Verisign Gatekeeper Certification Practice Statement (V Sign Gatekeeper Cps

Transcription

VERISIGN GATEKEEPER CERTIFICATION PRACTICE STATEMENT (VERISIGN GATEKEEPER CPS)

Date of Publication: November 2005
Proposed Effective Date: November 2005
V8.0

Copyright 2001-2004 VeriSign Australia Pty Ltd. All rights reserved.

No part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without prior written permission of VeriSign Australia Pty Ltd. Notwithstanding the above, permission is granted to reproduce and distribute this document for an individual or organisation’s own uses on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete with attribution of the document to VeriSign Australia Pty Ltd.

The eSign thumbprint and logo is a trademark of VeriSign Australia Pty Ltd. eSign Gatekeeper Services is a registered business name of VeriSign Australia Pty Ltd under which VeriSign Australia Pty Ltd provides Gatekeeper services.

VeriSign is a registered trademark of VeriSign, Inc. VeriSign Trust Network is a trademark of VeriSign, Inc. All other trademarks and service marks are the property of their respective owners.

V8.0 – Printed: 10 Nov 2005 09:11 Page 2 of 30

TABLE OF CONTENTS

1. INTRODUCTION
1.0 Structure of this CPS and relationship to Certificate Policy *
1.1 Overview
1.2 Identification
1.3 Community and applicability
1.3.1 Certification Authorities (CAs)
1.3.2 Registration Authorities (RAs)
1.3.3 End Entities
1.3.4 Applicability
1.3.5 Gatekeeper Accreditation*
1.4 Contact Details
1.4.1 PKI Service Providers
1.4.2 Specification Administration Authorities
1.4.3 Contact Person
1.4.4 Competent Authority
1.4.5 Person determining CPS suitability for CPs
2. GENERAL PROVISIONS
2.1 Obligations generally*
2.1.0 RCA Obligations*
2.1.1 CA obligations
2.1.1.1 Certificate Issue*
2.1.1.2 Key Management*
2.1.1.3 Directories and Certificate Revocation*
2.1.1.4 General*
2.1.1.5 Obligations of Subordinate CAs*
2.1.2 RA Obligations
2.1.3 Subscriber Obligations
2.1.4 Relying Party obligations
2.1.4.1 Validating Digital Signatures*
2.1.5 Repository Obligations
2.2 Liability
2.2.1 Liability Generally*
2.2.2 Liability of the Commonwealth*
2.2.3 Force majeure*
2.2.4 VeriSign Liability*
2.2.5 Subscriber Liability*
2.2.6 Relying Party Liability
2.3 Financial responsibility
2.3.1 Indemnification of Relying Parties
2.3.2 Fiduciary relationships
2.3.3 Administrative processes
2.4 Interpretation and Enforcement
2.4.1 Governing law
2.4.2 Severability, survival, merger, notice
2.4.2.3 Notice*
2.4.2.4 Precedence*
2.4.3 Dispute resolution procedures
2.5 Fees
2.5.1 Certificate Issuance or Renewal fees
2.5.2 Certificate access fee
2.5.3 Revocation or status information access fee
2.5.4 Fees for other services such as policy information
2.5.5 Refund Policy
2.6 Publication and Repository
2.6.1 Publication of CA information
2.6.2 Frequency of publication
2.6.3 Access controls
2.6.4 Repositories
2.7 Compliance audit
2.7.1 Frequency of entity compliance audit
2.7.2 Identity/qualifications of auditor
2.7.3 Auditor’s relationship to audited party
2.7.4 Topics covered by audit
2.7.5 Actions taken as a result of deficiency

2.7.6 Communication of results
2.8 Privacy and Data Protection
2.9 Intellectual Property Rights
3. IDENTIFICATION AND AUTHENTICATION
4. OPERATIONAL REQUIREMENTS
4.1 Certificate Application
4.2 Certificate issuance
4.3 Certificate acceptance
4.4 Certificate Suspension and Revocation
4.5 Security Audit Procedures
4.5.1 Type of event recorded
4.5.2 Frequency of processing log
4.5.3 Retention period for audit log
4.5.4 Protection of audit log
4.5.5 Audit log backup procedures
4.5.6 Audit collection system (internal vs external)
4.5.7 Notification to event-causing subject
4.5.8 Vulnerability assessments
4.6 Records Archival
4.6.1 Types of event recorded
4.6.2 Retention period for archive
4.6.3 Protection of archive
4.6.4 Archive backup procedures
4.6.5 Requirements for Time Stamping of records
4.6.6 Archive collection system (internal or external)
4.6.7 Procedure to obtain and Verify archive information
4.7 Key changeover
4.8 Compromise and Disaster Recovery
4.8.1 Computing resources, software, and/or data are corrupted
4.8.2 Entity Public Key is Revoked
4.8.3 Entity Key is Compromised
4.8.4 Secure facility after a natural or other type of disaster
4.9 PKI Service Provider Termination*
5. PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS
5.0 General*
5.0.1 Security Policy*
5.0.2 Protective Security Risk Review*
5.0.3 Protective Security Plan*
5.1 Physical Controls
5.1.1 Site location and construction
5.1.2 Physical access
5.1.3 Power and air conditioning
5.1.4 Water exposures
5.1.5 Fire prevention and protection
5.1.6 Media storage
5.1.7 Waste disposal
5.1.8 Off-site backup
5.2 Procedural Controls
5.2.1 Trusted roles
5.2.2 Number of persons required per task
5.2.3 Identification and authentication for each role
5.3 Personnel Controls
5.3.1 Background, qualifications, experience, and clearance requirements
5.3.2 Background check procedures
5.3.3 Training requirements
5.3.4 Retraining frequency and requirements
5.3.5 Job rotation frequency and sequence
5.3.6 Sanctions for unauthorised actions
5.3.7 Contracting personnel requirements
5.3.8 Documentation supplied to personnel
6. TECHNICAL SECURITY CONTROLS
6.0 Key Management*
6.1 Key Pair Generation and Installation
6.1.1 Key Pair generation
6.1.2 Private Key delivery to Entity

Public Key Delivery to Certificate Issuer
VeriSign CA Public Key delivery to users
Key sizes
Public Key parameters generation
Parameter quality checking
Hardware/software Key generation
Key usage purposes (as per X.509 v 3 Key Usage field)
Private Key Protection
Standards for Cryptographic Module
Private key (n out of m) multi-person control
Private Key Escrow
Private Key backup
Private Key archival
Private Key entry into Cryptographic Module
Method of activating Private Key
Method of deactivating Private Key
Method of destroying Private Key
Other Aspects of Key Pair Management
Public Key archival
Usage periods for the Public and Private Keys
Activation Data
6.5 Computer Security Controls
6.5.1 Specific computer security technical requirements
6.5.2 Computer security rating
6.6 Life Cycle Technical Controls
6.6.1 System development controls
6.6.2 Security management controls
6.6.3 Life cycle security ratings
6.7 Network Security Controls
6.8 Cryptographic Module Engineering Controls
7. CERTIFICATE AND CRL PROFILES
7.1 Certificate Profile
7.1.1 Version Number(s)
7.1.2 Certificate Extensions
7.1.3 Algorithm object identifiers
7.1.4 Name forms
7.1.5 Name Constraints
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints extension
7.1.8 Policy qualifiers syntax and semantics
7.1.9 Processing semantics for the critical Certificate Policy extension
7.2 CRL Profile
7.2.1 Version number(s)
7.2.2 CRL and CRL entry extensions
8. SPECIFICATION ADMINISTRATION
8.1 Specification Change Procedures
8.2 Publication and notification policies
8.3 CPS approval procedures

1. INTRODUCTION

1.0 Structure of this CPS and relationship to Certificate Policy *

1. VeriSign Australia Pty Ltd trading as eSign Gatekeeper Services (‘eSign’) provides both Public and Private certification services using technology from VeriSign Inc.

2. This Certification Practices Statement (“CPS”) is a general document that sets out a number of policy and operational matters in relation to VeriSign Gatekeeper services, including the practices that VeriSign employs in Issuing, Revoking and managing Certificates. It should be read in conjunction with the relevant Certificate Policy (“CP”), which sets out the rules regarding the applicability of a Certificate to a particular community and contains information about the specific structure of the relevant Certificate Type and Grade.

3. The obligations of the PKI Entities are also set out in the relevant VeriSign Gatekeeper CP as well as other relevant documentat
