ACP 185
UNCLASSIFIED
ANNEX A TO
ACP 185

X.509 CERTIFICATE POLICY MAPPING CRITERIA (CPMC) INTRODUCTION

The CPMC follows the format of the Internet Engineering Task Force Public Key Infrastructure X.509 (IETF PKIX) RFC 3647, Certificate Policy and Certification Practices Framework. The CERTIFICATE POLICY MAPPING CRITERIA (CPMC) was developed based on RFC 3647 and the collective Certificate Policies from each of the representative Combined Communications Electronics Board (CCEB) member nations.
The CPMC states the criteria against which National Defence Public Key Infrastructure (NDPKI) Policy Management Authorities (PMAs) assess their NDPKIs. Each NDPKI PMA shall formally assess its NDPKI CPs against the CPMC and assert compliance. This process is known as self-assertion. The CPMC sets the minimum standards that shall be met. Where a criterion cannot be met entirely, the NDPKI PMAs involved shall reach an agreement on the resolution of the non-conformance.
1.1 Overview

1.1.1 Certificate Policy (CP)

Certificates shall contain at least one registered certificate policy object identifier (OID), which shall be used by a Relying Party to decide whether a certificate is trusted for a particular purpose. The OID corresponds to a specific set of configuration, physical and technical security policy requirements and (optionally) functionality specified in the CCA. The bi-lateral mapping of policy identifiers between two NDPKIs shall be documented and be available to Relying Parties. Each certificate will assert the appropriate OID using the X.509 certificatePolicies extension.
1.2 Document Name and Identification

NDPKI CPs shall be identified using an OID registered in each Nation’s Object ID Registry. There are three general policies for certificates: Device, Hardware, and Software.

A Device OID shall only be used in cross-certificates which map to a member policy OID that is only for devices.

The Hardware and Software OIDs may be used for certificates issued to people, roles or devices.
The Hardware OID shall only be asserted in a cross-certificate if the member policy OID for the subscriber certificates requires that:

• Keys shall be generated in a hardware cryptographic module. If generated off token, no copies, other than authorized escrowed copies of the private keys associated with Encryption certificates, continue to exist after the generation and insertion process has completed.

Uncontrolled copy when printed
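The mechanism that sections 1.1.1 and 1.2 rely on, shown as an added example that is not part of ACP 185 and not any nation's PKI software: a Relying Party in Nation A trusts only its own root and requires its own Hardware OID; the cross-certificate its CA issues to Nation B's CA carries the bilateral mapping from Nation A's OIDs to Nation B's OIDs; and the subscriber certificate asserts Nation B's OID in its certificatePolicies extension. The code walks the path the way RFC 5280 section 6.1 does, reduced to the mapping step (no anyPolicy in certificates, no policy constraints or inhibit flags). All policy OIDs are constructed placeholders, and the certificates are plain Python records rather than parsed X.509 objects. The last case shows why the criterion in 1.2 matters: if a cross-certificate maps the Hardware OID to a member policy that does not require hardware key generation, a certificate for a software-protected key is accepted wherever the Hardware policy is required.

```python
"""Policy processing for a path through a bilateral cross-certificate.

Added example; not part of ACP 185 and not any NDPKI's software. It follows the
policy-processing steps of RFC 5280 section 6.1 in simplified form (no anyPolicy
in certificates, no policy constraints or inhibit flags), so only the mapping
step the text describes is exercised. Every OID below except anyPolicy is a
constructed placeholder, not a value registered by any nation.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"   # anyPolicy (RFC 5280); used only at the tree root

# Constructed placeholder policy OIDs for two fictional NDPKIs.
A_HARDWARE = "1.2.3.4.1"     # Nation A "Hardware" policy
A_SOFTWARE = "1.2.3.4.2"     # Nation A "Software" policy
B_TOKEN = "1.2.5.6.1"        # Nation B policy requiring hardware key generation
B_FILE = "1.2.5.6.2"         # Nation B policy allowing software-protected keys


@dataclass
class Cert:
    """Just the fields that policy processing reads."""
    subject: str
    policies: frozenset                 # certificatePolicies OIDs asserted
    # policyMappings: issuerDomainPolicy -> set of subjectDomainPolicy
    # (present only in cross-certificates)
    policy_mappings: dict = field(default_factory=dict)


@dataclass
class Node:
    """A node of the RFC 5280 valid_policy_tree."""
    valid_policy: str
    expected: frozenset                 # policies the next certificate may assert
    parent: "Node | None"


def valid_relying_party_policies(path, user_initial_policies):
    """Return the relying party's own policy OIDs under which path[-1] is valid.

    `path` runs from the certificate issued by the trust anchor down to the
    end-entity certificate. The answer is expressed in the trust anchor's (the
    relying party's) domain, which is what it compares with its required OID.
    """
    if not path:
        return frozenset()
    root = Node(ANY_POLICY, frozenset({ANY_POLICY}), None)
    leaves = [root]
    for cert in path:
        # A policy asserted in this certificate extends every leaf whose
        # expected set names it (the root expects anyPolicy, so accepts all).
        children = [Node(p, frozenset({p}), parent)
                    for p in sorted(cert.policies)
                    for parent in leaves
                    if p in parent.expected or ANY_POLICY in parent.expected]
        if not children:
            return frozenset()          # no policy survives this certificate
        # policyMappings rewrite what the *next* certificate may assert.
        for node in children:
            mapped = cert.policy_mappings.get(node.valid_policy)
            if mapped:
                node.expected = frozenset(mapped)
        leaves = children
    # Intersect with user-initial-policy-set at depth 1: the policy as named in
    # the trust anchor's domain, before any mapping was applied.
    result = set()
    for leaf in leaves:
        node = leaf
        while node.parent is not root:
            node = node.parent
        if node.valid_policy in user_initial_policies:
            result.add(node.valid_policy)
    return frozenset(result)


def correct_cross_cert():
    """Nation A CA -> Nation B CA cross-certificate whose mappings meet the
    criteria: A's Hardware OID maps only to B's hardware-key policy."""
    return Cert("Nation B CA", frozenset({A_HARDWARE, A_SOFTWARE}),
                {A_HARDWARE: {B_TOKEN}, A_SOFTWARE: {B_FILE}})


def mismapped_cross_cert():
    """Cross-certificate that breaks the criteria: A's Hardware OID is also
    mapped to a B policy that does not require hardware key generation."""
    return Cert("Nation B CA", frozenset({A_HARDWARE, A_SOFTWARE}),
                {A_HARDWARE: {B_TOKEN, B_FILE}, A_SOFTWARE: {B_FILE}})


def decide(cross_cert, ee_policy, required):
    """Relying-party decision for a Nation B subscriber certificate asserting
    `ee_policy`, where Nation A's `required` policy is demanded."""
    ee = Cert("Nation B subscriber", frozenset({ee_policy}))
    return required in valid_relying_party_policies([cross_cert, ee], {required})


if __name__ == "__main__":
    print(decide(correct_cross_cert(), B_TOKEN, A_HARDWARE))   # True
    print(decide(correct_cross_cert(), B_FILE, A_HARDWARE))    # False
    print(decide(mismapped_cross_cert(), B_FILE, A_HARDWARE))  # True: software key passes as Hardware
```

The decision is taken entirely in Nation A's OID space: the subscriber certificate never carries Nation A's OID, and the Relying Party never needs to know Nation B's OIDs, because the cross-certificate's policyMappings extension is the documented bilateral mapping that 1.1.1 requires. That is also why the mapping itself is the thing a PMA must get right: a reviewer auditing a cross-certificate should confirm that each issuerDomainPolicy is mapped only to member policies that satisfy the corresponding criteria in 1.2.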