Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

� Definition of rules to limit liability and to provide a high degree of certainty that the stipulations of the policies in this CP are being met The reliability of the public-key cryptography portion of the security solution is a direct result of the secure and trustworthy operation of an established PKI, including equipment, facilities, personnel, and procedures. Electronic commerce is one important PKI application. The use of public key cryptography for electronic commerce applications should be determined on the basis of a review of the security services provided by the public key certificates, the value of the electronic commerce applications, and the risk associated with the applications. The applicability statements in one or more of the policies in this CP shall be considered minimum requirements; application accreditors may require higher levels of assurance than specified in this CP for the stated applications. This CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practice Statement Framework. 1.1 Overview The Raytheon Certificate Policy (CP) is the unified policy under which all Certification Authorities (CA) operated by Raytheon are established and operate. This document shall be reviewed and updated as described in section 9.12, based on operational experience, changing threats, new technology, and further analysis. This document defines the creation and management of Version 3 X.509 public-key certificates for use in applications requiring communication between networked computer-based systems. Such applications include, but are not limited to, electronic mail; secure transmission of data; signature of electronic forms; contract formation signatures’ and authentication of infrastructure devices such as web servers, firewalls, and desktops. The intended network backbone for these network security products is the Internet. 1.1.1 Certificate Policy (CP) Certificates contain one or more registered certificate policy object identifier (OID), which may be used by a Relying Party to decide whether a certificate is trusted for a particular purpose. The party that registers the OIDs (in this case, Raytheon Company) also publishes the CP, for examination by Relying Parties. The OID corresponds to a specific level of assurance established by this Certificate Policy (CP) which shall be available to Relying Parties. Each certificate issued by a Raytheon CA shall assert the appropriate level of assurance in the certificatePolicies extension. Cross certificates issued by the Raytheon Root CA shall, in the policyMappings extension and in whatever other fashion is determined by the Raytheon Policy Management Authority (described in Section 1.3.1.1) to be necessary for interoperability, reflect what mappings exist between this CP and the cross certified PKI CP. 1.1.2 Relationship between this CP & the Raytheon CPS This Certificate Policy (CP) states what assurance can be placed in a certificate issued by the Raytheon certificate servers. The Certification Practice Statement (CPS) states how the respective certification authorities establish that assurance. 12 7/25/2011
1.1.3 Scope The following diagram represents the scope of the Raytheon PKI. The Raytheon Root CA shall cross-certify with the CertiPath Bridge CA. Subscriber certificates shall be issued by the Raytheon Signing CA. Raytheon Root CA Raytheon Class 3 CA (Signing CA) Raytheon Public Key Infrastructure Cross-certified CertiPath Bridge CA Figure 1 – Scope of Raytheon PKI Architecture This CP imposes requirements on the following Raytheon CAs involved in Signing certificates: � Raytheon Root Certification Authority (RRCA) � Raytheon Signing CAs The Raytheon Root CA shall issue CA certificates only to the following: � Raytheon CAs approved by the RPMA to issue certificates to subscribers � External CAs approved by the RPMA to cross-certify to the Raytheon PKI The RRCA may also issue certificates to PKI Trusted Roles who operate the CA. The scope of this CP in terms of subscriber (i.e., end entity) certificate types is limited to those listed in Section 10 and repeated here: identity, signature, encryption, web server, code signing, role signature, and role encryption. Within this document, the term CA, when used without qualifier, shall refer to any certification authority subject to the requirements of this certificate policy, including the RRCA and Signing CAs. Requirements that apply to a specific CA type shall be denoted by specify the CA type, e.g., RRCA or Signing CA. 13 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11: 1 INTRODUCTION This Certificate Pol
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64:
6.2 Private Key Protection and Cryp
Page 65 and 66:
6.3 Other Aspects of Key Management
Page 67 and 68:
� All hardware must be shipped or
Page 69 and 70:
7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72:
When multiple values exist for an a
Page 73 and 74:
8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76:
9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78:
� There are no material misrepres
Page 79 and 80:
� Ensure that certificate and rev
Page 81 and 82:
as a termination of this CP unless
Page 83 and 84:
enforce the agreement to arbitrate,
Page 85 and 86:
10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88:
Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?