David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L.


David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L. Wasley University of California

2 Certificate Policy is …
- The basis of trust between unrelated entities
- Not a “contract”
- A framework that informs/constrains a PKI implementation
- A way of giving advice to Relying Parties
- One of a number of related documents, incl.
  - Certification Practices
  - Directory Policy

3 Goals
- A “generic” CP for higher ed PKI
- Compatible with the Federal BCA policy
- Simple (relatively) to implement at the “Rudimentary” level (PKI Lite)
- Specific requirements intended to foster inter-domain trust
- All implementation specific details deferred to associated Certification Practices Statement

4 PKI Players
- Policy Management Authority (PMA)
  - Responsible for developing and enforcing policy
- Certificate Authority (CA)
  - Operational unit(s)
  - Term also applies to the entire set of functions
- Registration Authority (RA)
  - Optional delegated responsibility for I & A
- Relying Parties

5 RFC 2527 CP Sections
- Introduction
- General Provisions
- Identification and Authentication
- Operational Requirements
- Physical, Procedural and Personnel Security Ctrls
- Technical Security Controls
- Certificate and CARL/CRL Profiles
- Specification Administration

6 Introduction
- Distinction between CP and CPS
- CP is transitive throughout the hierarchy
  - Authorizing CA has responsibility for authorized CA
- Document identity
  - OID for the CP and OIDs for each LOA
- On-line copy of CP and CPS must be signed
- Community served may be any defined in the CPS
  - Relying Party can’t make assumptions unless so stated

7 Introduction (cont.)
- Applicability of the issued certificates based on Level of Assurance (LOA)
  - Test - used for development and testing only
  - Rudimentary - very low risk apps; data integrity
  - Basic - for apps with minimal risk
  - Medium - modest risk, including monetary loss
  - High - secure apps; transactions of significant financial consequence

8 General Provisions
- Obligations of the parties
  - CA, RA, Subscriber, Relying Party, Repository
  - RP is problematic since there is no “contract”
    - In some cases a contract may be needed, e.g. FERPA
- Liability limited to $1,000
  - Considered necessary to indicate trustworthiness
- Audit requirements
  - Must be performed by qualified third party
  - Results must be made available

9 Identification and Authentication
- Types of Subject names
  - If included, must be meaningful
  - Must be unique for all time
- Different requirements for each LOA
  - Photo ID required for Medium or High LOA
  - Document ID marks must be recorded and archived
- CA rekey requirements
  - Must notify PKC Subjects …

10 Operational Requirements
- CA may not generate key pairs for Subjects
- PKC acceptance for Med/High requires signature
- PKC Suspension or Revocation
  - Suspension not used
  - Revocation required at Basic or higher LOA
    - Requires standard CRL; allows for OCSP
    - Relying Party required to check for revocation

11 Operational Requirements (cont.)
- Security Audit Procedure
  - Everything that might affect the CA or RA
  - Simple for Rudimentary
- Records Archival
  - Up to 20 years + 6 months for High LOA
  - (Electronic archive is an activity unto itself)
- Disaster Recovery Requirements
- CA Termination Process

12 Physical, Procedural and Personnel Security Controls
- CA Roles [may change]
  - Administrator - sysadmin; installs & configures
  - Officer - approves issuance and revocation of PKCs
  - Operator - routine system operation & backup
  - Auditor - reviews syslogs; oversees external audit
- Separation of roles required at higher LOAs
- Some tasks require action by 2 out of 4 persons

13 Technical Security Controls
- FIPS 140 Technical Security
  - Level depends on LOA
  - Key sizes and private key protection requirements
- Escrow of end-entity decryption (private) key
  - CA must have possession of key before issuing PKC
  - Must NOT escrow any other private key
- Computer platform and network controls
- Engineering and development controls

14 Certificate and CARL/CRL Profiles
- Certificate profile is X.509v3 or higher
  - Details in CPS
  - CertPolicyID is the LOA OID
  - CPSuri points to the on-line signed CPS
    - CPS specifies CP OID and URL where it can be found
  - Certificate serial number must be unique across all PKCs issued by this CA
- CARL/CRL is X.509v2 or higher
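A relying-party check built on this profile, as an added example that is not part of the original slides: it parses the DER value of a certificatePolicies extension, reads the policy OID and CPSuri, and accepts the certificate only if it asserts a known LOA at or above what the application requires. The LOA OIDs (placed under the 2.999 example arc, since the slides assign none), the assumption that a higher LOA satisfies a lower requirement, and the CPS URL are all hypothetical.

```python
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps qualifier (RFC 5280)
LOA_RANK = ["Test", "Rudimentary", "Basic", "Medium", "High"]
LOA_OIDS = {"2.999.1.%d" % i: n for i, n in enumerate(LOA_RANK)}  # hypothetical OIDs

def read_tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                            # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)             # first byte group packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_certificate_policies(ext_value):
    """Return [(policy_oid, cps_uri_or_None)] from a DER CertificatePolicies value."""
    (_, policies), = read_tlvs(ext_value)
    result = []
    for _, info in read_tlvs(policies):
        fields = list(read_tlvs(info))
        oid, cps = decode_oid(fields[0][1]), None
        for _, qualifiers in fields[1:]:
            for _, q in read_tlvs(qualifiers):
                (_, qid), (_, qual) = list(read_tlvs(q))[:2]
                if decode_oid(qid) == ID_QT_CPS:
                    cps = qual.decode("ascii")
        result.append((oid, cps))
    return result

def acceptable(ext_value, minimum):
    """True if a known LOA OID at or above `minimum` is asserted (assumed ordering)."""
    ranks = [LOA_RANK.index(LOA_OIDS[o])
             for o, _ in parse_certificate_policies(ext_value) if o in LOA_OIDS]
    return bool(ranks) and max(ranks) >= LOA_RANK.index(minimum)

SAMPLE = bytes.fromhex(  # constructed: policy 2.999.1.3 (Medium) + CPSuri qualifier
    "3032303006048837010330283026" "06082b06010505070201161a"
) + b"https://ca.example.edu/cps"
```

A certificate that carries only an unrecognised policy OID, or only the Test LOA, is rejected for any production minimum, so a relying party makes no assumption the CA has not stated.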

15 Specification Administration
- Specifies how the PMA changes or updates this policy document, etc.
- See also the Bibliography and Glossary

16 Other Policy Documents
- Certification Practices Statement
  - All specific details, e.g. community, I&A, etc.
  - HE draft example begun …
- Directory Policy Statement
  - As critical as the credential
  - Includes access controls, element definitions, etc…
- Business Policy Provisions
  - The basis for the institution to issue credentials

17 Similar CPs for Comparison
- Federal BCA Certificate Policy
- European PKI certificate policy
- Globus Grid CP
- Draft Model Interstate Certificate Policy
- Commercial PKI CPs (very different)
- CP for the State of Washington
- NACHA CARAT guidelines

18 HE CP Status
- Draft in process for 9 months
  - Will be vetted to wider audience ASAP
- Companion HEBCA CP needs to be reviewed to ensure compatibility
- Generic OIDs may be acquired for CP, LOAs
- Example CPS(s) will be generated
- Notes for CA implementers will be created
- See

19 Acknowledgements
- Richard Guida, Federal PKI Council
- Ken Klingenstein and the I2 HEPKI-PAG
- Judith Boettcher, CREN
- Dan Burke, Legal Counsel, CREN
- Scott Fullerton -- Wisconsin-Madison
- Art Vandenburg -- Georgia State
- Support: Renee Frost, Ellen Vaughan, Nate Klingenstein (I2), Michelle Gildea (CREN)