Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

present proof of identity to Trusted Agents or Registration Authorities, to agree to the Subscriber Agreement, and to sign it with a handwritten signature. 4.2 Certificate Application Processing It is the responsibility of the CA and RA to verify that the information in certificate applications is accurate. The CPS shall specify procedures to verify information in certificate applications. 4.2.1 Performing Identification and Authentication Functions For the cross-certificate issued by the RRCA, the identification and authentication of the applicant representing the Entity CA shall be performed by the Raytheon Operational Authority. For the Raytheon CAs, the identification and authentication of the applicant representing the Raytheon CA shall be performed by the Raytheon Operational Authority. For end entity certificates issued by the Raytheon Signing CA, the identification and authentication of the Subscriber must meet the requirements specified for Subscriber authentication as specified in Sections 3.2 and 3.3 of this CP. Prior to certificate issuance, a Subscriber shall be required to sign a document containing the requirements the Subscriber shall protect the private key and use the certificate and private key for authorized purposes only. 4.2.2 Approval or Rejection of Certificate Applications For a CA certificate application, the RPMA may approve or reject a certificate application. For subscriber certificates, the Trusted Agent, RA or CA may approve or reject a certificate application. 4.2.3 Time to Process Certificate Applications The entire subscriber registration process (i.e., from initial application to identity proofing to certificate issuance) shall take no more than 30 days. No stipulation for the CA application registration process. 4.3 Certificate Issuance Upon receiving a request for a certificate, the CA or RA shall respond in accordance with the requirements set forth in this CP and the applicable CPS. The certificate request may contain an already built ("to-be-signed") certificate. This certificate shall not be signed until the process set forth in this CP and the applicable CPS has been met. While the Subscriber may do most of the data entry, it is still the responsibility of the CA and the RA to verify that the information is correct and accurate. This may be accomplished through a system approach linking trusted databases containing personnel information, other equivalent authenticated mechanisms, or through personal contact with the Subscriber’s sponsoring organization. If databases are used to confirm Subscriber information, then these databases must be protected from unauthorized modification to a level commensurate with the level of assurance of the certificate being sought. Specifically, the databases shall be protected using physical security controls, personnel security controls, cryptographic security controls, computer security controls, and network security controls specified for the RA elsewhere in this CP. 32 7/25/2011
4.3.1 CA Actions during Certificate Issuance A CA verifies the source of a certificate request before issuance. Certificates shall be checked to ensure that all fields and extensions are properly populated. After generation, verification, and acceptance, a CA shall post the certificate as set forth in this CP. 4.3.2 Notification to Subscriber of Certificate Issuance A CA shall notify a subject (CA or Subscriber) of certificate issuance. 4.4 Certificate Acceptance The MOA shall set forth responsibilities of all parties before the RPMA authorizes issuance of a cross certificate by a Raytheon CA. Once a CA certificate has been issued, its acceptance by the subject shall trigger the Subject CA's obligations under the MOA (if any) and this CP. 4.4.1 Conduct Constituting Certificate Acceptance For CAs cross certified with Raytheon, certificate acceptance shall be governed by the MOA between Raytheon and the representatives of the Cross-certified CA. For Raytheon CAs operating under this policy, notification to the CA shall constitute acceptance, unless the CA objects. In the case of objection, the certificate shall be revoked. For end-entities, downloading of the certificate shall constitute acceptance of the issued certificate. 4.4.2 Publication of the Certificate by the CA CA certificates and Subscriber certificates shall be published to the appropriate repositories. 4.4.3 Notification of Certificate Issuance by the CA to Other Entities The ROA shall inform the RPMA of any CA certificate issued by the Raytheon PKI. When the Raytheon Root CA issues a CA certification, the RPMA shall inform the CertiPath PMA of successful certification issuance. Notification of cross certificate issuance by the Raytheon Root CA shall be provided to all crosscertified entities. 4.5 Key Pair and Certificate Usage 4.5.1 Subscriber Private Key and Certificate Usage Subscribers and CAs shall protect their private keys from access by any other party. Subscribers and CAs shall use their private keys for the purposes as constrained by the extensions (such as key usage, extended key usage, certificate policies, etc.) in the certificates issued to them. 4.5.2 Relying Party Public Key and Certificate Usage Relying parties shall use public key certificates for the purposes as constrained by the extensions (such as key usage, extended key usage, certificate policies, etc.) in the certificates. 4.6 Certificate Renewal Raytheon does not support certificate renewal. 33 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31: For subscriber certificates, the pr
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84:
enforce the agreement to arbitrate,
Page 85 and 86:
10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88:
Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?