WiMAX FORUM PROPRIETARY

WiMAX Forum® Network Architecture DRAFT-T32-006-R010v01-D

AeroMACS PKI Certificate Policy

Copyright Notice, Use Restrictions, Disclaimer, and Limitation of Liability

Copyright 2015 WiMAX Forum. All rights reserved.

The WiMAX Forum® owns the copyright in this document and reserves all rights herein. This document is available for download from the WiMAX Forum and may be duplicated for internal use by the WiMAX Forum Members, provided that all copies contain all proprietary notices and disclaimers included herein. Except for the foregoing, this document may not be duplicated, in whole or in part, or distributed without the express written authorization of the WiMAX Forum.

Use of this document is subject to the disclaimers and limitations described below. Use of this document constitutes acceptance of the following terms and conditions:

THIS DOCUMENT IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TO THE GREATEST EXTENT PERMITTED BY LAW, THE WiMAX Forum DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE WiMAX Forum DOES NOT WARRANT THAT THIS DOCUMENT IS COMPLETE OR WITHOUT ERROR AND DISCLAIMS ANY WARRANTIES TO THE CONTRARY.

Any products or services provided using technology described in or implemented in connection with this document may be subject to various regulatory controls under the laws and regulations of various governments worldwide. The user is solely responsible for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such regulations within the applicable jurisdiction.

NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES WHATSOEVER REGARDING THE APPLICABILITY OR NON-APPLICABILITY OF ANY SUCH LAWS OR REGULATIONS OR THE SUITABILITY OR NON-SUITABILITY OF ANY SUCH PRODUCT OR SERVICE FOR USE IN ANY JURISDICTION.

NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES WHATSOEVER REGARDING THE SUITABILITY OR NON-SUITABILITY OF A PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF THE WiMAX Forum OR ANY THIRD PARTY.

The WiMAX Forum has not investigated or made an independent determination regarding title or noninfringement of any technologies that may be incorporated, described or referenced in this document. Use of this document or implementation of any technologies described or referenced herein may therefore infringe undisclosed third-party patent rights or other intellectual property rights. The user is solely responsible for making all assessments relating to title and noninfringement of any technology, standard, or specification referenced in this document and for obtaining appropriate authorization to use such technologies, standards, and specifications, including through the payment of any required license fees.

NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES OF TITLE OR NONINFRINGEMENT WITH RESPECT TO ANY TECHNOLOGIES, STANDARDS OR SPECIFICATIONS REFERENCED OR INCORPORATED INTO THIS DOCUMENT.

IN NO EVENT SHALL THE WiMAX Forum OR ANY MEMBER BE LIABLE TO THE USER OR TO A THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS DOCUMENT, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS DOCUMENT, THE USER WAIVES ANY SUCH CLAIM AGAINST THE WiMAX Forum AND ITS MEMBERS RELATING TO THE USE OF THIS DOCUMENT.

The WiMAX Forum reserves the right to modify or amend this document without notice and in its sole discretion. The user is solely responsible for determining whether this document has been superseded by a later version or a different document.

“WiMAX,” “Mobile WiMAX,” “Fixed WiMAX,” “WiMAX Forum,” “WiMAX Certified,” “WiMAX Forum Certified,” “WiGRID,” the WiMAX Forum logo and the WiMAX Forum Certified logo are trademarks or registered trademarks of the WiMAX Forum. All other trademarks are the property of their respective owners.

Document Status

WiMAX Forum Document ID: / T32-006-R010-v01
Document Title: / AeroMACS PKI Certificate Policy
Status: / Work in Progress / Draft / Issued / Closed
Distribution Restrictions: / Author Only / AeroMACS/Member / AeroMACS/Member/Vendor / Public

Revision History

Revision / Date / Remarks
A / 2015-10-13 / Initial Draft to propose structure and outline certificate profiles in section 7
B / 2015-10-14 / Outline of all future sections added for context
C / 2015-11-10 / Section 6 added and Section 7 updated
D / 2015-11-24 / Section 5 and 8 added

Key to Document Status Codes:

Work in Progress / An incomplete document, designed to guide discussion and generate feedback that may include several alternative requirements for consideration.
Draft / A document in specification format considered largely complete, but lacking review by Members. Drafts are susceptible to substantial change during the review process.
Issued / A stable document, which has undergone rigorous review and is suitable for publication.
Closed / A static document, reviewed, tested, validated, and closed to further documentation change requests.

TABLE OF CONTENTS

WiMAX Forum® Network Architecture

1. Introduction

1.1 Overview

1.2 Document Name and Identification

1.3 PKI Participants

1.4 Certificate Usage

1.5 Policy Administration

1.6 Definitions and Acronyms

2. Introduction

2.1 Repositories

2.2 Publication of Certification Information

2.3 Time or Frequency of Publication

2.4 Access Controls on Repositories

3. Identification and Authentication

3.1 Naming

3.2 Initial Identity Validation

3.3 Identification and Authentication for Re-key Requests

3.4 Identification and Authentication for Revocation Request

4. Certificate Life-cycle Operational Requirements

4.1 Certificate Application

4.2 Certificate Application Processing

4.3 Certificate Issuance

4.4 Certificate Acceptance

4.5 Key Pair and Certificate Usage

4.6 Certificate Renewal

4.7 Certificate Re-key

4.8 Certificate Modification

4.9 Certificate Revocation and Suspension

4.10 Certificate Status Services

4.11 End of Subscription

4.12 Key Escrow and Recovery

5. Facility, Management, and Operational Controls

5.1 Physical Controls

5.1.1 Site Location and Construction

5.1.2 Physical Access for CA Equipment

5.1.3 Power and Air Conditioning

5.1.4 Water Exposures

5.1.5 Fire Prevention and Protection

5.1.6 Media Storage

5.1.7 Waste Disposal

5.1.8 Off-Site Backup

5.2 Procedural Controls

5.2.1 Trusted Roles

5.2.2 Number of Persons Required per Task

5.2.3 Identification and Authentication for Each Role

5.2.4 Roles Requiring Separation of Duties

5.3 Personnel Controls

5.3.1 Qualifications, Experience, and Clearance Requirements

5.3.2 Background Check Procedures

5.3.3 Training Requirements

5.3.4 Retraining Frequency and Requirements

5.3.5 Job Rotation Frequency and Sequence

5.3.6 Sanctions for Unauthorized Actions

5.3.7 Independent Contractor Requirements

5.3.8 Documentation Supplied to Personnel

5.4 Audit Logging Procedures

5.4.1 Types of Events Recorded

5.4.2 Frequency of Processing Log

5.4.3 Retention Period for Audit Log

5.4.4 Protection of Audit Log

5.4.5 Audit Log Backup Procedures

5.4.6 Audit Collection System (Internal vs. External)

5.4.7 Notification to Event-Causing Subject

5.4.8 Vulnerability Assessments

5.5 Records Archival

5.5.1 Types of Events Archived

5.5.2 Retention Period for Archive

5.5.3 Protection of Archive

5.5.4 Archive Backup Procedures

5.5.5 Requirements for Time-Stamping of Records

5.5.6 Archive Collection System (Internal or External)

5.5.7 Procedures to Obtain and Verify Archive Information

5.6 Key Changeover

5.7 Compromise and disaster recovery

5.7.1 Incident and Compromise Handling Procedures

5.7.2 Computing Resources, Software, and/or Data Are Corrupted

5.7.3 Entity (CA) Private Key Compromise Procedures

5.7.4 Business Continuity Capabilities after a Disaster

5.8 CA Termination

6. TECHNICAL SECURITY CONTROLS

6.1 Key Pair Generation and Installation

6.1.1 Key Pair Generation

6.1.2 Private Key Delivery to Subscriber

6.1.3 Public Key Delivery to Certificate Issuer

6.1.4 CA Public Key Delivery to Relying Parties

6.1.5 Key Sizes

6.1.6 Public Key Parameters Generation and Quality Checking

6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)

6.2 Private Key Protection and Cryptographic Module Engineering Controls

6.2.1 Cryptographic Module Standards and Controls

6.2.2 Private Key (n out of m) Multi-Person Control

6.2.3 Private Key Escrow

6.2.4 Private Key Backup

6.2.5 Private Key Archival

6.2.6 Private Key Transfer into or from a Cryptographic Module

6.2.7 Private Key Storage on Cryptographic Module

6.2.8 Method of Activating Private Key

6.2.9 Method of Deactivating Private Key

6.2.10 Method of Destroying Private Key

6.2.11 Cryptographic Module Rating

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival

6.3.2 Certificate Operational Periods and Key Pair Usage Periods

6.4 Activation data

6.4.1 Activation Data Generation and Installation

6.4.2 Activation Data Protection

6.4.3 Other Aspects of Activation Data

6.5 Computer security controls

6.5.1 Specific Computer Security Technical Requirements

6.5.2 Computer Security Rating

6.6 Life Cycle Technical Controls

6.6.1 System Development Controls

6.6.2 Security Management Controls

6.6.3 Life Cycle Security Controls

6.7 Network Security Controls

6.8 Time-Stamping

7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1 Certificate Profile

7.1.1 Version Number(s)

7.1.2 Certificate Extensions

7.1.3 Algorithm Object Identifiers (OIDs)

7.1.4 Name Forms

7.1.5 Name Constraints

7.1.6 Certificate Policy Object Identifier

7.1.7 Usage of Policy Constraints Extension

7.1.8 Policy Qualifiers Syntax and Semantics

7.1.9 Processing Semantics for the Critical Certificate Policies Extension

7.2 CRL Profile

7.2.1 Version Number(s)

7.2.2 CRL and CRL entry extensions

7.3 OCSP Profile

7.3.1 Version Number(s)

7.3.2 OCSP Extensions

8. Compliance Audit and Other Assessments

8.1 Frequency or Circumstances of Assessment

8.2 Identity/Qualifications of Assessor

8.3 Assessor's Relationship to Assessed Entity

8.4 Topics Covered by Assessment

8.5 Actions Taken as a Result of Deficiency

8.6 Communication of Results

9. Other Business and Legal Matters

9.1 Fees

9.2 Financial Responsibility

9.3 Confidentiality of business information

9.4 Privacy of Personal Information

9.5 Intellectual Property Rights

9.6 Representations and Warranties

9.7 Disclaimers of warranties

9.8 Limitations of liability

9.9 Indemnities

9.10 Term and termination

9.11 Individual notices and communications with participants

9.12 Amendments

9.13 Dispute Resolution Provisions

9.14 Governing Law

9.15 Compliance with Applicable Law

9.16 Miscellaneous provisions

9.17 Other Provisions

10. References

11. Glossary

12. Abbreviations and Acronyms

TABLE OF TABLES

Table 1: Algorithm Type and Key Size

Table 2: keyUsage Extension for all CA certificates

Table 3: keyUsage Extension for all Subscriber Signature Certificates

Table 4: keyUsage Extension for all Key Management Certificates

Table 5: keyUsage Extension for all Server Certificates

Table 6: Certificate Profile Basic Fields

Table 7: Root CA Certificate Standard Extensions

Table 8: Sub-CA Certificate Standard Extensions

Table 9: Subscriber Certificate Standard Extensions

Table 10: OCSP Certificate Standard Extensions

Table 11: subjectKeyIdentifier Extension for AeroMACS CA Certificates

Table 12: basicConstraints Extension for AeroMACS Root CA Certificates

Table 13: basicConstraints Extension for AeroMACS Sub-CA Certificates

Table 14: extKeyUsage Extension for AeroMACS Server Certificates

Table 15: extKeyUsage Extension for AeroMACS Client Certificates

Table 16: Signature OIDs for Certificates

Table 17: subjectPublicKeyInfo for Certificate

Table 18: Root CA Certificate issuer and subject Fields

Table 19: Sub-CA Certificate subject Fields

Table 20: Subscriber Certificate subject Fields

Table 21: certificatePolicies Extension for AeroMACS Certificates

Table 22: CRL Profile Basic Fields

1.  Introduction

1.1  Overview

1.2  Document Name and Identification

1.3  PKI Participants

1.4  Certificate Usage

1.5  Policy Administration

1.6  Definitions and Acronyms

2.  Introduction

2.1  Repositories

2.2  Publication of Certification Information

2.3  Time or Frequency of Publication

2.4  Access Controls on Repositories

3.  Identification and Authentication

3.1  Naming

3.2  Initial Identity Validation

3.3  Identification and Authentication for Re-key Requests

3.4  Identification and Authentication for Revocation Request

4.  Certificate Life-cycle Operational Requirements

4.1  Certificate Application

4.2  Certificate Application Processing

4.3  Certificate Issuance

4.4  Certificate Acceptance

4.5  Key Pair and Certificate Usage

4.6  Certificate Renewal

4.7  Certificate Re-key

4.8  Certificate Modification

4.9  Certificate Revocation and Suspension

4.10  Certificate Status Services

4.11  End of Subscription

4.12  Key Escrow and Recovery

5.  Facility, Management, and Operational Controls

All entities performing CA functions shall implement and enforce the following physical, procedural, logical, and personnel security controls for a CA.

5.1  Physical Controls

CA equipment shall be protected from unauthorized access while the cryptographic module is installed and activated. The CA shall implement physical access controls to reduce the risk of equipment tampering even when the cryptographic module is not installed and activated. CA cryptographic modules shall be protected against theft, loss, and unauthorized use.

All the physical control requirements specified below apply equally to the Root and subordinate CAs, and any remote workstations used to administer the CAs except where specifically noted.