ENTERPRISE PUBLIC KEY INFRASTRUCTURE - U.S. Bank


US BANK
ENTERPRISE PUBLIC KEY INFRASTRUCTURE
CERTIFICATE POLICY
June 2012
Version 1.0
Copyright 2012, Entrust, Inc.

US Bank Enterprise Public Key Infrastructure Certificate Policy

Version Control

Version  Revision Date  Revision Description                     Revised by
0.1      May 29, 2012   Initial release for internal review.     Entrust Managed Service Policy Authority
0.2      June 11, 2012  Initial release for review by US Bank.   Entrust Managed Service Policy Authority

Table of Contents

1 INTRODUCTION
  1.1 OVERVIEW
  1.2 DOCUMENT NAME AND IDENTIFICATION
    1.2.1 Policy Object Identifiers
  1.3 PKI PARTICIPANTS
    1.3.1 Certification Authorities
    1.3.2 Registration Authorities
    1.3.3 Subscribers
    1.3.4 Relying Parties
    1.3.5 Other Participants
  1.4 CERTIFICATE USAGE
    1.4.1 Assurance Levels and Acceptable Use
    1.4.2 Prohibited Certificate Uses
  1.5 POLICY ADMINISTRATION
    1.5.1 Organization Responsibilities for this Certificate Policy
    1.5.2 Contact Information
    1.5.3 Person Determining CPS Suitability for The Policy
    1.5.4 Certificate Policy Amendment
  1.6 DEFINITIONS AND ACRONYMS
    1.6.1 List of Definitions
    1.6.2 List of Acronyms
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES
  2.1 REPOSITORIES
  2.2 PUBLICATION OF CERTIFICATION INFORMATION
  2.3 TIME OR FREQUENCY OF PUBLICATION
  2.4 ACCESS CONTROLS ON REPOSITORIES
3 IDENTIFICATION AND AUTHENTICATION
  3.1 NAMING
  3.2 INITIAL IDENTITY VALIDATION
    3.2.1 Method to Prove Possession of Private Key
    3.2.2 Authentication of Organization Identity
    3.2.3 Authentication of Individual Identity
    3.2.4 Non-verified Subscriber Information
    3.2.5 Validation of Authority
    3.2.6 Criteria for Interoperation
  3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS
    3.3.1 Identification and Authentication for Routine Re-key
    3.3.2 Identification and Authentication for Re-key after Revocation
  3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
  4.1 CERTIFICATE APPLICATION
    4.1.1 Who Can Submit a Certificate Application
    4.1.2 Enrollment Process and Responsibilities
  4.2 CERTIFICATE APPLICATION PROCESSING
  4.3 CERTIFICATE ISSUANCE
  4.4 CERTIFICATE ACCEPTANCE
    4.4.1 Conduct Constituting Certificate Acceptance
    4.4.2 Publication of the Certificate by the CA
    4.4.3 Notification of Certificate Issuance by the CA to Other Entities
  4.5 KEY PAIR AND CERTIFICATE USAGE
  4.6 CERTIFICATE RENEWAL
  4.7 CERTIFICATE RE-KEY
    4.7.1 Circumstance for Certificate Re-key
    4.7.2 Who May Request Certification of a New Public Key
    4.7.3 Processing Certificate Re-keying Requests
    4.7.4 Notification of New Certificate Issuance to Subscriber
    4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
    4.7.6 Publication of the Re-keyed Certificate by the CA
    4.7.7 Notification of Certificate Issuance by the CA to Other Entities
  4.8 CERTIFICATE MODIFICATION
  4.9 CERTIFICATE REVOCATION AND SUSPENSION
    4.9.1 Circumstances for Revocation
    4.9.2 Who Can Request Revocation
    4.9.3 Procedure for Revocation Request
    4.9.4 Revocation Request Grace Period
    4.9.5 Time within which CA Must Process the Revocation Request
    4.9.6 Revocation Checking Requirement for Relying Parties
    4.9.7 CRL Issuance Frequency
    4.9.8 Maximum Latency for CRLs
    4.9.9 On-line Revocation/Status Checking Availability
    4.9.10 On-line Revocation Checking Requirements
    4.9.11 Other Forms of Revocation Advertisements Available
    4.9.12 Special Requirements re: Re-key Compromise
    4.9.13 Circumstances for Suspension
    4.9.14 Who Can Request Suspension
    4.9.15 Procedure for Suspension Request
    4.9.16 Limits on Suspension Period
  4.10 CERTIFICATE STATUS SERVICES
    4.10.1 Operational Characteristics
    4.10.2 Service Availability
    4.10.3 Optional Features
  4.11 END OF SUBSCRIPTION
  4.12 KEY ESCROW AND RECOVERY
    4.12.1 Key Escrow and Recovery Policy and Practices
    4.12.2 Session Key Encapsulation and Recovery Policy and Practices
5 FACILITY MANAGEMENT, AND OPERATIONAL CONTROLS
  5.1 PHYSICAL CONTROLS
  5.2 PROCEDURAL CONTROLS
  5.3 PERSONNEL CONTROLS
  5.4 AUDIT LOGGING PROCEDURES
  5.5 RECORDS ARCHIVAL
  5.6 KEY CHANGEOVER
  5.7 COMPROMISE AND DISASTER RECOVERY
  5.8 CA TERMINATION
6 TECHNICAL SECURITY CONTROLS
  6.1 KEY PAIR GENERATION
    6.1.1 CA Key Pair Generation and Installation
    6.1.2 Key Delivery to Subscriber
    6.1.3 Public Key Delivery to Certificate Issuer
    6.1.4 CA Public Key Delivery to Relying Parties
    6.1.5 Key Sizes
    6.1.6 Public Key Parameters Generation and Quality Checking
    6.1.7 Key Usage Purposes
  6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
  6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
    6.3.1 Public Key Archival
    6.3.2 Certificate Operational Periods and Key Pair Usage Periods
  6.4 ACTIVATION DATA
  6.5 COMPUTER SECURITY CONTROLS
  6.6 LIFE CYCLE TECHNICAL CONTROLS
  6.7 NETWORK SECURITY CONTROLS
  6.8 TIME-STAMPING
7 CERTIFICATE, CRL, AND OCSP PROFILES
  7.1 CERTIFICATE PROFILE
  7.2 CRL PROFILE
    7.2.1 Version Number
    7.2.2 CRL and CRL Entry Extensions
  7.3 OCSP PROFILE
    7.3.1 Version Number
    7.3.2 OCSP Extensions
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS
  8.1 FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT
  8.2 IDENTITY/QUALIFICATIONS OF ASSESSOR
  8.3 ASSESSOR’S RELATIONSHIP TO ASSESSED ENTITY
  8.4 TOPICS COVERED BY ASSESSMENT
  8.5 ACTIONS TAKEN AS A RESULT OF DEFICIENCY
  8.6 COMMUNICATION OF RESULTS
9 OTHER BUSINESS AND LEGAL MATTERS

1 Introduction

1.1 Overview

This document is referred to as the US Bank Enterprise Public Key Infrastructure (PKI) Certificate Policy (CP). This describes US Bank’s policies involved in the issuance of digital certificates by the US Bank Root and Issuing Certification Authorities (collectively referred to as the “US Bank CAs”).

The US Bank Enterprise PKI CP is based on the Entrust Managed Services Commercial Private CP. Any section listed in this CP, but having no contents, means the corresponding section and subsections in the Entrust Managed Services (EMS) Commercial Private CP (CCP) apply. In other words, the US Bank PKI CP is presented as a ‘delta’ document to the EMS CCP.

This document is organized in structure to be fully compliant with IETF RFC 3647; however, sections are only supplied with text where relevant exceptions or differences from the EMS CCP exist. Those sections without text automatically default to that supplied in the EMS CCP.

This CP is applicable to all entities with relationships with US Bank Enterprise PKI, including Subscribers, Relying Parties, and Registration Authorities (RA). This CP provides those entities with a clear statement of the policies and responsibilities of US Bank CAs, as well as the responsibilities of each entity in dealing with the CAs.

This CP consists of policy statements that outline the principles and requirements that govern US Bank Enterprise PKI.

A CP specifies “what” the requirements are that will be implemented, while a corresponding Certification Practices Statement (CPS) describes “how” those requirements are met for a specific Certificate Authority. This Certificate Policy is therefore not designed to detail the processes and procedures that are involved in the management and governance of US Bank PKI; this information is entailed in the document, US Bank Public Key Infrastructure Certification Practices Statement.

1.2 Document Name and Identification

Document Name: US Bank Enterprise PKI Certificate Policy
Document Version: 0.2 Draft
Document Date: June 11th, 2012
Document Policy Object CCITT(2) countries(16) USA(840) organization(1) entrust(114027) EMSPKI(200) policy(3) id-emspki-policy(10) id-emspkiUSBank(15)

1.2.1 Policy Object Identifiers

Certificates that are issued under this CP will assert one or more of the policy Object Identifiers (OIDs) listed below, depending upon the type of certificate issued:

mspki- 200.3.10.15.2
2.16.840.1.114027.200.3.10.15.3

1.3 PKI Participants

1.3.1 Certification Authorities

The US Bank Enterprise PKI is comprised of two Certification Authorities, as follows:

- The US Bank Root CA, which shall issue certificates only to subordinate CAs. Its purpose is to provide an anchor of trust within US Bank. The US Bank Root CA shall be subject to the stipulations of the EMS CCP for the Commercial Private Root CA, except where otherwise noted in this CP.
- US Bank Issuing CA, which shall issue certificates to US Bank internal web sites, internal users, business partners, customers, devices and applications. It shall not issue certificates to subordinate Certification Authorities or perform cross certifications with other Certification Authorities. The US Bank Issuing CA shall be subject to the stipulations of the EMS CCP for the Commercial Private SSP CA, except where otherwise noted in this CP.

The US Bank CAs shall be operated as Entrust Managed Service Customer Dedicated CAs. They shall not be subordinate to any of the Entrust Managed Service Root CAs.

Where necessary, the US Bank Enterprise PKI CP distinguishes the different users and roles accessing the CA functions. Where this distinction is not required, the term Certification Authority is used to refer to the total CA entity, including the hardware, software, personnel, processes, and its operations.

1.3.2 Registration Authorities

A Registration Authority (RA) shall be designated as an individual, organization or entity responsible for verifying the identity of a Subscriber. When required, the RA shall verify a Subscriber’s authority to act on behalf of a client organization. Client organizations include US Bank business units/departments and third party Business Partners. RAs shall be formally nominated by the Management of the US Bank PKI.

1.3.2.1 Local Registration Authorities

Local RAs (LRAs) are US Bank staff appointed by the RA. They are responsible for the identification and authentication of End Entities in accordance with this CP.

1.3.3 Subscribers

A Subscriber shall be the recipient of a public key certificate issued by the US Bank Issuing CA. Subscribers may include US Bank internal employees and contractors, Business Partners, customers or affiliated third party entities. With respect to the usage of US Bank Enterprise PKI certificates, subscribing entities shall be limited to:

(1) US Bank full-time or part-time employees, contractors and temporaries;
(2) US Bank customer full-time or part-time employees, contractors and temporaries;
(3) Other individuals with whom US Bank has a business relationship;
(4) External cross-certified Certification Authorities.
(5) Services on digital processing entities, property of US Bank, or used for activities in which US Bank is involved; and

By virtue of certificate subscription, the Subscriber agrees to adhere to this Certificate Policy and all other applicable laws and regulations that govern the use of digital certificates. The Subscriber shall also agree to provide true information to the best of one’s knowledge at the time of certificate application. Should information provided by the Subscriber or contained in the Subscriber certificate appear to be false or misleading, the Subscriber shall notify the Contact Person listed in section 1.5.2 of this Certificate Policy.

1.3.4 Relying Parties

With respect to certificates issued under this CP, a Relying Party is as follows:

- An individual, entity or organization internal or external to US Bank that relies on a certificate issued by the US Bank Issuing CA; and
- All Subscribers of the US Bank Enterprise PKI are themselves Relying Parties.

Individuals or organizations, other than those listed above, shall not be entitled to rely upon certificates issued by US Bank Enterprise PKI, and any such reliance is done at their own risk. US Bank disclaims any and all liability that may arise out of any such reliance.

Relying Parties shall be responsible for checking certificate expiration and revocation status for verifying the validity of US Bank Enterprise PKI issued certificates.
Relying Parties shall agree to use these certificates in a manner consistent with the policies set forth in this CP.

1.3.5 Other Participants

Other participants of US Bank PKI shall include:

Participant / Role

Management of the US Bank Enterprise PKI
    The Management of the US Bank PKI Enterprise shall consist of one or more US Bank organizational units responsible for ensuring that US Bank CAs operate as stated in the US Bank Enterprise PKI Certification Practice Statement.

Entrust Managed Service Policy Authority
    The Entrust Managed Service Policy Authority (EMS PA) shall be the custodian of this CP and shall be responsible for administration of this CP, including the approval of policy changes.

Support Services
    Support Services shall include other US Bank departmental groups or third parties under contract to US Bank that support the US Bank Enterprise PKI.

1.4 Certificate Usage

1.4.1 Assurance Levels and Acceptable Use

1.4.2 Prohibited Certificate Uses

In general terms, applications for which US Bank Enterprise PKI issued public key certificates are prohibited are those where:

- Business activities are conducted, other than for US Bank or US Bank sponsored Business Partner or third party;
- Usage contravenes the US Bank Enterprise PKI Policy and other governing US Bank policies or this CP; or
- Usage contravenes relevant law.

1.5 Policy Administration

1.5.1 Organization Responsibilities for this Certificate Policy

1.5.2 Contact Information

1.5.3 Person Determining CPS Suitability for The Policy

1.5.4 Certificate Policy Amendment

1.6 Definitions and Acronyms

1.6.1 List of Definitions

In addition to the definitions in the EMS CCP, the following are defined:

Client Organization
    An organization within US Bank or an affiliate third party that is a client, either Relying Party or Subscriber, of the US Bank PKI.

Cross-certificate
    A certificate issued by a Certification Authority to establish a trust relationship between it and another Certification Authority.

US Bank Business Partner
    A US Bank PKI subscriber who is issued a certificate through a Trusted Agent requesting a certificate on their behalf. A Business Partner will typically be performing operations functions (e.g., administration of a web site) on behalf of US Bank.

US Bank Trusted Agent
    Employees of US Bank’s clients appointed by LRAs. Trusted Agents are responsible for the identification and authentication of End Entities within the client’s domain in accordance with the CP. A contact at a client site can be appointed to act as a Trusted Agent and authenticate users (examples are client, vendor and third-party employees) to help simplify the registration process.

Enrollment
    A process by which an individual or an organization registers to receive a certificate and/or cryptographic keys for use within the US Bank PKI.

Entity
    Any autonomous element within the PKI. This may be a CA, a trusted role within a CA, an RA or an End entity.

Non-repudiation
    Non-repudiation means sufficient evidence to persuade an adjudicator as to the origin and data integrity of digitally signed data, despite an attempted denial by the purported sender. Digital signatures on electronic transactions provide evidentiary support for non-repudiation.

PKI Policy Authority
    The Authority responsible for the maintenance of the CP and CPS.

PKI Administrator
    An individual who is responsible for the management of the Subscriber initialization process; the creation, renewal or revocation of certificates and the distribution of tokens (where applicable).

1.6.2 List of Acronyms

In addition to the acronyms in the EMS CCP, the following are

CRL Distribution Point
Common Name
Certificate Subscriber Agreement
Fully Qualified Domain Name
High Availability
Hyper Text Transfer Protocol
HTTP over SSL
Hardware Security Module
Intrusion Detection System
Local Area Network
Network Intrusion Prevention System
Rivest-Shamir-Adleman
Storage Area Network
SSL  Secure Sockets Layer
UPS  Uninterruptible Power Supply
URI  Uniform Resource Identifier

2 Publication and Repository Responsibilities

2.1 Repositories

The US Bank PKI data shall be published to the following LDAP Directories:

- Entrust MSO MDSA servers. The US Bank CAs shall write the CA certificates, policy certificates, Entrust MSO PKI administrator certificates and CRLs to the Entrust MDSA servers.
- Entrust SDSA servers. The US Bank CA data written to the Entrust MSO MDSA servers shall be replicated to the Entrust MSO SDSA servers. The Entrust MSO SDSA servers shall be available to PKI Subscribers and Relying Parties connecting from the public Internet.
- US Bank MDSA and SDSA servers. The US Bank PKI data written to the Entrust MSO MDSA shall be replicated to the US Bank LDAP servers.

The US Bank CA certificates and CRLs shall be published on a Web server hosted on the US Bank network. This Web server shall be available from the public Internet and the US Bank corporate network.

Relying Parties shall access US Bank PKI CRLs published on the Certificate Distribution Point (CDP) hosted on the Entrust MSO SDSA LDAP Directory, the US Bank LDAP servers and on HTTP:/crl.usbank.com/CRLs/, which shall be accessible on the public Internet. These CRLs shall be available 24/7 under normal conditions.

2.2 Publication of Certification Information

This CP shall also be publicly accessible at the following ness Partners and relying third parties shall be entitled to obtain a copy of the Certificate Policy. They may do so by submitting a written req
