Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

4.8.5 Conduct Constituting Acceptance of Modified Certificate See Section 4.4.1. 4.8.6 Publication of the Modified Certificate by the CA See Section 4.4.2. 4.8.7 Notification of Certificate Issuance by the CA to Other Entities See Section 4.4.3. 4.9 Certificate Revocation and Suspension Revocation requests must be authenticated. Requests to revoke a certificate may be authenticated using that certificate's associated public key, regardless of whether or not the private key has been compromised. 4.9.1 Circumstance for Revocation of a Certificate A certificate shall be revoked when the binding between the subject and the subject’s public key defined within a certificate is no longer considered valid. Examples of circumstances that invalidate the binding are: � Identifying information or affiliation components of any names in the certificate become invalid; � Privilege attributes asserted in the Subject's certificate are reduced; � The Subject can be shown to have violated the stipulations of its agreement; � The private key is suspected of compromise; or � The Subject or other authorized party (as defined in the applicable CP or CPS) asks for his/her certificate to be revoked. Whenever any of the above circumstances occur, the associated certificate shall be revoked and placed on the CRL. Revoked certificates shall be included on all new publications of the certificate status information until at least the certificates expire. The Raytheon PKI shall request the CBCA revoke their cross-certificate if they do not meet the stipulations of the certificate policies listed in their certificate, including all OIDs asserted in this CP. 4.9.2 Who Can Request Revocation of a Certificate A certificate subject, human supervisor of a human subject, Human Resources (HR) person for the human subject, security officer for the human subject, PKI Sponsor for a device, Signing CA, or RA may request revocation of a certificate. In the case of certificates issued by a Raytheon CA, the RPMA may request revocation of a certificate. For CA certificates, authorized individuals representing the CA operations may request revocation of certificates. 4.9.3 Procedure for Revocation Request A request to revoke a certificate shall identify the certificate to be revoked, explain the reason for revocation, and allow the request to be authenticated (e.g., digitally or manually signed). 36 7/25/2011
Any CA may unilaterally revoke another CA certificate it has issued. However, the ROA for a Raytheon CA shall revoke a Subject CA certificate only in the case of an emergency. Generally, the certificate shall be revoked based on the subject request, authorized representative of subject request, or RPMA request. Upon receipt of a revocation request, a CA shall authenticate the request and then revoke the certificate. In the case of a CA certificate issued by a Raytheon CA, the ROA shall seek guidance from the RPMA before revocation of the certificate except when the RPMA is not available and there is an emergency situation such as: � Request from the Signing CA for reason of key compromise; � Determination by the Raytheon Operational Authority that a Subject CA key is compromised; or � Determination by the Raytheon Operational Authority that a Subject CA is in violation of the CP or CPS to a degree that threatens the integrity of the Raytheon PKI. At the medium-hardware, medium-CBP-hardware, and high-hardware assurance levels, a Subscriber ceasing its relationship with an organization that sponsored the certificate shall, prior to departure, surrender to the organization (through any accountable mechanism) all cryptographic hardware tokens that were issued by or on behalf of the sponsoring organization. The token shall be zeroized or destroyed promptly upon surrender and shall be protected from malicious use between surrender and zeroization or destruction. If a Subscriber leaves an organization and the hardware tokens cannot be obtained from the Subscriber, then all Subscriber certificates associated with the unretrieved tokens shall be immediately revoked for the reason of key compromise. 4.9.4 Revocation Request Grace Period There is no revocation grace period. Responsible parties must request revocation as soon as they identify the need for revocation. 4.9.5 Time within which CA must Process the Revocation Request RRCA shall process all revocation requests within six hours of receipt of request. For Signing CAs, revocation request processing time shall be as specified below: Assurance Level Processing Time for Revocation Requests Medium Software and Medium CBP Software Medium Hardware and Medium CBP Hardware Within 18 hours of receipt of request Within 18 hours of receipt of request High Hardware Within six hours of receipt of request 4.9.6 Revocation Checking Requirements for Relying Parties Use of revoked certificates could have damaging or catastrophic consequences in certain applications. The matter of how often new revocation data should be obtained is a determination to be made by the Relying Party and the system accreditor. If it is temporarily infeasible to obtain revocation information, then the Relying Party must either reject use of the 37 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35: 4.7.4 Notification of New Certifica
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88:
Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?