ACP 185
ACP 185
ACP 185
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
UNCLASSIFIED<br />
ANNEX A TO<br />
<strong>ACP</strong> <strong>185</strong><br />
1.33 Key Changeover<br />
NDPKI PMA shall ensure that processes for key change-over and other transitional mechanisms<br />
relating to CA keys, which maintain the integrity of the systems, are in place.<br />
1.34 Compromise & Disaster Recovery<br />
1.34.1 Incident and Compromise Handling Procedures<br />
The NDPKI PMA shall be notified of all incidents, and where the continued integrity of service<br />
is impacted, a formal notice to cross-certified entities and accrediting bodies shall be issued<br />
indicating the corrective action being taken and the estimated schedule for implementation.<br />
1.34.2 Computing Resources, Software, and/Or Data Are Corrupted<br />
The CA shall maintain backup copies of system, databases, and private keys in order to rebuild<br />
the CA capability in case of software and / or data corruption. Prior to resuming operations, the<br />
integrity of the CA shall be verified.<br />
1.34.3 Entity Private Key Compromise Procedures<br />
In case of a CA key compromise, a superior CA shall revoke that CA’s certificate, and the<br />
revocation information shall be published immediately in the most expedient manner. If the CA<br />
is a Root CA, NDPKI PMA must advise Relying Parties, including the NDPKI PMAs which<br />
with it has cross-certified.<br />
1.34.4 Business Continuity Capabilities after a Disaster<br />
Each CA shall prepare and maintain a business continuity plan outlining the steps to be taken to<br />
re-establish a secure facility in the event of a disaster.<br />
1.35 CA & RA Termination<br />
In the event of a CA termination, the CA certificate shall be revoked. CA termination shall<br />
follow notification procedures equivalent to key compromise (Section 5.7.3).<br />
RA termination is in accordance with the NDPKI policies.<br />
1.36 Key Pair Generation & Installation<br />
TECHNICAL SECURITY CONTROLS<br />
Uncontrolled copy when printed<br />
1.36.1 Key Pair Generation<br />
Cryptographic modules for a UNCLASSIFIED PKI are either approved as specified below or be<br />
approved by the nation’s appropriate Defence Security Authority/ Defence Security<br />
Organisation (DSA/DSO), Cryptographic modules for a CLASSIFIED PKI need to be approved<br />
by DSA/DSO.<br />
A-27<br />
UNCLASSIFIED