 9.12
------------------------------------------------------
8.2 Publication and Notification
Policies 2.2, 2.3
------------------------------------------------------
8.3 CPS Approval Procedures 1.5.4
------------------------------------------------------
The following matrix shows the sections in the new framework and the sections in RFC 2527 to which the headings in the new framework correspond.
NEW RFC SECTION          ORIGINAL RFC 2527 SECTION
------------------------------------------------------
1. Introduction 1.
------------------------------------------------------
1.1 Overview 1.1
------------------------------------------------------
1.2 Document Name and Identification 1.2
------------------------------------------------------
1.3 PKI Participants 1.3
------------------------------------------------------
1.3.1 Certification Authorities 1.3.1
------------------------------------------------------
1.3.2 Registration Authorities 1.3.2
------------------------------------------------------
1.3.3 Subscribers 1.3.3
------------------------------------------------------
1.3.4 Relying Parties 1.3.3
------------------------------------------------------
1.3.5 Other Participants N/A
------------------------------------------------------
1.4 Certificate Usage 1.3.4
------------------------------------------------------
1.4.1 Appropriate Certificate Uses 1.3.4
------------------------------------------------------
1.4.2 Prohibited Certificate Uses 1.3.4
------------------------------------------------------
1.5 Policy Administration 1.4
------------------------------------------------------
1.5.1 Organization Administering
the Document 1.4.1
------------------------------------------------------
1.5.2 Contact Person 1.4.2
------------------------------------------------------
1.5.3 Person Determining CPS
Suitability for the Policy 1.4.3
------------------------------------------------------
1.5.4 CPS Approval Procedures 8.3
------------------------------------------------------
1.6 Definitions and Acronyms N/A
------------------------------------------------------
2. Publication and Repository
Responsibilities 2.1.5, 2.6
------------------------------------------------------
2.1 Repositories 2.6.4
------------------------------------------------------
2.2 Publication of Certification
Information 2.6.1, 8.2
------------------------------------------------------
2.3 Time or Frequency of
Publication 2.6.2, 8.2
------------------------------------------------------
2.4 Access Controls on Repositories 2.6.3
------------------------------------------------------
3. Identification and Authentication 3.
------------------------------------------------------
3.1 Naming 3.1
------------------------------------------------------
3.1.1 Type of Names 3.1.1
------------------------------------------------------
3.1.2 Need for Names to be Meaningful 3.1.2
------------------------------------------------------
3.1.3 Anonymity or Pseudonymity of
Subscribers 3.1.2
------------------------------------------------------
3.1.4 Rules for Interpreting Various
Name Forms 3.1.3
------------------------------------------------------
3.1.5 Uniqueness of Names 3.1.4
------------------------------------------------------
3.1.6 Recognition, Authentication,
and Role of Trademarks 3.1.5, 3.1.6
------------------------------------------------------
3.2 Initial Identity Validation 3.1
------------------------------------------------------
3.2.1 Method to Prove Possession
of Private Key 3.1.7
------------------------------------------------------
3.2.2 Authentication of
Organization Identity 3.1.8
------------------------------------------------------
3.2.3 Authentication of Individual
Identity 3.1.9
------------------------------------------------------
3.2.4 Non-Verified Subscriber
Information N/A
------------------------------------------------------
3.2.5 Validation of Authority 3.1.9
------------------------------------------------------
3.2.6 Criteria for Interoperation 4.1
------------------------------------------------------
3.3 Identification and Authentication
for Re-Key Requests 3.2, 3.3
------------------------------------------------------
3.3.1 Identification and
Authentication for Routine
Re-Key 3.2
------------------------------------------------------
3.3.2 Identification and
Authentication for Re-Key
After Revocation 3.3
------------------------------------------------------
3.4 Identification and Authentication
for Revocation Request 3.4
------------------------------------------------------
4. Certificate Life-Cycle
Operational Requirements 4.
------------------------------------------------------
4.1 Certificate Application 4.1
------------------------------------------------------
4.1.1 Who Can Submit a Certificate
Application 4.1
------------------------------------------------------
4.1.2 Enrollment Process and
Responsibilities 2.1.3, 4.1
------------------------------------------------------
4.2 Certificate Application
Processing 4.1, 4.2
------------------------------------------------------
4.2.1 Performing Identification
and Authentication Functions 4.1, 4.2
------------------------------------------------------
4.2.2 Approval or Rejection of
Certificate Applications 4.1, 4.2
------------------------------------------------------
4.2.3 Time to Process
Certificate Applications 4.1, 4.2
------------------------------------------------------
4.3 Certificate Issuance 4.2
------------------------------------------------------
4.3.1 CA Actions During
Certificate Issuance 4.2
------------------------------------------------------
4.3.2 Notifications to Subscriber by
the CA of Issuance of Certificate 4.2, 4.3
------------------------------------------------------
4.4 Certificate Acceptance 2.1.3, 4.3
------------------------------------------------------
4.4.1 Conduct Constituting
Certificate Acceptance 4.3
------------------------------------------------------
4.4.2 Publication of the
Certificate by the CA 2.1.5, 2.6.1, 4.3
------------------------------------------------------
4.4.3 Notification of
Certificate Issuance by
the CA to Other Entities 2.1.5, 2.6.1,
4.2, 4.3
------------------------------------------------------
4.5 Key Pair and
Certificate Usage 1.3.4, 2.1.3,
2.1.4
------------------------------------------------------
4.5.1 Subscriber Private Key
and Certificate Usage 1.3.4, 2.1.3
------------------------------------------------------
4.5.2 Relying Party Public
Key and Certificate
Usage 1.3.4, 2.1.4
------------------------------------------------------
4.6 Certificate Renewal 3.2, 4.1, 4.2,
4.3
------------------------------------------------------
4.6.1 Circumstances for
Certificate Renewal 3.2, 4.1
------------------------------------------------------
4.6.2 Who May Request Renewal 3.2, 4.1
------------------------------------------------------
4.6.3 Processing Certificate
Renewal Requests 3.2, 4.1, 4.2
------------------------------------------------------
4.6.4 Notification of New
Certificate Issuance to
Subscriber 3.2, 4.2, 4.3
------------------------------------------------------
4.6.5 Conduct Constituting
Acceptance of a Renewal
Certificate 2.1.3, 3.2, 4.3
------------------------------------------------------
4.6.6 Publication of the
Renewal Certificate
by the CA 2.1.5, 2.6.1,
3.2, 4.3
------------------------------------------------------
4.6.7 Notification of
Certificate Issuance by
the CA to Other Entities 2.1.5, 2.6.1, 3.2,
4.2, 4.3
------------------------------------------------------
4.7 Certificate Re-Key 3.2, 4.1, 4.2, 4.3
------------------------------------------------------
4.7.1 Circumstances for
Certificate Re-Key 3.2, 4.1
------------------------------------------------------
4.7.2 Who May Request Certification
of a New Public Key 3.2, 4.1
------------------------------------------------------
4.7.3 Processing Certificate
Re-Keying Requests 3.2, 4.1, 4.2
------------------------------------------------------
4.7.4 Notification of New
Certificate Issuance to
Subscriber 3.2, 4.2, 4.3
------------------------------------------------------
4.7.5 Conduct Constituting
Acceptance of a
Re-Keyed Certificate 2.1.3, 3.2, 4.3
------------------------------------------------------
4.7.6 Publication of the
Re-Keyed Certificate
by the CA 2.1.5, 2.6.1,
3.2, 4.3
------------------------------------------------------
4.7.7 Notification of Certificate
Issuance by the CA
to Other Entities 2.1.5, 2.6.1,
3.2, 4.2, 4.3
------------------------------------------------------
4.8 Certificate Modification 4.4
------------------------------------------------------
4.8.1 Circumstances for
Certificate Modification 2.1.3, 4.4.1
------------------------------------------------------
4.8.2 Who May Request Certificate
Modification 4.4.2
------------------------------------------------------
4.8.3 Processing Certificate
Modification Requests 4.4.3
------------------------------------------------------
4.8.4 Notification of New
Certificate Issuance to
Subscriber 4.2, 4.3, 4.4.3
------------------------------------------------------
4.8.5 Conduct Constituting
Acceptance of Modified
Certificate 2.1.3, 4.3, 4.4.3
------------------------------------------------------
4.8.6 Publication of the Modified
Certificate by
the CA 2.1.5, 2.6.1,
4.2, 4.3, 4.4.3
------------------------------------------------------
4.8.7 Notification of
Certificate Issuance by
the CA to Other
Entities 2.1.5, 2.6.1,
4.2, 4.3, 4.4.3
------------------------------------------------------
4.9 Certificate Revocation
and Suspension 4.4
------------------------------------------------------
4.9.1 Circumstances for Revocation 2.1.3, 4.4.1
------------------------------------------------------
4.9.2 Who Can Request Revocation 4.4.2
------------------------------------------------------
4.9.3 Procedure for Revocation
Request 2.1.3, 4.4.3
------------------------------------------------------
4.9.4 Revocation Request Grace
Period 4.4.4
------------------------------------------------------
4.9.5 Time Within Which CA Must
Process the Revocation Request N/A
------------------------------------------------------
4.9.6 Revocation Checking
Requirements for Relying
Parties 2.1.4, 4.4.10,
4.4.12, 4.4.14
------------------------------------------------------
4.9.7 CRL Issuance Frequency 4.4.9, 4.8.3
------------------------------------------------------
4.9.8 Maximum Latency for CRLs 4.4.9
------------------------------------------------------
4.9.9 On-Line Revocation/Status
Checking Availability 4.4.11, 4.8.3
------------------------------------------------------
4.9.10 On-Line Revocation
Checking Requirements 4.4.12
------------------------------------------------------
4.9.11 Other Forms of Revocation
Advertisements Available 4.4.13, 4.4.14,
4.8.3
------------------------------------------------------
4.9.12 Special Requirements re
Key Compromise 4.4.15
------------------------------------------------------
4.9.13 Circumstances for Suspension 2.1.3, 4.4.5
------------------------------------------------------
4.9.14 Who Can Request Suspension 4.4.6
------------------------------------------------------
4.9.15 Procedure for
Suspension Request 2.1.3, 4.4.7
------------------------------------------------------
4.9.16 Limits on Suspension Period 4.4.8
------------------------------------------------------
4.10 Certificate Status Services 4.4.9-4.4.14
------------------------------------------------------
4.10.1 Operational
Characteristics 4.4.9, 4.4.11,
4.4.13
------------------------------------------------------
4.10.2 Service Availability 4.4.9, 4.4.11,
4.4.13
------------------------------------------------------
4.10.3 Operational Features 4.4.9, 4.4.11,
4.4.13
------------------------------------------------------
4.11 End of Subscription N/A
------------------------------------------------------
4.12 Key Escrow and Recovery 6.2.3
------------------------------------------------------
4.12.1 Key Escrow and Recovery Policy
and Practices 6.2.3
------------------------------------------------------
4.12.2 Session Key Encapsulation
and Recovery Policy and
Practices 6.2.3
------------------------------------------------------
5. Facility, Management, and
Operational Controls 2.1.3, 2.1.4,
4., 5.
------------------------------------------------------
5.1 Physical Controls 5.1
------------------------------------------------------
5.1.1 Site Location and Construction 5.1.1
------------------------------------------------------
5.1.2 Physical Access 5.1.2
------------------------------------------------------
5.1.3 Power and Air Conditioning 5.1.3
------------------------------------------------------
5.1.4 Water Exposures 5.1.4
------------------------------------------------------
5.1.5 Fire Prevention and Protection 5.1.5
------------------------------------------------------
5.1.6 Media Storage 5.1.6
------------------------------------------------------
5.1.7 Waste Disposal 5.1.7
------------------------------------------------------
5.1.8 Off-Site Backup 5.1.8
------------------------------------------------------
5.2 Procedural Controls 5.2
------------------------------------------------------
5.2.1 Trusted Roles 5.2.1
------------------------------------------------------
5.2.2 Number of Persons Required
per Task 5.2.2
------------------------------------------------------
5.2.3 Identification and
Authentication for Each Role 5.2.3
------------------------------------------------------
5.2.4 Roles Requiring Separation
of Duties 5.2.1, 5.2.2
------------------------------------------------------
5.3 Personnel Controls 5.3
------------------------------------------------------
5.3.1 Qualifications, Experience,
and Clearance Requirements 5.3.1
------------------------------------------------------
5.3.2 Background Check Procedures 5.3.2
------------------------------------------------------
5.3.3 Training Requirements 5.3.3
------------------------------------------------------
5.3.4 Retraining Frequency
and Requirements 5.3.4
------------------------------------------------------
5.3.5 Job Rotation Frequency
and Sequence 5.3.5
------------------------------------------------------
5.3.6 Sanctions for Unauthorized
Actions 5.3.6
------------------------------------------------------
5.3.7 Independent Contractor
Requirements 5.3.7
------------------------------------------------------
5.3.8 Documentation Supplied to
Personnel 5.3.8
------------------------------------------------------
5.4 Audit Logging Procedures 4.5
------------------------------------------------------
5.4.1 Types of Events Recorded 4.5.1
------------------------------------------------------
5.4.2 Frequency of Processing Log 4.5.2
------------------------------------------------------
5.4.3 Retention Period for Audit
Log 4.5.3
------------------------------------------------------
5.4.4 Protection of Audit Log 4.5.4
------------------------------------------------------
5.4.5 Audit Log Backup Procedures 4.5.5
------------------------------------------------------
5.4.6 Audit Collection System
(Internal vs. External) 4.5.6
------------------------------------------------------
5.4.7 Notification to Event-Causing
Subject 4.5.7
------------------------------------------------------
5.4.8 Vulnerability Assessments 4.5.8
------------------------------------------------------
5.5 Records Archival 4.6
------------------------------------------------------
5.5.1 Types of Records Archived 4.6.1
------------------------------------------------------
5.5.2 Retention Period for Archive 4.6.2
------------------------------------------------------
5.5.3 Protection of Archive 4.6.3
------------------------------------------------------
5.5.4 Archive Backup Procedures 4.6.4
------------------------------------------------------
5.5.5 Requirements for Time-Stamping
of Records 4.6.5
------------------------------------------------------
5.5.6 Archive Collection System
(Internal or External) 4.6.6
------------------------------------------------------
5.5.7 Procedures to Obtain and
Verify Archive
Information 4.6.7
------------------------------------------------------
5.6 Key Changeover 4.7
------------------------------------------------------
5.7 Compromise and Disaster Recovery 4.8
------------------------------------------------------
5.7.1 Incident and Compromise
Handling Procedures 4.8
------------------------------------------------------
5.7.2 Computing Resources, Software,
and/or Data Are Corrupted 4.8.1
------------------------------------------------------
5.7.3 Entity Private Key
Compromise Procedures 4.8.3
------------------------------------------------------
5.7.4 Business Continuity
Capabilities After a
Disaster 4.8.4
------------------------------------------------------
5.8 CA or RA Termination 4.9
------------------------------------------------------
6. Technical Security Controls 2.1.3, 2.1.4,
6.
------------------------------------------------------
6.1 Key Pair Generation and
Installation 6.1
------------------------------------------------------
6.1.1 Key Pair Generation 6.1.1, 6.1.8
------------------------------------------------------
6.1.2 Private Key Delivery to
Subscriber 6.1.2
------------------------------------------------------
6.1.3 Public Key Delivery to
Certificate Issuer 6.1.3
------------------------------------------------------
6.1.4 CA Public Key Delivery to
Relying Parties 6.1.4
------------------------------------------------------
6.1.5 Key Sizes 6.1.5
------------------------------------------------------
6.1.6 Public Key Parameters Generation
and Quality Checking 6.1.6, 6.1.7
------------------------------------------------------
6.1.7 Key Usage Purposes
(as per X.509 v3
Key Usage Field) 6.1.9
------------------------------------------------------
6.2 Private Key Protection and
Cryptographic Module
Engineering Controls 6.2, 6.8
------------------------------------------------------
6.2.1 Cryptographic Module Standards
and Controls 6.2.1, 6.8
------------------------------------------------------
6.2.2 Private Key (n out of m)
Multi-Person Control 6.2.2
------------------------------------------------------
6.2.3 Private Key Escrow 6.2.3
------------------------------------------------------
6.2.4 Private Key Backup 6.2.4
------------------------------------------------------
6.2.5 Private Key Archival 6.2.5
------------------------------------------------------
6.2.6 Private Key Transfer Into
or From a Cryptographic
Module 6.2.6
------------------------------------------------------
6.2.7 Private Key Storage on
Cryptographic Module 6.2.6
------------------------------------------------------
6.2.8 Method of Activating Private
Key 6.2.7
------------------------------------------------------
6.2.9 Method of Deactivating
Private Key 6.2.8
------------------------------------------------------
6.2.10 Method of Destroying
Private Key 6.2.9
------------------------------------------------------
6.2.11 Cryptographic Module Rating 6.2.1, 6.8
------------------------------------------------------
6.3 Other Aspects of Key Pair
Management 6.3
------------------------------------------------------
6.3.1 Public Key Archival 6.3.1
------------------------------------------------------
6.3.2 Certificate Operational
Periods and Key Pair Usage
Periods 6.3.2
------------------------------------------------------
6.4 Activation Data 6.4
------------------------------------------------------
6.4.1 Activation Data Generation
and Installation 6.4.1
------------------------------------------------------
6.4.2 Activation Data Protection 6.4.2
------------------------------------------------------
6.4.3 Other Aspects of Activation
Data 6.4.3
------------------------------------------------------
6.5 Computer Security Controls 6.5
------------------------------------------------------
6.5.1 Specific Computer Security
Technical Requirements 6.5.1
------------------------------------------------------
------------------------------------------------------
6.5.2 Computer Security Rating 6.5.2
------------------------------------------------------
6.6 Life Cycle Technical Controls 6.6
------------------------------------------------------
6.6.1 System Development Controls 6.6.1
------------------------------------------------------
6.6.2 Security Management Controls 6.6.2
------------------------------------------------------
6.6.3 Life Cycle Security Controls 6.6.3
------------------------------------------------------
6.7 Network Security Controls 6.7
------------------------------------------------------
6.8 Time-Stamping N/A
------------------------------------------------------
7. Certificate, CRL, and
OCSP Profiles 7.
------------------------------------------------------
7.1 Certificate Profile 7.1
------------------------------------------------------
7.1.1 Version Number(s) 7.1.1
------------------------------------------------------
7.1.2 Certificate Extensions 7.1.2
------------------------------------------------------
7.1.3 Algorithm Object Identifiers 7.1.3
------------------------------------------------------
7.1.4 Name Forms 7.1.4
------------------------------------------------------
7.1.5 Name Constraints 7.1.5
------------------------------------------------------
7.1.6 Certificate Policy
Object Identifier 7.1.6
------------------------------------------------------
7.1.7 Usage of Policy Constraints
Extension 7.1.7
------------------------------------------------------
7.1.8 Policy Qualifiers Syntax
and Semantics 7.1.8
------------------------------------------------------
7.1.9 Processing Semantics for the
Critical Certificate Policies
Extension 7.1.9
------------------------------------------------------
7.2 CRL Profile 7.2
------------------------------------------------------
7.2.1 Version Number(s) 7.2.1
------------------------------------------------------
7.2.2 CRL and CRL Entry Extesions 7.2.1
------------------------------------------------------
7.3 OCSP Profile N/A
------------------------------------------------------
7.3.1 Version Number(s) N/A
------------------------------------------------------
7.3.2 OCSP Extensions N/A
------------------------------------------------------
8. Compliance Audit and Other
Assessments 2.7
------------------------------------------------------
8.1 Frequency and Circumstances
of Assessment 2.7.1
------------------------------------------------------
8.2 Identity/Qualifications of
Assessor 2.7.2
------------------------------------------------------
8.3 Assessor's Relationship to
Assessed Entity 2.7.3
------------------------------------------------------
8.4 Topics Covered by Assessment 2.7.4
------------------------------------------------------
8.5 Actions Taken as a Result
of Deficiency 2.7.5
------------------------------------------------------
8.6 Communications of Results 2.7.6
------------------------------------------------------
9. Other Business and Legal
Matters 2.
------------------------------------------------------
9.1 Fees 2.5
------------------------------------------------------
9.1.1 Certificate Issuance or
Renewal Fees 2.5.1
------------------------------------------------------
9.1.2 Certificate Access Fees 2.5.2
------------------------------------------------------
9.1.3 Revocation or Status
Information Access Fees 2.5.3
------------------------------------------------------
9.1.4 Fees for Other Services 2.5.4
------------------------------------------------------
9.1.5 Refund Policy 2.5.5
------------------------------------------------------
9.2 Financial Responsibility 2.3
------------------------------------------------------
9.2.1 Insurance Coverage 2.3
------------------------------------------------------
9.2.2 Other Assets 2.3
------------------------------------------------------
9.2.3 Insurance or Warranty Coverage
for End-Entities 2.3
------------------------------------------------------
9.3 Confidentiality of Business
Information 2.8
------------------------------------------------------
9.3.1 Scope of Confidential
Information 2.8.1, 2.8.3
------------------------------------------------------
9.3.2 Information Not Within the
Scope of Confidential
Information 2.8.2, 2.8.3
------------------------------------------------------
9.3.3 Responsibility to Protect
Confidential Information 2.8,
2.8.3-2.8.7
------------------------------------------------------
9.4 Privacy of Personal Information 2.8
------------------------------------------------------
9.4.1 Privacy Plan N/A
------------------------------------------------------
9.4.2 Information Treated as Private 2.8.1, 2.8.3
------------------------------------------------------
9.4.3 Information Not Deemed Private 2.8.2, 2.8.3
------------------------------------------------------
9.4.4 Responsibility to Protect
Private Information 2.8, 2.8.1,
2.8.3
------------------------------------------------------
9.4.5 Notice and Consent to Use
Private Information N/A
------------------------------------------------------
9.4.6 Disclosure Pursuant to
Judicial or Administrative
Process 2.8.4-2.8.5
------------------------------------------------------
9.4.7 Other Information Disclosure
Circumstances 2.8.6-2.8.7
------------------------------------------------------
9.5 Intellectual Property rights 2.9
------------------------------------------------------
9.6 Representations and Warranties 2.2
------------------------------------------------------
9.6.1 CA Representations and
Warranties 2.2.1
------------------------------------------------------
9.6.2 RA Representations and
Warranties 2.2.2
------------------------------------------------------
9.6.3 Subscriber Representations
and Warranties 2.1.3
------------------------------------------------------
9.6.4 Relying Party Representations
and Warranties 2.1.4
------------------------------------------------------
9.6.5 Representations and Warranties
of Other Participants N/A
------------------------------------------------------
9.7 Disclaimers of Warranties 2.2, 2.3.2
------------------------------------------------------
9.8 Limitations of Liability 2.2
------------------------------------------------------
------------------------------------------------------
9.9 Indemnities 2.1.3, 2.1.4,
2.2, 2.3.1
------------------------------------------------------
9.10 Term and Termination N/A
------------------------------------------------------
9.10.1 Term N/A
------------------------------------------------------
9.10.2 Termination N/A
------------------------------------------------------
9.10.3 Effect of Termination and
Survival N/A
------------------------------------------------------
9.11 Individual Notices and
Communications with Participants 2.4.2
------------------------------------------------------
9.12 Amendments 8.1
------------------------------------------------------
9.12.1 Procedure for Amendment 8.1
------------------------------------------------------
9.12.2 Notification Mechanism
and Period 8.1
------------------------------------------------------
9.12.3 Circumstances Under Which OID
Must be Changed 8.1
------------------------------------------------------
9.13 Dispute Resolution Provisions 2.4.3
------------------------------------------------------
9.14 Governing Law 2.4.1
------------------------------------------------------
9.15 Compliance with Applicable Law 2.4.1
------------------------------------------------------
9.16 Miscellaneous Provisions 2.4
------------------------------------------------------
9.16.1 Entire Agreement 2.4.2
------------------------------------------------------
9.16.2 Assignment N/A
------------------------------------------------------
9.16.3 Severability 2.4.2
------------------------------------------------------
9.16.4 Enforcement (Attorney's Fees
and Waiver of Rights) 2.4.3
------------------------------------------------------
9.17 Other Provisions N/A
------------------------------------------------------
8. ACKNOWLEDGMENTS
The development of the predecessor document (RFC 2527) was supported The development of the predecessor document (RFC 2527) was supported
by the Government of Canada's Policy Management Authority (PMA) by the Government of Canada's Policy Management Authority (PMA)
Committee, the National Security Agency, the National Institute of Committee, the National Security Agency, the National Institute of
Standards and Technology (NIST), and the American Bar Association Standards and Technology (NIST), and the American Bar Association
Information Security Committee Accreditation Working Group. Information Security Committee Accreditation Working Group.
This revision effort is largely a result of constant inspiration This revision effort is largely a result of constant inspiration
from Michael Baum. Michael Power, Mike Jenkins, and Alice Sturgeon from Michael Baum. Michael Power, Mike Jenkins, and Alice Sturgeon
have also made several contributions. have also made several contributions.
7. REFERENCES 9. REFERENCES
[ABA1] American Bar Association, Digital Signature Guidelines: [ABA1] American Bar Association, Digital Signature Guidelines:
Legal Infrastructure for Certification Authorities and Secure Legal Infrastructure for Certification Authorities and Secure
Electronic Commerce, 1996. Electronic Commerce, 1996.
[ABA2] American Bar Association, PKI Assessment Guidelines, v0.30, [ABA2] American Bar Association, PKI Assessment Guidelines, v0.30,
Public Draft For Comment, June 2001. Public Draft For Comment, June 2001.
[BAU1] Michael. S. Baum, Federal Certification Authority Liability [BAU1] Michael. S. Baum, Federal Certification Authority Liability
and Policy, NIST-GCR-94-654, June 1994, available at and Policy, NIST-GCR-94-654, June 1994, available at
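Review bot: In the section-mapping table, the new 7.2.2 row misspells "Extensions" as "Extesions" and points to RFC 2527 section 7.2.1, the same target as the 7.2.1 Version Number(s) row directly above it. Confirm whether 7.2.2 was the intended target and correct the spelling. Smaller points in the same table: the separator line is doubled before the 6.5.2 row and before the 9.9 row, which looks like page-break residue, and "9.5 Intellectual Property rights" breaks the title case used by the other rows. The heading "8. ACKNOWLEDGMENTS" also follows immediately after table rows that are themselves numbered 8. and 9., so a blank line or a closing caption after the 9.17 row would keep the section heading from reading as another table entry.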
skipping to change at page 53, line 5 skipping to change at page 78, line 44
[PEM1] S. Kent, "Privacy Enhancement for Internet Electronic Mail, [PEM1] S. Kent, "Privacy Enhancement for Internet Electronic Mail,
Part II: Certificate-Based Key Management," Internet RFC 1422, 1993. Part II: Certificate-Based Key Management," Internet RFC 1422, 1993.
[PKI1] R. Housley, W. Ford, W. Polk, D. Solo, "Internet X.509 Public [PKI1] R. Housley, W. Ford, W. Polk, D. Solo, "Internet X.509 Public
Key Infrastructure, Certificate and CRL Profile," RFC 2459 1998. Key Infrastructure, Certificate and CRL Profile," RFC 2459 1998.
[CPF] S. Chokhani and W. Ford, "Internet X.509 Public Key [CPF] S. Chokhani and W. Ford, "Internet X.509 Public Key
Infrastructure, Certificate Policy and Certification Practices Infrastructure, Certificate Policy and Certification Practices
Statement Framework," RFC 2527, April 1998. Statement Framework," RFC 2527, April 1998.
8. AUTHORS' ADDRESSES 10. AUTHORS' ADDRESSES
Santosh Chokhani Santosh Chokhani
CygnaCom Solutions, Inc., an Entrust company Orion Security Solutions, Inc.
7927 Jones Branch Drive, Suite 100 West 3410 N. Buchanan Street, Arlington, VA 22207
McLean, VA 22102 (703) 237-4621 (O)
Phone: (703) 270-3520 (703) 237-4920 (Fax)
Fax: (703) 848-0960 chokhani@orionsec.com
EMail: chokhani@cygnacom.com
Warwick Ford Warwick Ford
VeriSign, Inc. VeriSign, Inc.
401 Edgewater Place, Suite 280 401 Edgewater Place, Suite 280, Wakefield, MA 01880
Wakefield, MA 01880
Phone: (781) 245-6996 x225 Phone: (781) 245-6996 x225
Fax: (781) 245-6006 Fax: (781) 245-6006
EMail: wford@verisign.com EMail: wford@verisign.com
Randy V. Sabett, J.D., CISSP Randy V. Sabett, J.D., CISSP
Cooley Godward LLP Cooley Godward LLP
One Freedom Square, Reston Town Center One Freedom Square, Reston Town Center
11951 Freedom Drive 11951 Freedom Drive, Reston, VA 20190-5656
Reston, VA 20190-5601
Phone: (703) 456-8137 Phone: (703) 456-8137
Fax: (703) 456-8100 Fax: (703) 456-8100
EMail: rsabett@cooley.com EMail: rsabett@cooley.com
Charles (Chas) R. Merrill Charles (Chas) R. Merrill
McCarter & English, LLP McCarter & English, LLP
Four Gateway Center Four Gateway Center
100 Mulberry Street 100 Mulberry Street, Newark, New Jersey 07101-0652
Newark, New Jersey 07101-0652
Phone: (973) 622-4444 Phone: (973) 622-4444
Fax: (973) 624-7070 Fax: (973) 624-7070
EMail: cmerrill@concentric.net EMail: cmerrill@mccarter.com
Stephen S. Wu Stephen S. Wu
Infoliance, Inc. Infoliance, Inc.
101 First St. # 725 101 First St. # 725, Los Altos, CA 94022
Los Altos, CA 94022
Phone: (650) 917-8045 Phone: (650) 917-8045
Fax: (650) 618-1454 Fax: (650) 618-1454
EMail: swu@infoliance.com EMail: swu@infoliance.com
NOTES NOTES
1 A paper copy of the ABA Digital Signature Guidelines can be 1 A paper copy of the ABA Digital Signature Guidelines can be
purchased from the ABA. See http://www.abanet.com for ordering purchased from the ABA. See http://www.abanet.com for ordering
details. The DSG may also be downloaded without charge from the ABA details. The DSG may also be downloaded without charge from the ABA
website at website at
http://www.abanet.org/scitech/ec/isc/digital_signature.html. http://www.abanet.org/scitech/ec/isc/digital_signature.html.
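Review bot: Santosh Chokhani's new address block drops the "Phone:", "Fax:" and "EMail:" labels that the other four author entries keep, leaving "(703) 237-4621 (O)" and "(703) 237-4920 (Fax)" in a one-off format. Use the labelled form so the block matches the rest. Two things to confirm while here: Randy Sabett's ZIP code changes from 20190-5601 to 20190-5656 although the street address is otherwise unchanged, and note 1 (unchanged in this revision) gives http://www.abanet.com for ordering but http://www.abanet.org for the download.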
skipping to change at page 55, line 4 skipping to change at page 80, line 40
Accountants. Accountants.
10 See <http://www.aicpa.org>. 10 See <http://www.aicpa.org>.
11 All or some of the following items may be different for the 11 All or some of the following items may be different for the
various types of entities, i.e., CA, RA, and end entities. various types of entities, i.e., CA, RA, and end entities.
LIST OF ACRONYMS LIST OF ACRONYMS
ABA - American Bar Association ABA - American Bar Association
CA - Certification Authority CA - Certification Authority
CP - Certificate Policy
CPS - Certification Practice Statement CPS - Certification Practice Statement
CRL - Certificate Revocation List CRL - Certificate Revocation List
DAM - Draft Amendment DAM - Draft Amendment
FIPS - Federal Information Processing Standard FIPS - Federal Information Processing Standard
I&A - Identification and Authentication I&A - Identification and Authentication
IEC - International Electrotechnical Commission IEC - International Electrotechnical Commission
IETF - Internet Engineering Task Force IETF - Internet Engineering Task Force
IP - Internet Protocol IP - Internet Protocol
ISO - International Organization for Standardization ISO - International Organization for Standardization
ITU - International Telecommunications Union ITU - International Telecommunications Union
NIST - National Institute of Standards and Technology NIST - National Institute of Standards and Technology
OID - Object Identifier OID - Object Identifier
PIN - Personal Identification Number PIN - Personal Identification Number
PKI - Public Key Infrastructure PKI - Public Key Infrastructure
PKIX - Public Key Infrastructure (X.509) (IETF Working Group) PKIX - Public Key Infrastructure (X.509) (IETF Working Group)
RA - Registration Authority RA - Registration Authority
RFC - Request For Comment RFC - Request For Comment
URL - Uniform Resource Locator URL - Uniform Resource Locator
US - United States US - United States
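Review bot: The acronym list gains "CP - Certificate Policy" but still has no entry for OCSP, although this revision's mapping table introduces "7. Certificate, CRL, and OCSP Profiles" and the 7.3 OCSP Profile rows. Add an OCSP entry between NIST and OID so every acronym used in the new outline is defined. The unchanged entry "RFC - Request For Comment" could be aligned with the usual "Request for Comments" in the same pass.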
< draft-ietf-pkix-ipki-new-rfc2527-01.txt > < draft-ietf-pkix-ipki-new-rfc2527-02.txt >
Expires in six months from January 3, 2002 Expires in six months from April 22, 2003
 End of changes. 35 change blocks. 
133 lines changed or deleted 1546 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/