ACP 185

More documents

Recommendations

Info

UNCLASSIFIED ANNEX A TO ACP 185 1.25 Certificate Status Services Certificate Status Services are provided by CSAs. CSAs are not a required component of the NDPKI. If supported as part of the NDPKI, the CSA is considered an integral part of the CAS and, except where expressly noted, all requirements imposed on CAS apply. 1.25.1 Operational Characteristics A CSA shall meet the following requirements: • The CSA shall be operated in compliance with this CP and any applicable Internet standards. • Information exchanged between the CA and the CSA shall be authenticated and protected from modification using mechanisms commensurate with the requirements of the data to be protected by the certificates being issued. • Accurate and up-to-date information from the associated CA shall be used to provide the revocation status. • Revocation status responses shall provide authentication and integrity services commensurate with the requirements of the data to be protected by the certificates being issued, to include the status of the certificate and the time the status indication was generated. • Latency of certificate status information shall meet or exceed the requirements for CRL issuance stated in Section 4.9.7. 1.25.2 Service Availability No stipulation. 1.25.3 Optional Features No stipulation. 1.26 End of Subscription As defined in the NDPKI CP. 1.27 Key Escrow & Recovery The NDPKI may support key escrow and recovery for private keys associated with encryption certificates. Uncontrolled copy when printed A-19 UNCLASSIFIED
UNCLASSIFIED ANNEX A TO ACP 185 1.27.1 Key Escrow 1.27.1.1 Circumstances for Key Escrow Private keys associated with encryption certificates may be escrowed prior to certificate issuance. Private keys associated with certificates that assert digitalSignature shall never be escrowed. 1.27.1.2 Escrowing Keys Escrowed keys shall be stored in a KES. All requirements (e.g., Section 6.1.2, Section 6.2.6) for storage and transfer of private keys shall apply to the process of escrowing private keys. 1.27.1.3 Notification of Key Escrow to Subscriber Where applicable, as part of the enrolment process, all subscribers shall be notified that the private keys associated with their encryption certificates will be escrowed. 1.27.1.4 Session Key Encapsulation and Recovery Policy and Practices No stipulation. 1.27.2 Key Recovery At all times, escrowed keys shall be protected against disclosure to any party except the requestor and the trusted roles responsible for the recovery. 1.27.2.1 Circumstances for Key Recovery Escrowed keys may be recovered to support the recovery of encrypted data for business, law enforcement or other requirements. In general, escrowed keys are recovered for the following purposes: • The original copy of the escrowed key has been lost or damaged and the Subscriber cannot access data encrypted with the corresponding public key. • The certificate is to be re-keyed and the earlier issued private keys are recovered to be included on the token containing the re-keyed certificate. • An authorized third party (i.e., a person other than the Subscriber or PKI Sponsor) requires access to data encrypted with the corresponding public key. Uncontrolled copy when printed 1.27.2.2 Who May Request Key Recovery The Subscriber or PKI Sponsors may request recovery of their own escrowed keys. An RA may request initiation of the recovery of escrowed keys as part of a re-key process. Key recovery may also be requested by the following National third parties: A-20 UNCLASSIFIED
Page 1 and 2: UNCLASSIFIED ACP 185 Public Key Inf
Page 3 and 4: UNCLASSIFIED ACP 185 THE COMBINED C
Page 5 and 6: UNCLASSIFIED ACP 185 TABLE OF CONTE
Page 7 and 8: UNCLASSIFIED ACP 185 ANNEX C ......
Page 9 and 10: UNCLASSIFIED ACP 185 existing polic
Page 11 and 12: UNCLASSIFIED ACP 185 arisen as a re
Page 13 and 14: UNCLASSIFIED ACP 185 • Subject al
Page 15 and 16: UNCLASSIFIED ACP 185 CHAPTER 4 CROS
Page 17 and 18: UNCLASSIFIED ACP 185 INTRODUCTION C
Page 19 and 20: UNCLASSIFIED ACP 185 INTRODUCTION C
Page 21 and 22: UNCLASSIFIED ACP 185 CHAPTER 7 GOVE
Page 23 and 24: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 25 and 26: UNCLASSIFIED ANNEX A TO ACP 185 use
Page 27 and 28: UNCLASSIFIED ANNEX A TO ACP 185 IDE
Page 29 and 30: UNCLASSIFIED ANNEX A TO ACP 185 1.1
Page 31 and 32: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 33 and 34: UNCLASSIFIED ANNEX A TO ACP 185 An
Page 37 and 38: UNCLASSIFIED ANNEX A TO ACP 185 CAs
Page 39: UNCLASSIFIED ANNEX A TO ACP 185 The
Page 43 and 44: UNCLASSIFIED ANNEX A TO ACP 185 pro
Page 45 and 46: UNCLASSIFIED ANNEX A TO ACP 185 CA,
Page 47 and 48: UNCLASSIFIED ANNEX A TO ACP 185 Sho
Page 49 and 50: UNCLASSIFIED ANNEX A TO ACP 185 Sof
Page 51 and 52: UNCLASSIFIED ANNEX A TO ACP 185 Cer
Page 53 and 54: UNCLASSIFIED ANNEX A TO ACP 185 Cro
Page 57 and 58: UNCLASSIFIED ANNEX A TO ACP 185 Fie
Page 67 and 68: UNCLASSIFIED ANNEX A TO ACP 185 id-
Page 75 and 76: UNCLASSIFIED ANNEX B TO ACP 185 In
Page 77 and 78: UNCLASSIFIED ANNEX B TO ACP 185 Mil
Page 79 and 80: UNCLASSIFIED ANNEX B TO ACP 185 the
Page 81 and 82: UNCLASSIFIED ANNEX B TO ACP 185 4.4
Page 83 and 84: UNCLASSIFIED ANNEX B TO ACP 185 Any
Page 85 and 86: UNCLASSIFIED ANNEX B TO ACP 185 Sig
Page 87 and 88: UNCLASSIFIED ANNEX B TO ACP 185 SCH
Page 89 and 90: UNCLASSIFIED ANNEX C TO ACP 185 CRO
Page 91 and 92:
UNCLASSIFIED ANNEX C TO ACP 185 WIT
Page 93 and 94:
UNCLASSIFIED ANNEX C TO ACP 185 g)
Page 95 and 96:
UNCLASSIFIED ANNEX C TO ACP 185 •
Page 97 and 98:
CA Certificate UNCLASSIFIED Certifi
Page 99 and 100:
NDPKI UNCLASSIFIED National Defence
Page 101 and 102:
System equipment configuration Syst
Page 103:
KES Key Escrow Server UNCLASSIFIED
show all

ACP 185

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?