[cabfcert_policy] CA Components

Barreira Iglesias, Iñigo i-barreira at izenpe.eus
Thu Jun 2 23:31:21 MST 2016


Peter, in ETSI the certification services have also sub-services such as:

The certification services are broken down in the present document into the following component services for the purposes of classifying requirements:
•	Registration service: verifies the identity and if applicable, any specific attributes of a subject. The results of this service are passed to the certificate generation service.
NOTE 2:	This service includes proof of possession of non-CA generated subject private keys.
•	Certificate generation service: creates and signs certificates based on the identity and other attributes verified by the registration service. This can include key generation.
•	Dissemination service: disseminates certificates to subjects, and if the subject consents, makes them available to relying parties. This service also makes available the TSP's terms and conditions, and any published policy and practice information, to subscribers and relying parties.
•	Revocation management service: processes requests and reports relating to revocation to determine the necessary action to be taken. The results of this service are distributed through the revocation status service.
•	Revocation status service: provides certificate revocation status information to relying parties.
•	Subject device provision service (optional): prepares, and provides or makes available secure cryptographic devices, or other secure devices, to subjects.


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus 
945067705




-----Original Message-----
From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On behalf of Peter Bowen
Sent: Thursday, June 2, 2016 19:42
To: policyreview at cabforum.org
Subject: [cabfcert_policy] CA Components

On the policy WG call today, there was a discussion of diagramming the components in a CA. I’ve seen a number of components defined in various Certificate Policies. The items below are pulled from several docs, including a NIST model CP and several commercial CA CPs. Are there other components worth mentioning? Does anyone who does Subscriber Key Escrow have additional components relevant to that functionality?

Thanks,
Peter

Certificate Service Provider components:

Certification Authority (probably the top level component?)

CA Management Authority

Registration Authority

Local Registration Authority

Certificate Manufacturing Authority (I think this is the same as a Certificate Management System) with subcomponents:
- Cryptographic module
- CA Key Storage
- Audit Log persistence
- <thing that talks to cryptographic module> (needs name)

Certificate Status Authority with subcomponents:
- OCSP Response Signers
- OCSP Responders

Repository Service Provider (distributes CRLs and Issuer certificates)

Policy Authority

 

End Entity roles:

Subscribers

Relying Parties

 

Others:

Trust Anchor List maintainer (usually an Application Software Supplier that operates a Root Certificate Program)