ACP 185
ACP 185
ACP 185
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
UNCLASSIFIED<br />
<strong>ACP</strong> <strong>185</strong><br />
CHAPTER 1<br />
INTRODUCTION<br />
PURPOSE<br />
101. Allied Communications Publication (<strong>ACP</strong>) <strong>185</strong> - PKI Cross-Certification<br />
Between CCEB Nations establishes the framework for PKI interoperability to facilitate<br />
the cross-certification of CCEB National Defence/Defence Public Key (NDPKI). It<br />
defines the minimum set of standards which each PKI needs to meet and the processes<br />
and activities that each CCEB Nation needs to conduct prior to cross-certification, and, in<br />
order to maintain cross-certification.<br />
102. This framework serves to describe a common approach to authentication within<br />
CCEB environments. Provided that each Nation meets the minimum standards listed in<br />
Annex A, each Nation can use their own processes to perform identity proofing and<br />
credentialing for their employees and affiliates, while relying on identity proofing and<br />
credentialing performed by other nations for their employees and affiliates. Although not<br />
mandated by this framework, the issuance of cross-certificates between NDPKIs is the<br />
preferred technical approach for implementing formal and reciprocal recognition of trust<br />
between the NDPKIs of two CCEB Member Nations.<br />
SCOPE<br />
103. This <strong>ACP</strong> applies to all CCEB NDPKIs that seek to or have established<br />
mechanisms to interoperate with another CCEB NDPKI at the Secret or below level<br />
environment under the Combined Joint Multilateral Master Military Information<br />
Exchange Memorandum of Understanding (CJM3IEM). It may be used by other non<br />
CCEB nations for information purposes. In no way does it imply that this will be<br />
employed as a basis for cross-certification outside of CCEB partners.<br />
NATURE OF THE CROSS-CERTIFICATION ARRANGEMENT<br />
104. This <strong>ACP</strong> provides a framework for bi-lateral PKI interoperability. Self-assertion<br />
to the requirements described in Annex A does not automatically result in interoperability<br />
across the CCEB. Each participating nation must establish a Cross-Certification<br />
Arrangement (CCA) with all other participating nations they wish to interoperate with as<br />
the arrangements are not transitive 1 .<br />
Uncontrolled copy when printed<br />
105. In addition, a CCA allows individuals with certificates from one NDPKI to<br />
authenticate to relying party information systems hosted by the other NDPKI. However,<br />
it is not an authorization arrangement and is not intended to supplement or replace any<br />
1 For example, if Nation A establishes a CCA with Nation B, and Nation B establishes a CCA with Nation C,<br />
there is no arrangement between Nation A and Nation C as a result.<br />
1-1<br />
UNCLASSIFIED