GTS ROOT CA CERTIFICATION PRACTICE STATEMENT - Global Trusted Sign
1y ago
21 Views
1 Downloads
851.30 KB
79 Pages
Report/dmca
Download PDF

Transcription

GTS ROOT CA Certification Practice StatementGTS ROOT CACERTIFICATION PRACTICE STATEMENTGlobal Trusted SignDocument Reference DP01 GTS V12Document Classification: PublicDate: July 22nd, 2022D Público1 DP01 GTS V12

GTS ROOT CA Certification Practice StatementTABLE OF CONTENTS1.Introduction . 10a)Scope . 10b)Target Audience. 10c)Document Structure . 101.1.Overview . 101.2.Document Name and Identification . 111.2.1.Revision Record . 111.2.2.Relevant Dates . 111.3.PKI Participants . 121.3.1.Certification Authorities . 121.3.2.Registration Authority. 161.3.3.Subscribers . 161.3.4.Relying Parties . 171.3.5.Other Participants . 171.4.Certificate Usage . 181.4.1.Appropriate Certificate Uses. 181.4.2.Prohibited Certificate Uses . 181.5.Policy Administration . 181.5.1.Organization Administering the Document . 181.5.2.Contact Entity . 191.5.3.Entity Determining CPS suitability for the policy . 191.5.4.CPS Approval Procedures . 191.6.Definitions and Acronyms . 201.6.1.Definitions . 201.6.2.Acronyms . 251.6.3.References . 251.6.4.Conventions . 262.Publication and Repository Responsibilities . 262.1.Repositories . 262.2Publication of Information . 272.3Time or Frequency of Publication . 272.4Access Controls on Repositories . 283.Identification and Authentication . 283.1.Naming . 283.1.1.Types of Names. 29D Público2 DP01 GTS V12

GTS ROOT CA Certification Practice Statement3.1.2.Need for Names to be Meaningful . 293.1.3.Anonymity or Pseudonymity of Subscribers . 303.1.4.Rules for Interpreting Various Names Forms . 303.1.5.Uniqueness of Names . 303.1.6.Recognition, Authentication and Role of Trademarks. 303.2.3.2.1.Method to Prove Possession of Private Key . 303.2.2.Authentication of Organization and Domain Identity . 313.2.2.1.Identity . 323.2.2.2.DBA/Tradename . 323.2.2.3.Verification Country . 333.2.2.4.Validation of Domain Authorization or Control . 333.2.2.5.Authentication for an IP address . 333.2.2.6.Wildcard Domain . 333.2.2.7.Data Source Accuracy . 333.2.2.8.CAA Records . 333.2.3.Authentication of Individual Identity . 333.2.4.Non-Verified Subscriber Information . 363.2.5.Validation of Authority. 363.2.6.Criteria for Interoperation or Certification . 363.3.Identification and Authentication for Re-Key Requests . 373.3.1.Identification and Authentication for Routine Re-Key . 373.3.2.Identification and Authentication for Re-Key after Revocation . 373.4.4.Initial Identity Validation . 30Identification and Authentication for Revocation Request . 37Certificate Life Cycle Operational Requirements . 374.1.Certificate Application . 374.1.1.Who Can Submit a Certificate Application . 374.1.2.Enrolment Process and Responsibilities . 384.2.Certificate Application Processing . 384.2.1.Performing Identification and Authentication Functions . 384.2.2.Approval or Rejection of Certificate Applications . 384.2.3.Time to Process Certificate Applications . 384.3.Certificate Issuance . 394.3.1.CA Actions during Certificate Issuance . 394.3.2.Notification to Subscriber by the CA of Issuance of Certificate . 394.4.Certificate Acceptance . 394.4.1.Conduct Constituting Certificate Acceptance . 39D Público3 DP01 GTS V12

GTS ROOT CA Certification Practice Statement4.4.2.Publication of the Certificate by the CA . 394.4.3.Notification of Certificate Issuance by the CA to other Entities . 394.5.Key Pair and Certificate Usage . 404.5.1.Subscriber Private Key and Certificate Usage . 404.5.2.Relying Party Public Key and Certificate Usage . 404.6.Certificate Renewal . 404.6.1.Circumstance for Certificate Renewal . 404.6.2.Who may Request Renewal . 404.6.3.Processing Certificate Renewal Request . 404.6.4.Notification of New Certificate Issuance to Subscriber . 404.6.5.Conduct Constituting Acceptance of a Renewal Certificate. 414.6.6.Publication of the Renewal Certificate by the CA . 414.6.7.Notification of Certificate Issuance by the CA to Other Entities . 414.7.Certificate Re-Key . 414.7.1.Circumstance for Certificate Re-Key . 414.7.2.Who may Request Certification of a New Public Key . 414.7.3.Processing Certificate Re-Key Requests . 414.7.4.Notification of New Certificate Issuance to Subscriber . 414.7.5.Conduct Constituting Acceptance of a Re-Keyed Certificate . 414.7.6.Publication of the Re-Keyed Certificate by the CA . 414.7.7.Notification of Certificate Issuance by the CA to Other Entities . 424.8.Certificate Modification . 424.8.1.Circumstances for Certificate Modification . 424.8.2.Who May Request a Certificate Modification . 424.8.3.Processing Certificate Modification Requests . 424.8.4.Notification of New Certificate Issuance to Subscriber . 424.8.5.Conduct Constituting Acceptance of Modified Certificate . 424.8.6.Publication of the Modified Certificate by the CA . 424.8.7.Notification of Certificate Issuance by the CA to Other Entities . 424.9.Certificate Revocation and Suspension . 434.9.1.Circumstances for Revocation . 434.9.2.Who can Request Revocation . 434.9.3.Procedure for Revocation Request . 444.9.4.Revocation Request Grace Period . 444.9.5.Time within which CA must Process the Revocation Request . 444.9.6.Revocation Checking Requirement for Relying Parties . 444.9.7.CRL Issuance Frequency . 444.9.8.Maximum Latency for CRLs . 44D Público4 DP01 GTS V12

GTS ROOT CA Certification Practice Statement4.9.9.Online Revocation/Status Checking Availability . 454.9.10. Online Revocation Checking Requirements . 454.9.11. Other Forms of Revocation Advertisements Available . 454.9.12. Special Requirements Re-Key Compromise . 454.9.13. Circumstances for Suspension . 454.9.14. Who can Request Suspension . 454.9.15. Suspension Request Procedure . 454.9.16. Limits on Suspension Period . 464.10. Certificate Status Services . 464.10.1. Operational Characteristics . 464.10.2. Service Availability . 464.10.3. Optional Features . 464.11. End of Subscription . 464.12. Key Escrow and Recovery . 464.12.1. Key Escrow and Recovery Policy and Practices . 464.12.2. Session Key Encapsulation and Recovery Policy and Practices . 465.Management, Operational and Physical Controls . 475.1.Physical Security Controls . 475.1.1.Site Location and Construction . 475.1.2.Physical Access . 475.1.3.Power and Air Conditioning . 485.1.4.Water Exposures . 495.1.5.Fire Prevention and Protection . 495.1.6.Media Storage . 495.1.7.Waste Disposal . 495.1.8.Off-Site Backup . 495.2.Procedural Controls . 505.2.1.Trusted Roles . 505.2.2.Number of Individuals Required per Task . 525.2.3.Identification and Authentication for each Role . 525.2.4.Roles Requiring Separation of Duties . 535.3.Personnel Controls . 535.3.1.Qualifications, Experience and Clearance Requirements . 535.3.2.Background Check Procedures . 535.3.3.Training Requirements and Procedures . 535.3.4.Retraining Frequency and Requirements . 545.3.5.Job Rotation Frequency and Sequence . 54D Público5 DP01 GTS V12

GTS ROOT CA Certification Practice Statement5.3.6.Sanctions for Unauthorized Actions . 545.3.7.Independent Contractor Controls . 545.3.8.Documentation Supplied to Personnel . 555.4.Audit Logging Procedures. 555.4.1.Types of Events Recorded . 555.4.2.Frequency for Processing and Archiving Audit Logs . 555.4.3.Retention Period for Audit Logs . 565.4.4.Protection of Audit Logs . 565.4.5.Audit Log Backup Procedures . 565.4.6.Audit Log Accumulation System (Internal vs. External) . 565.4.7.Notification to Event-Causing Subject . 565.4.8.Vulnerability Assessment . 565.5.Records Archival . 575.5.1.Types of Records Archived . 575.5.2.Retention Period for Archive . 575.5.3.Protection of Archive . 575.5.4.Archive Backup Procedures . 575.5.5.Requirements for Time-Stamping of Records . 575.5.6.Archive Collection System (Interna or External) . 575.5.7.Procedures to Obtain and Verify Archive Information . 575.6.Key Changeover . 585.7.Compromise or Disaster Recovery . 585.7.1.Incident and Compromise Handling Procedures . 585.7.2.Recovery Procedures if Computing Resources, Software and/or Data are Corrupted585.7.3.Recovery Procedures after Key Compromise . 595.7.4.Business Continuity Capabilities after a Disaster . 595.8.6.CA or RA Termination . 59Technical Security Controls . 606.1.Key Pair Generation and Installation . 606.1.1.Key Pair Generation . 606.1.2.Private Key Delivery to Subscriber . 606.1.3.Public Key Delivery to Certificate Issuer . 606.1.4.CA Public Key Delivery to Relying Parties . 606.1.5.Key Sizes . 606.1.6.Public Key Parameters Generation and Quality Checking . 616.1.7.Key Usage Purposes (as per X.509 v3 Key Usage Field) . 61D Público6 DP01 GTS V12

GTS ROOT CA Certification Practice Statement6.2.Private Key Protection and Cryptographic Module Engineering Controls . 616.2.1.Cryptographic Module Standards and Controls . 616.2.2.Private Key (n out of m) Multi Person Control . 626.2.3.Private Key Escrow . 626.2.4.Private Key Backup . 626.2.5.Private Key Archival . 626.2.6.Private Key Transfer into or from a Cryptographic Module . 626.2.7.Private Key Storage on Cryptographic Module . 626.2.8.Activating Private Keys . 636.2.9.Deactivating Private Keys . 636.2.10. Destroying Private Keys . 636.2.11. Cryptographic Module Capabilities . 636.3.Other Aspects of Key Pair Management . 636.3.1.Public Key Archival . 636.3.2.Certificate Operational Periods and Key Pair Usage Periods . 646.4.Activation Data . 646.4.1.Activation Data Generation and Installation . 646.4.2.Activation Data Protection . 646.4.3.Other Aspects of Activation Data . 646.5.Computer Security Controls . 646.5.1.Specific Computer Security Technical Requirements . 646.5.2.Computer Security Rating . 646.6.Life Cycle Technical Controls . 656.6.1.System Development Controls . 656.6.2.Security Management Controls . 656.6.3.Life Cycle Security Controls . 656.7.Network Security Controls . 656.8.Time-Stamping . 657.Certificate, CRL and OCSP Profiles . 667.1.Certificate Profile . 667.1.1.Version Number(s) . 667.1.2.Certificate Content and Extensions; Application of RFC 5280 . 667.1.3.Algorithm Object Identifiers . 667.1.4.Name Forms . 667.1.5.Name Constraints . 677.1.6.Certificate Policy Object Identifier . 677.1.7.Usage of Policy Constraints Extensions . 67D Público7 DP01 GTS V12

GTS ROOT CA Certification Practice Statement7.1.8.Policy Qualifiers Syntax and Semantics . 677.1.9.Processing Semantics for the Critical Certificate Policies Extension . 677.2.7.2.1.Version Number(s) . 677.2.2.CRL and CRL Entry Extensions . 687.3.8.CRL Profile . 67OCSP Profile. 687.3.1.Version Number(s) . 687.3.2.OCSP Extensions . 68Compliance Audit and Other Assessments . 698.1.Frequency or Circumstances of Assessment . 698.2.Identity/Qualifications of Assessor . 698.3.Assessor s Relationship to Assessed Entity . 698.4.Topics Covered by Assessment . 698.5.Actions Taken as a Result of Deficiency . 708.6.Communication of Results . 708.7.Internal Audits . 709.Other Business and Legal Matters . 709.1.Fees . 719.1.1.Certificate Issuance or Renewal Fees . 719.1.2.Certificate Access Fees . 719.1.3.Revocation or Status Information Access

GTS ROOT CA Certification Practice Statement D Público 1 DP01_GTS_V12 GTS ROOT CA CERTIFICATION PRACTICE STATEMENT Global Trusted Sign

Related Books

Practical Guide to SAP GTS

Practical Guide to SAP GTS

Deloitte Global Trade Services Centre of Excellence

Deloitte Global Trade Services Centre of Excellence

ESA了解自定义CA列表证书过期警报

ESA了解自定义CA列表证书过期警报

Root Cause Analysis - ge

Root Cause Analysis - ge

Multi-process QEMU - Linux Foundation Events

Multi-process QEMU - Linux Foundation Events

Practical Guide to SAP GTS Part I

Practical Guide to SAP GTS Part I

White paper Introduction of SAP GTS – the Customs solution

White paper Introduction of SAP GTS – the Customs solution

GTS-600/GTS-600C series ELECTRONIC TOTAL STATION

GTS-600/GTS-600C series ELECTRONIC TOTAL STATION

Root Cause Analysis Methods - USALearning

Root Cause Analysis Methods - USALearning

ROOT CAUSE ANALYSIS - CCSD

ROOT CAUSE ANALYSIS - CCSD

THE GUIDE TO CAPA & ROOT CAUSE ANALYSIS IN FDA

THE GUIDE TO CAPA & ROOT CAUSE ANALYSIS IN FDA

PopularTags

Recent Views