UNCLASSIFIED
ACP 185
CHAPTER 2
CERTIFICATE POLICY MAPPING CRITERIA
OVERVIEW
201. Certificate Policies (CP) under which Certification Authorities (CA) are
established and operate can vary, as can the requirements for creating and managing
certificates. Differences, if not known and managed, can introduce risks to entities
exercising a CCA. Determining comparability and equivalence between CCEB National
Defence certificate policies is critical prior to moving forward with the
cross-certification of PKIs.
BASELINE REQUIREMENTS
202. The CCEB Nations have agreed to a minimum set of standards that all NDPKIs
must meet. This minimum set of standards is known as the CP Mapping Criteria (CPMC)
and can be found in Annex A of this document. All PKI certificates issued by
interoperable CCEB NDPKIs will be based on the Internet Engineering Task Force
(IETF) Request for Comments (RFC) 5280.
SELF-ASSERTION
203. Each CCEB nation will compare their CPs against the mapping criteria found in
Annex A and confirm their compliance or equivalence to the requirements and any stated
guidance listed therein. This process is called self-assertion.
RECORDING AND DISTRIBUTING RESULTS OF THE SELF-ASSERTION
204. The NDPKI Policy Management Authority (PMA) will notify the PMAs of each
CCEB NDPKI when they have completed their self-assertion and will make available the
formal self-assertion to the NDPKI PMA that they plan to be, or are, cross-certified with.
Additionally, where a criterion in relation to the CPMC cannot be met entirely, the NDPKI
PMAs involved shall reach an agreement on the resolution of non-conformance. Such
agreement will be documented and be made available to the other Participant of the bilateral
cross-certification.
Uncontrolled copy when printed
FREQUENCY OF SELF-ASSERTION
205. A CCEB nation is required to complete a self-assertion prior to entering into any
CCA with another CCEB nation or issuing a cross-certificate from their NDPKI to
another CCEB NDPKI. After the initial self-assertion, each NDPKI PMA in a bilateral
arrangement shall revalidate the self-assertion on an annual basis and shall share the
results with the other NDPKI PMA in the bilateral arrangement. Additionally, NDPKI
PMAs shall reassert compliance against the CPMC when an applicable NDPKI CP is
amended and shall notify the other NDPKI PMA if any areas of non-compliance have