Symantec External Certificate Authority Key Recovery Practice Statement


Symantec External Certificate Authority Key Recovery Practice Statement (KRPS)
Version 2
24 April 2013
(Portions of this document have been redacted.)

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043 USA
1 650.527.8000
www.symantec.com

COPYRIGHT 2013 Symantec Corporation, ALL RIGHTS RESERVED

Symantec External Certificate Authority Key Recovery Practice Statement
2013 Symantec Corporation. All rights reserved.
Printed in the United States of America.
Revision date: April 2013

Important – Acquisition Notice
On August 9, 2010, Symantec Corporation completed the acquisition of VeriSign Inc’s Authentication division. As a result Symantec is now the registered owner of this Certificate Practices Statement document and the PKI Services described within this document. However a hybrid of references to both “VeriSign” and “Symantec” shall be evident within this document for a period of time until it is operationally practical to complete the re-branding of the Certification Authorities and services. Any references to VeriSign as a corporate entity should be strictly considered to be legacy language that solely reflects the history of ownership.

Trademark Notices
Symantec, the Symantec logo, and the Checkmark Logo are the registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. The VeriSign logo, VeriSign Trust and other related marks are the trademarks or registered marks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed by Symantec Corporation. Other names may be trademarks of their respective owners.

Without limiting the rights reserved above, and except as licensed below, no part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without prior written permission of Symantec Corporation. Notwithstanding the above, permission is granted to reproduce and distribute this Symantec KRPS on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete with attribution of the document to Symantec Corporation.

Requests for any other permission to reproduce this KRPS (as well as requests for copies from Symantec) must be addressed to: Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043 USA, Attn: Practices Development. Tel: 1 650.527.8000 Fax: 1 650.527.8050. Net: practices@symantec.com.

Table of Contents

1. INTRODUCTION .......... 1
1.1 OVERVIEW .......... 1
1.2 IDENTIFICATION .......... 1
1.3 COMMUNITY AND APPLICABILITY .......... 1
1.3.1 Key Recovery System Roles .......... 1
1.3.2 Key Recovery System (KRS) .......... 2
1.3.3 Applicability .......... 2
1.4 CONTACT DETAILS .......... 3
1.4.1 Key Recovery Policy Administration Organization .......... 3
1.4.2 Contact Office .......... 3
1.4.3 Person Performing Policy / Practice Compatibility Analysis .......... 3
2. GENERAL PROVISIONS .......... 4
2.1 OBLIGATIONS .......... 4
2.1.1 Symantec Obligations .......... 4
2.1.2 KRA Obligations .......... 4
2.1.3 TA Obligations .......... 4
2.1.4 Requestor Obligations .......... 5
2.1.5 Subscriber Obligations .......... 5
2.2 LIABILITY .......... 6
2.2.1 Warranties and Limitations on Warranties .......... 6
2.2.2 Damages Covered and Disclaimers .......... 6
2.2.3 Loss Limitations .......... 6
2.2.4 Other Exclusions .......... 6
2.2.5 US Federal Government Liability .......... 6
2.3 FINANCIAL RESPONSIBILITY .......... 6
2.3.1 Indemnification by Relying Parties and Subscribers .......... 6
2.3.2 Fiduciary Relationships .......... 6
2.4 INTERPRETATION AND ENFORCEMENT .......... 7
2.4.1 Governing Law .......... 7
2.4.2 Severability of Provisions, Survival, Merger, and Notice .......... 7
2.4.3 Conflict Provision .......... 7
2.4.4 Dispute Resolution Procedures .......... 7
2.5 FEES .......... 7
2.6 PUBLICATION AND REPOSITORY .......... 7
2.7 COMPLIANCE AUDIT .......... 7
2.7.1 Frequency of Entity Compliance Audit .......... 7
2.7.2 Identity/Qualifications of Compliance Auditor .......... 8
2.7.3 Compliance Auditor’s Relationship to Audited Party .......... 8
2.7.4 Topics Covered by Compliance Audit .......... 8
2.7.5 Actions Taken as a Result of Deficiency .......... 8
2.7.6 Communication of Results .......... 8
2.8 CONFIDENTIALITY .......... 8
2.8.1 Type of Information to be Protected .......... 8
2.8.2 Information Release Circumstances .......... 8
3. IDENTIFICATION AND AUTHENTICATION .......... 9
3.1 IDENTITY AUTHENTICATION .......... 9
3.2 THIRD PARTY REQUESTOR .......... 9
3.2.1 Requestor Authentication .......... 9
3.2.2 Requestor Authorization Verification .......... 10
3.3 SUBSCRIBER .......... 10
3.3.1 Subscriber Authentication .......... 10
3.3.2 Subscriber Authorization Verification .......... 11
3.4 KRA AND KRO AUTHENTICATION .......... 11
3.4.1 KRA Authentication .......... 11
3.4.2 TA Authentication .......... 12
4. OPERATIONAL REQUIREMENTS .......... 13
4.1 ESCROWED KEY RECOVERY REQUESTS .......... 13
4.1.1 Who Can Request Recovery of Escrowed Keys .......... 13
4.1.2 Requirements for Requesting Escrowed Key Recovery .......... 13
4.2 PROTECTION OF ESCROWED KEYS .......... 13
4.2.1 Key Escrow and Recovery through Symantec .......... 13
4.2.2 Automated Self-Recovery .......... 14
4.3 CERTIFICATE ISSUANCE .......... 15
4.4 CERTIFICATE ACCEPTANCE .......... 15
4.5 SECURITY AUDIT PROCEDURES .......... 15
4.5.1 Vulnerability Assessments .......... 15
4.6 RECORDS ARCHIVAL .......... 15
4.7 KRS KEY CHANGEOVER .......... 15
4.8 KRS COMPROMISE AND DISASTER RECOVERY .......... 15
4.8.1 KRS Compromise .......... 15
4.8.2 Disaster Recovery .......... 16
4.9 KRA TERMINATION .......... 16
5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS .......... 17
5.1 PHYSICAL CONTROLS .......... 17
5.2 PROCEDURAL CONTROLS .......... 17
5.2.1 Trusted Roles .......... 17
5.3 PERSONNEL CONTROLS .......... 17
5.3.1 Background, qualifications, experience, and clearance requirements .......... 17
5.3.2 Background check procedures .......... 17
5.3.3 Training requirements .......... 17
5.3.4 Retraining Frequency and Requirements .......... 17
5.3.5 Job Rotation Frequency and Sequence .......... 17
5.3.6 Sanctions for Unauthorized Actions .......... 17
5.3.7 Contracting Personnel Requirements .......... 18
5.3.8 Documentation Supplied to Personnel .......... 18
6. TECHNICAL SECURITY CONTROLS .......... 19
6.1 PROTOCOL SECURITY .......... 19
6.1.1 Escrowed Key Distribution Security .......... 19
6.2 KMS AND KRA PRIVATE KEY PROTECTION .......... 19
6.2.1 Standards for Cryptographic Modules .......... 19
6.2.2 Private Key Control .......... 19
6.2.3 KMS Key Backup .......... 19
6.2.4 Private Key Generation and Transport .......... 19
6.2.5 Method of Activating Private Key .......... 19
6.2.6 Method of Deactivating Private Key .......... 19
6.3 PRIVATE KEY ACTIVATION DATA .......... 20
6.4 COMPUTER SECURITY CONTROLS .......... 20
6.5 LIFE CYCLE TECHNICAL CONTROLS .......... 20
6.6 NETWORK SECURITY CONTROLS .......... 20
6.7 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS .......... 20
7. POLICY ADMINISTRATION .......... 21
7.1 POLICY CHANGE PROCEDURES .......... 21
7.2 PUBLICATION AND NOTIFICATION POLICIES .......... 21
7.3 POLICY APPROVAL PROCEDURES .......... 21
APPENDIX A: ACRONYMS AND ABBREVIATIONS .......... 22
APPENDIX B: GLOSSARY .......... 23
APPENDIX C: ECA Key Recovery Request Form .......... 24
APPENDIX D: ECA Key Recovery Acknowledgement Form .......... 26

1. INTRODUCTION

Symantec is an approved External Certification Authority (ECA) providing PKI services in support of the United States (US) Government ECA program. As part of its ECA services, Symantec provides escrow and recovery of private encryption keys for Symantec ECA Subscribers.

The Symantec Key Recovery System (KRS) provides the computer system hardware, software, personnel and procedures to store the private encryption keys securely and recover them, when appropriate. This Key Recovery Practices Statement (KRPS) document describes the procedural and technical security controls in place to ensure that the KRS operates securely.

1.1 OVERVIEW

Symantec’s policies and procedures for the issuance and management of ECA Subscriber certificates are defined in the Symantec ECA Certificate Practices Statement (CPS). Requirements for ECA key recovery services provided in support of ECA certificate services are defined in the Key Recovery Policy (KRP) for External Certification Authorities.

This Key Recovery Practice Statement (KRPS) describes the security and authentication controls for the Symantec KRS, and the procedures in place to ensure that encrypted data can be recovered expeditiously, when appropriate.

The Symantec KRS is based on the principle that all encryption activities using ECA certificates are performed on behalf of the person or the organization that authorized the issuance of encryption certificates. Therefore, the person or the organization has the right to identify the persons authorized to recover the private key needed to decrypt information. In addition, there may be need to access encrypted information for investigative and law enforcement purposes.

For the Symantec KRS implemented in support of the Symantec ECA service, Symantec will host and manage all of the components of the KRS. Only authorized Symantec employees and contractors shall perform the role of Key Recovery Agent.

1.2 IDENTIFICATION

No stipulation

1.3 COMMUNITY AND APPLICABILITY

This section describes some of the roles and systems involved in the key recovery process.

1.3.1 Key Recovery System Roles

1.3.1.1 Key Recovery Agent (KRA)

Symantec shall appoint trusted personnel as KRAs who, using a two-party control procedure with a second KRA, are authorized, as specified in this Key Recovery Practices Statement (KRPS), to interact with the KRS in order to recover an escrowed key.

1.3.1.2 Trusted Agent (TA)

Symantec shall appoint TAs who will perform identity verification and authorization of a Requestor. The TA may act as an intermediary between the Requestor and the KRA, providing the encrypted recovered keys to the Requestor.

1.3.1.3 Requestor

A Requestor is the person who requests the recovery of a private encryption key. A Requestor is the Subscriber of the certificate or a third party (e.g., supervisor, corporate officer or law enforcement officer) who is authorized to request recovery of a Subscriber’s escrowed key.

Internal Requestor: An Internal Requestor is any Requestor who is in the Subscriber’s supervisory chain or otherwise authorized to obtain the Subscriber’s key for the organization. The intent of this KRPS is not to change the policy and procedures of the organization. The Subscribers’ organization shall appoint authorized Requestors to Symantec to ensure that its existing organization policy regarding access and release of sensitive information can be met. The Subscriber organization shall provide Symantec with pre-established point of contact information for the organization’s Legal and Human Resources department.

External Requestor: An External Requestor is an investigator or someone outside the Subscribers’ organization with authorized court order to obtain the private encryption key of the Subscriber. An external Requestor must work with an internal Requestor unless the law requires Symantec to release the Subscriber’s private key without approval of the Subscriber and Subscriber’s organization. The intent of this KRPS is not to change the current procedures for obtaining information about individuals in connection with such requests. Symantec and Subscribers’ organizations shall appoint authorized personnel and implement the KRPS so that the existing organization policy can be met while releasing the escrowed private key.

A KRA shall validate the authorization of the Requestor in consultation with management and legal counsel, as appropriate.

1.3.1.4 Subscriber

The Subscriber is the person or device that holds a private key that corresponds to a public key listed in their certificate.

1.3.2 Key Recovery System (KRS)

The Key Recovery System (KRS) includes all the information systems used to provide key escrow and key recovery services for Symantec ECA Customers. It is comprised of the Key Recovery System Infrastructure (KRSI) components and the Key Recovery Agent (KRA) and Trusted Agent (TA) Workstations. The KRSI only responds to key recovery requests from two or more Key Recovery Agents (KRAs) operating a KRA Workstation. Section 5.2.1 contains the description of the trusted roles required to operate the KRS.

The KRSI components include: a Key Manager Database (KMD), a Key Manager Server (KMS), the Symantec Certificate Server (SCS), and the Symantec Certificate Database (SCD).

1.3.2.1 KRA Workstation

KRAs perform the recovery process using a KRA Workstation that securely communicates with the KRSI.

1.3.2.2 Key Manager Server (KMS)

The Key Manager Server (KMS) generates and encrypts the Subscriber’s private encryption key. It also stores and retrieves the encrypted key in the Key Manager Database.

1.3.2.3 Key Manager Database (KMD)

The Key Manager Database (KMD) is the repository that stores Subscribers’ encrypted private keys.

1.3.3 Applicability

This KRPS applies to Symantec’s ECA, and Subscribers and Subscribers’ organizations using Symantec ECA Certificates.
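The controls that sections 1.3.1.1 and 1.3.2 describe in prose (the KMS encrypts each Subscriber key before it reaches the KMD, the KRSI answers only requests backed by two or more authenticated KRAs, and a recovered key leaves the system re-wrapped under a delivery password that section 2.1.2 calls the PKCS#12 password) can be shown as a small working model. The following Python is an added illustration, not Symantec's KRS software: the class, function and field names are hypothetical, the HMAC-SHA256 counter-mode stream cipher stands in for the FIPS-validated module a real KMS uses, the KRA secrets and subscriber key bytes are constructed sample values, and the delivery wrapping is a generic password-based encrypt-then-MAC rather than a real PKCS#12 container.

```python
"""Model of the ECA KRS escrow / two-party recovery flow (added illustration,
not Symantec code). Names, cipher and sample values are all constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class KeyRecoveryError(Exception):
    """Raised when a request does not satisfy the KRS controls."""


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (one call both encrypts
    and decrypts). Stand-in for a real FIPS module cipher; illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a tampered record is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise KeyRecoveryError("integrity check failed")
    return _xor_keystream(key, nonce, ct)


@dataclass
class KeyRecoverySystem:
    """KMS, KMD and KRA authentication collapsed into one hypothetical object."""
    REQUIRED_KRAS = 2  # two-party control (section 1.3.1.1)
    kms_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    kmd: Dict[str, bytes] = field(default_factory=dict)  # subscriber -> sealed key
    kra_credentials: Dict[str, bytes] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def enroll_kra(self, kra_id: str, secret: bytes) -> None:
        self.kra_credentials[kra_id] = hashlib.sha256(secret).digest()

    def escrow(self, subscriber: str, private_key: bytes) -> str:
        """KMS encrypts the Subscriber key and stores it in the KMD (1.3.2.2)."""
        self.kmd[subscriber] = _seal(self.kms_key, private_key)
        self.audit_log.append(f"ESCROW subscriber={subscriber}")
        # Subscriber notification obligation from 2.1.1, returned here as text.
        return f"Notice to {subscriber}: your private encryption key has been escrowed."

    def _authenticate_kra(self, kra_id: str, secret: bytes) -> None:
        expected = self.kra_credentials.get(kra_id, b"")
        if not hmac.compare_digest(expected, hashlib.sha256(secret).digest()):
            self.audit_log.append(f"KRA_AUTH_FAIL kra={kra_id}")  # reviewed per 2.1.1
            raise KeyRecoveryError(f"KRA authentication failed: {kra_id}")

    def recover(self, subscriber: str, approvals: List[Tuple[str, bytes]]) -> Tuple[str, bytes]:
        """Release the key only to two distinct, authenticated KRAs. Returns a
        one-time delivery password plus the key re-wrapped under it, so the
        delivered file alone reveals nothing (the password travels separately)."""
        distinct = {kra_id for kra_id, _ in approvals}
        if len(distinct) < self.REQUIRED_KRAS or len(distinct) != len(approvals):
            self.audit_log.append(f"RECOVERY_DENIED subscriber={subscriber} reason=two_party_control")
            raise KeyRecoveryError("two distinct KRAs must approve a recovery")
        for kra_id, secret in approvals:
            self._authenticate_kra(kra_id, secret)
        if subscriber not in self.kmd:
            raise KeyRecoveryError(f"no escrowed key for {subscriber}")
        plaintext = _open(self.kms_key, self.kmd[subscriber])
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        delivery_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        wrapped = salt + _seal(delivery_key, plaintext)
        self.audit_log.append(f"RECOVERY subscriber={subscriber} kras={','.join(sorted(distinct))}")
        return password, wrapped


def unwrap_delivery(password: str, wrapped: bytes) -> bytes:
    """Requestor side: out-of-band password + wrapped file -> private key."""
    salt, blob = wrapped[:16], wrapped[16:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return _open(key, blob)


if __name__ == "__main__":
    krs = KeyRecoverySystem()
    krs.enroll_kra("kra-1", b"constructed-secret-1")
    krs.enroll_kra("kra-2", b"constructed-secret-2")
    print(krs.escrow("alice@example.com", b"constructed private key bytes"))
    pw, file_ = krs.recover("alice@example.com",
                            [("kra-1", b"constructed-secret-1"), ("kra-2", b"constructed-secret-2")])
    print(unwrap_delivery(pw, file_))
    print("\n".join(krs.audit_log))
```

A single approval, the same KRA approving twice, or a wrong KRA secret all raise KeyRecoveryError and leave an entry in the audit log, which is the kind of anomalous-activity record section 2.1.1 says Symantec reviews. After handing the password and file to the Requestor, the KRA-side copies would be destroyed as section 2.1.2 requires; that step is procedural and is not modelled here.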

1.4 CONTACT DETAILS

1.4.1 Key Recovery Policy Administration Organization

The organization administering this KRPS is the Symantec Practices Development group.

1.4.2 Contact Office

The contact office for the KRPS is:
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043 USA
1 (650) 527-8000 (voice)
1 (650) 527-8050 (fax)
practices@symantec.com

1.4.3 Person Performing Policy / Practice Compatibility Analysis

A compatibility analysis will be performed by the ECA Policy Management Authority (EPMA), who will ensure that Symantec’s KRPS is in compliance with the ECA KRP.

2. GENERAL PROVISIONS

2.1 OBLIGATIONS

2.1.1 Symantec Obligations

Symantec shall:
• Obtain the EPMA approval for the KRPS.
• Provide a copy of the ECA CP, ECA KRP, approved, redacted Symantec ECA CPS and the approved, redacted Symantec ECA KRPS to the KRAs and TAs.
• Operate the KRS in accordance with the provisions of the approved KRPS.
• Notify the Subscribers when their private keys have been escrowed with the KRS (e.g., a dialog box may appear on a Subscriber’s screen during the certificate request process).
• Monitor Internet traffic into and out of Symantec and review the audit logs for patterns of potentially anomalous KRA or TA activity (e.g., repeated login failures) as indicators of possible problems in the infrastructure, and initiate inquiries or investigations as appropriate.
• Protect escrowed keys, during delivery, against disclosure to any party except the Requestor.
• Make commercially reasonable efforts to ensure that each individual understands and complies with the obligations for any Key Recovery role they execute and is trained to perform their duties in accordance with this KRPS.

2.1.2 KRA Obligations

KRAs shall:
• Acknowledge receipt of the KRPS and their responsibility to operate in accordance with the provisions of this KRPS.
• Protect Subscribers’ escrowed keys from unauthorized disclosure, including the encrypted files and associated PKCS#12 passwords.
• Protect Subscribers’ recovered keys from compromise. After providing the Requestor with the encrypted key, the KRA shall destroy the copy of the encrypted key and associated PKCS#12 password in his/her system.
• Protect all information, including the KRA key(s), that could be used to recover Subscribers’ escrowed keys.
• Initiate the process to recover a Subscriber’s escrowed key only upon receipt of a request from an authorized Requestor. The KRA shall authenticate the identity of the Requestor using the same process as the one used for user registration as defined in section 3.2.3 of the Symantec ECA CPS. If the Requestor makes an electronic request, the KRA shall validate that the request is digitally signed as defined in section 3.2.3.2 of the Symantec ECA CPS.
• Validate the authorization for key recovery requests, to include consultation with legal counsel when appropriate.
• Release Subscribers’ escrowed keys only for properly authenticated and authorized requests from Requestors.
• Protect all information regarding all occurrences of key reco
