Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

certificate, or make an informed decision to accept the risk, responsibility, and consequences for using a certificate whose authenticity cannot be guaranteed to the standards of this CP. Such use may occasionally be necessary to meet urgent operational requirements. 4.9.7 CRL Issuance Frequency CRLs shall be issued periodically, even if there are no changes to be made, to ensure timeliness of information. Certificate status information may be issued more frequently than the issuance frequency described below. A CA shall ensure that superseded certificate status information is removed from the PKI Repository upon posting of the latest certificate status information. Certificate status information shall be published not later than the next scheduled update. This will facilitate the local caching of certificate status information for off-line or remote (laptop) operation. PKI participants shall coordinate with the PKI Repositories to which they post certificate status information to reduce latency between creation and availability. The following table provides CRL issuance frequency requirements for medium-software, medium-CBP-software, medium-hardware, and medium-CBP-hardware assurance certificates. CRL Issuance Frequency Routine At least once every 30 days for Off-line Roots and Off-line Bridge CAs; At Least Once every 24 hours for all others Loss or Compromise of Private Key Within 18 Hours of Notification CA Compromise Immediately, but no later than within 18 hours after notification The following table provides CRL issuance frequency requirements for the high-hardware assurance certificates. CRL Issuance Frequency Routine At least once every 30 days for Off-line Roots; At Least Once every 24 hours for all others Loss or Compromise of Private Key Within 6 Hours of Notification CA Compromise Immediately, but no later than within six hours after notification The CAs that issue routine CRLs less frequently that the requirement for Emergency CRL issuance (i.e., CRL issuance for loss or compromise of key or for compromise of CA) shall meet the requirements specified above for issuing Emergency CRLs. Such CAs shall also be required to notify the Raytheon PMA upon Emergency CRL issuance. The Raytheon PMA shall in turn notify the CertiPath Operational Authority and all cross certified CAs of revocation. 38 7/25/2011
4.9.8 Maximum Latency for CRLs The maximum delay between the time a Subscriber certificate is revoked by a CA and the time that this revocation information is available to Relying Parties shall be no greater than 24 hours. 4.9.9 Online Revocation Checking Availability In addition to CRLs, CAs and Relying Party client software may optionally support on-line status checking. Client software using on-line status checking need not obtain or process CRLs. CSAs shall function in a manner that ensures that: � Accurate and up-to-date information from the authorized CA is used to provide the revocation status; � Revocation status responses provide authentication and integrity services commensurate with the assurance level of the certificate being checked. If on-line revocation/status checking is supported by a CA, the latency of certificate status information distributed on-line by the CA or its delegated status responders shall meet or exceed the requirements for CRL issuance as stated in 4.9.7. 4.9.10 Online Revocation Checking Requirements CAs are not required to operate a CSA covering the certificates they issue. The Raytheon PKI Repository shall contain and publish a list of all CSAs operated by the Raytheon PKI. Relying Parties may optionally use on-line status checking. Since Raytheon operates in some environments that cannot accommodate on-line communications, all CAs shall be required to support CRLs. Client software using on-line revocation checking need not obtain or process CRLs. 4.9.11 Other Forms of Revocation Advertisements Available Any alternate forms used to disseminate revocation information shall be implemented in a manner consistent with the security and latency requirements for the implementation of CRLs and on-line revocation and status checking. 4.9.11.1 Checking Requirements for Other Forms of Revocation Advertisements No stipulation. 4.9.12 Special Requirements Related To Key Compromise None beyond those stipulated in Section 4.9.7. 4.9.13 Circumstances for Suspension Suspension shall be permitted for certificates issued under the medium-hardware or medium- CBP-hardware policies only, in the event that a user’s token is temporarily unavailable to them. 4.9.14 Who can Request Suspension A human subscriber, human supervisor of a human subscriber, HR person for the human subscriber, issuing CA, or RA may request suspension of a certificate. 39 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37: Any CA may unilaterally revoke anot
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90:
10.3 Raytheon Root CA Certificate (
Page 91 and 92:
91 7/25/2011
Page 93 and 94:
10.6 Medium Assurance Signing CA Ce
Page 95 and 96:
Field Value Entrust Version Info c=
Page 97 and 98:
10.9 Medium Assurance Code Signing
Page 99 and 100:
Field Value Entrust Version Info En
Page 101 and 102:
10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?