(U) Instruction For National Security Systems Public Key Infrastructure


Committee on National Security Systems
CNSSI No. 1300

(U) INSTRUCTION FOR NATIONAL SECURITY SYSTEMS PUBLIC KEY INFRASTRUCTURE X.509 CERTIFICATE POLICY
Under CNSS Policy No. 25

THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS. YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION.

CNSS Instruction No. 1300
NATIONAL MANAGER

FOREWORD

1. The Committee on National Security Systems Instruction (CNSSI) No. 1300, Instruction for National Security Systems (NSS) Public Key Infrastructure (PKI) X.509 Certificate Policy, Under CNSS Policy No. 25, provides a secure, interoperable electronic environment that closes the gap between the unclassified Federal PKI, managed by the Federal PKI Policy Authority, and the TOP SECRET Intelligence Community PKI, managed by the Office of the Director of National Intelligence (ODNI).

2. The NSS PKI operates using a hierarchical architecture, with a Root Certificate Authority (CA) operated by the National Security Agency (NSA) on behalf of the CNSS. CNSS member agencies may either establish and operate one or more CAs subordinate to the Root CA in accordance with this Certificate Policy (CP) or obtain certificates from a Common Services Provider CA operated in accordance with this CP.

3. The NSS PKI CP states the requirements for issuing and managing certificates that Relying Parties can use in making decisions regarding what assurance they can place in a certificate issued by a NSS PKI CA. This revision reflects lessons learned in the establishment of the Root and initial subordinate and cross certified CAs, as well as changes in PKI operations since its initial publication.

4. CNSS Instruction No. 1300, Version 1.3.3, is effective upon receipt.

5. Additional copies of this Instruction may be obtained from the CNSS Secretariat or the CNSS website: http://www.cnss.gov.

FOR THE NATIONAL MANAGER:

CNSS Secretariat (IE414)
National Security Agency
9800 Savage Road, STE 6716
Ft Meade, MD 20755-6716
Office: (410) 854-6805
Unclassified FAX: (410) 854-6814
CNSS@nsa.gov

DOCUMENT VERSION CONTROL

Version   | Date                          | Revision Details
Final 1.0 | 24 July 2009                  | Final version as approved by the CNSS Committee for signature
Final 1.1 | 7 March 2011 / June 2011      | Final first revision as approved by the CNSS Committee for signature
1.2.1     | December 2012 / January 2013  | Second revision required based on changes necessitated by activation of the NSS PKI Common Service Provider and changes to existing entity subordinate CAs
1.2.2     | April 2013                    | Updates to resolve questions/comments from CNSS review
1.2.3     | September 2013                | Updates to resolve questions/comments from CNSS review
1.3       | May 2014                      | Third revision required based on PKI Common Service Provider operations, other operational changes requested by member organizations, and updated format to align with CNSS Instruction template
1.3.1     | July 2014                     | Updates to resolve questions/comments from CNSS Pre-coordination
1.3.2     | September 2014                | Updates to resolve questions/comments from CNSS Formal Open Comment Period
1.3.3     | October 2014                  | Updates to resolve questions/comments from CNSS Formal Subcommittee Review


TABLE OF CONTENTS

SECTION ... PAGE
SECTION I – PURPOSE ... 1
SECTION II – AUTHORITY ... 1
SECTION III – SCOPE ... 1
SECTION IV – POLICY ... 2
SECTION V – RESPONSIBILITIES ... 2
SECTION VI – DEFINITIONS ... 2
SECTION VII – REFERENCES ... 2

ANNEX ... PAGE
ANNEX A: X.509 CERTIFICATE POLICY FOR THE NSS PKI ... A-1
ANNEX B: REFERENCES ... B-1
ANNEX C: ACRONYMS AND ABBREVIATIONS ... C-1
ANNEX D: GLOSSARY OF TERMS ... D-1

(U) INSTRUCTION FOR NATIONAL SECURITY SYSTEMS PUBLIC KEY INFRASTRUCTURE X.509 CERTIFICATE POLICY
Under CNSS Policy No. 25

SECTION I – PURPOSE

1. Under the provisions of National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems [NSD 42], the Committee on National Security Systems (CNSS) has established a Public Key Infrastructure (PKI) for SECRET-high collateral classified networks, known as the National Security Systems (NSS) PKI. The purpose of the NSS PKI is to provide a secure, interoperable electronic environment that closes the gap between the unclassified Federal PKI, managed by the Federal PKI Policy Authority, and the highly classified Intelligence Community PKI, managed by the Office of the Director of National Intelligence (ODNI).

2. CNSS Policy (CNSSP) No. 25, National Policy for Public Key Infrastructure in National Security Systems [CNSSP 25], establishes the requirements for Federal Departments and Agencies to implement the NSS PKI to manage and support their SECRET and below collateral classified NSS networked systems, and to obtain PKI support from the NSS PKI for NSS operating at the Secret level.

3. Instruction for National Security Systems Public Key Infrastructure X.509 Certificate Policy Under CNSS Policy No. 25 is the policy under which the NSS PKI operates. This Certificate Policy (CP) defines the creation and management of certificates that comply with the International Telecommunications Union (ITU) X.509: Information Technology - Open Systems Interconnection - The Directory: Public-Key and Attribute Certificate Frameworks X.509 Version 3 Public Key Certificates [ITU X.509] for use in applications requiring communication between networked computer-based systems. Such applications include, but are not limited to, signature of electronic mail; encryption of information; and authentication to networks, web servers, or other applications. This CP is consistent with the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework [RFC 3647].

SECTION II – AUTHORITY

4. The authority to issue this instruction derives from National Security Directive 42, which outlines the roles and responsibilities for securing national security systems consistent with applicable law, E.O. 12333, as amended, and other Presidential directives.

5. Nothing in this instruction shall alter or supersede the authorities of the Director of National Intelligence.

SECTION III – SCOPE

6. This instruction applies to Certification Authority (CA) Systems (CAS) that issue certificates that assert this policy and all certificates issued to CAs, other CAS components, named individuals, roles, and systems or devices that assert a NSS PKI Certificate Policy Object Identifier (OID). This instruction also applies to the individuals responsible for these certificates and persons operating the NSS PKI.

SECTION IV – POLICY

7. As stated in [CNSSP 25], "NSS operating at the Secret level shall obtain PKI support from the NSS PKI." This instruction defines the policies governing the issuance, management, and use of [ITU X.509] public key certificates issued under the NSS PKI. It defines multiple certificate policies, one or more of which may be asserted in a NSS PKI issued certificate by populating the appropriate Certificate Policy OID in the certificatePolicies extension of the certificate. All certificates, except the self-signed Root CA certificate, issued under this policy shall contain a registered Certificate Policy OID that may be used by a Relying Party to determine the policy under which the certificate was issued.

SECTION V – RESPONSIBILITIES

8. Department and agency responsibilities are outlined in [CNSSP 25]. Specific requirements for NSS PKI roles are described in Annex A, Section 1.3.

SECTION VI – DEFINITIONS

9. Acronyms are defined in Annex C. A glossary of terms is provided as Annex D.

SECTION VII – REFERENCES

10. References are provided as Annex B.
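The Relying Party check that Section IV describes, as an added example that is not part of CNSSI 1300 and not code from any NSS PKI component: it DER-encodes and decodes the certificatePolicies extension value in the shape RFC 5280 gives it (a SEQUENCE of PolicyInformation, each starting with a policyIdentifier OID), using only the Python standard library, and accepts a certificate only when at least one asserted policy OID is on the Relying Party's acceptable list. The two policy OIDs, the acceptable set and all function names are constructed placeholders; the registered NSS PKI Certificate Policy OIDs are not reproduced here.

```python
"""Constructed example: RFC 5280 certificatePolicies encode/decode and a Relying Party
policy-OID check. Placeholder OIDs only; these are not the NSS PKI's registered OIDs."""

SEQUENCE = 0x30
OBJECT_IDENTIFIER = 0x06

# Constructed placeholder policy OIDs under a made-up private enterprise arc.
PLACEHOLDER_POLICY_A = "1.3.6.1.4.1.99999.1.1"
PLACEHOLDER_POLICY_B = "1.3.6.1.4.1.99999.1.2"


def _der_length(n: int) -> bytes:
    """Definite-form DER length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def _base128(value: int) -> bytes:
    """OID sub-identifier: 7 bits per byte, high bit set on every byte but the last."""
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER TLV; the first two arcs share one sub-identifier (40*a + b)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _der_tlv(OBJECT_IDENTIFIER, body)


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid for the OID content bytes (tag and length already stripped)."""
    if not value or value[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the TLV at pos; rejects non-minimal or truncated lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or buf[pos] == 0:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }"""
    return _der_tlv(SEQUENCE, b"".join(_der_tlv(SEQUENCE, encode_oid(o)) for o in oids))


def decode_certificate_policies(der: bytes) -> list:
    """Return the asserted policy OIDs; policyQualifiers, if present, are skipped."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der) or not outer:
        raise ValueError("certificatePolicies must be one non-empty SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)
        if tag != OBJECT_IDENTIFIER:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def relying_party_accepts(extension_der: bytes, acceptable: set) -> bool:
    """Accept only if an asserted policy OID is acceptable; absent or malformed data is a reject."""
    try:
        asserted = decode_certificate_policies(extension_der)
    except (ValueError, IndexError):
        return False
    return any(oid in acceptable for oid in asserted)
```

A call such as `relying_party_accepts(encode_certificate_policies([PLACEHOLDER_POLICY_A]), {PLACEHOLDER_POLICY_A})` returns True, while the same extension checked against a set containing only PLACEHOLDER_POLICY_B, a truncated byte string or an empty one returns False: the check fails closed, which matters because the policy makes the OID the Relying Party's basis for deciding what assurance to place in the certificate. The self-signed Root CA certificate is the one exception the text names, so this check applies to subordinate CA and end-entity certificates, and in a real validator it runs inside RFC 5280 path validation together with signature and revocation checking rather than on its own.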

ANNEX A: X.509 CERTIFICATE POLICY FOR THE NSS PKI

Table of Contents

1 INTRODUCTION ... A-8
  1.1 OVERVIEW ... A-9
    1.1.1 Certificate Policy ... A-9
    1.1.2 Relationship between the Certificate Policy and the Certification Practice Statement ... A-9
    1.1.3 Scope ... A-10
    1.1.4 Interoperation with CAs Issuing Under Different Policies ... A-10
  1.2 DOCUMENT NAME AND IDENTIFICATION ... A-10
  1.3 PKI PARTICIPANTS ... A-10
    1.3.1 CNSS Policy Management ... A-11
    1.3.2 Certification Authority System ... A-12
    1.3.3 Security Auditor ... A-14
    1.3.4 Registration Authority ... A-14
    1.3.5 Trusted Agent ... A-15
    1.3.6 Subscriber ... A-15
    1.3.7 Relying Party ... A-16
    1.3.8 Other Participants ... A-17
  1.4 CERTIFICATE USAGE ... A-17
    1.4.1 Appropriate Certificate Uses ... A-17
    1.4.2 Prohibited Certificate Uses ... A-17
  1.5 POLICY ADMINISTRATION ... A-17
    1.5.1 Organization Administering the Document ... A-17
    1.5.2 Contact Person ... A-18
    1.5.3 Person Determining CPS Suitability for the Policy ... A-18
    1.5.4 CPS Approval Procedures ... A-18
    1.5.5 Waivers ... A-18
  1.6 DEFINITIONS AND ACRONYMS ... A-18
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES ... A-19
  2.1 REPOSITORIES ... A-19
  2.2 PUBLICATION OF CERTIFICATION INFORMATION ... A-19
  2.3 TIME OR FREQUENCY OF PUBLICATION ... A-19
  2.4 ACCESS CONTROLS ON REPOSITORIES ... A-19
3 IDENTIFICATION AND AUTHENTICATION ... A-21
  3.1 NAMING ... A-21
    3.1.1 Types of Names ... A-21
    3.1.2 Need for Names to be Meaningful ... A-21
    3.1.3 Anonymity or Pseudonymity of Subscribers ... A-21
    3.1.4 Rules for Interpreting Various Name Forms ... A-22
    3.1.5 Uniqueness of Names ... A-22
    3.1.6 Recognition, Authentication and Role of Trademarks ... A-22
  3.2 INITIAL IDENTITY VALIDATION ... A-22
    3.2.1 Method to Prove Possession of Private Key ... A-22
    3.2.2 Authentication of Organization Identity ... A-22
    3.2.3 Authentication of Individual Identity ... A-22
    3.2.4 Non-Verified Subscriber Information ... A-25
    3.2.5 Validation of Authority ... A-26
    3.2.6 Criteria for Interoperation ... A-26
  3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS ... A-26
    3.3.1 Identification and Authentication for Routine Re-Key ... A-26
    3.3.2 Identification and Authentication for Re-Key After Revocation ... A-26
  3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST ... A-26
  3.5 IDENTIFICATION AND AUTHENTICATION FOR KEY RECOVERY REQUEST ... A-26
    3.5.1 Subscriber Request ... A-26
    3.5.2 Third Party Request ... A-27
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ... A-28
  4.1 CERTIFICATE APPLICATION ... A-28
    4.1.1 Who Can Submit a Certificate Application ... A-28
    4.1.2 Enrollment Process and Responsibilities ... A-28
  4.2 CERTIFICATE APPLICATION PROCESS ... A-29
    4.2.1 Performing Identification and Authentication Functions ... A-29
    4.2.2 Approval or Rejection of Certificate Applications ... A-29
    4.2.3 Time to Process Certificate Applications ... A-29
  4.3 CERTIFICATE ISSUANCE ... A-30
    4.3.1 CA Actions during Certificate Issuance ... A-30
    4.3.2 Notification to Subscriber by the CA of Issuance of Certificate ... A-30
  4.4 CERTIFICATE ACCEPTANCE ... A-30
    4.4.1 Conduct Constituting Certificate Acceptance ... A-30
    4.4.2 Publication of the Certificate by the CA ... A-31
    4.4.3 Notification of Certificate Issuance by the CA to Other Entities ... A-31
  4.5 KEY PAIR AND CERTIFICATE USAGE ... A-31
    4.5.1 Subscriber Private Key and Certificate Usage ... A-31
    4.5.2 Relying Party Public Key and Certificate Usage ... A-31
  4.6 CERTIFICATE RENEWAL ... A-31
    4.6.1 Circumstances for Certificate Renewal ... A-32
    4.6.2 Who May Request Renewal ... A-32
    4.6.3 Processing Certificate Renewal Requests ... A-32
    4.6.4 Notification of New Certificate Issuance to Subscriber ... A-33
    4.6.5 Conduct Constituting Acceptance of a Renewed Certificate ... A-33
    4.6.6 Publication of the Renewed Certificate by the CA ... A-33
    4.6.7 Notification of Certificate Issuance by the CA to Other Entities ... A-34
  4.7 CERTIFICATE RE-KEY ... A-34
    4.7.1 Circumstances for Certificate Re-Key ... A-34
    4.7.2 Who May Request Re-Key ... A-34
    4.7.3 Processing Certificate Re-Key Requests ... A-34
    4.7.4 Notification of New Certificate Issuance to Subscriber ... A-35
    4.7.5 Conduct Constituting Acceptance of a Re-Keyed Certificate ... A-35
    4.7.6 Publication of the Re-Keyed Certificate by the CA ... A-35
    4.7.7 Notification of Certificate Issuance by the CA to Other Entities ... A-35
  4.8 CERTIFICATE MODIFICATION ... A-35
    4.8.1 Circumstances for Certificate Modification ... A-36
    4.8.2 Who May Request Modification ... A-36
    4.8.3 Processing Certificate Modification Requests ... A-36
    4.8.4 Notification of New Certificate Issuance to Subscriber ... A-36
    4.8.5 Conduct Constituting Acceptance of a Modified Certificate ... A-37
    4.8.6 Publication of the Modified Certificate by the CA ... A-37
    4.8.7 Notification of Certificate Issuance by the CA to Other Entities ... A-37
  4.9 CERTIFICATE REVOCATION AND SUSPENSION ... A-37
    4.9.1 Circumstances for Revocation ... A-37
    4.9.2 Who Can Request a Revocation ... A-38
    4.9.3 Procedure for Revocation Request ... A-38
    4.9.4 Revocation Request Grace Period ... A-39
    4.9.5 Time within Which CA Must Process the Revocation Request ... A-39
    4.9.6 Revocation Checking Requirements for Relying Parties ... A-40
    4.9.7 CRL Issuance Frequency ... A-40
    4.9.8 Maximum Latency for CRLs ... A-40
    4.9.9 On-line Revocation/Status Checking Availability ... A-41
    4.9.10 On-line Revocation Checking Requirements ... A-41
    4.9.11 Other Forms of Revocation Advertisements Available ... A-41
    4.9.12 Special Requirements Related to Key Compromise ... A-41
    4.9.13 Certificate Suspension and Restoration ... A-41
  4.10 CERTIFICATE STATUS SERVICES ... A-43
    4.10.1 Operational Characteristics ... A-43
    4.10.2 Service Availability ... A-43
    4.10.3 Optional Features ... A-43
  4.11 END OF SUBSCRIPTION ... A-43
  4.12 KEY ESCROW AND RECOVERY ... A-44
    4.12.1 Key Escrow ... A-44
    4.12.2 Key Recovery ... A-44
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ... A-47
  5.1 PHYSICAL CONTROLS ... A-47
    5.1.1 Site Location and Construction ... A-47
    5.1.2 Physical Access ... A-47
    5.1.3 Power and Air Conditioning ... A-48
    5.1.4 Water Exposures ... A-49
    5.1.5 Fire Prevention and Protection ... A-49
    5.1.6 Media Storage ... A-49
    5.1.7 Waste Disposal ... A-49
    5.1.8 Off-site Backup ... A-49
  5.2 PROCEDURAL CONTROLS ... A-50
    5.2.1 Trusted Roles ... A-50
    5.2.2 Number of Persons Required per Task ... A-52
    5.2.3 Identification and Authentication for Each Role ... A-52
    5.2.4 Roles Requiring Separation of Duties ... A-53
  5.3 PERSONNEL CONTROLS ... A-53
    5.3.1 Qualifications, Experience, and Clearance Requirements ... A-53
    5.3.2 Background Check Procedures ... A-54
    5.3.3 Training Requirements ... A-54
    5.3.4 Retraining Frequency and Requirements ... A-54
    5.3.5 Job Rotation Frequency and Sequence ... A-54
    5.3.6 Sanctions for Unauthorized Actions ... A-55
    5.3.7 Independent Contractor Requirements ... A-55
    5.3.8 Documentation Supplied to Personnel ... A-55
  5.4 AUDIT LOGGING REQUIREMENTS ... A-55
    5.4.1 Types of Events Recorded ... A-55
    5.4.2 Frequency of Processing Log ... A-58
    5.4.3 Retention Period of Audit Log ... A-58
    5.4.4 Protection of Audit Log ... A-58
    5.4.5 Audit Log Backup Procedures ... A-59
    5.4.6 Audit Collection System (Internal Vs. External) ... A-59
    5.4.7 Notification to Event-Causing Subject ... A-5
