ACP 185
UNCLASSIFIED
ANNEX A TO
ACP 185
• Subscriber or PKI Sponsor’s manager, Information System Security Officer, supervisor, or superior officers.
• Law enforcement or counterintelligence agents.
• Agents of a Court system with jurisdiction over the NDPKI.
• Any person or organization authorized by the NDPKI PMA via an authenticated communication.
1.27.2.3 Processing Key Recovery Requests
The KES may act on a key recovery request from the Subscriber or the PKI Sponsor acting on behalf of the Subscriber, or from a single RA as part of an RA-authenticated process to rekey a Subscriber hardware token. In all other cases, the KES shall require authentication by two individuals holding trusted roles prior to releasing the private key.
The RA shall authenticate to the KES using a mechanism commensurate with the cryptographic strength of the strongest key stored in the KES.
All copies of recovered keys shall be continuously protected using mechanisms at least commensurate with the level of the data the key provides access to or protects.
1.27.2.4 Notification of Key Recovery to the Subscriber
When executing a key recovery based solely on a request authenticated by the Subscriber or the PKI Sponsor acting on behalf of the Subscriber, the KES shall send an email to the requestor at an address in the authorized repository. If there is no address, the request is rejected.
There is no requirement to notify the Subscriber of key recovery operations executed directly by an RA.
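
The release rules of 1.27.2.3 and the notification rule of 1.27.2.4 can be read together as one decision made by the KES. The following sketch is an added illustration and is not part of ACP 185; the names `Principal`, `Decision` and `decide_recovery`, the role strings and the sample identities are assumptions, and every principal is assumed to have been authenticated before the function is called.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    identity: str               # authenticated identity (constructed sample values)
    role: str                   # "subscriber", "pki_sponsor", "ra", or another role name
    trusted_role: bool = False  # True if the individual holds a trusted role

@dataclass(frozen=True)
class Decision:
    release: bool
    reason: str
    notify: Optional[str] = None  # address the KES must e-mail, if any

def decide_recovery(requestor, approvers=(), token_rekey=False, repository_email=None):
    """Hypothetical KES release decision following 1.27.2.3 and 1.27.2.4."""
    # Case 1: Subscriber, or PKI Sponsor acting on behalf of the Subscriber.
    # Release depends on being able to notify the requestor (1.27.2.4).
    if requestor.role in ("subscriber", "pki_sponsor"):
        if not repository_email:
            return Decision(False, "no address in authorized repository")
        return Decision(True, "subscriber-authenticated request", notify=repository_email)
    # Case 2: a single RA, only inside the hardware token rekey process.
    # No Subscriber notification is required for this path.
    if requestor.role == "ra" and token_rekey:
        return Decision(True, "single RA, hardware token rekey")
    # Case 3: all other cases need two individuals holding trusted roles.
    # A set of identities stops one person from counting twice.
    trusted = {p.identity for p in (requestor, *approvers) if p.trusted_role}
    if len(trusted) >= 2:
        return Decision(True, "two trusted-role individuals")
    return Decision(False, "requires two individuals holding trusted roles")

if __name__ == "__main__":
    ra = Principal("ra-01", "ra", trusted_role=True)        # constructed
    isso = Principal("isso-07", "isso", trusted_role=True)  # constructed
    agent = Principal("agent-3", "law_enforcement")         # constructed
    print(decide_recovery(Principal("alice", "subscriber")))
    print(decide_recovery(ra, token_rekey=True))
    print(decide_recovery(agent, approvers=[ra]))
    print(decide_recovery(agent, approvers=[ra, isso]))
```
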
1.27.2.5 Notification of Key Recovery by the CA to Other Entities
No Stipulation.
FACILITY MANAGEMENT & OPERATIONS CONTROLS
1.28 Physical Controls
Physical security controls shall be implemented that protect the CMA hardware and software from unauthorized use and shall be operated in accordance with the National Defence security regulations and procedures. CMA cryptographic modules shall be protected against theft, loss, and unauthorized use.
Uncontrolled copy when printed
1.28.1 Site Location and Construction
The location and construction of the facility that will house CMA equipment and operations shall be in accordance with National Defence security regulations and procedures and local policy for