Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS Communication among the CA, RA, Trusted Agent, other parties confirming identities, and subscriber shall have requisite security services (i.e., source authentication, integrity, nonrepudiation, or confidentiality) applied to them commensurate with the assurance level of the certificate being managed. For example, packages secured and transported in a tamperevident manner by a certified mail carrier meet the integrity and confidentiality requirements for High Hardware assurance level. When cryptography is used, the mechanism shall be at least as strong as the certificates being managed. For example, web site secured using SSL certificate issued under medium-software policy and set up with appropriate algorithms and key sizes satisfies integrity and confidentiality requirements for medium-software certificate management. The content of communication shall dictate if some, all, or none of the security services are required. 4.1 Certificate Application It is the intent of this section to identify the minimum requirements and procedures that are necessary to support trust in the PKI, and to minimize imposition of specific implementation requirements on CAs, RAs, Subscribers, and relying parties. This paragraph applies to entities seeking cross certificates from the Raytheon Root CA. The RPMA shall establish procedures for entities to use in applying for a certificate from the RRCA and then publish those procedures. Additional requirements for the enrollment process for cross-certified CAs shall be discussed in an MOA signed with Raytheon. Requests by Raytheon CAs for a CA certificate shall be submitted to the RPMA using the contact provided in Section 1.5. The application shall be accompanied by a CP and CPS written to the format of the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework [RFC 3647]. Additionally, the application shall propose a mapping between the levels of assurance expressed in the Entity’s CP and those in this CP. The RPMA shall evaluate the submitted application for acceptability; make a determination whether or not to issue the requested certificate, and what policy mappings to express in the certificate. The RPMA may require an initial compliance audit, performed by parties of the RPMA’s choosing, to ensure that the CA is prepared to implement all aspects of the CPS, prior to the RPMA authorizing the CA to issue and manage certificates asserting the Raytheon CP. Upon RPMA approval, Raytheon shall enter into a MOA with the applicant organization setting forth their respective responsibilities. The RPMA shall instruct the Raytheon Operational Authority to issue the certificate to the applicant CA. Upon issuance, each certificate issued by the ROA shall be manually checked to ensure each field and extension is properly populated with the correct information, before the certificate is delivered to the Subject CA. The applicant CA shall have a distinguished name that shall be placed in the Subject field of the certificate with the common name as the official name of the CA. Raytheon CAs asserting one or more policy OIDs from this CP shall certify other Raytheon CAs only as authorized by the RPMA. This authorization shall be based on the Subject CA submitting a CPS that complies with this CP. For subscriber certificates, the CA, RA or Trusted Agent must perform the following steps when the subscriber applies for a certificate: � Establish and record identity of Subscriber (per Section 3.2), and; � Establish that the public key forms a functioning key pair with the private key held by the Subscriber (per Section 3.2.1). 30 7/25/2011
For subscriber certificates, the prospective subscriber must perform the following steps when the subscriber applies for a certificate: � Obtain a public/private key pair for each certificate required, and; � Provide a point of contact for verification of any roles or authorizations requested. These steps may be performed in any order that is convenient for the CA, RAs, Trusted Agent and Subscribers, and that do not defeat security, but all must be completed prior to certificate issuance. All communications among CAs supporting the certificate application and issuance process shall be authenticated and protected from modification using mechanisms commensurate with the requirements of the data to be protected by the certificates being issued (i.e., communications supporting the issuance of Medium Assurance certificates shall be protected using Medium Assurance certificates, or some other mechanism of equivalent strength). Any electronic transmission of shared secrets shall be protected (e.g., encrypted) using means commensurate with the requirements of the data to be protected by the certificates being issued. 4.1.1 Submission of Certificate Application For certificate applications to a Raytheon CA, an authorized representative of the Subject CA shall submit the application to the RPMA. For subscriber certificates, the application shall be submitted by an authorized prospective subscriber in the case of human subscribers, or an authorized PKI sponsor in the case of components. 4.1.2 Enrollment Process and Responsibilities CAs external to the Raytheon policy domain applying for cross certification with the Raytheon PKI shall submit a request for cross-certification to the Raytheon PMA accompanied by their CP. The Raytheon PMA shall require a CP/CPS compliance audit, from a third-party auditor, as described in section 8. The Raytheon PMA shall perform a certificate policy mapping to validate policy assurance levels are equivalent. Upon issuance, each cross-certificate issued by the Raytheon PKI shall be manually checked to ensure each field and extension is properly populated with the correct information, before the certificate is delivered to the Subject CA. Raytheon CAs shall submit a request to the Raytheon PMA, accompanied by their CPS. The Raytheon PMA shall evaluate the submitted CPS for acceptability. The Raytheon PMA may require an initial compliance audit, performed by parties of the Raytheon PMA’s choosing, to ensure that the CA is in compliance with this CP, prior to the PMA authorizing the Raytheon Root CA to issue a certificate to the applying CA and authorizing the CA to issue and manage certificates asserting a policy OID from this CP. The RRCA shall only issue certificates to subordinate CAs upon receipt of written authorization from the Raytheon PMA. CAs shall issue certificates asserting a policy OID from this CP only upon receipt of written authorization from the Raytheon PMA, and then may do so only within the constraints imposed by the Raytheon PMA or its designated representatives. For applications by end-entities, the Trusted Agent or Registration Authority must verify all subscriber information, in accordance with section 3.2.3. In addition, the Trusted Agent or Registration Authority shall sign the Subscriber Agreement. Subscribers are expected to 31 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29: 3.3.1 Identification and Authentica
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82:
as a termination of this CP unless
Page 83 and 84:
enforce the agreement to arbitrate,
Page 85 and 86:
10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88:
Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

Create successful ePaper yourself

Delete template?

Save as template?