ACP 185
UNCLASSIFIED
607. Generation and transport of the certificate signing request
• The NDPKI operating the CA to be cross-certified will arrange for the generation of the principal cross-certificate request at a mutually agreed date and time. At least two persons will act as witnesses of the generation of the certificate request. The Nation that will sign the cross-certificate request may have a representative at the generation.
• The principal cross-certificate request will be generated in an agreed file format.
• Authorised witnesses will record the requesting CA's thumbprint, e.g. a hash of its public key.
• The request is saved to a medium or application suitable for transportation (e.g. on a CD).
• The request is safe handed [4] to authorised national representatives of the other CCEB Member Nation.
• The request is delivered to the cross-certifying NDPKI environment.
608. Signing and publishing the principal cross-certificate
• Prior to signing the request, the cross-certifying NDPKI CA checks that the request has not been tampered with, by verifying the CA's thumbprint on the request file.
• After checking that the request has not been tampered with, the principal cross-certificate is signed by the applicable cross-certifying CCEB Member Nation CA.
• The principal cross-certificate is returned to the originating CCEB Member Nation by a mutually agreed secure mechanism (e.g. safe hand).
• The principal cross-certificate will be published to a location where it is accessible by Relying Parties (i.e. Subscribers) of the cross-certified NDPKI.
Note: The indicative process described above is a one way process, i.e. the trust is one<br />
way. The process will need to be repeated with roles reversed for mutual trust.<br />
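The thumbprint check in paragraphs 607 and 608, as an added example that is not part of ACP 185. It assumes the agreed file format is a DER-encoded PKCS#10 request and that the thumbprint is the SHA-256 hash of the SubjectPublicKeyInfo, neither of which the text specifies; `sample_csr` is a hypothetical helper that builds a constructed skeleton with placeholder key and signature bytes, so the request's own signature is not checked here.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of file")
    return tag, pos, pos + length

def spki_from_csr(der):
    """Return the raw SubjectPublicKeyInfo bytes of a PKCS#10 request."""
    tag, pos, end = read_tlv(der, 0)           # CertificationRequest
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, pos, info_end = read_tlv(der, pos)    # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    for expected in (0x02, 0x30):              # skip version, then subject Name
        tag, _, pos = read_tlv(der, pos)
        if tag != expected:
            raise ValueError("unexpected field in request")
    tag, _, spki_end = read_tlv(der, pos)      # subjectPKInfo
    if tag != 0x30 or spki_end > info_end:
        raise ValueError("malformed subjectPKInfo")
    return der[pos:spki_end]

def thumbprint(der):  # value the witnesses record at generation (assumed SHA-256)
    return hashlib.sha256(spki_from_csr(der)).hexdigest()

def matches_witnessed(der, witnessed):  # check made before signing
    return thumbprint(der) == witnessed.replace(":", "").replace(" ", "").lower()

def tlv(tag, value):  # DER-encode one element; only used to build the sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_csr(key_bytes, subject=b""):  # constructed skeleton, not a real CSR
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key_bytes))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, subject) + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x5a" * 64))
```

A public-key thumbprint covers only the key: a change to the subject name or attributes in the request file leaves it unchanged, so those fields need their own review before signing.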
Uncontrolled copy when printed<br />
[4] Alternatively by any mutually agreed secure method.