Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

Systems using high-hardware assurance certificates shall store Trusted Certificates such that unauthorized alteration or replacement is readily detectable. 6.1.5 Key Sizes If the RPMA determines that the security of a particular algorithm may be compromised, it may require the CAs to revoke the affected certificates. All certificates and Transport Layer Security (TLS) protocols shall use the following algorithm suites. Public Keys: Cryptographic Function Public keys in CA, Identity, Authentication, and Digital Signature Certificates; CRL Signatures; and OCSP Response Signatures (FIPS 186-3) Public Keys in Encryption Certificates (PKCS 1 for RSA and NIST SP 800-56A for ECDH) Expire on or before 12/31/2010 1024 bit RSA, 193 bit ECDSA in prime field or 163 bit ECDSA in binary field 1024 bit, 193 bit ECDSA in prime field or 163 bit ECDSA in binary field Expire after 12/31/2010 but before 12/31/2030 2048 bit RSA ,224 bit ECDSA in prime field or 233 bit ECDSA in binary field 2048 bit, 224 bit ECDSA in prime field or 233 bit ECDSA in binary field Symmetric Encryption AES AES AES Expire after 12/31/2030 3072 bit RSA, 256 bit ECDSA in prime field, or 283 bit ECDSA in binary field 3072 bit RSA, 256 bit ECDSA in prime field, or 283 bit ECDSA in binary field 60 7/25/2011
Hashing: Cryptographic Function Hashing Algorithm for Certificates Hashing Algorithm for CRLs Hashing Algorithm for Pre-signed OCSP Responses Hashing Algorithm for Other (i.e., not presigned) OCSP Responses Issued on or before 12/31/2010 Issued after 12/31/2010 but before 12/31/2030 SHA-1 SHA-224 or SHA- 256 Issued after 12/31/2030 SHA-256 SHA-1 SHA-1 7 SHA-256 SHA-1 SHA-1 8 SHA-256 SHA-1 SHA-224 or SHA- 256 SHA-256 CSAs shall use the same signature algorithms, key sizes, and hash algorithms as used by the CA to sign the certificate in question. However CRLs and pre-signed OCSP responses can be signed using SHA-1 at all assurance levels. Using compensating controls on the SHA-1 hashing algorithm increases the effective bit strength to 80 bits and allows it to be effectively used through the end of 2013. The compensating controls employed introduce validity entropy (randomness) into the unused and least significant bits of the validity date fields. As an exception to all of the other assertions in this section, CAs not asserting “id-raytheon- SHA2-…..” series certificate policy OID(s) may continue to use SHA-1 for issuing end entity certificates after 12/31/2010. OCSP Responders that only provide “certificate revocation status” of certificates that do not possess “id-raytheon-SHA2-…..” certificate policy OIDs, may use SHA-1 for all OCSP response types, not just for pre-signed. After 12/31/2010, CAs operatingi 9 at medium and high assurance shall only act on certificate requests to sign using the SHA-1 hashing algorithm if all of the following conditions are met: 1. The certificate request is generated/created by a trusted entity (e.g., RA, CA, or CSA); and 2. The certificate request is securely submitted by a trusted entity. 6.1.6 Public Key Parameters Generation and Quality Checking RSA keys shall be generated in accordance with ANSI X9.31. Prime numbers for RSA shall be generated or tested for primality in accordance with ANSI X9.80. ECDSA and ECDH keys shall be generated in accordance with FIPS 186-2. Curves from FIPS 186-3 shall be used. 7 Raytheon may decide to transition to stronger hash algorithm earlier than 12/31/2030. 8 Raytheon may decide to transition to stronger hash algorithm earlier than 12/31/2030. 9 A CA is considered operating at an assurance level, if it has been issued a certificate for that assurance level or is issuing certificates at that assurance level. 61 7/25/2011
Page 1 and 2:
Raytheon Company Public Key Infrast
Page 3 and 4:
Table of Contents 1 INTRODUCTION ..
Page 5 and 6:
4.6.7 Notification of Certificate I
Page 7 and 8:
5.4.8 Vulnerability Assessments ...
Page 9 and 10: 9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12: 1 INTRODUCTION This Certificate Pol
Page 13 and 14: 1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59: show that appropriate role separati
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65 and 66: 6.3 Other Aspects of Key Management
Page 67 and 68: � All hardware must be shipped or
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90: 10.3 Raytheon Root CA Certificate (
Page 91 and 92: 91 7/25/2011
Page 93 and 94: 10.6 Medium Assurance Signing CA Ce
Page 95 and 96: Field Value Entrust Version Info c=
Page 97 and 98: 10.9 Medium Assurance Code Signing
Page 99 and 100: Field Value Entrust Version Info En
Page 101 and 102: 10.12 Medium Assurance Domain Contr
Page 103 and 104: 10.13 Medium Assurance Role Signatu
Page 105 and 106: 10.15 OCSP Responder Certificate Th
Page 107 and 108: 10.17 Medium Assurance CA CRL Forma
Page 109 and 110: 11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112:
BIBLIOGRAPHY The following document
Page 113 and 114:
HTTP Hypertext Transfer Protocol IA
Page 115 and 116:
13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?