MD-Grid
CERTIFICATION AUTHORITY
CERTIFICATE POLICY
AND
CERTIFICATION PRACTICE STATEMENT
Version 1.3
March, 2009
Table of Contents:
1. INTRODUCTION..................................................................................................................................................................................... 7
1.1 Overview.......................................................................................................................................................................................... 7
1.2 Document name and identification............................................................................................................................. 7
1.3 PKI participants......................................................................................................................................................................... 7
1.3.1 Certification Authorities......................................................................................................................................................... 7
1.3.2 Registration authorities.......................................................................................................................................................... 7
1.3.3 Subscribers................................................................................................................................................................................ 7
1.3.4. Relying parties......................................................................................................................................................................... 8
1.3.5 Other participants.................................................................................................................................................................... 8
1.4 Certificate usage...................................................................................................................................................................... 8
1.4.1 Appropriate certificate uses................................................................................................................................................... 8
1.4.2 Prohibited certificate uses...................................................................................................................................................... 8
1.5 Policy administration........................................................................................................................................................... 8
1.5.1 Organization administering the document......................................................................................................................... 8
1.5.2 Contact person......................................................................................................................................................................... 8
1.5.3 Person determining CPS suitability for the policy............................................................................................................ 9
1.5.4 CPS approval procedures...................................................................................................................................................... 9
1.6 Definitions and acronyms.................................................................................................................................................. 9
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES.......................................................................................................... 10
2.1 Repositories................................................................................................................................................................................. 10
2.2 Publication of certification information............................................................................................................ 10
2.3 Time or frequency of publication................................................................................................................................ 10
2.4 Access control on repositories..................................................................................................................................... 10
3 IDENTIFICATION AND AUTHENTICATION................................................................................................................................... 11
3.1 Naming............................................................................................................................................................................................ 11
3.1.1 Types of names........................................................................................................................................................................ 11
3.1.2 Need for names to be meaningful........................................................................................................................................ 11
3.1.3 Anonymity or pseudonimity of subscribers....................................................................................................................... 11
3.1.4 Rules for interpreting various name forms........................................................................................................................ 11
3.1.5 Uniqueness of names............................................................................................................................................................. 11
3.1.6 Recognition, authentication, and role of trademarks.................................................................................................... 11
3.2 Initial identity validation............................................................................................................................................... 11
3.2.1 Method to prove possession of a key.................................................................................................................................. 11
3.2.2 Authentication of organization identity............................................................................................................................ 12
3.2.3 Authentication of individual entity.................................................................................................................................... 12
3.2.4 Non-verified subscriber information.................................................................................................................................. 12
3.2.5 Validation of Authority......................................................................................................................................................... 12
3.2.6 Criteria of interoperation.................................................................................................................................................... 12
3.3 Identification and authentication for re-key requests............................................................................. 12
3.3.1 Identification and authentication for routine re-key...................................................................................................... 12
3.3.2 Identification and authentication for re-key after revocation...................................................................................... 13
3.4 Identification and authentication for revocation request................................................................... 13
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS................................................................................................ 13
4.1 Certificate application...................................................................................................................................................... 13
4.1.1 Who can submit a certificate application......................................................................................................................... 13
4.1.2 Enrollment process and responsibilities........................................................................................................................... 13
4.2.1 Performing identification and authentication functions............................................................................................... 13
4.2.2 Approval or rejection of certificate applications............................................................................................................ 14
4.2.3 Time to process certificate applications............................................................................................................................ 14
4.3 Certificate issuance............................................................................................................................................................. 14
4.3.1 CA actions during certificate issuance.............................................................................................................................. 14
4.3.2 Notification to subscriber by the CA of issuance of certificate..................................................................................... 14
4.4 Certificate acceptance............................................................................................................................................................. 14
4.4.1 Conduct constituting certificate acceptance................................................................................................................... 14
4.4.2 Publication of the certificate by the CA............................................................................................................................ 14
4.4.3 Notification of certificate issuance by the CA to other entities.................................................................................... 14
4.5 Key pair and certificate usage...................................................................................................................................... 15
4.5.1 Subscriber private key and certificate usage................................................................................................................... 15
4.5.2 Relying party public key and certificate usage............................................................................................................... 15
4.6 Certificate renewal............................................................................................................................................................. 15
4.6.1 Circumstance for certificate renewal................................................................................................................................. 15
4.6.2 Who may request renewal..................................................................................................................................................... 15
4.6.3 Processing certificate renewal requests............................................................................................................................ 15
4.6.4 Notification of new certificate issuance to subscriber.................................................................................................... 15
4.6.5 Conduct constituting acceptance of a renewal certificate............................................................................................ 15
4.6.6 Publication of the renewal certificate by the CA............................................................................................................. 15
4.6.7 Notification of certificate issuance by the CA to other entities.................................................................................... 16
4.7 Certificate re-key................................................................................................................................................................... 16
4.7.1 Circumstances for certificate re-key................................................................................................................................... 16
4.7.2 Who may request certification of a new public key......................................................................................................... 16
4.7.3 Processing certificate re-keying requests......................................................................................................................... 16
4.7.4 Notification of new certificate issuance to subscriber.................................................................................................... 16
4.7.5 Conduct constituting acceptance of a re-keyed certificate........................................................................................... 16
4.7.6 Publication of the re-keyed certificate by the CA............................................................................................................ 16
4.7.7 Notification of certificate issuance by the CA to other entities.................................................................................... 16
4.8 Certificate modification................................................................................................................................................... 16
4.8.1 Circumstances for certificate modification....................................................................................................................... 16
4.8.2 Who may request certificate modification......................................................................................................................... 17
4.8.3 Processing certificate modification requests.................................................................................................................... 17
4.8.4 Notification of new certificate issuance to subscriber.................................................................................................... 17
4.8.5 Conduct constituting acceptance of modified certificate.............................................................................................. 17
4.8.6 Publication of the modified certificate by the CA............................................................................................................ 17
4.8.7 Notification of certificate issuance by the CA to other entities.................................................................................... 17
4.9 Certificate revocation and suspension................................................................................................................... 17
4.9.1 Circumstances for revocation.............................................................................................................................................. 17
4.9.2 Who can request revocation................................................................................................................................................ 17
4.9.3 Procedure for revocation request....................................................................................................................................... 17
4.9.4 Revocation request grace period........................................................................................................................................ 18
4.9.5 Time within which CA must process the revocation request......................................................................................... 18
4.9.6 Revocation checking requirement for relying parties.................................................................................................... 18
4.9.7 CRL issuance frequency........................................................................................................................................................ 18
4.9.8 Maximum latency for CRLs.................................................................................................................................................. 18
4.9.9 On-line revocation/status checking availability............................................................................................................. 18
4.9.10 On-line revocation checking requirements.................................................................................................................... 18
4.9.11 Other forms of revocation advertisements available.................................................................................................... 18
4.9.12 Special requirements re key compromise........................................................................................................................ 18
4.9.13 Circumstances for suspension........................................................................................................................................... 18
4.9.14 Who can request suspension.............................................................................................................................................. 18
4.9.15 Procedure for suspension request.................................................................................................................................... 18
4.9.16 Limits on suspension period.............................................................................................................................................. 18
4.10 Certificate status services............................................................................................................................................ 19
4.10.1 Operational characteristics.............................................................................................................................................. 19
4.10.2 Service availability............................................................................................................................................................. 19
4.10.3 Optional features................................................................................................................................................................. 19
4.11 End of subscription.............................................................................................................................................................. 19
4.12 Key escrow and recovery................................................................................................................................................ 19
4.12.1 Key escrow and recovery policy and practices............................................................................................................. 19
4.12.2 Session key encapsulation and recovery policy and practices.................................................................................. 19
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS............................................................................................... 19
5.1 Physical controls.................................................................................................................................................................. 19
5.1.1 Site location and construction............................................................................................................................................ 19
5.1.2 Physical access....................................................................................................................................................................... 20
5.1.3 Power and Air Conditioning............................................................................................................................................... 20
5.1.4 Water Exposures..................................................................................................................................................................... 20
5.1.5 Fire Prevention and Protection.......................................................................................................................................... 20
5.1.6 Media storage......................................................................................................................................................................... 20
5.1.7 Waste Disposal....................................................................................................................................................................... 20
5.1.8 Off-site Backup....................................................................................................................................................................... 20
5.2 Procedural controls........................................................................................................................................................... 20
5.2.1 Trusted roles........................................................................................................................................................................... 20
5.2.2 Number of persons required per task................................................................................................................................. 20
5.2.3 Identification and authentication for each role.............................................................................................................. 20
5.2.4 Roles requiring separation of duties.................................................................................................................................. 20
5.3 Personnel controls............................................................................................................................................................... 20
5.3.1 Qualifications, experience and clearance requirements................................................................................................ 20
5.3.2 Background check procedures........................................................................................................................................... 20
5.3.3 Training requirements.......................................................................................................................................................... 21
5.3.4 Retraining frequency and requirements............................................................................................................................ 21
5.3.5 Job rotation frequency and sequence................................................................................................................................ 21
5.3.6 Sanctions for unauthorized actions................................................................................................................................... 21
5.3.7 Independent contractor requirements............................................................................................................................... 21
5.3.8 Documentation supplied to personnel............................................................................................................................... 21
5.4 Audit logging procedures.................................................................................................................................................. 21
5.4.1 Types of events recorded....................................................................................................................................................... 21
5.4.2 Frequency of processing log................................................................................................................................................ 21
5.4.3 Retention period for audit log............................................................................................................................................. 21
5.4.4 Protection of audit log.......................................................................................................................................................... 21
5.4.5 Audit log backup procedures.............................................................................................................................................. 22
5.4.6 Audit collection system (internal vs. external)................................................................................................................ 22
5.4.7 Notification to event-causing subject................................................................................................................................ 22
5.4.7 Notification to event-causing subject................................................................................................................................ 22
5.4.8 Vulnerability assessments.................................................................................................................................................... 22
5.5 Records archival.................................................................................................................................................................... 22
5.5.1 Types of records archived..................................................................................................................................................... 22
5.5.2 Retention Period for Archive............................................................................................................................................... 22
5.5.3 Protection of Archive............................................................................................................................................................ 22
5.5.4 Archive backup procedures................................................................................................................................................. 22
5.5.5 Requirements for time-stamping of records....................................................................................................................... 22
5.5.6 Archive collection system (internal or external)............................................................................................................. 23
5.5.7 Procedures to obtain and verify archive information..................................................................................................... 23
5.6 Key changeover........................................................................................................................................................................ 23
Lifetime of MD-Grid CA is 10 years and lifetime of end entity certificates is 1 year. The CA's private key is changed periodically; from that time on, the new key will be valid in order to sign new certificates or CRL lists of new certificates. The overlap of the old and new key must be at least one year. The older but still valid certificate must be available to verify old signatures and its private key must be used to sign CRLs until all the certificates signed using the associated key have expired or been revoked. 23
5.7 Compromise and Disaster Recovery............................................................................................................................ 23
5.7.2 Computing resources, software, and/or data are corrupted......................................................................................... 23
5.7.3 Entity private key compromise procedures....................................................................................................................... 23
5.7.4 Business continuity capabilities after a disaster............................................................................................................. 23
5.8 CA or RA Termination........................................................................................................................................................... 23
6. TECHNICAL SECURITY CONTROLS............................................................................................................................................. 24
6.1 Key Pair Generation and Installation..................................................................................................................... 24
6.1.1 Key Pair Generation............................................................................................................................................................. 24
6.1.2 Private key delivery to subscriber...................................................................................................................................... 24
6.1.3 Public key delivery to certificate issuer............................................................................................................................ 24
6.1.4 CA public key delivery to relying parties......................................................................................................................... 24
6.1.5 Key Sizes.................................................................................................................................................................................. 24
6.1.6 Public key parameters generation..................................................................................................................................... 24
6.1.7 Key usage purposes (as per X.509 v3 key usage field)................................................................................................... 24
6.2 Private key protection and cryptographic module engineering controls..................................................................... 24
6.2.1 Cryptographic module standards and controls............................................................................................................... 24
6.2.2 Private key (n out of m) multi-person control.................................................................................................................. 24
6.2.3 Private key escrow................................................................................................................................................................. 25
6.2.4 Private key backup................................................................................................................................................................ 25
6.2.5 Private key archival.............................................................................................................................................................. 25
6.2.6 Private key transfer into or from a cryptographic module............................................................................................ 25
6.2.7 Private key storage on cryptographic module................................................................................................................. 25
6.2.8 Method of activating private key........................................................................................................................................ 25
6.2.9 Method of deactivating private key................................................................................................................................... 25
6.2.10 Method of destroying private key..................................................................................................................................... 25
6.2.11 Cryptographic Module Rating......................................................................................................................................... 25
6.3 Other Aspects of Key Pair Management................................................................................................................... 25
6.3.1 Public Key Archival.............................................................................................................................................................. 25
6.3.2 Certificate operational periods and key pair usage periods........................................................................................ 25
6.4 Activation Data...................................................................................................................................................................... 26
6.4.1 Activation data generation and installation................................................................................................................... 26
6.4.2 Activation data protection................................................................................................................................................... 26
6.5 Computer security controls........................................................................................................................................... 26
6.5.1 Specific computer security technical requirements......................................................................................................... 26
6.5.2 Computer security rating..................................................................................................................................................... 26
6.6 Life Cycle technical controls........................................................................................................................................ 26
6.6.1 System development controls............................................................................................................................................... 26
6.6.2 Security management controls............................................................................................................................................ 26
6.6.3 Life cycle security controls................................................................................................................................................... 26
6.7 Network Security Controls............................................................................................................................................. 27
6.8 Time stamping............................................................................................................................................................................ 27
7. CERTIFICATE, CRL AND OCSP PROFILES.................................................................................................................................. 27
7.1 Certificate Profile................................................................................................................................................................. 27
7.1.1 Version Number...................................................................................................................................................................... 27
7.1.2 Certificate Extensions........................................................................................................................................................... 27
7.1.3 Algorithm Object Identifiers................................................................................................................................................. 27
7.1.4 Name Forms............................................................................................................................................................................ 27
7.1.5 Name constraints................................................................................................................................................................... 28
7.1.6 Certificate Policy Object Identifier..................................................................................................................................... 28
7.1.7 Usage of Policy Constraints extension.............................................................................................................................. 28
7.1.8 Policy qualifiers syntax and semantics.............................................................................................................................. 28
7.1.9 Processing semantics for the critical Certificate Policies extension........................................................................... 28
7.2 CRL profile.................................................................................................................................................................................... 28
7.2.1 Version number(s)................................................................................................................................................................. 28
7.2.2 CRL and CRL entry extensions............................................................................................................................................ 28
7.2.2.1 Authority key identifier..................................................................................................................................................... 28
7.2.2.2 CRL Number........................................................................................................................................................................ 28
7.3 OCSP profile................................................................................................................................................................................. 29
7.3.1 Version number(s)................................................................................................................................................................. 29
7.3.2 OCSP extensions.................................................................................................................................................................... 29
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS.................................................................................................................. 29
8.1 Frequency or circumstances of assessment........................................................................................................ 29
8.2 Identity/qualifications of assessor.......................................................................................................................... 29
8.3 Assessor's relationship to assessed entity........................................................................................................... 29
8.4 Topics covered by assessment......................................................................................................................................... 29
8.5 Actions taken as a result of deficiency................................................................................................................. 29
8.6 Communication of results............................................................................................................................................... 29
9 OTHER BUSINESS AND LEGAL MATTERS................................................................................................................................... 30
9.1 Fees.................................................................................................................................................................................................... 30
9.1.1 Certificate issuance or renewal fees................................................................................................................................... 30
9.1.2 Certificate access fees........................................................................................................................................................... 30
9.1.3 Revocation or status information access fees................................................................................................................... 30
9.1.4 Fees for other services........................................................................................................................................................... 30
9.1.5 Refund policy.......................................................................................................................................................................... 30
9.2 Financial responsibility..................................................................................................................................................... 30
9.2.1 Insurance coverage............................................................................................................................................................... 30
9.2.2 Other assets............................................................................................................................................................................. 30
9.2.3 Insurance or warranty coverage for end-entities............................................................................................................ 30
9.3 Confidentiality of business information................................................................................................................................ 30
9.3.1 Scope of confidential information...................................................................................................................................... 30
9.3.2 Information not within the scope of confidential information...................................................................................... 30
9.3.3 Responsibility to protect confidential information......................................................................................................... 30
9.4 Privacy of personal information................................................................................................................................ 30
9.4.1 Privacy plan............................................................................................................................................................................ 31
9.4.2 Information treated as private............................................................................................................................................. 31
9.4.3 Information not deemed private.......................................................................................................................................... 31
9.4.4 Responsibility to protect private information.................................................................................................................. 31
9.4.5 Notice and consent to use private information................................................................................................................ 31
9.4.6 Disclosure pursuant to judicial or administrative process............................................................................................ 31
9.4.7 Other information disclosure circumstances.................................................................................................................... 31
9.5 Intellectual property rights......................................................................................................................................... 31
9.6 Representations and warranties............................................................................................................................... 31
9.6.1 CA representations and warranties................................................................................................................................... 31
9.6.2 RA representations and warranties.................................................................................................................................... 31
9.6.3 Subscriber representations and warranties..................................................................................................................... 31
9.6.4 Relying party representations and warranties................................................................................................................ 31
9.6.5 Representations and warranties of other participants................................................................................................... 32
9.7 Disclaimers of warranties.............................................................................................................................................. 32
9.8 Limitations of liability...................................................................................................................................................... 32
9.9 Indemnities.................................................................................................................................................................................. 32
9.10 Term and termination....................................................................................................................................................... 32
9.10.1 Term........................................................................................................................................................................................ 32
9.10.2 Termination.......................................................................................................................................................................... 32
9.10.3 Effect of termination and survival.................................................................................................................................... 32
9.11 Individual notices and communications with participants.................................................................. 32
9.12 Amendments............................................................................................................................................................................. 32
9.12.1 Procedure for amendment.................................................................................................................................................. 32
9.12.2 Notification mechanism and period................................................................................................................................. 33
9.12.3 Circumstances under which OID must be changed....................................................................................................... 33
9.13 Dispute resolution provisions...................................................................................................................................... 33
9.14 Governing law......................................................................................................................................................................... 33
9.15 Compliance with applicable law............................................................................................................................... 33
9.16 Miscellaneous provisions................................................................................................................................................ 33
9.16.1 Entire agreement................................................................................................................................................................. 33
9.16.2 Assignment............................................................................................................................................................................ 33
9.16.3 Severability........................................................................................................................................................................... 33
9.16.4 Enforcement (attorneys' fees and waiver of rights)....................................................................................................... 33
9.16.5 Force Majeure...................................................................................................................................................................... 33
9.17 Other provisions...................................................................................................................................................................... 33
This document describes the rules and procedures used by the MD-Grid Certification Authority.
This document is organized according to the specifications proposed by the RFC 3647. It describes the procedure followed by MD-Grid (National Grid Initiative of Moldova) Certification Authority and is the combination of Certificate Policy and Certification Practice Statement (CP/CPS).
This document is a valid CP/CPS as of March 04, 2008, 09:00 UTC.
Document title: MD-Grid Certification Authority Certificate Policy and Certification Practice Statement
Document version: 1.3
Document date: 16.03.2009.
ASN.1 Object Identifier (OID): 1.3.6.1.4.1.31194.10.1.1.3
The next table describes the meaning of the OID:
|
1.3.6.1.4.1 |
Prefix for IANA private enterprises |
|
31194 |
RENAM registered identifier |
|
10 |
Certification Authorities |
|
1 |
CP/CPS |
|
1.3 |
Major and minor CP/CPS number. |
MD-Grid CA provides PKI services to the Moldavian academics and research communities who participate in national or international Grid activities. The MD-Grid CA does not issue or sign certificates to subordinate CAs.
The RA Operators are responsible for verifying Subscribers’ identities and approving their certificate requests. RA Operators do not issue certificates. The list of RAs is available on the MD-Grid CA website.
The MD-Grid CA issues user (personal), host and service certificates. Subscribers eligible for certification from MD-Grid CA must be:
All entities that use public keys of certificates, issued by MD-Grid CA, for signature verification and/or encryption, will be considered as relying parties.
No stipulation.
Personal certificates can be used to authenticate a user that would like to benefit from the Grid resources.
Host certificates can be used to identify computers that have special tasks related to the Grid activities.
Service certificates can be used to recognize the host applications and data or communication encryption (SSL/TLS).
In addition, it is permissible to use certificates for email signing.
Notwithstanding the above, using certificates for purposes contrary to Moldavian law is explicitly prohibited.
MD-Grid Security Group at RENAM is in charge of the management of MD-Grid CA.
Phone: +373 22 739827 or +373 22 234635
Fax: +373 22 288006
e-mail: ca@renam.md
Address:
5 Academiei str., of. 331
MD-2028, Chisinau
Moldova, Republic of
The contact person that can deal with any questions related to this document or operational issues:
Valentin Pocotilenco
Address:
RENAM Association
5 Academiei str., of. 331
MD-2028, Chisinau
Moldova, republic of
Phone: +373 22 739827 or +373 22 234635
Fax: +373 22 288006 or +373 22 234635
e-mail: pvv@renam.md
Alexei Altuhov
Address:
RENAM Association
5 Academiei str. of. 331
MD-2028, Chisinau
Moldova, republic of
Phone: +373 22 739827 or or +373 22 234635
Fax: +373 22 288006 or +373 22 234635
e-mail: alexx@renam.md
Website: http://ca.grid.md/
The CP/CPS document and all CPS modifications should be approved by the EuGridPMA before being applied.
|
RENAM |
Research and Educational Networking Association of Moldova |
|
ASN.1 |
Abstract Syntax Notation One (http://asn1.elibel.tm.fr/) |
|
CA |
Certification Authority |
|
CP/CPS |
Certificate Policy/Certification Practice Statement |
|
CRL |
Certificate Revocation List |
|
DNS |
Domain Name System |
|
FQDN |
Fully Qualified Domain Name |
|
HTTP |
Hypertext Transfer Protocol |
|
IANA |
Internet Assigned Numbers Authority |
|
IP |
Internet Protocol |
|
OCSP |
Online Certificate Status Protocol |
|
OID |
Object Identifier |
|
PKI |
Public Key Infrastructure |
|
RA |
Registration Authority |
|
RFC |
Request For Comment |
|
S/MIME |
Secure / Multipurpose Internet Mail Extensions |
|
SEE-GRID |
South East European GRid-enabled eInfrastructure Development |
|
SSL |
Secure Sockets Layer |
|
URL |
Uniform Resource Locator |
|
USB |
Universal Serial Bus |
The MD-Grid CA operates an on-line repository that contains:
The MD-Grid CA communication information for information regarding repositories is:
RENAM Certification authority
RENAM Association
5 Academiei str. of. 331
MD-2028, Chisinau
Moldova, republic of
Phone: +373 22 739827
Phone: +373 22 234635
Fax: +373 22 288006
e-mail: ca@renam.md
See section 2.1
Certificates will be put to the MD-Grid CA website as soon as they are issued.
The online repository is maintained on best effort basis and is available substantially on a 24 hours per day, 7 days per week basis, subject to reasonable scheduled maintenance.
MD-Grid CA may impose a more restricted access control policy to the repository at its discretion.
The MD-Grid CA does not impose any access control on its CP/CPS, issued certificates or CRLs.
The subject names for the certificate applicants shall follow the X.509.v3 RENAM registered identifier standard and compliant with RFC3280:
The subject name must represent the subscriber in a way that is easily understandable by humans and must have a reasonable association with the authenticated name of the subscriber. Each host certificate must be linked to a single network entity.
MD-Grid CA will neither issue nor sign pseudonymous or anonymous certificates.
See section 3.1.1.
The subject name included in the CN part of a certificate must be unique for all certificates issued by the MD-Grid CA. When essential, extra characters may be affixed to the original name to guarantee the uniqueness of the subject name.
Private keys must not be shared among end entities.
DNs cannot be recycled.
No stipulation.
The MD-Grid CA proves possession of the private key that is the companion to the public key in MD-Grid CA root certificate by issuing certificates and signing CRLs.
The MD-Grid CA verifies the possession of the private key relating to certificates requests by out-of-band, non-technical means at the time of authentication. Such verification may take the form of a directly posed question to requester. A cryptographic challenge-response exchange may be used to prove possession of the private key at any point in time before certification of subscriber.
The MD-Grid CA will not generate the key pair for subscribers and will not accept or retain private keys generated by subscribers.
The MD-Grid CA authenticates organizations by:
Certificate of a person:
The subject should contact personally the RA or CA staff in order to validate his/her identity. The subject authentication is fulfilled by providing an official document for personal identification (ID-card, driving license or a passport), and a valid document proving subject’s relation with an institute or organization, declaring that the subject is a valid end entity.
Certificate of a host or service:
Host or service certificates can only be requested by the administrator responsible for the particular host. In order to request a host or service certificate the following conditions must be met:
1.The host must have a valid FQDN.
2.The administrator must already possess a valid personal MD-Grid certificate.
3.The administrator must provide a proof of his or hers relation to the host itself.
The subscriber requesting service from the MD-Grid CA should contact personally the RA or CA staff in order to validate his/her identity.
MD-Grid CA or RA will archive photocopies of ID documents in case of user certificates and digitally signed e-mails in case of host or service certificates.
During the initial identity validation the requester's e-mail is not verified. This is done during the processing of the certificate application as described in section 4.2.2.
No stipulation.
No stipulation.
Expiration warnings will be sent to subscribers before it is re-key time. Re-key before expiration can be executed by stating a re-key request signed with the personal certificate of the subscriber but after 3 years face-to-face identity validation is required as described in 3.2.3. Re-key after expiration uses completely the same authentication procedure as new certificate.
The procedure for re-key after revocation is exactly the same with an initial registration.
Certificate revocation requests should be authenticated in one of the following ways:
The essential procedures that must be conformed in a certificate application request are as follows:
· The subject must be appropriate to the specifications stated in this policy.
· The key length of a generated certificate must be 1024 or 2048 bits.
· Use a strong passphrase of at least 12 characters.
MD-Grid CA issues the certificate only if, the authentication of the subject is successful. The applicant will be notified about the issuance by signed e-mail. If the authentication is not successful, the certificate is not issued and the applicant will also be notified.
4.2 Certificate application processing
All the certificate applications will be authenticated and validated by the MD-Grid CA and RAs as stated in section 3.2.3. In the cases of re-key of user certificate or request for host or service certificate, the authentication of the certificate application will take place by checking that the requester has a valid MD-Grid CA certificate. Upon successful authentication, the information included in the certificate request will be validated by RA or CA.
If the certificate request does not meet one or more of the criteria in 4.1.1, it will be rejected and the requester will be informed via e-mail.
Each certificate application will take no more that 5 working days to be processed.
CA will check that identity validation is properly performed as described in 3.2.3.
CA will ensure secure communication with RAs by signed e-mails or voice conversations.
Applicants will be notified via e-mail when the certificate is issued and the issued certificate will be hosted at the online CA repository.
If the user wants to accept the certificate, he or she must follow the procedure in section 4.4.1.
If a user wants to reject a certificate, he or she must submit a revocation request as described in section 4.9.
Subscribers of MD-Grid CA are required to agree with the following issues:
· acknowledgment of conditions and loyalty to the procedures interpreted in this document
· permanent provision of correct information to the MD-Grid CA and avoidance of unnecessary information out of purposes of this document
· use of the certificate for only authorized purposes that are stated in this document
· admission of restrictions to liability defined in section 9.8
· admission of statements about confidentiality of information emphasized in section 9.4
· key pair (public key and private key) generation using a secure method
· acceptable precautions against loss, disclosure or illegal use of the private key
· notifying MD-Grid CA in case private key is compromised or lost
· notifying MD-Grid CA in case of information change in the certificate
· notifying MD-Grid CA in case the subscriber requests to revoke the certificate
All the certificates issued by the MD-Grid CA will be published in the on-line repository operated by the MD-Grid CA.
If the RA has handled the communication with the subscriber, then it will be notified of the certificate issuance.
The RA will be informed about any certificate signatures and re-keys before expiration that were submitted through it.
The subscribers' private keys along with the certificates issued by the MD-Grid CA can be used for:
· email signing/verifying and encryption/decryption (S/MIME);
· server authentication and encryption of communications;
· authentication purposes in Grid Infrastructures;
· non-repudiation.
Relying parties can use the public keys and certificates of the subscribers for:
· email encryption and signature verification (S/MIME);
· server authentication and encryption of communications;
· authentication purposes in Grid infrastructures.
Relying parties must download the CRL at least once a day and implement its restrictions while validating certificates.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
MD-Grid CA will not renew subscribers’ certificates. Subscribers must follow the re-key procedure as defined in section 4.7.
Subscribers must regenerate their key pair in the following circumstances:
1.Expiration of their certificate signed by the MD-Grid CA;
2.Revocation of their certificate by the MD-Grid CA.
Every subscriber holding a valid MD-Grid CA certificate can request certificate under the circumstances given in section 4.7.1.
Expiration warnings will be sent to subscribers before it is re-key time.
a) Re-key before expiration can be executed by stating a re-key request signed with the private key corresponding to the public one in the valid personal certificate of the subscriber. The requester is not required to pass the authentication procedure described in section 3.2.3, if this does not contrast with c) or d).
b) Re-key after certificate expiration uses completely the same authentication procedure as that for the new certificate.
c) At least once every 3 years the subscriber must go through the same authentication procedure as the one described for a new certificate.
d) In case the request for a new certificate is due to revocation of certificate the subscriber must follow the same procedure as the one described in for a new one.
Same as in section 4.3.2
Same as in section 4.4.1
Same as in section 4.4.2
Same as in section 4.4.3
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
MD-Grid CA does not modify certificates. In case a modification is required
the revocation and re-key procedures should be followed.
A certificate will be revoked in the following situations:
· The CA is informed that the Subscriber has ceased to be an eligible subject as defined in 1.3.3:
· The Subscriber’s private key is lost or suspected to be compromised;
· The information in the Subscriber’s certificate is wrong or inaccurate, or suspected to be wrong or inaccurate;
· The Subscriber violates his/her obligations.
· The Subscriber does not need the certificate any more.
In one of the conditions above, end entity must request revocation of the certificate as soon as possible but within one working day.
The CA, RA, subscriber of the certificate or any other entity holding evidence of a revocation circumstance about that certificate can request revocation.
The entity requesting the certificate revocation is authenticated by signing the revocation request with a valid MD-Grid CA certificate. Otherwise authentication will be performed with the same procedure as described in section 3.2.3.
MD-Grid CA will process the revocation request with the highest priority. The maximum time for revocation must not exceed 1 working day.
MD-Grid CA will process all revocation requests within 1 working day.
Relying parts must download the CRL from the online-repository [section 2.1] at least once a day and implement its restrictions while validating certificates.
1.CRLs will be published in the on-line repository as soon as issued and at least once every 23 days;
2.The maximum CRL lifetime is 30 days;
3.Each new CRL is issued at least 7 days before expiration of the previous CRL.
No stipulation.
Currently there are no on-line revocation/status services offered by the MD-Grid CA.
Currently there are no on-line revocation/status services offered by the MD-Grid CA.
No stipulation.
No stipulation.
MD-Grid CA does not suspend certificates.
MD-Grid CA does not suspend certificates.
MD-Grid CA does not suspend certificates.
MD-Grid CA does not suspend certificates.
MD-Grid CA online repository contains list of valid certificates and list of revoked certificates (CRL). Both lists are continuously updated.
The on-line repository is maintained on best effort basis with intended availability of 24x7.
No stipulation.
No stipulation.
MD-Grid CA will not accept any key escrow or recovery services and will not
give keys on escrow as well.
No stipulation.
The MD-Grid CA operates in a controlled and protected room located in Technical University of Moldova.
The address is:
Technical University of Moldova
78, 31 August str.,
Chisinau
Moldova
Phone: +373 22 234635
E-mail: ca@renam.md
Physical access to the MD-Grid CA is restricted to authorized personnel only.
Premises containing the CA machine are air conditioned.
No stipulation.
Technical University of Moldova premises have a fire alarm system installed.
Backups are to be stored in removable storage media (CD-ROM, Floppies and USB Flash) in a safe location in Technical University of Moldova.
Floppy disks or CDs are physically destroyed before being trashed.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
Access to servers and applications is limited to the MD-Grid CA Security Personnel who are staff in RENAM.
No stipulation.
Internal training is given to MD-Grid CA and RA operators.
MD-Grid CA will perform operational audit of the CA/RA staff at least once per year. If the results of the operational audit are not satisfactory, retraining will be considered.
No stipulation.
No stipulation.
No stipulation.
Operational manual for CA and RA operators is supplied to the new MD-Grid CA personnel.
The following events are recorded by MD-Grid CA:
Each RA must keep log of the following:
Audit logs will be processed at least once per month.
Audit logs will be retained for a minimum of 3 years.
Only authorized CA personnel are allowed to view and process audit logs. Audit logs are kept in a safe storage in a room with limited access.
Audit logs are copied to an offline medium and kept in a safe storage in a room with limited access.
Audit log collection system is internal to the MD-Grid CA.
No stipulation.
No stipulation.
No stipulation.
The following data and files are recorded and archived by the CA:
Each RA must keep log of the following:
Minimum retention period is three years.
Archives are kept in a safe storage in a room with limited access.
All data and files are copied to an off-line medium.
No stipulation.
The archive collection system is internal to the MD-Grid CA.
No stipulation.
If the CA’s private key is (or is suspected to be) compromised, the CA will:
If an RA Operator’s private key is compromised or suspected to be compromised, the RA Operator or Manager must inform the CA and request the revocation of the RA Operator’s certificate.
No stipulation.
No stipulation.
No stipulation.
Before the CA terminates its services, it will:
Before the RA terminates its services, it will:
An advance notice of no less than 60 days will be given in the case of normal (scheduled) CA or RA termination.
Keys for the MD-Grid CA root certificate are generated on a dedicated machine, not connected to any type of network. The software used for key generation is OpenSSL.
Each subscriber must generate his/her own key pair.
As each applicant generates his/her own key pair, CA has no access to subscribers' private keys.
Applicants can make user/host/service certificate requests as described in section 4.1
The MD-Grid CA root certificate is available on the website: http://ca.grid.md/
For a user or host certificate the key size is 1024 or 2048 bits. The MD-Grid CA key size is 2048 bits.
No stipulation.
Keys may be used for authentication, non-repudiation, data encipherment, message integrity and session establishment..
The CA’ private key is only used for signing certificates and CRLs.
No stipulation.
No stipulation.
No stipulation.
A backup of the MD-Grid CA private key is kept encrypted in multiple copies in USB flash drive and CD-ROM in a safe location. The password for the private key is kept separately in paper form with an access control. Only authorized CA personnel have access to the backups.
MD-Grid CA does not archive private keys.
MD-Grid CA does not use any kind of cryptographic module.
MD-Grid CA does not use any kind of cryptographic module.
MD-Grid CA private key is protected by a passphrase of at least 15 characters and only known by authorized CA personnel.
The subscriber is required to generate a secure pass phrase, at least 12 characters long for the private key. Private key cannot be shared and it is subscriber responsibility to protect the private key properly.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
As a part of the certificate archival, the public key is archived.
MD-Grid CA root certificate has a validity of ten years.
End Entity certificates have maximum lifetime of 1 year.
MD-Grid CA does not generate activation data for subscribers. It's upon the subscriber to generate a secure pass phrase, at least 12 characters long, in order to be used as activation data for his/her private key.
MD-Grid CA private key is protected by a passphrase of at least 15 characters. Pass phrase is regenerated every 180 days by one of MD-Grid CA operators.
The MD-Grid CA does not have access to or generate the private keys of a subscriber. The key pair is generated and managed by the client and it is subscriber's responsibility to keep the private key secure.
The passphrase for the private key of CA root certificate is kept separately in paper form with an access limited to CA personnel.
6.4.3 Other aspects of activation data
No stipulation.
Computers operating at MD-Grid CA meet the following requirements:
No stipulation.
No stipulation.
No stipulation.
No stipulation.
Certificates are issued on a machine, not connected to any kind of network. Protection of other machines is provided by firewalls.
No stipulation.
X.509 v3
User, host or service certificate :
No stipulation.
Issuer:
DC=MD, DC=MD-Grid, O=RENAM, OU=Certification Authority, CN=MD-Grid-CA
Subject:
DC=MD, DC=MD-Grid, O=XXX, CN=Subject-name
Where XXX is the name or acronym of the institution. The “CN” field structure for the user or host/service are described in section 1.3.
In case of person, the CN part of DN can contain only letters, numbers and following special characters: left round bracket (‘(’), right round bracket (‘)’), space (‘ ‘) and hyphen (‘-‘). In case of host and service, the CN part of DN can contain only letters, numbers and following special characters: dot (‘.‘) and hyphen (‘-‘). Additionally, in case of grid service certificate character ‘/’ can be used. The maximal length of the CN is 128 characters for all types of certificates.
Subject attribute constraints:
Domain Component:
must be “MD”
Domain Component:
must be “MD-Grid”
Organization:
must be name or acronym of the institution
CommonName:
First name and last name of the subject for user certificate, DNS FQDN for host certificate. In case of service certificate the subject name must include the service name and the DNS FQDN separated by a “/”.
See section 1.2.
No stipulation.
No stipulation.
No stipulation.
CRLs are in X.509 v2 format, compliant with RFC 3280. SHA1 algorithm is used to generate CRLs.
The CRL extension Authority Key Identifier will be used in CRLs. CRL entry extensions used are: CRL Number and CRL Reason Code. They are described in the following sections.
Non-critical extension, a unique identifier for the CA key as defined in RFC 3280.
Non-critical extension, the number of current CRL as defined in RFC 3280.
7.2.2.3 CRL Reason Code
Non-critical extension, carrying the revocation reason code as specified in RFC3280, section 5.3.1.
No stipulation.
No stipulation.
No stipulation.
The MD-Grid CA must allow to be audited by other trusted CAs to verify its compliance with the rules and procedures specified in this document. Any costs associated with such an audit must be covered by the requesting party.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No fees shall be charged.
No fees shall be charged.
No fees shall be charged.
No fees shall be charged.
No fees shall be charged, so there is no refund policy.
MD-Grid CA denies any financial responsibilities for damages or impairments resulting from its operation.
MD-Grid CA does not collect any confidential or private information. Except for the case when CA or RA archives copies of ID documents for identity validation of a user certificate request. MD-Grid CA guarantees that this personal information will not be used for any other purposes.
No stipulation.
No stipulation.
MD-Grid CA collects the following information which is not deemed as private:
1.subscriber's e-mail address;
2.subscriber's name;
3.subscriber's organization;
MD-Grid CA has not responsibility to protect private information as all the information it collects is public.
No stipulation.
No stipulation.
No stipulation.
1.RFC 3647;
2.HellasGrid CA Certificate Policy;
3.TR-Grid CA Certificate Policy;
4.UK e-Science CA Certificate Policy;
5.SEE-GRID CA Certificate Policy;
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
1.MD-Grid CA guarantees to control the identity of the certification requests according to the procedures described in this document;
2.MD-Grid CA guarantees to control the identity of the revocation requests according to the procedures described in this document;
3.MD-Grid CA is run on a best effort basis.
4.MD-Grid CA guarantees its service security.
5.MD-Grid CA shall not be held liable for any problems arising from its operation or improper use of the issued certificates ;
6.MD-Grid CA denies any kind of responsibilities for damages or impairments resulting from its operation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
Subscribers will not be informed in advance if the CP / CPS document is changed. Changes are announced to EUGridPMA and get approved before the new CP/CPS is declared on the website as defined in section 2.3. Changes are published on the website as well.
No stipulation.
OID must change whenever the version of CP/CPS document is updated.
Legal disputes arising from the operation of the MD-Grid CA will be resolved according to the Moldovian Law.
The enforceability, construction, interpretation, and validity of this policy shall be governed by the Laws of Moldova, republic of.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
The CP/CPS document and all CPS modifications should be approved by the EuGridPMA before being applied.