[cabfpub] Potential Discussion Item for Thursday's Call

Ben Wilson ben.wilson at digicert.com
Tue May 12 22:00:40 UTC 2015


Last week the Policy Review Working Group reviewed version 1.3 of the
Baseline Requirements (BRs) and compared it with version 1.2.5 of the BRs
and RFC 3647. We only got through Section 6--we didn't get to Sections 7,
8 or 9. We identified gaps and labelled them as "No Stipulation/Not
Applicable" (Yellow), "Important to Address" (Magenta), "Potential Content"
(Light Blue) (for sections where we thought something should/could go), and
we identified a few places where a cross-reference would avoid redundancy
(Red). See below.

I'll circulate our review of sections 7, 8 and 9 after the next working
group meeting, but I'm sending this out just in case anyone wants to discuss
this on Thursday's call.


BR v.1.3 | Title                                                               | Title in BR v. 1.2.5 / Proposed Resolution of Gap
---------|---------------------------------------------------------------------|--------------------------------------------------------------------------
1        | Introduction                                                        | Intro
1.1.     | Overview                                                            | Scope
1.2.     | Document name and Identification                                    | Reserved Certificate Policy Identifiers
1.2.1.   | Revisions                                                           | Document History
1.2.2.   | Relevant Dates                                                      | Relevant Compliance Dates
1.3.     | PKI Participants                                                    |
1.3.1.   | Certification Authorities                                           | Intro
1.3.2.   | Registration Authorities                                            |
1.3.3.   | Subscribers                                                         |
1.3.4.   | Relying Parties                                                     | Intro
1.3.5.   | Other Participants                                                  | Intro
1.4.     | Certificate Usage                                                   | Purpose
1.4.1.   | Appropriate Certificate Uses                                        |
1.4.2.   | Prohibited Certificate Uses                                         | No Stipulation
1.5.     | Policy administration                                               | Notice to Readers
1.5.1    | Organization administering the document                             | Notice to Readers
1.5.2    | Contact Person                                                      | Potential content
1.5.3    | Person determining CPS suitability for the policy                   | No Stipulation
1.5.4    | CPS approval procedures                                             | No Stipulation
1.6.     | Definitions and acronyms                                            |
1.6.1.   | Definitions                                                         | Definitions
1.6.2.   | Acronyms                                                            | Abbreviations and Acronyms
1.6.3.   | References                                                          | References
1.6.4.   | Conventions                                                         | Conventions
2        | PUBLICATION AND REPOSITORY RESPONSIBILITIES                         | Implementation
2.1.     | Repositories                                                        | Mechanisms
2.2.     | Publication of information                                          | Disclosure, Commitment to Comply
2.3.     | Time or frequency of publication                                    | Potential content
2.4.     | Access controls on repositories                                     | Potential content
3        | IDENTIFICATION AND AUTHENTICATION                                   |
3.1.     | Naming                                                              |
3.1.1    | Types of names                                                      | Potential content
3.1.2    | Need for names to be meaningful                                     | Important to address
3.1.3    | Anonymity or pseudonymity of subscribers                            | No Stipulation
3.1.4    | Rules for interpreting various name forms                           | Potential content
3.1.5    | Uniqueness of names                                                 | Important to address
3.1.6    | Recognition, authentication, and role of trademarks                 | Potential content
3.2.     | Initial identity validation                                         |
3.2.1.   | Method to Prove Possession of Private Key                           | Important to address
3.2.2.   | Authentication of Organization and Domain Identity                  | Verification of Subject Identity Information
3.2.2.1  | Identity                                                            | Identity
3.2.2.2  | DBA/Tradename                                                       | DBA/Tradename
3.2.2.3  | Verification of Country                                             | Verification of Country
3.2.2.4  | Authorization by Domain Name Registrant                             | Authorization by Domain Name Registrant
3.2.2.5  | Authentication for an IP Address                                    | Authentication for an IP Address
3.2.2.6  | Wildcard Domain Validation                                          | Wildcard Domain Validation
3.2.2.7  | Data Source Accuracy                                                | Data Source Accuracy
3.2.3.   | Authentication of Individual Identity                               | Verification of Individual Applicant
3.2.4.   | Non-verified Subscriber Information                                 | Potential content
3.2.5.   | Validation of Authority                                             | Authenticity of Certificate Request
3.2.6.   | Criteria for Interoperation or Certification                        | Trust Model
3.3.     | Identification and authentication for re-key requests               |
3.3.1.   | Identification and Authentication for Routine Re-key                | Age of Certificate Data
3.3.2.   | Identification and Authentication for Re-key After Revocation       | No Stipulation
3.4.     | Identification and authentication for revocation request            | Important to address
4        | CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS                     |
4.1.     | Certificate Application                                             |
4.1.1.   | Who Can Submit a Certificate Application                            | Denied List
4.1.2.   | Enrollment Process and Responsibilities                             | Documentation Requirements, Certificate Request
4.2.     | Certificate application processing                                  |
4.2.1.   | Performing Identification and Authentication Functions              | Information Requirements, High Risk Requests
4.2.2.   | Approval or Rejection of Certificate Applications                   | New gTLD Domains
4.2.3.   | Time to Process Certificate Applications                            | No Stipulation
4.3.     | Certificate issuance                                                |
4.3.1.   | CA Actions during Certificate Issuance                              | Certificate Issuance by a Root CA
4.3.2.   | Notification of Certificate Issuance                                | Potential content
4.4.     | Certificate acceptance                                              | No Stipulation
4.5.     | Key pair and certificate usage                                      |
4.5.1    | Subscriber private key and certificate usage                        | Potential content
4.5.2    | Relying party public key and certificate usage                      | No Stipulation
4.6.     | Certificate renewal                                                 | Potential content
4.7.     | Certificate re-key                                                  | Potential content
4.8.     | Certificate modification                                            | Potential content
4.9.     | Certificate revocation and suspension                               |
4.9.1.   | Circumstances for Revocation                                        |
4.9.1.1  | Reasons for Revoking a Subscriber Certificate                       | Reasons for Revoking a Subscriber Certificate
4.9.1.2  | Reasons for Revoking a Subordinate CA Certificate                   | Reasons for Revoking a Subordinate CA Certificate
4.9.2.   | Who Can Request Revocation                                          | See Section 3.4
4.9.3.   | Procedure for Revocation Request                                    | Revocation Request, Certificate Problem Reporting
4.9.4.   | Revocation Request Grace Period                                     | No Stipulation
4.9.5.   | Time within which CA Must Process the Revocation Request            | Investigation
4.9.6.   | Revocation Checking Requirement for Relying Parties                 | Potential content
4.9.7.   | CRL Issuance Frequency                                              | Repository
4.9.8.   | Maximum Latency for CRLs                                            | No Stipulation
4.9.9.   | On-line Revocation/Status Checking Availability                     | OCSP Signing
4.9.10.  | On-line Revocation Checking Requirements                            | Repository, Response for non-issued certificates
4.9.11.  | Other Forms of Revocation Advertisements Available                  |
4.9.12.  | Special Requirements Related to Key Compromise                      |
4.9.13.  | Circumstances for Suspension                                        | Certificate Suspension
4.9.14.  | Who Can Request Suspension                                          | Not applicable
4.9.15.  | Procedure for Suspension Request                                    | Not applicable
4.9.16.  | Limits on Suspension Period                                         | Not applicable
4.10.    | Certificate status services                                         |
4.10.1.  | Operational Characteristics                                         | Deletion of Entries
4.10.2.  | Service Availability                                                | Repository, Response, Response Time
4.10.3.  | Optional Features                                                   | No Stipulation
4.11.    | End of subscription                                                 | No Stipulation
4.12.    | Key escrow and recovery                                             | No Stipulation
5        | MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS                      | Data Security, Objectives, Risk Assessment, Security Plan, System Security
5.1.     | Physical security Controls                                          | Important to address
5.2.     | Procedural controls                                                 |
5.2.1.   | Trusted Roles                                                       | Important to address
5.2.2.   | Number of Individuals Required per Task                             | Private Key Protection
5.2.3.   | Identification and Authentication for Trusted Roles                 | Important to address
5.2.4.   | Roles Requiring Separation of Duties                                | Important to address
5.3.     | Personnel controls                                                  |
5.3.1.   | Qualifications, Experience, and Clearance Requirements              | Identity and Background Verification
5.3.2.   | Background Check Procedures                                         | Important to address
5.3.3.   | Training Requirements and Procedures                                | Training and Skill Level
5.3.4.   | Retraining Frequency and Requirements                               | Training and Skill Level
5.3.5.   | Job Rotation Frequency and Sequence                                 | No Stipulation
5.3.6.   | Sanctions for Unauthorized Actions                                  | Important to address
5.3.7.   | Independent Contractor Controls                                     | Delegation of Functions, General
5.3.8.   | Documentation Supplied to Personnel                                 | Important to address
5.4.     | Audit logging procedures                                            |
5.4.1.   | Types of Events Recorded                                            | Documentation, Event Logging, Events, Actions
5.4.2.   | Frequency for Processing and Archiving Audit Logs                   | Important to address
5.4.3.   | Retention Period for Audit Logs                                     | Events and Actions
5.4.4.   | Protection of Audit Log                                             | Important to address
5.4.5.   | Audit Log Backup Procedures                                         | No Stipulation
5.4.6.   | Audit Log Accumulation System (internal vs. external)               | No Stipulation
5.4.7.   | Notification to Event-Causing Subject                               | No Stipulation
5.4.8.   | Vulnerability Assessments                                           | Risk Assessment
5.5.     | Records archival                                                    |
5.5.1.   | Types of Records Archived                                           | Important to address
5.5.2.   | Retention Period for Archive                                        | Documentation Retention
5.5.3.   | Protection of Archive                                               | Important to address
5.5.4.   | Archive Backup Procedures                                           | No Stipulation
5.5.5.   | Requirements for Time-stamping of Records                           | No Stipulation
5.5.6.   | Archive Collection System (internal or external)                    | No Stipulation
5.5.7.   | Procedures to Obtain and Verify Archive Information                 | No Stipulation
5.6.     | Key changeover                                                      | No Stipulation
5.7.     | Compromise and disaster recovery                                    |
5.7.1.   | Incident and Compromise Handling Procedures                         | Business Continuity
5.7.2.   | Recovery Procedures if Computing Resources, ... Are Corrupted       | Important to address
5.7.3.   | Recovery Procedures After Key Compromise                            | Important to address
5.7.4.   | Business Continuity Capabilities after a Disaster                   | See Section 5.7.1.
5.8.     | CA or RA termination                                                | Important to address
6        | TECHNICAL SECURITY CONTROLS                                         |
6.1.     | Key pair generation and installation                                |
6.1.1.   | Key Pair Generation                                                 |
6.1.1.1  | CA Key Pair Generation                                              | Key Generation Ceremony
6.1.1.2  | RA Key Pair Generation                                              | Important to address
6.1.1.3  | Subscriber Key Pair Generation                                      | Public Key
6.1.2.   | Private Key Delivery to Subscriber                                  | Subscriber Private Key
6.1.3.   | Public Key Delivery to Certificate Issuer                           | Potential content
6.1.4.   | CA Public Key Delivery to Relying Parties                           | Potential content
6.1.5.   | Key Sizes                                                           | Cryptographic Algorithm and Key Requirements
6.1.6.   | Public Key Parameters Generation and Quality Checking               | Cryptographic Algorithm and Key Requirements
6.1.7.   | Key Usage Purposes                                                  | Certificate Issuance by a Root CA
6.2.     | Private Key Protection and Cryptographic Module Engineering Controls | Private Key Protection
6.2.1.   | Cryptographic Module Standards and Controls                         | Potential content
6.2.2.   | Private Key (n out of m) Multi-person Control                       | No Stipulation
6.2.3.   | Private Key Escrow                                                  | No Stipulation
6.2.4.   | Private Key Backup                                                  | See Section 5.2.2.
6.2.5.   | Private Key Archival                                                | Subordinate CA Private Key
6.2.6.   | Private Key Transfer into or from a Cryptographic Module            | Subordinate CA Private Key
6.2.7.   | Private Key Storage on Cryptographic Module                         | Private Key Protection
6.2.8.   | Activating Private Keys                                             | Important to address
6.2.9.   | Deactivating Private Keys                                           | Important to address
6.2.10.  | Destroying Private Keys                                             | Important to address
6.2.11.  | Cryptographic Module Capabilities                                   | No Stipulation
6.3.     | Other aspects of key pair management                                | No Stipulation
6.3.1.   | Public Key Archival                                                 | No Stipulation
6.3.2.   | Certificate Operational Periods and Key Pair Usage Periods          | Subscriber Certificates, Validity Period
6.4.     | Activation data                                                     | Potential content
6.5.     | Computer security controls                                          |
6.5.1.   | Specific Computer Security Technical Requirements                   | System Security
6.5.2.   | Computer Security Rating                                            | No Stipulation
6.6.     | Life cycle technical controls                                       | Important to address
6.7.     | Network security controls                                           | Important to address
6.8.     | Time-stamping                                                       | Potential content
