Transcription
Certificate Policyfor theUnited States Patent and Trademark OfficeApril 28, 2021Version 4.0Prepared by:United States Patent and Trademark OfficePublic Key Infrastructure Policy AuthorityApproved:Users, Holcombe,HenryDigitally signed by Users,Holcombe, HenryDate: 2021.05.12 07:55:26-04'00'Henry J. Holcombe Jr.Chief Information OfficerDate:
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.0This page is intentionally left blank.
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.0REVISION HISTORYVersion DateEditorChange Description1.1-1.38/20/04DarrylClemonsVersion 1.3 was the first signed version.1.412/8/04Amit JainModified sections 1.4.2, 2.7.1, 3.1.4, 3.2.1, 4.2.1,4.4.4, 4.5.1, 4.5.5, 4.6.5, 5.3.1, 6.1.5, and 6.4.1 toincorporate necessary modifications identified byFBCA/CPWG.1.412/14/04Greg McCainChanged column title from ‘Author’ to ‘Editor’ inthe Revision History table.1.503/27/07Greg McCainUpdated to reflect USPTO organizational changesrelated to management or operational responsibilitiesfor: Security PolicySecurity OperationsUser Account Creation and Maintenance2.008/06/07John MichieUpdated to reflect the new RFC 3647 format2.101/11/10Greg McCainand Amit JainUpdated following review and recommendationsfrom External Auditor.2.104/16/10Amit JainUpdated the contact information2.25/25/10Amit JainUpdates made based on agreements with CPWG tocross-certify at medium-hardware2.36/9/10Amit JainChanged CRL lifetime to 18 hours in section 4.9.72.47/9/12JermaineHarris andAmit JainChanges to implement FBCA CP change proposals:David Wu andAmit JainChanges related to requirements for FBCA CPMapping. Modified: 3.1.5, 3.2.3.1, 3.2.3.2, 3.4, 5.4.3,5.4.8, 5.5, 5.7.3, 6.1.1.1, 6.1.1.2, 6.2.3, 6.2.4.1, 6.2.6,6.2.9, 6.3.2, 6.4.2, 7.1.3. Added: 6.2.4.5. Removed:3.2.3.3. Updated outdated NIST security terms and2.511/26/132010-01, 2010-02, 2010-06, 2010-07, 2010-08,2011-01, 2011-02, 2011-06 and 2011-07.iCUI//Information Systems Vulnerability Information//Limited Dissemination Control
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.0Version DateEditorChange Descriptiondocumentation references in sections 10 and11.Updated outdated USPTO organization names andterms in sections 1.5.3, 6.1.3, 8.1, and 9.6.6.2.63/23/2016Amit Jain andZach IlerUpdated to bring document current and makechanges based on previous audit.2.710/31/2016 Ben Spainhour Updated to reflect new OIDs for Medium Device andMedium Device Hardware. Additions to reflectrecent FBCA CP changes.2.7.111/8/2016Ben Spainhour Minor wording changes related to requirements forFBCA CP Mapping.2.7.202/02/2017 RichardArnold,SamanFarazmandand Amit JainUpdated to reflect new OID for Basic Device.Modified: 1, 1.2, 1.4.1, 3.1.1, 4.5.1, 4.7, 4.9.12,5.4.2, 5.4.6, 5.5.2, 6.2.1,2.811/13/2017 RichardArnoldUpdated to bring document current and makechanges based on previous audit2.910/01/2018 RichardArnoldUpdated to bring document current and makechanges based on previous audit3.011/07/2019 RichardArnoldUpdated to bring document current and makechanges based on previous audit3.101-06-2021Scott CobbUpdated to align with the Bridge and Common CPs.4.004-28-2021Scott CobbUpdated to align with the v4.0 USPTO CPS document.iiCUI//Information Systems Vulnerability Information//Limited Dissemination Control
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.0TABLE OF CONTENTS1INTRODUCTION. 1-11.1 Overview . 1-11.1.1Certificate Policy (CP) . 1-11.1.2Relationship between the CP and the CPS . 1-21.1.3Relationship between the FBCA CP and the USPTO CP. 1-21.1.4Scope . 1-21.1.5Interaction with PKIs External to the Federal Government . 1-21.2 Document Name and Identification . 1-21.3 PKI ENTITIES . 1-41.3.1PKI Authorities . 1-41.3.2Registration Authority (RA) . 1-61.3.3Card Management System (CMS) . 1-61.3.4Subscribers . 1-61.3.5Affiliated Organizations. 1-71.3.6Relying Parties . 1-71.3.7Other Participants . 1-71.4 Certificate Usage . 1-71.4.1Appropriate Certificate Uses . 1-71.4.2Prohibited Certificate Uses . 1-91.5 Policy Administration . 1-91.5.1Specification Administration Organization . 1-91.5.2Contact Person . 1-91.5.3Person Determining CPS Suitability for the Policy . 1-91.5.4CPS Approval Procedures. 1-101.6 Definitions and Acronyms . 1-102PUBLICATION AND REPOSITORY RESPONSIBILITIES . 2-12.1 Repositories . 2-12.1.1USPTO Repository Obligations . 2-12.2 Publication of Certification Information . 2-12.2.1Publication of Certificates and Certificate Status . 2-12.2.2Publication of CA Information . 2-12.2.3Interoperability . 2-12.3 Frequency of Publication . 2-22.4 Access Controls on Repositories. 2-23IDENTIFICATION AND AUTHENTICATION . 3-13.1 Naming . 3-13.1.1Types of Names . 3-13.1.2Need for Names to be Meaningful . 3-23.1.3Anonymity or Pseudonymity of Subscribers . 3-2iiiCUI//Information Systems Vulnerability Information//Limited Dissemination Control
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.03.1.4Rules for Interpreting Various Name Forms . 3-23.1.5Uniqueness of Names . 3-23.1.6Recognition, Authentication, and Role of Trademarks . 3-33.2 Initial Identity Validation . 3-33.2.1Method to Prove Possession of Private Key . 3-33.2.2Authentication of Organization Identity . 3-33.2.3Authentication of Individual Identity . 3-33.2.4Non-verified Subscriber Information . 3-83.2.5Validation of Authority. 3-83.2.6Criteria for Interoperation. 3-83.3 Identification and Authentication for Re-key Requests . 3-83.3.1Identification and Authentication for Routine Re-key . 3-83.3.2Identification and Authentication for Re-key after Revocation . 3-93.4 Identification and Authentication for Revocation Request . 3-94CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS. 4-14.1 Certificate Application . 4-14.1.1Who Can Submit a Certificate Application . 4-14.1.2Enrollment Process and Responsibilities. 4-14.2 Certificate Application Processing . 4-24.2.1Performing Identification and Authentication Functions . 4-24.2.2Approval or Rejection of Certificate Applications . 4-24.2.3Time to Process Certificate Applications . 4-24.3 Certificate Issuance . 4-24.3.1CA Actions during Certificate Issuance . 4-24.3.2Notification to Subscriber by the CA of Issuance of Certificate . 4-34.4 Certificate Acceptance . 4-34.4.1Conduct Constituting Certificate Acceptance . 4-34.4.2Publication of the Certificate by the CA . 4-34.4.3Notification of Certificate Issuance by the CA to Other Entities . 4-34.5 Key Pair and Certificate Usage . 4-34.5.1Subscriber Private Key and Certificate Usage . 4-44.5.2Relying Party Public Key and Certificate Usage . 4-44.6 Certificate Renewal . 4-44.6.1Circumstance for Certificate Renewal . 4-44.6.2Who May Request Renewal . 4-44.6.3Processing Certificate Renewal Requests. 4-44.6.4Notification of New Certificate Issuance to Subscriber . 4-44.6.5Conduct Constituting Acceptance of a Renewal Certificate. 4-54.6.6Publication of the Renewal Certificate by the CA . 4-54.6.7Notification of Certificate Issuance by the CA to Other Entities . 4-54.7 Certificate Re-key . 4-54.7.1Circumstance for Certificate Re-key . 4-5ivCUI//Information Systems Vulnerability Information//Limited Dissemination Control
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.04.7.2Who May Request Certification of a New Public Key . 4-54.7.3Processing Certificate Re-keying Requests . 4-54.7.4Notification of New Certificate Issuance to Subscriber . 4-64.7.5Conduct Constituting Acceptance of a Re-keyed Certificate . 4-64.7.6Publication of the Re-keyed Certificate by the CA . 4-64.7.7Notification of Certificate Issuance by the CA to Other Entities . 4-64.8 Certificate Modification . 4-64.8.1Circumstance for Certificate Modification . 4-64.8.2Who May Request Certificate Modification . 4-64.8.3Processing Certificate Modification Requests . 4-64.8.4Notification of New Certificate Issuance to Subscriber . 4-74.8.5Conduct Constituting Acceptance of Modified Certificate . 4-74.8.6Publication of the Modified Certificate by the CA . 4-74.8.7Notification of Certificate Issuance by the CA to Other Entities . 4-74.9 Certificate Revocation and Suspension . 4-74.9.1Circumstances for Revocation . 4-74.9.2Who can Request a Revocation . 4-84.9.3Procedure for Revocation Request . 4-84.9.4Revocation Grace Period . 4-94.9.5Time within which CA must Process the Revocation Request . 4-94.9.6Revocation Checking Requirements for Relying Parties . 4-94.9.7CRL/CARL Issuance Frequency . 4-94.9.8Maximum Latency for CRLs . 4-94.9.9Online Revocation / Status Checking Availability . 4-104.9.10 Online Revocation Checking Requirements . 4-104.9.11 Other Forms of Revocation Advertisements Available . 4-104.9.12 Special Requirements Related to Key Compromise . 4-104.9.13 Circumstances for Suspension . 4-114.9.14 Who Can Request Suspension . 4-114.9.15 Procedure for Suspension Request . 4-114.9.16 Limits on Suspension Period . 4-114.10 Certificate Status Services . 4-114.10.1 Operational Characteristics . 4-114.10.2 Service Availability . 4-114.10.3 Optional Features . 4-114.11 End of Subscription . 4-114.12 Key Escrow and Recovery . 4-114.12.1 Key Escrow and Recovery Policy and Practices . 4-114.12.2 Session Key Encapsulation and Recovery Policy and Practices . 4-125PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS . 5-15.1 Physical Controls. 5-15.1.1Site Location and Construction . 5-1vCUI//Information Systems Vulnerability Information//Limited Dissemination Control
United States Patent and Trademark OfficePublic Key Infrastructure Certificate PolicyVersion 4.05.1.2Physical Access . 5-15.1.3Power and Air Conditioning . 5-35.1.4Water Exposures . 5-35.1.5Fire Prevention and Protection . 5-35.1.6Media Storage . 5-35.1.7Waste Disposal . 5-35.1.8Off-site Backup . 5-35.2 Procedural Controls. 5-35.2.1Trusted Roles . 5-45.2.2Number of Persons Required per Task . 5-45.2.3Identification and Authentication for Each Role . 5-45.2.4Separation of Roles . 5-45.3 Personnel Controls . 5-55.3.1Qualifications, Experience, and Clearance Requirements. 5-55.3.2Background Check Procedures . 5-55.3.3Training Requirements . 5-65.3.4Retraining Frequency and Requirements . 5-65.3.5Job Rotation Frequency and Sequence . 5-65.3.6Sanctions for Unauthorized Actions . 5-65.3.7Contracting Personnel Requirements . 5-75.3.8Documentation Supplied to Personnel . 5-75.4 Audit Logging Procedures . 5-75.4.1Types of Events Recorded . 5-75.4.2Frequency of Processing Data . 5-115.4.3Retention Period for Security Audit Data . 5-125.4.4Protection of Security Audit Data . 5-125.4.5Security Audit Data Backup Procedures. 5-125.4.6Security Audit Collection System (Internal vs. External) . 5-125.4.7Notification to Event-Causing Subject . 5-135.4.8Vulnerability Assessments. 5-135.5 Records Archival . 5-135.5.1Types of Events Archived . 5-135.5.2Retention Period for Archive . 5-
Public Key Infrastructure Certificate Policy Version 4.0 ii CUI//Information Systems Vulnerability Information//Limited Dissemination Control Version Date Editor Change Description documentation references in sections 10 and11. Updated outdated USPTO organization
