ACP 185

More documents

Recommendations

Info

UNCLASSIFIED ANNEX A TO ACP 185 1.33 Key Changeover NDPKI PMA shall ensure that processes for key change-over and other transitional mechanisms relating to CA keys, which maintain the integrity of the systems, are in place. 1.34 Compromise & Disaster Recovery 1.34.1 Incident and Compromise Handling Procedures The NDPKI PMA shall be notified of all incidents, and where the continued integrity of service is impacted, a formal notice to cross-certified entities and accrediting bodies shall be issued indicating the corrective action being taken and the estimated schedule for implementation. 1.34.2 Computing Resources, Software, and/Or Data Are Corrupted The CA shall maintain backup copies of system, databases, and private keys in order to rebuild the CA capability in case of software and / or data corruption. Prior to resuming operations, the integrity of the CA shall be verified. 1.34.3 Entity Private Key Compromise Procedures In case of a CA key compromise, a superior CA shall revoke that CA’s certificate, and the revocation information shall be published immediately in the most expedient manner. If the CA is a Root CA, NDPKI PMA must advise Relying Parties, including the NDPKI PMAs which with it has cross-certified. 1.34.4 Business Continuity Capabilities after a Disaster Each CA shall prepare and maintain a business continuity plan outlining the steps to be taken to re-establish a secure facility in the event of a disaster. 1.35 CA & RA Termination In the event of a CA termination, the CA certificate shall be revoked. CA termination shall follow notification procedures equivalent to key compromise (Section 5.7.3). RA termination is in accordance with the NDPKI policies. 1.36 Key Pair Generation & Installation TECHNICAL SECURITY CONTROLS Uncontrolled copy when printed 1.36.1 Key Pair Generation Cryptographic modules for a UNCLASSIFIED PKI are either approved as specified below or be approved by the nation’s appropriate Defence Security Authority/ Defence Security Organisation (DSA/DSO), Cryptographic modules for a CLASSIFIED PKI need to be approved by DSA/DSO. A-27 UNCLASSIFIED
UNCLASSIFIED ANNEX A TO ACP 185 Software Subscriber RA CA FIPS 140 Level 1 2 2 Hardware Subscriber RA CA FIPS 140 Level 2 2 3 Device Subscriber RA CA FIPS 140 Level 1 2 2 Key pair generation shall be undertaken via combination of products and processes approved by each nation’s appropriate DSA/DSO, to provide keys suitable for: • Use in PKI based authentication, non-repudiation and integrity services for systems and data up to and within a SECRET high environment; • Use in PKI based confidential communications capable of protecting symmetric (Secret Key encryption) keys used to protect data up to and including the RESTRICTED classification over publicly accessible data networks (e.g. the Internet) 6 ; and • Use in PKI based confidential communications within a SECRET high environment to protect “need to know” using processes which are approved by the appropriate DSA/DSO. For hardware certificates: • Signature key pairs shall be generated within a hardware cryptographic module. • Encryption key pairs generation may occur within the hardware token intended for use by the Subscriber; or within an approved Hardware Security Module (HSM) For software certificates: • Key pairs for signature and encryption may be generated, stored and managed in software. • Key generation shall employ a method that meets or exceeds the NDPKI specified standard for Subscriber software cryptographic modules. Uncontrolled copy when printed 6 Canada and the United States do not use the classification RESTRICTED in their national systems. Canada and the United States handle and protect UK/AU/NZ RESTRICTED information in a manner no less stringent than the standards and procedures they apply on the security protection of NATO RESTRICTED information. A-28 UNCLASSIFIED
Page 1 and 2: UNCLASSIFIED ACP 185 Public Key Inf
Page 3 and 4: UNCLASSIFIED ACP 185 THE COMBINED C
Page 5 and 6: UNCLASSIFIED ACP 185 TABLE OF CONTE
Page 7 and 8: UNCLASSIFIED ACP 185 ANNEX C ......
Page 9 and 10: UNCLASSIFIED ACP 185 existing polic
Page 11 and 12: UNCLASSIFIED ACP 185 arisen as a re
Page 13 and 14: UNCLASSIFIED ACP 185 • Subject al
Page 15 and 16: UNCLASSIFIED ACP 185 CHAPTER 4 CROS
Page 17 and 18: UNCLASSIFIED ACP 185 INTRODUCTION C
Page 19 and 20: UNCLASSIFIED ACP 185 INTRODUCTION C
Page 21 and 22: UNCLASSIFIED ACP 185 CHAPTER 7 GOVE
Page 23 and 24: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 25 and 26: UNCLASSIFIED ANNEX A TO ACP 185 use
Page 27 and 28: UNCLASSIFIED ANNEX A TO ACP 185 IDE
Page 29 and 30: UNCLASSIFIED ANNEX A TO ACP 185 1.1
Page 31 and 32: UNCLASSIFIED ANNEX A TO ACP 185 •
Page 33 and 34: UNCLASSIFIED ANNEX A TO ACP 185 An
Page 37 and 38: UNCLASSIFIED ANNEX A TO ACP 185 CAs
Page 39 and 40: UNCLASSIFIED ANNEX A TO ACP 185 The
Page 43 and 44: UNCLASSIFIED ANNEX A TO ACP 185 pro
Page 45 and 46: UNCLASSIFIED ANNEX A TO ACP 185 CA,
Page 47: UNCLASSIFIED ANNEX A TO ACP 185 Sho
Page 51 and 52: UNCLASSIFIED ANNEX A TO ACP 185 Cer
Page 53 and 54: UNCLASSIFIED ANNEX A TO ACP 185 Cro
Page 57 and 58: UNCLASSIFIED ANNEX A TO ACP 185 Fie
Page 67 and 68: UNCLASSIFIED ANNEX A TO ACP 185 id-
Page 75 and 76: UNCLASSIFIED ANNEX B TO ACP 185 In
Page 77 and 78: UNCLASSIFIED ANNEX B TO ACP 185 Mil
Page 79 and 80: UNCLASSIFIED ANNEX B TO ACP 185 the
Page 81 and 82: UNCLASSIFIED ANNEX B TO ACP 185 4.4
Page 83 and 84: UNCLASSIFIED ANNEX B TO ACP 185 Any
Page 85 and 86: UNCLASSIFIED ANNEX B TO ACP 185 Sig
Page 87 and 88: UNCLASSIFIED ANNEX B TO ACP 185 SCH
Page 89 and 90: UNCLASSIFIED ANNEX C TO ACP 185 CRO
Page 91 and 92: UNCLASSIFIED ANNEX C TO ACP 185 WIT
Page 93 and 94: UNCLASSIFIED ANNEX C TO ACP 185 g)
Page 95 and 96: UNCLASSIFIED ANNEX C TO ACP 185 •
Page 97 and 98: CA Certificate UNCLASSIFIED Certifi
Page 99 and 100:
NDPKI UNCLASSIFIED National Defence
Page 101 and 102:
System equipment configuration Syst
Page 103:
KES Key Escrow Server UNCLASSIFIED
show all

ACP 185

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?