PKI Framework

CA's services administration processes and procedures

CA Business Practices Disclosure

The Certification Authority discloses its business practices, including but not limited to the following:

General

Identification of each CP and CPS for which the CA issues certificates

Community and applicability, including a description of the types of entities within the PKI and the applicability of certificates issued by the CA

Contact details and administrative provisions, including:

  • Contact person
  • Identification of Policy Authority
  • Street address
  • Version and effective date(s) of each CP and CPS

Any applicable provisions regarding apportionment of liability

Financial responsibility, including:

  • Indemnification by relying parties
  • Fiduciary relationships

Interpretation and enforcement, including:

  • Governing law
  • Severability, survival, merger, and notice
  • Dispute resolution procedures

Fees, including:

  • Certificate issuance or renewal fees
  • Certificate access fees
  • Revocation or status information access fees
  • Fees for other services such as policy information
  • Refund policy

Publication and repository requirements, including:

  • Publication of CA information
  • Frequency of publication
  • Access controls

Compliance audit requirements including:

  • Frequency of entity compliance audit
  • Auditor's relationship to audited party
  • Topics covered by audit
  • Actions taken as a result of deficiency
  • Communication of results

Description of the conditions for applicability of certificates issued by the CA that reference a specific Certificate Policy, including:

  • Specific permitted uses for the certificates if such use is limited to specific applications
  • Limitations on the use of certificates if there are specified prohibited uses for such certificates

CA and/or RA obligations:

  • Notification of issuance of a certificate to the subscriber who is the subject of the certificate being issued
  • Notification of issuance of a certificate to others than the subject of the certificate
  • Notification of revocation or suspension of a certificate to the subscriber whose certificate is being revoked or suspended
  • Notification of revocation or suspension of a certificate to others than the subject whose certificate is being revoked or suspended

RA obligations, including:

  • Identification and authentication of subscribers
  • Validation of revocation and suspension requests
  • Verification of subscriber renewal or rekey requests

Repository obligations, including:

  • Timely publication of certificates and Certificate Revocation Lists

Subscriber obligations, including:

  • Accuracy of representations in certificate application
  • Protection of the subscriber's private key
  • Restrictions on private key and certificate use
  • Notification upon private key compromise

Relying party obligations, including:

  • Purposes for which certificate is used
  • Digital signature verification responsibilities
  • Revocation and suspension checking responsibilities
  • Acknowledgment of applicable liability caps and warranties

Any applicable reliance or financial limits for certificate usage

Certificate Life Cycle Management

Whether certificate suspension is supported

Initial registration, including a description of the CA's requirements for the identification and authentication of subscribers and validation of certificate requests during entity registration or certificate issuance:

  • Types of names assigned to the subject and rules for interpreting various name forms
  • Whether names have to be meaningful or not
  • Whether names have to be unique
  • How name claim disputes are resolved
  • Recognition, authentication, and role of trademarks
  • If and how the subject must prove possession of the companion private key for the public key being provided for a certificate
  • How the subscriber's public key is provided securely to the CA for issuance of a certificate
  • Authentication requirements for organizational identity of subject
  • Authentication of individual identity
  • Required certificate request data
  • How the CA verifies the authority of the subscriber to request a certificate
  • How the CA verifies the accuracy of the information included in the subscriber's certificate request
  • Whether the CA checks certificate requests for errors or omissions

Registration requirements where external Registration Authorities are used, including the CA's procedures for:

  • Validating the identity of external Registration Authorities
  • Authorizing external Registration Authorities
  • Requirements for the external Registration Authority to secure that part of the certificate application, certificate renewal, and certificate rekey processes for which the RA assumes responsibility
  • How the CA verifies the authenticity of certificate request submissions received from an external RA

Certificate renewal, including a description of the CA's procedures for the following:

  • Notifying subscribers of the need for renewal
  • Identification and authentication
  • Renewal request verification

Certificate issuance, including a description of the requirements regarding the following:

  • Issuance of a certificate
  • Notification to the applicant of such issuance
  • Certificate format requirements
  • Validity period requirements
  • Extension field requirements (meaning, what extension fields are honored, and how they are to be populated)

Certificate acceptance, including a description of the requirements regarding acceptance of an issued certificate and for consequent publication of certificates

Certificate revocation, including:

  • Circumstances under which a certificate may or must be revoked
  • Identification and authentication procedures required for revocation requests
  • Procedures used for initiation, authorization, and verification of certificate revocation requests
  • Revocation request grace period available to the subscriber
  • Any variations on the preceding stipulations in the event that the revocation is the result of private key compromise (as opposed to other reasons for revocation)
  • Procedures to provide a means of rapid communication to facilitate the secure and authenticated revocation of:
    • one or more certificates of one or more entities;
    • the set of all certificates issued by a CA based on a single public/private key pair used by a CA to generate certificates; and
    • all certificates issued by a CA, regardless of the public/private key pair used
  • Procedures for notifying the subscriber upon revocation of the subscriber's certificate
  • Whether the external Registration Authority is notified upon the revocation of a subscriber's certificate for which the revocation request was processed by the external RA
  • How and when the subscriber's certificate status information is updated upon certificate revocation