Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

The ROA shall be responsible for ensuring name uniqueness in certificates issued by the Raytheon CAs. Raytheon CAs shall include the following information in their CPS: � What name forms shall be used, and � How they will allocate names within the Subscriber community to guarantee name uniqueness among current and past Subscribers (e.g., if “Joe Smith” leaves a CA’s community of Subscribers, and a new, different “Joe Smith” enters the community of Subscribers, how will these two people be provided unique names?). 3.1.6 Recognition, Authentication & Role of Trademarks A Raytheon CMA is not required to issue a name that contains a requested trademark. A CMA shall not knowingly issue a certificate including a name and may withdraw an issued name, where a court of competent jurisdiction has determined the name in question infringes the trademark of another. A CMA is not subsequently required to issue a name containing a trademark if the CMA has already issued a name sufficient for identification within Raytheon. A CMA is not obligated to research trademarks or resolve trademark disputes. 3.1.7 Name Claim Dispute Resolution Procedure The ROA shall resolve any name collisions brought to its attention that may affect interoperability. 3.2 Initial Identity Validation 3.2.1 Method to Prove Possession of Private Key In all cases where the Subscriber generates keys, the Subscriber shall be required to prove possession of the private key that corresponds to the public key in the certificate request. For signature keys, this proof of possession may be done by signing the request. For encryption keys, the CA or RA may encrypt the Subscriber’s certificate in a confirmation request message. The Subscriber can then decrypt and return the certificate to the CA or RA in a confirmation message. The RPMA may allow other mechanisms that are at least as secure as those cited here to be acceptable. 3.2.2 Authentication of Organization Identity Requests for certificates in the name of an organization shall include the organization name, address, and documentation of the existence of the organization. The RA shall verify the information, in addition to the authenticity of the requesting representative, and that representative's authorization to act in the name of the organization. 3.2.3 Authentication of Individual Identity The Raytheon CA shall ensure that the applicant’s identity information is verified and checked in accordance with this CP and the applicable CPS. The CA or RA shall ensure that the applicant’s identity information and public key are properly bound. Additionally, the CA or RA shall record the process that was followed for issuance of each certificate. Process information shall depend upon the certificate level of assurance and shall be addressed in the applicable CPS. The process documentation and authentication requirements shall include the following: � The identity of the person performing the identity verification; � A signed declaration by that person that he or she verified the identity of the applicant as required by the applicable certificate policy which may be met by 24 7/25/2011
establishing how the applicant is known to the verifier as required by this certificate policy; � The applicant shall present one valid National Government-issued photo ID (e.g. passport), or two valid non-National Government IDs, one of which shall be a recent photo ID (e.g., Drivers License). � Unique identifying numbers from the Identifier (ID) of the verifier and from an ID of the applicant; � The date and time of the verification, and; � A declaration of identity signed by the applicant using a handwritten signature or equivalent and performed in the presence of the person performing the identity authentication, using the format set forth at 28 U.S.C 1746 (declaration under penalty of perjury) or comparable procedure under local law. Practice Note: Examples of signatures equivalent to handwritten signature are a good fingerprint or other adequate biometric that can be linked to the individual identity. Another example of a signature equivalent to handwritten signature is digital signature that can be verified using a certificate provided to the same identity. However, that certificate must not be the same certificate for whose issuance the identity proofing is being performed. Identity shall be established by in-person proofing before the RA or Trusted Agent; information provided shall be verified to ensure legitimacy. Requirements for authentication of individual identity using an in-person antecedent are listed in Section 3.2.3.3. 3.2.3.1 Authentication of Component Identities Some computing and communications devices (applications, routers, firewalls, servers, etc.) shall be named as certificate subjects. In such cases, the device shall have a human sponsor. The PKI sponsor shall be responsible for providing the following registration information: � Equipment identification (e.g., serial number) or service name (e.g., DNS name) � Equipment public keys � Equipment authorizations and attributes (if any are to be included in the certificate) � Contact information to enable the CA or RA to communicate with the sponsor when required � The registration information shall be verified to an assurance level commensurate with the certificate assurance level being requested. Acceptable methods for performing this authentication and integrity checking include, but are not limited to: o Verification of digitally signed messages sent from the sponsor (using certificates of equivalent or greater assurance than that being requested). o In person registration by the sponsor, with the identity of the sponsor confirmed in accordance with the requirements of Section 3.2.3. 3.2.3.2 Human Subscriber Re-Authentication If a human subscriber credentials containing the private keys associated with the public key certificates are lost, damaged, or stolen, the subscriber may be issued new certificates using the process described in this section. However, the validity period of the certificates issued using this process shall not exceed the identity-reproofing requirements in Section 3.3.1. Alternatively, the subscriber can undergo an initial identity proofing process described in Section 3.2.3. 25 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76:
9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78:
� There are no material misrepres
Page 79 and 80:
� Ensure that certificate and rev
Page 81 and 82:
as a termination of this CP unless
Page 83 and 84:
enforce the agreement to arbitrate,
Page 85 and 86:
10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88:
Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

Create successful ePaper yourself

Delete template?

Save as template?