ACP 185
UNCLASSIFIED
ANNEX A TO
ACP 185
1.36.2 Private Key Delivery to Subscriber
Where private keys are generated or recovered by the Subscriber on/into the Subscriber’s cryptographic module, no additional delivery process is required. Where private keys are generated on the Subscriber’s cryptographic module under the control of another person, the process for delivery of the Subscriber’s cryptographic module to the Subscriber shall ensure:
• The correct token and activation data are provided to the correct Subscriber
• No unauthorized parties can access or use the token during the delivery process
Where private keys are generated in another cryptographic module or recovered by an RA, the process for delivering the private key securely onto the Subscriber’s token or to the requestor shall be approved by the nation’s DSA / DSO. While outside of the cryptographic module or the Subscriber’s token, private keys shall be encrypted using an algorithm and process approved by the DSA / DSO.
1.36.3 Public Key Delivery to Certificate Issuer
Public keys shall be delivered to the certificate issuer in a way that binds the applicant’s verified identification to the public key being certified.
1.36.4 CA Public Key Delivery to Relying Parties
Trusted CA certificates for the NDPKIs and any directly trusted intermediate CAs shall be delivered to Relying Parties via a controlled mechanism.
1.36.5 Key Sizes
The strength of key size and hash algorithms shall be as specified in National Institute of Standards and Technology Special Publication 800-57 Part 1 – “Recommendation for Key Management – Part 1: General” [SP 800-57P1].
1.36.6 Public Key Parameters Generation and Quality Checking
Public key parameters shall always be generated and checked in accordance with the standard that defines the crypto-algorithm in which the parameters are to be used. For example, public key parameters for use with algorithms defined in the Federal Information Processing Standard 186-3, Digital Signature Standard [FIPS 186] shall be generated and tested in accordance with [FIPS 186]. Whenever a crypto-algorithm is described in [FIPS 186], the parameter generation and checking requirements and recommendations of [FIPS 186] shall be required of all entities generating key pairs whose public components are to be certified by the CA.
Uncontrolled copy when printed
1.36.7 Key Usage Purposes (as per X.509 v3 key usage field)
The use of a specific key is determined by the key usage extension in the X.509 certificate.