ACP 185

More documents

Recommendations

Info

UNCLASSIFIED ACP 185 505. There are three classes of algorithms typically used in PKI - hashing, encryption, and key agreement. Hashing and encryption are used for authentication and digital signature. Either an encryption or key agreement algorithm is used for data encryption. Additionally, encryption and key agreement algorithms may use different key sizes. ALGORITHM COORDINATION 506. As algorithms deprecate, Participant nations are to review the level of assurance asserted in the CCA and notify the other Participant of any change it proposes to make in relation to OID mappings. 507. In addition, Nations are required to declare in advance their intent with regards to algorithm migrations to provide the opportunity for all Nations to prepare for the potential change. This declaration should include a timeline for the transition, including the period of time where multiple algorithms (old and new) will be used and accepted by the Nation’s PKI and relying parties. If possible, the declaration should also include known or anticipated interoperability impacts. Uncontrolled copy when printed 5-2 UNCLASSIFIED
UNCLASSIFIED ACP 185 INTRODUCTION CHAPTER 6 PROCESS FOR CROSS-CERTIFICATION 601. Cross-certification is the preferred mechanism for formal and reciprocal recognition of trust between the NDPKIs of two CCEB Member Nations. Once the two NDPKIs have completed interoperability testing and signed a CCA, the generation, exchange and signing of principal cross-certificates is achieved through a formally managed process known as a Cross-certification signing ceremony. 602. The process for generating, exchanging and signing principal cross-certificates is outlined below. A cross-certification signing ceremony template can be found at Annex C. CCEB nations may modify the template to suit their individual cross-certification requirements. 603. The goal is for the cross-certified community to be able to trust that the procedures involved were executed correctly, and that the private key materials are stored securely. Security of the private key is important because it ensures that any signature made by that key is known to originate from a legitimate key ceremony, and not by an untrusted third party. 604. For the initial generation and signing of principal cross-certificates, at least one authorised representative from both CCEB Member Nations is required to act as a witness 3 at the Cross-Certification Signing Ceremony. The generation and signing of subsequent principal cross-certificates between two NDPKIs will be at the discretion of each nation through an agreed secure mechanism. Participants will determine if authorised representatives from both nations are required to witness subsequent Cross- Certification Signing Ceremonies. PROCESS 605. Nations will mutually agree to the process for generation and delivery of the cross-certificate request (CSR) and signing and publication of Principal Cross-Certificate. Uncontrolled copy when printed 606. The following outlines an indicative process for the generation, exchange and signing of principal cross-certificates. 3 The role of the witness is to confirm that the certificate details conform to the authorised certificate policy. Witnesses must sign statements to attest that the cross certification signing ceremony proceedings have been carried out correctly. 6-1 UNCLASSIFIED
Page 1 and 2: UNCLASSIFIED ACP 185 Public Key Inf
Page 3 and 4: UNCLASSIFIED ACP 185 THE COMBINED C
Page 5 and 6: UNCLASSIFIED ACP 185 TABLE OF CONTE
Page 7 and 8: UNCLASSIFIED ACP 185 ANNEX C ......
Page 9 and 10: UNCLASSIFIED ACP 185 existing polic
Page 11 and 12: UNCLASSIFIED ACP 185 arisen as a re
Page 13 and 14: UNCLASSIFIED ACP 185 • Subject al
Page 15 and 16: UNCLASSIFIED ACP 185 CHAPTER 4 CROS
Page 17: UNCLASSIFIED ACP 185 INTRODUCTION C
Page 21 and 22: UNCLASSIFIED ACP 185 CHAPTER 7 GOVE
Page 23 and 24: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 25 and 26: UNCLASSIFIED ANNEX A TO ACP 185 use
Page 27 and 28: UNCLASSIFIED ANNEX A TO ACP 185 IDE
Page 29 and 30: UNCLASSIFIED ANNEX A TO ACP 185 1.1
Page 31 and 32: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 33 and 34: UNCLASSIFIED ANNEX A TO ACP 185 An
Page 37 and 38: UNCLASSIFIED ANNEX A TO ACP 185 CAs
Page 39 and 40: UNCLASSIFIED ANNEX A TO ACP 185 The
Page 43 and 44: UNCLASSIFIED ANNEX A TO ACP 185 pro
Page 45 and 46: UNCLASSIFIED ANNEX A TO ACP 185 CA,
Page 47 and 48: UNCLASSIFIED ANNEX A TO ACP 185 Sho
Page 49 and 50: UNCLASSIFIED ANNEX A TO ACP 185 Sof
Page 51 and 52: UNCLASSIFIED ANNEX A TO ACP 185 Cer
Page 53 and 54: UNCLASSIFIED ANNEX A TO ACP 185 Cro
Page 57 and 58: UNCLASSIFIED ANNEX A TO ACP 185 Fie
Page 67 and 68: UNCLASSIFIED ANNEX A TO ACP 185 id-
Page 69 and 70:
UNCLASSIFIED ANNEX A TO ACP 185 1.4
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
UNCLASSIFIED ANNEX B TO ACP 185 In
Page 77 and 78:
UNCLASSIFIED ANNEX B TO ACP 185 Mil
Page 79 and 80:
UNCLASSIFIED ANNEX B TO ACP 185 the
Page 81 and 82:
UNCLASSIFIED ANNEX B TO ACP 185 4.4
Page 83 and 84:
UNCLASSIFIED ANNEX B TO ACP 185 Any
Page 85 and 86:
UNCLASSIFIED ANNEX B TO ACP 185 Sig
Page 87 and 88:
UNCLASSIFIED ANNEX B TO ACP 185 SCH
Page 89 and 90:
UNCLASSIFIED ANNEX C TO ACP 185 CRO
Page 91 and 92:
UNCLASSIFIED ANNEX C TO ACP 185 WIT
Page 93 and 94:
UNCLASSIFIED ANNEX C TO ACP 185 g)
Page 95 and 96:
UNCLASSIFIED ANNEX C TO ACP 185 •
Page 97 and 98:
CA Certificate UNCLASSIFIED Certifi
Page 99 and 100:
NDPKI UNCLASSIFIED National Defence
Page 101 and 102:
System equipment configuration Syst
Page 103:
KES Key Escrow Server UNCLASSIFIED
show all

ACP 185

Create successful ePaper yourself

Delete template?

Save as template?