Operational Research Consultants, Inc. (ORC)

Access Certificates For Electronic Services (ACES)

Certificate Practice Statement

DRAFT Version 3.1.5

October 1, 2004

DRAFT

© Copyright 2004, Operational Research Consultants, Inc.

All Rights Reserved

Table of Contents

1 Introduction
1.1 Overview
1.2 Policy Identification
1.3 Community and Applicability
1.3.1 Certificate Service Providers
1.3.2 End Entities (EE)
1.3.3 Policy Authority
1.3.4 Applicability
1.3.5 Related Authorities
1.4 Contact Details
1.4.1 Policy Administration Organization
1.4.2 Policy Contact Personnel
1.4.3 Person Determining CPS Suitability for the Policy
1.4.4 CPS Administration Organization
2 General Provisions
2.1 Obligations
2.1.1 Authorized CA Obligations
2.1.2 RA, LRA and IA Obligations
2.1.3 Certificate Manufacturing Authority Obligations
2.1.4 Repository Obligations
2.1.5 Subscriber Obligations
2.1.6 Server/Component Certificate Subscriber Obligations
2.1.7 Code Signer Certificate Subscriber Obligations
2.1.8 Relying Party Obligations
2.1.9 Policy Authority Obligations
2.1.10 ORC Certificate Status Authority (CSA) Obligations
2.2 Liability
2.2.1 Authorized CA Liability
2.2.2 RA, IA, CMA, and Repository Liability
2.2.3 Warranties and Limitations On Warranties
2.2.4 Damages Covered and Disclaimers
2.2.5 Loss Limitations
2.2.6 Other Exclusions
2.3 Financial Responsibility
2.3.1 Indemnification By Relying Parties and Subscribers
2.3.2 Fiduciary Relationships
2.3.3 Administrative Processes
2.4 Interpretation and Enforcement
2.4.1 Governing Law
2.4.2 Severability of Provisions, Survival, Merger, and Notice
2.4.3 Dispute Resolution Procedures
2.5 Fees
2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees
2.5.2 Certificate Access Fees
2.5.3 Revocation or Status Information Access Fees
2.5.4 Fees for Other Services Such as Policy Information
2.5.5 Refund Policy
2.6 Publication and Repository
2.6.1 Publication of ORC ACES Information
2.6.2 Frequency of Publication
2.6.3 Access Controls
2.6.4 Repositories
2.7 Inspections And Reviews
2.7.1 Certification and Accreditation
2.7.2 Quality Assurance Inspection and Review
2.8 Confidentiality
2.8.1 Types of Information to Be Kept Confidential
2.8.2 Types of Information Not Considered Confidential
2.8.3 Disclosure of Certificate Revocation/Suspension Information
2.8.4 Release to Law Enforcement Officials
2.8.5 Release as Part of Civil Discovery
2.8.6 Disclosure upon Owner's Request
2.9 Security Requirements
2.9.1 System Security Plan (SSP)
2.9.2 Risk Management
2.9.3 Certification and Accreditation
2.9.4 Rules and Behavior
2.9.5 Contingency Plan
2.9.6 Incident Response Capability
2.10 Intellectual Property Rights
3 Identification And Authentication
3.1 Initial Registration
3.1.1 Types of Names
3.1.2 Need for Names to be Meaningful
3.1.3 Rules for Interpreting Various Name Forms
3.1.4 Uniqueness of Names
3.1.5 Name Claim Dispute Procedure
3.1.6 Recognition, Authentication and Role of Trademarks
3.1.7 Verification of Possession of Private Key
3.1.8 Authentication of Sponsoring Organizational Identity
3.1.9 Authentication of Individual Identity
3.1.10 Code Signer Authentication
3.1.11 Authentication of Component Identities
3.2 Routine Re-Key (Certificate Renewal)
3.2.1 CA Certificate Routine Re-Key
3.2.2 Certificate Re-Key
3.2.3 Certificate Renewal
3.3 Obtaining a New Certificate After Revocation
3.4 Revocation Request
4 Operational Requirements
4.1 Certificate Application
4.1.1 Application Initiation
4.1.2 Application Rejection
4.2 Certificate Issuance
4.2.1 Certificate Delivery
4.2.2 Certificate Replacement
4.3 Certificate Acceptance
4.4 Certificate Suspension and Revocation
4.4.1 Who Can Request a Revocation
4.4.2 Circumstances for Revocation
4.4.3 Revocation Request Procedure
4.4.4 Revocation Grace Period
4.4.5 Certificate Authority Revocation Lists (CARLs)/Certificate Revocation Lists (CRLs)
4.4.6 Online Revocation/Status Checking Availability
4.4.7 Online Revocation Checking Requirements
4.4.8 Other Forms of Revocation Advertisements Available
4.4.9 Checking Requirements for Other Forms of Revocation Advertisements Available
4.4.10 Special Requirements With Respect to Key Compromise
4.5 Certificate Suspension
4.5.1 Circumstances for Suspension
4.5.2 Who Can Request Suspension
4.5.3 Procedure for Suspension Request
4.6 Computer Security and Audit Procedures
4.6.1 Types of Event Recorded
4.6.2 Frequency of Processing Data
4.6.3 Retention Period for Security Audit Data
4.6.4 Protection of Security Audit Data
4.6.5 Security Audit Data Backup Procedures
4.6.6 Security Audit Collection System (Internal vs. External)
4.6.7 Notification to Event-Causing Subject
4.6.8 Vulnerability Assessments
4.7 Records Archival
4.7.1 Types of Data Archived
4.7.2 Retention Period for Archive
4.7.3 Protection of Archive
4.8 Key Changeover
4.9 Compromise and Disaster Recovery
4.9.1 Computing Resources, Software, and/or Data are Corrupted
4.9.2 Authorized CA Public Key Is Revoked
4.9.3 Private Key Is Compromised (Key Compromise Plan)
4.9.4 Facility after a Natural or Other Disaster (Disaster Recovery Plan)
4.10 Authorized CA Cessation of Services
4.11 Customer Service Center
5 Physical, Procedural And Personnel Security Controls
5.1 Physical Security Controls
5.1.1 Physical Access Controls
5.1.2 Security Checks
5.1.3 Media Storage
5.1.4 Environmental Security
5.1.5 Off-site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Number of Persons Required Per Task (Separation of Roles)
5.2.3 Identification and Authentication for Each Role
5.2.4 Hardware/Software Maintenance Controls
5.2.5 Documentation
5.2.6 Security Awareness Training
5.2.7 Retraining Frequency and Requirements
5.2.8 Job Rotation Frequency and Sequence
5.2.9 Sanctions for Unauthorized Actions
5.2.10 Contracting Personnel Requirements
5.2.11 Documentation Supplied to Personnel
5.3 Personnel Security Controls
5.3.1 Access Authorization
5.3.2 Limited Access
6 Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Entity
6.1.3 Subscriber Public Key Delivery to Authorized CA (Certificate Issuer)
6.1.4 ORC ACES CA Public Key Delivery to Users
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation
6.1.7 Parameter Quality Checking
6.1.8 Key Usage Purposes (X.509 V3 Key Usage Field)
6.1.9 Private Key Shared by Multiple Subscribers
6.1.10 Date/Time Stamping
6.2 Private Key Protection
6.2.1 Standards for Cryptographic Modules
6.2.2 Private Key Backup
6.2.3 Private Key Archival
6.2.4 Private Key Entry Into Cryptographic Module
6.2.5 Method of Activating Private Key
6.2.6 Method of Deactivating Private Key
6.2.7 Method of Destroying Private Key
6.3 Good Practices Regarding Key Pair Management
6.3.1 Public Key Archival
6.3.2 Private Key Archival
6.3.3 Usage Periods for the Public and Private Keys
6.3.4 Restrictions on CA's Private Key Use
6.3.5 Private Key Multi-person Control
6.3.6 Private Key Escrow
6.4 Activation Data
6.4.1 Activation Data Installation and Generation
6.4.2 Activation Data Protection
6.4.3 Other Aspects of Activation Data
6.5 Computer Security Controls
6.5.1 Audit
6.5.2 Technical Access Controls
6.5.3 Identification and Authentication
6.5.4 Trusted Paths
6.6 Life Cycle Technical Controls
6.6.1 System Development Controls (Environment Security)
6.6.2 Security Management Controls
6.6.3 Object Reuse
6.7 Network Security Controls
6.7.1 Remote Access/Dial-up Access
6.7.2 Firewalls
6.7.3 Encryption
6.7.4 Interconnections
6.7.5 Router
6.7.6 Inventory of Network Hardware/Software
6.8 Cryptographic Module Engineering Controls
7 Certificate And CRL Profiles
7.1 Certificate Profile
7.1.1 Version Numbers
7.1.2 Certificate Extensions
7.1.3 Algorithm Object Identifiers
7.1.4 Name Forms
7.1.5 Name Constraints
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints Extension
7.1.8 Policy Qualifiers Syntax and Semantics
7.1.9 Processing Semantics for the Critical Certificate Policy Extension
7.2 CRL Profile
7.2.1 Version Numbers
7.2.2 CRL and CRL Entry Extensions
7.3 OCSP Request – Response Format
8 CPS Administration
8.1 CPS Change Procedures
8.1.1 List of Items
8.1.2 Comment Period
8.2 Publication and Notification Procedures
8.3 CPS and External Approval Procedures
8.4 Waivers
Appendix A: Relying Party Agreement
Appendix B: Acronyms And Abbreviations
Appendix C: Auditable Events Table
Appendix D: Applicable Federal and GSA Regulations
Appendix E: ORC ACES Profile Formats
E.1 ACES Root CA Self-Signed Certificate
E.2 Authorized CA Certificate Profile
E.3 Unaffiliated Individual Identity Certificate
E.3(a) Unaffiliated Individual Identity Certificate Hardware
E.4 Unaffiliated Individual Encryption Certificate
E.4(a) Unaffiliated Individual Encryption Certificate Hardware
E.5 Business Representative Identity Certificate
E.5(a) Business Representative Identity Certificate Hardware
E.6 Business Representative Encryption Certificate
E.6(a) Business Representative Encryption Certificate Hardware
E.7 Relying Party Application Identity Certificate
E.8 Relying Party Application Encryption Certificate
E.9 Federal Employee Identity Certificate
E.9(a) Federal Employee Identity Certificate Hardware
E.10 Federal Employee Encryption Certificate
E.10(a) Federal Employee Encryption Certificate Hardware
E.11 Federal Agency Application Encryption (SSL) Certificate
E.12 State and Local Employee Identity Certificate
E.12(a) State and Local Employee Identity Certificate Hardware
E.13 State and Local Employee Encryption Certificate
E.13(a) State and Local Employee Encryption Certificate Hardware
E.14 State and Local Server (SSL) Certificate
E.15 Code Signing Certificate
E.16 Non Government Component Certificate
E.17 Domain Controller Certificate
E.18 ORC Government Root CRL
E.19 ORC ACES CA CRL
E.20 OCSP Request Format
E.21 OCSP Response Format
Appendix F: Security Officer Appointment Letter
Appendix G: References
Appendix H: Glossary

1  Introduction

1.1  Overview

This Certificate Practice Statement (CPS) is the implementation document for Operational Research Consultants’ (ORC’s) Access Certificates for Electronic Services (ACES) Program (also known as the ORC ACES Public Key Infrastructure, “ORC ACES PKI”). The General Services Administration (GSA) Office of Government-wide Policy (OGP) and Federal Technology Services (FTS) have designated ORC as an ACES "Authorized Certification Authority (CA)" by:

·  Entering into an appropriate GSA ACES contract with ORC.

·  Reviewing the specific practices and procedures ORC implements to satisfy the requirements of the ACES Certificate Policy (CP) in this certificate practice statement.

·  Successfully completing GSA's ACES Security Certification and Accreditation.

·  Approving this CPS.

This CPS is applicable to individuals, business representatives, Federal employees, State and Local Government employees, relying parties, and agency applications that directly use these certificates, and to those who are responsible for applications or servers that use certificates. Certificate users include, but are not limited to, Certificate Management Authorities (CMAs), Registration Authorities (RAs), Issuing Authorities (IAs), Local Registration Authorities (LRAs), subscribers, and relying parties.

This CPS applies to X.509 version 3 certificates with assurance levels as defined in the ACES CP and the Common Policy Framework CP, as used to protect information up to and including Sensitive But Unclassified (SBU). The policies and procedures in this CPS are applicable to individuals who manage the certificates, individuals who directly use these certificates, and individuals who are responsible for applications or servers that rely on these certificates.

In accordance with the stipulations of the Common Policy Framework CP, this CPS and the ORC ACES subordinate CA that issues Federal employee certificates will be updated to support the use of 2048-bit RSA keys and the SHA-256 hash algorithm.

The CPS describes the operations of the ORC ACES PKI and the services that the ORC ACES PKI provides. These services include:

·  Subscriber Registration: A subscriber or certificate applicant must appear in person before an ORC Registration Authority (RA), an approved Local Registration Authority (LRA) or a registered Notary Public (or a person legally empowered to witness and certify the validity of documents and to take affidavits and depositions), as stipulated by the Policy Authority, present valid identification (driver’s license, passport, etc.), sign the subscriber’s obligation and mail the forms to ORC.

·  Subscriber Enrollment: The ORC ACES system provides Federal Information Processing Standards (FIPS) 140-1/2 Level 3 Secure Sockets Layer (SSL) connections to the certification authority. The subscriber must use a FIPS 140-1/2 Level 1 or 2 client to connect for enrollment.

·  Enrollment Validation: The ORC ACES registration process validates the subscriber enrollment information (see above).

·  Certificate Issuance: When notified by an RA of a valid enrollment request, an ORC IA issues the requested certificate for delivery to a FIPS 140-1/2 Level 1 or 2 client. A FIPS 140-1 Level 1 issuance does not require a hardware token. ORC then notifies the subscriber of the issuance and provides instructions for receiving the certificate.

·  Certificate Publishing: When a certificate is issued, ORC publishes it to a Lightweight Directory Access Protocol (LDAP) directory. The directory may be accessed via a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) gateway or directly via the LDAP protocol.

·  Encryption Key Storage: Optional storage (escrow) of encryption keys.

·  Key Recovery: Available if encryption key storage (escrow) is selected.

·  Certificate Status Information: Provided in the form of Certificate Revocation List (CRL) distribution and Online Certificate Status Protocol (OCSP) responses.

To assist in providing these services and in meeting the reporting requirements outlined in this CPS, ORC maintains a website, which contains instructions, online forms, a summary of this CPS, compliance audit results, and copies of certificates and CRLs. Most of the information on the website is publicly accessible; the site uses SSL to protect data integrity and to allow users to validate the source of the information. Portions of the website are access controlled and require certificate authentication, restricting access to authorized individuals.

ORC is periodically audited by its independent auditor against this CPS and operates primary and secondary secure data centers in conformance with the Department of Defense (DoD), National Security Agency (NSA), U.S. General Services Administration (GSA) and commercial practices.