ACP 185
UNCLASSIFIED
ANNEX A TO ACP 185
A request for re-key shall only be made by a Subscriber (or PKI sponsor acting on the Subscriber's behalf) in whose name the keys have been issued.

For certificates issued in hardware, the entity shall use the valid signature certificate and associated private key stored on the hardware token to authenticate to the CA. The process shall ensure that the signature keys are generated within the hardware token or, in the case of externally generated keys, are inserted in the appropriate token, and the entity or PKI sponsor shall provide proof of possession of its current private key.

Re-key requests for certificates shall be identified and authenticated on the basis of current valid Subscriber certificates. The validity period of the new certificate shall not extend beyond the periodic in-person authentication requirements listed in the table below.
Certificate Type    In Person Authentication Requirement
Software            9 Years
Hard Token          6 Years
Device              9 Years
For CA Key Changeover see 5.6 Key Changeover.

1.13.2 Identification and Authentication for Re-key after Revocation

Where the information in a certificate has changed or where the certificate is revoked, the CA shall authenticate a re-key in the same manner as in initial identity validation. Any change in the information contained in the certificate shall be verified before the certificate is issued.

1.14 Identification and Authentication for Revocation Request

Revocation requests shall be authenticated.

1.15 Identification and Authentication for Key Recovery Request

The identity of the requestor shall be authenticated either in a face-to-face authentication as specified in Section 3.2.3 or using a digital signature based on a valid certificate with cryptographic strength at least that of the certificate of the key to be recovered.
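The re-key rules above (who may request, authentication with the current valid certificate, the validity ceiling from the in-person table, and the fall-back to initial identity validation after revocation) together with the Section 1.15 strength comparison can be encoded as a small policy check. This is an added example, not text or code from ACP 185; the bit-strength table is an assumption taken from NIST SP 800-57 equivalences, and all certificates and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# In-person authentication requirement per certificate type (table above).
IN_PERSON_YEARS = {"software": 9, "hard_token": 6, "device": 9}
# Bits of security per key type/size (assumption: NIST SP 800-57 equivalences).
STRENGTH_BITS = {("rsa", 2048): 112, ("rsa", 3072): 128, ("rsa", 7680): 192,
                 ("ec", 256): 128, ("ec", 384): 192, ("ec", 521): 256}

@dataclass
class Cert:
    subject: str
    cert_type: str          # "software", "hard_token" or "device"
    algorithm: str          # "rsa" or "ec"
    key_bits: int
    not_after: date
    sponsor: str = ""       # PKI sponsor allowed to act for the Subscriber
    revoked: bool = False
    def is_valid(self, on: date) -> bool:
        return not self.revoked and on <= self.not_after

def rekey_decision(current: Cert, requester: str, last_in_person: date,
                   new_not_after: date, today: date) -> str:
    """Who may request re-key, how it is authenticated, and the validity ceiling."""
    if not requester or requester not in (current.subject, current.sponsor):
        return "reject: requester is neither Subscriber nor PKI sponsor"
    if not current.is_valid(today):     # revoked or expired: 1.13.2 applies
        return "initial_identity_validation_required"
    # Deadline = last in-person authentication plus the table's year count
    deadline = last_in_person.replace(year=last_in_person.year + IN_PERSON_YEARS[current.cert_type])
    if new_not_after > deadline:
        return "reject: validity exceeds in-person authentication window"
    return "authenticate_with_current_cert"

def recovery_signature_acceptable(signing: Cert, recovered: Cert, today: date) -> bool:
    # 1.15: signing certificate valid and at least as strong as the recovered key's
    return (signing.is_valid(today) and STRENGTH_BITS[(signing.algorithm, signing.key_bits)]
            >= STRENGTH_BITS[(recovered.algorithm, recovered.key_bits)])

def run_samples() -> dict:
    """Constructed sample certificates and requests; returns each decision."""
    today, seen = date(2024, 1, 1), date(2020, 1, 1)
    token = Cert("alice", "hard_token", "rsa", 2048, date(2025, 1, 1), sponsor="sponsor1")
    revoked = Cert("bob", "software", "ec", 256, date(2025, 1, 1), revoked=True)
    ec_cert = Cert("carol", "hard_token", "ec", 256, date(2025, 1, 1))
    return {
        "in_window": rekey_decision(token, "alice", seen, date(2026, 1, 1), today),
        "past_window": rekey_decision(token, "sponsor1", seen, date(2026, 1, 2), today),
        "revoked": rekey_decision(revoked, "bob", seen, date(2025, 1, 1), today),
        "ec_signs_for_rsa": recovery_signature_acceptable(ec_cert, token, today),  # 128 >= 112
        "rsa_signs_for_ec": recovery_signature_acceptable(token, ec_cert, today),  # 112 < 128
    }
```

A hard-token certificate last authenticated in person on 1 January 2020 may be re-keyed up to 1 January 2026 but not a day later; the date arithmetic does not handle a 29 February anniversary.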
CERTIFICATE LIFE-CYCLE
1.16 Certificate Application

The applicant and the CMA shall perform the following steps when an applicant applies for a certificate:

• Establish and record the identity of the Subscriber (per Section 3.2);
A-9<br />