Unisys Internal PKI Certificate Policy


Certificate Policy
Unisys Internal Public Key Infrastructure
Lynn Devore (Author)
Unisys Internal PKI Certificate Policyv1 14.docx

Unisys
Unisys Internal PKI Certificate Policy
Unisys Corporation
April 28, 2017

Copyright 2004-2017 Unisys Corporation All rights reserved
Created on 28 April 2017
This is a Public Document
Page 1 of 79

Content: This document contains the text for the Certificate Policy, which will govern the issuance and management of Certificates for the Unisys Internal PKI.
Name: Unisys Internal PKI Certificate Policy
Version / Last Revision: See header
Classification: Public document

Approval:
Responsible | Name | Date | Signature
Unisys InfoSec / PMA | Christopher Hawley | |
Unisys UIT | Christopher Odom | |

Compliance Status:
Compliance needed with Document: Not applicable
Status:
Remarks: CP is the governing document that will establish high level criteria for all other project requirements documents.

Contents

Part 1 Document Information
  History
  Management Summary
  Contacts
1. INTRODUCTION
  1.1. Overview
  1.2. Identification
  1.3. Community and Applicability
    1.3.1. Policy Management Authority
    1.3.2. Certification Authorities and Certificate Manufacturing Authorities
    1.3.3. Registration Authorities
    1.3.4. Repositories
    1.3.5. Subscribers
    1.3.6. Qualified Relying Parties
    1.3.7. Service Providers
    1.3.8. Applicability
  1.4. Contact details
    1.4.1. Person Determining CPS Suitability for the Policy
2. GENERAL PROVISIONS
  2.1. Obligations
    2.1.1. UICA Obligations
    2.1.2. RA Obligations
    2.1.3. Repository Obligations
    2.1.4. Subscriber Obligations
    2.1.5. Qualified Relying Party Obligations
  2.2. Liability
    2.2.1. UICA Liability
    2.2.2. Warranties and Limitations on Warranties
    2.2.3. Disclaimers
    2.2.4. Loss Limitations
    2.2.5. Other Exclusions
    2.2.6. RA Liability
  2.3. Financial Responsibility
    2.3.1. Indemnification by Relying Parties
    2.3.2. Indemnification by Subscribers
    2.3.3. Fiduciary Relationships
  2.4. Interpretation and Enforcement
    2.4.1. Governing Law
    2.4.2. Severability, Survival, Merger, Notice
    2.4.3. Conflict of provisions
    2.4.4. Dispute resolution procedures
  2.5. Fees
    2.5.1. Certificate Issuance or Renewal Fees
    2.5.2. Certificate Suspension or Revocation Fees
    2.5.3. Certificate Access Fees
    2.5.4. Certificate Status Information or CRL Access Fees
    2.5.5. Fees for Other Services such as Private Key Archive or Trusted Time Stamp Services
    2.5.6. Refund Policy
  2.6. Publication and Repositories
    2.6.1. Publication of Certification Authority Information
    2.6.2. Frequency of Publication
    2.6.3. Access Controls
  2.7. Compliance Audit (Inspection)
    2.7.1. Frequency of Compliance Audit
    2.7.2. Identity/Qualifications of Auditor
    2.7.3. Auditor’s Relationship to Audited Party
    2.7.4. Topics Covered by Audit
    2.7.5. Actions Taken as a Result of Deficiency
    2.7.6. Communication of Results
  2.8. Confidentiality
    2.8.1. Types of Information to Be Kept Confidential
    2.8.2. Types of Information Not Considered Confidential
    2.8.3. Disclosure of Certificate Revocation or Suspension Information
    2.8.4. Release of Confidential Information to Law Enforcement Officials
    2.8.5. Release as Part of Civil Discovery
    2.8.6. Disclosure upon Owner's Request
    2.8.7. Other Information Release Circumstances
  2.9. Intellectual Property Rights
3. IDENTIFICATION AND AUTHENTICATION
  3.1. Initial Registration
    3.1.1. Types of Names
    3.1.2. Need for Names to be Meaningful
    3.1.3. Rules for Interpreting Various Name Forms
    3.1.4. Uniqueness of Names
    3.1.5. Name Claim Dispute Resolution Procedure
    3.1.6. Recognition, authentication and roles of trademarks
    3.1.7. Proof of possession of private key
    3.1.8. Authentication of Individual Identity
    3.1.9. Authentication of Devices and Applications
    3.1.10. Authentication of Organization Role
  3.2. Routine Certificate Re-Key, Renewal, or Update
    3.2.1. Authentication for Routine Re-Key or Renewal
    3.2.2. Authentication for Certificate Update
  3.3. Authentication for Certificate Re-Key, Renewal, or Update after Revocation
  3.4. Authentication for Certificate Revocation
4. OPERATIONAL REQUIREMENTS
  4.1. Application for a Certificate
    4.1.1. Delivery of Public Key for Certificate issuance
  4.2. Certificate issuance
    4.2.1. Delivery of Subscriber's Private Key to Subscriber
    4.2.2. Delivery of the UICA’s Public Keys
  4.3. Certificate acceptance
  4.4. Certificate suspension and Revocation
    4.4.1. Circumstances for revocation
    4.4.2. Circumstances for Suspension
    4.4.3. CRL Issuance Frequency
    4.4.4. CRL Checking Requirements
    4.4.5. Online Certificate Status Checking Availability
    4.4.6. Other Forms of Revocation Advertisements Available
    4.4.7. Checking Requirements for Other Forms of Revocation Advertisements
    4.4.8. Special Requirements Regarding Key Compromise
  4.5. Security Audit Procedures
    4.5.1. Types of Events Recorded
    4.5.2. Frequency of Audit Log Processing
    4.5.3. Period for which Audit Logs are Kept
    4.5.4. Protection of Audit Logs
    4.5.5. Audit Log Back Up Procedures
    4.5.6. Audit Collection System
    4.5.7. Notification of Audit Subjects
    4.5.8. Vulnerability Assessments
  4.6. Records Archival
    4.6.1. Types of Events Archived
    4.6.2. Retention Period for Archive
    4.6.3. Protection of Archive
    4.6.4. Archive Backup Procedures
    4.6.5. Requirements for Time-Stamping of Records
    4.6.6. Archive Collection System (Internal or External)
    4.6.7. Procedures to Obtain and Verify Archive Information
  4.7. Key Changeover
  4.8. Compromise and Disaster Recovery
    4.8.1. Computing Resources, Software, and/or Data Are Corrupted
    4.8.2. UICA Certificate is Revoked
    4.8.3. Private Key is Compromised (Key Compromise Plan)
    4.8.4. Secure Facility after a Natural or Other Disaster (Disaster Recovery Plan)
  4.9. UICA Termination
5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
  5.1. Physical Security Controls
    5.1.1. Site Location and Construction
    5.1.2. Physical Access
    5.1.3. Power and Air Conditioning
    5.1.4. Water Exposures
    5.1.5. Fire Prevention and Protection
    5.1.6. Media Storage
    5.1.7. Waste Disposal
    5.1.8. Off-site Backup
  5.2. Procedural Controls
    5.2.1. Trusted Roles
    5.2.2. Separation of Roles
    5.2.3. Number of Persons Required Per Task
    5.2.4. Identification and Authentication for Each Role
  5.3. PERSONNEL CONTROLS
    5.3.1. Background and Qualifications
    5.3.2. Background Investigation
    5.3.3. Training Requirements
    5.3.4. Retraining Frequency and Requirements
    5.3.5. Job Rotation Frequency and Sequence
    5.3.6. Sanctions for Unauthorized Actions
    5.3.7. Contracting Personnel Requirements
    5.3.8. Documentation Supplied to Personnel
6. TECHNICAL SECURITY CONTROLS
  6.1. Key Pair Generation And Installation
    6.1.1. Key Pair Generation
    6.1.2. Private Key Delivery to Entity
    6.1.3. Subscriber Public Key Delivery to UICA
    6.1.4. UICA Public Key Delivery to Users
    6.1.5. Key Sizes
    6.1.6. Public key parameters generation
    6.1.7. Parameter quality checking
    6.1.8. Hardware/Software Key Generation
    6.1.9. Key Usage Purposes
  6.2. Private Key Protection
    6.2.1. Standards for Cryptographic Modules
    6.2.2. Private Key (n out of m) Multi-Person Control
    6.2.3. Private Key Escrow
    6.2.4. Private Key Backup
    6.2.5. Private Key Archival
    6.2.6. Private Key Entry into Cryptographic Module
    6.2.7. Method of Activating Private Key
    6.2.8. Method of Deactivating Private Key
    6.2.9. Method of Destroying Subscriber’s Private Key
  6.3. Other Aspects Of Key Pair Management
    6.3.1. Public Key Archival
    6.3.2. Usage Periods for the Public and Private Keys (Key Replacement)
  6.4. Activation Data
    6.4.1. Activation Data Generation and Installation
    6.4.2. Activation Data Protection
  6.5. Computer Security Controls
    6.5.1. Specific Computer Security Technical Requirements
    6.5.2. Computer Security Rating
  6.6. Life Cycle Technical Controls
    6.6.1. System Development Controls
    6.6.2. Security Management Controls
    6.6.3. Life Cycle Security Ratings
  6.7. Network Security Controls
  6.8. Cryptographic Module Engineering Controls
7. CERTIFICATE AND CRL PROFILES
  7.1. CERTIFICATE PROFILE
    7.1.1. Version Numbers
    7.1.2. Certificate Extensions
    7.1.3. Algorithm Object Identifiers
    7.1.4. Name Forms
    7.1.5. Name Constraints
    7.1.6. Certificate Policy Object Identifier
    7.1.7. Usage of Policy Constraints Extension
    7.1.8. Policy Qualifiers Syntax and Semantics
  7.2. CRL PROFILE
    7.2.1. Version Numbers
    7.2.2. CRL Entry Extensions
8. CERTIFICATE POLICY ADMINISTRATION
  8.1. CERTIFICATE POLICY CHANGE PROCEDURES
    8.1.1. Items that can change without notification
    8.1.2. Changes with notification
  8.2. Publication and Notification Procedures
  8.3. CPS Approval Procedures
9. GLOSSARY
  9.1. Definition of Terms
  9.2. Acronyms
10. REFERENCES
