Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

� Any incident preventing a CA from issuing a CRL within 24 hours of the time specified in the next update field of its currently valid CRL. The ROA shall reestablish operational capabilities as quickly as possible in accordance with procedures set forth in the respective CPS. When Raytheon has detected an incident or compromise of the RRCA and/or Raytheon signing CA, and upon approval by the Raytheon CISO, the Raytheon PMA shall notify the CertiPath PMA. The above measures will allow member entities to protect their interests as Relying Parties. 5.7.2 Computing Resources, Software, and/or Data are Corrupted The CA shall maintain backup copies of system, databases, and private keys in order to rebuild the CA capability in case of software and/or data corruption. If a CA or CSA equipment is damaged or rendered inoperative, but the signature keys are not destroyed; the operation shall be reestablished as quickly as possible, giving priority to the ability to generate certificate status information. If a CA cannot issue a CRL prior to the time specified in the next update field of its currently valid CRL, then all CAs that have been issued certificates by the CA shall be securely 6 notified immediately. This will allow other CAs to protect their subscribers' interests as Relying Parties. The CA shall reestablish revocation capabilities as quickly as possible in accordance with procedures set forth in the respective CPS. If revocation capability cannot be established in a reasonable time-frame, the CA shall determine whether to request revocation of its certificate(s). If the CA is a Root CA, the CA shall determine whether to notify all subscribers that use the CA as a trust anchor to delete the trust anchor. 5.7.3 Private Key Compromise Procedures If a CA signature keys are compromised, lost, or suspected to be compromised: 1. All cross certified CAs shall be securely notified at the earliest feasible time (so that entities may issue CRLs revoking any cross-certificates issued to the CA); 2. A CA key pair shall be generated by the CA in accordance with procedures set forth in the applicable CPS; 3. New CA certificates shall be requested in accordance with the initial registration process as described in section 3.2.; 4. All Subscribers shall be notified and requested to register in accordance with the initial registration process as described in section 3.2; and 5. If the CA is the Root CA, it shall provide the Subscribers the new trust anchor using secure means. The ROA shall also investigate what caused the compromise or loss, and what measures must be taken to preclude recurrence. If a CSA key is compromised, all certificates issued to the CSA shall be revoked, if applicable. The CSA shall generate a new key pair and request new certificate(s), if applicable. If the CSA is a trust anchor, the relying parties shall be provided the new trust anchor in a secure manner (so that the trust anchor integrity is maintained) to replace the compromised trust anchor. 6 With confidentiality, source authentication, and integrity security services applied. 56 7/25/2011
If a RA signature keys are compromised, lost, or suspected to be compromised: 1. The RA certificate shall be immediately revoked; 2. A new RA key pair shall be generated in accordance with procedures set forth in the applicable CPS; 3. New RA certificate shall be requested in accordance with the initial registration process as described in section 3.2; 4. All certificate registration requests approved by the RA since the date of the suspected compromise shall be reviewed to determine which one are legitimate; 5. For those certificates requests or approval than can not be ascertained as legitimate, the resultant certificates shall be revoked and their subjects (i.e., subscribers) shall be notified of revocation. 5.7.4 Business Continuity Capabilities after a Disaster In the case of a disaster whereby a CA installation is physically damaged and all copies of the CA Signing Key are destroyed as a result, the CA shall request that its certificates be revoked. The CA shall follow steps 2 through 5 in Section 5.7.3 above. The PKI Repositories containing certificates and certificate status information shall be deployed so as to provide 24 hour per day/365 day per year availability. Raytheon shall implement features to provide high levels of PKI Repository reliability. 5.8 CA, CSA, and RA Termination In the event of termination of a CA, the CA shall request all certificates issued to it be revoked. In the event of a CA termination, Raytheon shall provide as much advance notice as circumstances permit notice to all cross certified CAs prior to the termination. A CA, CSA, and RA shall archive all audit logs and other records prior to termination. A CA, CSA, and RA shall destroy all its private keys upon termination. CA, CSA, and RA archive records shall be transferred to an appropriate authority such as the RPMA responsible for the entity. If a Root CA is terminated, the Root CA shall use secure means to notify the subscribers to delete all trust anchors representing the CA. 57 7/25/2011
Page 1 and 2:
Raytheon Company Public Key Infrast
Page 3 and 4:
Table of Contents 1 INTRODUCTION ..
Page 5 and 6: 4.6.7 Notification of Certificate I
Page 7 and 8: 5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55: 5.6 Key Changeover A CA uses a sign
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90: 10.3 Raytheon Root CA Certificate (
Page 91 and 92: 91 7/25/2011
Page 93 and 94: 10.6 Medium Assurance Signing CA Ce
Page 95 and 96: Field Value Entrust Version Info c=
Page 97 and 98: 10.9 Medium Assurance Code Signing
Page 99 and 100: Field Value Entrust Version Info En
Page 101 and 102: 10.12 Medium Assurance Domain Contr
Page 103 and 104: 10.13 Medium Assurance Role Signatu
Page 105 and 106: 10.15 OCSP Responder Certificate Th
Page 107 and 108:
10.17 Medium Assurance CA CRL Forma
Page 109 and 110:
11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?