Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

Auditable Event CA CSA RA Software error conditions X X X Software check integrity failures X X X Receipt of improper messages X X X Misrouted messages X X X Network attacks (suspected or confirmed) X X X Equipment failure X - - Electrical power outages X - - Uninterruptible Power Supply (UPS) failure X - - Obvious and significant network service or access failures X - - Violations of Certificate Policy X X X Violations of Certification Practice Statement X X X Resetting Operating System clock X X X 5.4.2 Frequency of Processing Audit Logs Audit logs shall be reviewed at least once every 30 days. Statistically significant sample of security audit data generated by the CA, CSA, or RA since the last review shall be examined (where the confidence intervals for each category of security audit data are determined by the security ramifications of the category and the availability of tools to perform such a review), as well as a reasonable search for any evidence of malicious activity. The Audit Administrator shall explain all significant events in an audit log summary. Such reviews involve verifying that the log has not been tampered with, there is no discontinuity or other loss of audit data, and then briefly inspecting all log entries, with a more thorough investigation of any alerts or irregularities in the logs. Actions taken as a result of these reviews shall be documented. 5.4.3 Retention Period for Audit Logs Audit logs shall be retained onsite for at least sixty days as well as being retained in the manner described below. For the CA and CSA the Audit Administrator shall be the only person responsible to manage the audit log (e.g., review, backup, rotate, delete, etc.). For the RA System, a System Administrator other than the RA shall be responsible for managing the audit log. 5.4.4 Protection of Audit Logs System configuration and procedures shall be implemented together to ensure that: � Only authorized people 5 have read access to the logs; � Only authorized people may archive audit logs; and, � Audit logs are not modified. The person performing audit log archive need not have modify access, but procedures must be implemented to protect archived data from destruction prior to the end of the audit log retention period (note that deletion requires modification access). Audit logs shall be moved to a safe, secure storage location separate from the CA equipment. 5 For the CA and CSA, the authorized individual shall be the Audit Administrator. For the RA system, the authorized individual shall be a system administrator other than the RA. 52 7/25/2011
It is acceptable for the system to over-write audit logs after they have been backed up and archived. 5.4.5 Audit Log Backup Procedures Audit logs and audit summaries shall be backed up at least once every 30 days. A copy of the audit log shall be sent off-site in accordance with the CPS every 30 days. 5.4.6 Audit Collection System (internal vs. external) The audit log collection system may or may not be external to the CA, CSA, or RA. Audit processes shall be invoked at system startup, and cease only at system shutdown. Should it become apparent that an automated audit system has failed, and the integrity of the system or confidentiality of the information protected by the system is at risk, then the CA shall determine whether to suspend CA operation until the problem is remedied. 5.4.7 Notification to Event-Causing Subject This CP imposes no requirement to provide notice that an event was audited to the individual, organization, device, or application that caused the event. 5.4.8 Vulnerability Assessments The CA, system administrator, and other operating personnel shall be watchful for attempts to violate the integrity of the certificate management system, including the equipment, physical location, and personnel. The security audit data shall be reviewed by the audit administrator for events such as repeated failed actions, requests for privileged information, attempted access of system files, and unauthenticated responses. Security auditors shall check for continuity of the security audit data. The audit administrator shall document the summary results of the period review of the audit logs. 5.5 Records Archival 5.5.1 Types of Records Archived CA, CSA, and RA archive records shall be sufficiently detailed to establish the proper operation of the component or the validity of any certificate (including those revoked or expired) issued by the CA. Data To Be Archived CA CSA RA Certification Practice Statement X X X Contractual obligations X X X System and equipment configuration X X - Modifications and updates to system or configuration X X - Certificate requests X - - Revocation requests X - - Subscriber identity authentication data as per Section 3.2.3 X N/A X Documentation of receipt and acceptance of certificates X N/A X Documentation of receipt of Tokens X N/A X All certificates issued or published X N/A N/A 53 7/25/2011
Page 1 and 2: Raytheon Company Public Key Infrast
Page 3 and 4: Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51: REVOCATION PROFILE MANAGEMENT Audit
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90: 10.3 Raytheon Root CA Certificate (
Page 91 and 92: 91 7/25/2011
Page 93 and 94: 10.6 Medium Assurance Signing CA Ce
Page 95 and 96: Field Value Entrust Version Info c=
Page 97 and 98: 10.9 Medium Assurance Code Signing
Page 99 and 100: Field Value Entrust Version Info En
Page 101 and 102: 10.12 Medium Assurance Domain Contr
Page 103 and 104:
10.13 Medium Assurance Role Signatu
Page 105 and 106:
10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?