Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

More documents

Recommendations

Info

6.5 Computer Security Controls 6.5.1 Specific Computer Security Technical Requirements The following computer security functions may be provided by the operating system, or through a combination of operating system, software, and physical safeguards. The CA, CSA and RA shall include the following functionality: � Require authenticated logins � Provide Discretionary Access Control, including managing privileges of users to limit users to their assigned roles � Provide a security audit capability (See Section 5.4) � Prohibit object re-use � Require use of cryptography for session communication and database security � Require a trusted path for identification and authentication � Provide domain isolation for processes � Provide self-protection for the operating system � Require self-test security related CA services (e.g., check the integrity of the audit logs) � Support recovery from key or system failure When CA equipment is hosted on evaluated platforms in support of computer security assurance requirements then the system (hardware, software, operating system) shall, when possible, operate in an evaluated configuration. At a minimum, such platforms shall use the same version of the computer operating system as that which received the evaluation rating. The computer system shall be configured with minimum of the required accounts and network services, and no remote login. 6.5.2 Computer Security Rating See section 6.5.1. 6.6 Life-Cycle Technical Controls 6.6.1 System Development Controls The System Development Controls for the CA and CSA are as follows: � Use software that has been designed and developed under a formal, documented development methodology. � Hardware and software procured shall be purchased in a fashion to reduce the likelihood that any particular device was tampered with (e.g., by ensuring the equipment was randomly selected at time of purchase). � Hardware and software developed shall be developed in a controlled environment, and the development process shall be defined and documented. This requirement does not apply to commercial off-the-shelf hardware or software. 66 7/25/2011
� All hardware must be shipped or delivered via controlled methods that provide a continuous chain of accountability, from the purchase location to the operations location. � The hardware and software shall be dedicated to performing the PKI activities. There shall be no other applications; hardware devices, network connections, or device software installed which are not part of the PKI operation. � Proper care shall be taken to prevent malicious software from being loaded onto the RA equipment. RA hardware and software shall be scanned for malicious code on first use and periodically thereafter. � Hardware and software updates shall be purchased or developed in the same manner as original equipment, and be installed by trusted and trained personnel in a defined manner. 6.6.2 Security Management Controls The configuration of the CA and CSA system as well as any modifications and upgrades shall be documented and controlled. There shall be a mechanism for detecting unauthorized modification to the CA and CSA software or configuration. A formal configuration management methodology shall be used for installation and ongoing maintenance of the CA system. The CA and CSA software, when first loaded, shall be verified as being that supplied from the vendor, with no modifications, and be the version intended for use. 6.6.3 Life Cycle Security Controls No stipulation. 6.7 Network Security Controls The Raytheon Root CA and its internal PKI Repository shall be off-line. Information shall be transported from the Internal PKI Repository to the external PKI Repositories using manual mechanisms. Signing CAs, CSAs, and RAs and associated PKI Repositories shall employ appropriate security measures to ensure they are guarded against denial of service and intrusion attacks. Such measures include the use of firewalls, intrusion detection software and filtering routers. Unused network ports and services shall be turned off. Any network software present shall be necessary to the functioning of the CA. Any boundary control devices used to protect the network on which PKI equipment is hosted shall deny all but the necessary services to the PKI equipment even if those services are enabled for other devices on the network. 6.8 Time Stamping All CA and CSA components shall regularly synchronize with a time service such as National Institute of Standards and Technology (NIST) Atomic Clock or NIST Network Time Protocol (NTP) Service. Time derived from the time service shall be used for establishing the time of: � Initial validity time of a Subscriber’s Certificate � Revocation of a Subscriber’s Certificate � Posting of CRL updates � CSA responses 67 7/25/2011
Page 1 and 2:
Raytheon Company Public Key Infrast
Page 3 and 4:
Table of Contents 1 INTRODUCTION ..
Page 5 and 6:
4.6.7 Notification of Certificate I
Page 7 and 8:
5.4.8 Vulnerability Assessments ...
Page 9 and 10:
9 OTHER BUSINESS AND LEGAL MATTERS
Page 11 and 12:
1 INTRODUCTION This Certificate Pol
Page 13 and 14:
1.1.3 Scope The following diagram r
Page 15 and 16: 1. The CAs asserting id-raytheon-SH
Page 17 and 18: approval of the PMA. The ROA activi
Page 19 and 20: � Raytheon employees and eligible
Page 21 and 22: 1.5 Policy Administration 1.5.1 Org
Page 23 and 24: 3.1 Naming 3 IDENTIFICATION & AUTHE
Page 25 and 26: establishing how the applicant is k
Page 27 and 28: 4. The Identity Verifier shall reco
Page 29 and 30: 3.3.1 Identification and Authentica
Page 31 and 32: For subscriber certificates, the pr
Page 33 and 34: 4.3.1 CA Actions during Certificate
Page 35 and 36: 4.7.4 Notification of New Certifica
Page 37 and 38: Any CA may unilaterally revoke anot
Page 39 and 40: 4.9.8 Maximum Latency for CRLs The
Page 41 and 42: 4.12.2 Session Key Encapsulation an
Page 43 and 44: depart shall initial a sign-out she
Page 45 and 46: � Performing or overseeing intern
Page 47 and 48: � Be trustworthy; � Have no oth
Page 49 and 50: administrative documents (e.g., Adm
Page 51 and 52: REVOCATION PROFILE MANAGEMENT Audit
Page 53 and 54: It is acceptable for the system to
Page 55 and 56: 5.6 Key Changeover A CA uses a sign
Page 57 and 58: If a RA signature keys are compromi
Page 59 and 60: show that appropriate role separati
Page 61 and 62: Hashing: Cryptographic Function Has
Page 63 and 64: 6.2 Private Key Protection and Cryp
Page 65: 6.3 Other Aspects of Key Management
Page 69 and 70: 7 CERTIFICATE, CRL AND OCSP PROFILE
Page 71 and 72: When multiple values exist for an a
Page 73 and 74: 8 COMPLIANCE AUDIT AND OTHER ASSESS
Page 75 and 76: 9.1 Fees 9 OTHER BUSINESS AND LEGAL
Page 77 and 78: � There are no material misrepres
Page 79 and 80: � Ensure that certificate and rev
Page 81 and 82: as a termination of this CP unless
Page 83 and 84: enforce the agreement to arbitrate,
Page 85 and 86: 10 CERTIFICATE, CRL, AND OCSP FORMA
Page 87 and 88: Field Value Policy Mapping For SHA-
Page 89 and 90: 10.3 Raytheon Root CA Certificate (
Page 91 and 92: 91 7/25/2011
Page 93 and 94: 10.6 Medium Assurance Signing CA Ce
Page 95 and 96: Field Value Entrust Version Info c=
Page 97 and 98: 10.9 Medium Assurance Code Signing
Page 99 and 100: Field Value Entrust Version Info En
Page 101 and 102: 10.12 Medium Assurance Domain Contr
Page 103 and 104: 10.13 Medium Assurance Role Signatu
Page 105 and 106: 10.15 OCSP Responder Certificate Th
Page 107 and 108: 10.17 Medium Assurance CA CRL Forma
Page 109 and 110: 11 PKI REPOSITORY INTEROPERABILITY
Page 111 and 112: BIBLIOGRAPHY The following document
Page 113 and 114: HTTP Hypertext Transfer Protocol IA
Page 115 and 116: 13 GLOSSARY Access Ability to make
Page 117 and 118:
Client (application) A system entit
Page 119 and 120:
Non-Repudiation Assurance that the
Page 121 and 122:
other CA. (See superior CA). Subscr
show all

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

Create successful ePaper yourself

Delete template?

Save as template?