X.509 CERTIFICATE POLICY FOR National Aeronautics And Space . - NASA


National Aeronautics and Space Administration
Ames Research Center
Moffett Field, California 94035

X.509 CERTIFICATE POLICY
FOR
National Aeronautics and Space Administration (NASA)
Public Key Infrastructure (PKI)

December 17, 2004
Revision 1.3.1.2

National Aeronautics and Space Administration
Ames Research Center
Applied Information Technology Division
Moffett Field, CA 94035-1000

X.509 Certificate Policy for NASA PKI

Signature:
NASA Chief Information Officer

Date:

X.509 Certificate Policy for NASA PKI

Table of Contents

1. INTRODUCTION ... 1
  1.1 OVERVIEW ... 2
  1.2 IDENTIFICATION ... 2
  1.3 COMMUNITY & APPLICABILITY ... 2
    1.3.1 Certification Authority (CA) ... 3
    1.3.2 Registration Authorities (RAs) ... 3
    1.3.3 End Entities ... 3
    1.3.4 Applicability ... 4
    1.3.5 Approved And Prohibited Applications ... 4
    1.3.6 Repositories ... 4
  1.4 CONTACT DETAILS ... 5
2. GENERAL PROVISIONS ... 6
  2.1 OBLIGATIONS ... 6
    2.1.1 CA Obligations ... 6
    2.1.2 RA Obligations ... 7
    2.1.3 Subscriber Obligations ... 8
    2.1.4 Relying Party Obligations ... 9
    2.1.5 Repository Obligations ... 9
  2.2 LIABILITY ... 9
  2.3 FINANCIAL RESPONSIBILITY ... 9
    2.3.1 Indemnification By Relying Parties ... 9
    2.3.2 Fiduciary Relationships ... 9
  2.4 INTERPRETATION & ENFORCEMENT ... 10
    2.4.1 Governing Law ... 10
    2.4.2 Severability, Survival, Merger, Notice ... 10
    2.4.3 Dispute Resolution Procedures ... 10
  2.5 FEES ... 10
  2.6 PUBLICATION & REPOSITORY ... 10
    2.6.1 Publication Of CA Information ... 10
    2.6.2 Frequency Of Publication ... 11
    2.6.3 Access Controls ... 11
    2.6.4 Repositories ... 11
  2.7 COMPLIANCE AUDIT ... 11
    2.7.1 Frequency Of Compliance Audit ... 11
    2.7.2 Identity/Qualifications Of CA Auditor ... 11
    2.7.3 Auditor’s Relationship To Audited CA ... 12
    2.7.4 Topics Covered By Audit ... 12
    2.7.5 Actions Taken As A Result Of Audit ... 12
    2.7.6 Communication Of Results ... 12
  2.8 CONFIDENTIALITY OF INFORMATION ... 13
    2.8.1 Types Of Information To Be Kept Confidential ... 13
    2.8.2 Types Of Information Not Considered Confidential ... 13
    2.8.3 Disclosure Of Certificate Revocation Information ... 14
    2.8.4 Information Release ... 14
    2.8.5 Release As Part Of Civil Discovery ... 14
    2.8.6 Other Information Release Circumstances ... 14
  2.9 INTELLECTUAL PROPERTY RIGHTS ... 14
3. IDENTIFICATION & AUTHENTICATION ... 15

NASA X.509 Certificate Policy: v1.3.1.2: 12/17/04  Page i

  3.1 INITIAL REGISTRATION ... 15
    3.1.1 Types Of Names ... 15
    3.1.2 Need For Names To Be Meaningful ... 15
    3.1.3 Rules For Interpreting Various Name Forms ... 15
    3.1.4 Uniqueness Of Names ... 15
    3.1.5 Name Claim Dispute Resolution Procedure ... 16
    3.1.6 Recognition, Authentication And Roles Of Trademarks ... 16
    3.1.7 Method To Prove Possession Of Private Key ... 16
    3.1.8 Authentication Of Organization Identity ... 16
    3.1.9 Authentication Of Individual Identity ... 17
    3.1.10 Authentication Of Devices Or Applications ... 18
  3.2 AUTHENTICATION FOR ROUTINE REKEY ... 18
  3.3 AUTHENTICATION FOR REKEY AFTER REVOCATION ... 19
  3.4 AUTHENTICATION OF REVOCATION REQUEST ... 19
4. OPERATIONAL REQUIREMENTS ... 20
  4.1 APPLICATION FOR A CERTIFICATE ... 20
  4.2 CERTIFICATE ISSUANCE ... 20
  4.3 CERTIFICATE ACCEPTANCE ... 20
  4.4 CERTIFICATE SUSPENSION & REVOCATION ... 21
    4.4.1 Circumstances For Revocation ... 21
    4.4.2 Who Can Request Revocation ... 21
    4.4.3 Procedure For Revocation Request ... 21
    4.4.4 Revocation Request Grace Period ... 22
    4.4.5 Circumstances For Suspension ... 22
    4.4.6 Who Can Request Suspension ... 22
    4.4.7 Procedure For Suspension Request ... 22
    4.4.8 Limits On Suspension Period ... 23
    4.4.9 CRL Issuance Frequency ... 23
    4.4.10 CRL Checking Requirements ... 23
    4.4.11 On-line Revocation/Status Checking Availability ... 23
    4.4.12 On-line Revocation Checking Requirements ... 23
    4.4.13 Other Forms Of Revocation Advertisements Available ... 23
    4.4.14 Checking Requirements For Other Forms Of Revocation Advertisements ... 23
    4.4.15 Special Requirements Related To Key Compromise ... 23
  4.5 SYSTEM SECURITY AUDIT PROCEDURES ... 24
    4.5.1 Types Of Events Recorded ... 24
    4.5.2 Frequency Of Audit Log Processing ... 25
    4.5.3 Retention Period For Audit Log ... 25
    4.5.4 Protection Of Audit Log ... 26
    4.5.5 Audit Log Backup Procedures ... 26
    4.5.6 Audit Collection System ... 26
    4.5.7 Notification To Event Causing Subject ... 26
    4.5.8 Vulnerability Assessments ... 26
  4.6 RECORDS RETENTION ... 26
    4.6.1 Types Of Data Retained ... 26
    4.6.2 Period For Record Retention ... 27
    4.6.3 Protection Of Record Retention ... 27
    4.6.4 Records Retention Backup Procedures ... 27
    4.6.5 Requirements For Time-Stamping Of Records ... 27
    4.6.6 Records Retention Collection System ... 27
    4.6.7 Procedures To Obtain And Verify Retained Information ... 27
  4.7 KEY CHANGEOVER ... 27
  4.8 COMPROMISE AND DISASTER RECOVERY ... 28
    4.8.1 Computing Resources, Software, And/Or Data Are Corrupted ... 28
    4.8.2 Entity Key Recovery ... 28
    4.8.3 Entity Key Compromise ... 28
    4.8.4 Disaster Recovery ... 28
  4.9 CA TERMINATION ... 29
5. PHYSICAL, PROCEDURAL & PERSONNEL SECURITY ... 30
  5.1 PHYSICAL CONTROLS ... 30
    5.1.1 Site Location And Construction ... 30
    5.1.2 Physical Access ... 30
    5.1.3 Power And Air Conditioning ... 30
    5.1.4 Water Exposures ... 30
    5.1.5 Fire Prevention And Protection ... 31
    5.1.6 Media Storage ... 31
    5.1.7 Waste Disposal ... 31
    5.1.8 Off-site Backup ... 31
  5.2 PROCEDURAL CONTROLS ... 31
    5.2.1 Trusted Roles ... 31
    5.2.2 Number Of Persons Required Per Task ... 32
    5.2.3 Identification & Authentication For Each Role ... 33
  5.3 PERSONNEL SECURITY CONTROLS ... 33
    5.3.1 Background, Qualifications, Experience, And Clearance Requirements ... 33
    5.3.2 Background Check Procedures ... 33
    5.3.3 Training Requirements ... 33
    5.3.4 Retraining Frequency And Requirements ... 34
    5.3.5 Job Rotation ... 34
    5.3.6 Sanctions For Unauthorized Actions ... 34
    5.3.7 Contracting Personnel ... 34
    5.3.8 Documentation Supplied To Personnel ... 34
6. TECHNICAL SECURITY CONTROLS ... 35
  6.1 KEY PAIR GENERATION AND INSTALLATION ... 35
    6.1.1 Key Pair Generation ... 35
    6.1.2 Private Key Delivery To Entity ... 35
    6.1.3 Public Key Delivery To Certificate Issuer ... 35
    6.1.4 CA Public Key Delivery To Users ... 35
    6.1.5 Asymmetric Key Sizes ... 35
    6.1.6 Public Key Parameters Generation ... 36
    6.1.7 Parameter Quality Checking ... 36
    6.1.8 Hardware/software Key Generation ... 36
    6.1.9 Key Usage Purposes (as per X.509v3 field) ... 36
  6.2 PRIVATE KEY PROTECTION ... 36
    6.2.1 Standards For Cryptographic Module ... 36
    6.2.2 Private Key Multi-person Control ... 37
    6.2.3 Private Key Escrow ... 37
    6.2.4 Private Key Backup ... 37
    6.2.5 Private Key Retention ... 37
    6.2.6 Private Key Entry Into Cryptographic Module ... 37
    6.2.7 Method Of Activating Private Key ... 38
    6.2.8 Method Of Deactivating Private Key ... 38
    6.2.9 Method Of Destroying Private Key ... 38
  6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT ... 38
    6.3.1 Public Key Retention ... 38
    6.3.2 Usage Periods For The Public And Private Keys ... 39
  6.4 ACTIVATION DATA ... 39
    6.4.1 Activation Data Generation And Installation ... 39
    6.4.2 Activation Data Protection ... 39
    6.4.3 Other Aspects Of Activation Data ... 39
  6.5 COMPUTER SECURITY CONTROLS ... 40
    6.5.1 Specific Computer Security Technical Requirements ... 40
    6.5.2 Computer Security Rating ... 40
  6.6 LIFE CYCLE TECHNICAL CONTROLS ... 40
    6.6.1 System Development Controls ... 40
    6.6.2 Security Management Controls ... 40
  6.7 NETWORK SECURITY CONTROLS ... 41
  6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ... 41
7. CERTIFICATE & CRL PROFILES ... 42
  7.1 CERTIFICATE PROFILE ... 42
    7.1.1 Version Number ... 42
    7.1.2 Certificate Extensions ... 42
    7.1.3 Algorithm Object IDs ... 42
    7.1.4 Name Forms ... 42
    7.1.5 Name Constraints ... 42
    7.1.6 Certificate Policy Object Identifier ... 42
    7.1.7 Usage Of Policy Constraints Extension ... 43
    7.1.8 Policy Qualifiers Syntax And Semantics ... 43
    7.1.9 Processing Semantics For The Critical Certificate Policy ... 43
  7.2 CRL PROFILE ... 43
    7.2.1 Version Number ... 43
    7.2.2 CRL And CRL Entry Extensions ... 43
8. SPECIFICATION ADMINISTRATION ... 44
  8.1 SPECIFICATION CHANGE PROCEDURES ... 44
    8.1.1 Items That Can Change Without Notification ... 44
    8.1.2 Changes With Notification ... 44
  8.2 PUBLICATION & NOTIFICATION PROCEDURES ... 45
  8.3 CPS APPROVAL PROCEDURES ... 45
APPENDIX A: ACRONYMS ... 46
APPENDIX B: DEFINITIONS ... 47
REFERENCES ... 52

1. Introduction

The National Aeronautics and Space Administration (NASA) operates a Public Key Infrastructure (PKI) to provide security for its electronic information. Programs that carry out or support NASA’s missions may require the type of security services provided by a PKI. A PKI is a complex system that provides secure electronic data storage and exchange. Security is achieved by using public key cryptography. The types of security services provided by a PKI are:

- Confidentiality: The transformation of data into a form unreadable by anyone without the proper key
- Data Integrity: A service that addresses the unauthorized alteration of data by either confirming its integrity or warning about changes
- Authentication: The process whereby users or information sources prove that they are who they claim to be
- Non-repudiation: A service that limits denial of previous commitments or actions

These services are provided through public key cryptography’s use of certificates and the public and private cryptographic keys associated with the certificates.

The primary function of a PKI is to manage these certificates and keys. A PKI manages the certificates through the following components:

- Certification Authority (CA): A trusted party that creates, renews, and revokes certificates.
- Registration Authority (RA): A trusted agent of the CA that verifies user identity.
- Certificate Repository: The public area in which users’ public keys are stored. This is usually a directory such as X.500.
- Policy: The set of rules that guide the operation of the PKI.

The NASA PKI consists of a central NASA CA, RAs at each of the eleven NASA centers, and an X.500 directory for each NASA center. This document defines the Certificate Policy (CP) for the administration and operation of the NASA PKI.
This document includes:

- Subscriber identification and authorization verification
- Control of PKI computer and cryptographic systems
- Operation of PKI computer and cryptographic systems, facilities and personnel
- Usage of keys and public-key certificates by Subscribers and Relying Parties
- Definition of rules to limit liability and to provide a high degree of certainty that the stipulations of this policy are being met

This CP will be used by Certification Authorities (CAs) within the NASA PKI and by CAs outside the NASA PKI who wish to inter-operate with CAs within the NASA PKI. Please note that definitions of terms used in this CP are provided in Appendix B. Terms defined in Appendix B are underlined the first time they appear in the CP.

Users of this document are to consult the Certification Practice Statement (CPS) of the Issuing NASA CA to obtain further details of the Issuing NASA CA’s implementation of this CP.

1.1 Overview

This CP follows and complies with the Internet Engineering Task Force (IETF) Request for Comment (RFC) 2527, X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.

This CP defines the primary obligations and operational responsibilities of all NASA PKI program participants, and defines the creation, management and use of Version 3 X.509 public key certificates. Public key certificates are appropriate for use in applications requiring communication between networked computer-based systems and applications requiring electronic information integrity and confidentiality. Such applications include, but are not limited to, electronic mail, transmission of unclassified but sensitive information, digital signing of electronic forms, contract submission digital signatures, and authentication of infrastructure components such as web servers. Please note that the term “X.509 certificates”, as used in this CP, implies X.509 Version 3 certificates. While this CP does not require the use of public key certificates in any particular NASA application or program, if public key certificates are used they must be used in accordance with this CP.

This CP supports medium level assurance, unless specified otherwise. As NASA adds other assurance levels, this CP will be modified to describe the policies for these levels. Please note that the term “assurance” refers to the level of trust associated with a certificate. The term “assurance” is not intended to convey any representation or warranty as to 100% availability of a NASA CA’s services offered under this CP.
Such availability may be affected by system maintenance, system repair, or factors outside the control of a NASA CA.

Issuance of a public key certificate under any part of this CP does not imply that the Subscribe

is not to be used for protection of classified information
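What "used in accordance with this CP" means for a relying party can be shown in code: a certificate is bound to a CP through its certificatePolicies extension, so the check below accepts a certificate only if it chains to the trusted CA, is X.509 Version 3, and asserts the CP's object identifier. This is an added example in Go, not NASA policy text or NASA software; the CA and subscriber certificates are constructed in memory, and NASACPOID is a placeholder because the page does not give the NASA CP's real OID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Placeholder: the page does not give the NASA CP's OID, so a constructed one stands in for it.
var NASACPOID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 99, 1}

// Issue stands in for the central NASA CA: a self-signed CA signs a subscriber certificate whose
// certificatePolicies extension (2.5.29.32, hand-encoded, no qualifiers) asserts policy; nil asserts none.
func Issue(policy asn1.ObjectIdentifier) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed NASA CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Subscriber"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if policy != nil {
		val, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}) // SEQUENCE OF PolicyInformation
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // fixture errors ignored;
	ca, _ = x509.ParseCertificate(caDER)                                          // the real checks are below
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// AcceptUnderCP is the relying-party check: the certificate must chain to the trusted CA, be
// X.509 v3, and assert the CP's OID. A nil error means it may be relied on under this CP.
func AcceptUnderCP(trusted, leaf *x509.Certificate, cp asn1.ObjectIdentifier) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain does not validate: %w", err)
	}
	if leaf.Version != 3 || !slices.ContainsFunc(leaf.PolicyIdentifiers, cp.Equal) {
		return fmt.Errorf("not an X.509 v3 certificate asserting policy %v (v%d, policies %v)", cp, leaf.Version, leaf.PolicyIdentifiers)
	}
	return nil
}
```

A certificate issued by an untrusted CA, or one that carries no policy or a different policy OID, is rejected even though it is otherwise well-formed.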
