DOE Grids CA
Certificate Policy
and
Certification Practice Statement
Version 2.10
Editor: Michael Helm
March 28, 2008
1.3 Community and Applicability
1.3.1 Certification Authorities
1.3.2 Registration Authorities
2.1.3 Relying Party Obligations
2.4 Interpretation and Enforcement
2.6 Publication and Repositories
2.6.1 Publication of CA information
2.6.2 Frequency of Publication
2.9 Intellectual Property Rights
3 Identification and Authentication
3.1.4 Method to Prove Possession of Private Key
3.1.5 Authentication of Individual Identity
4.2 Certificate Request cancellation
4.5 Certificate Suspension and Revocation
4.5.1 Circumstances for Revocation
4.5.2 Who Can Request Revocation
4.5.3 Procedure for Revocation Request
4.5.4 Circumstances for Suspension
4.5.6 Online Revocation/status checking availability
4.5.7 Online Revocation checking requirements
4.5.8 Other forms of revocation advertisement available
4.7.2 Retention Period for Archives
4.9 Compromise and Disaster Recovery
5 Physical, Procedural and Personnel Security Controls
5.1 Physical Security Controls
5.3 Personnel Security Controls
6.1 Key Pair Generation and Installation
6.1.2 Private Key Delivery to Entity
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Users
6.1.6 Public Key Parameters Generation
6.1.7 Parameter Quality Checking
6.1.8 Hardware/Software Key Generation
6.2.1 Private Key (n out of m) Multi person control
6.2.3 Private Key Archival and Backup
6.3 Other Aspects of Key Pair Management
6.5 Computer Security Controls
6.5.1 Specific Computer Security Technical Requirements
6.5.2 Computer Security Rating
6.6 Life-Cycle Security Controls
6.8 Cryptographic Module Engineering Controls
7 Certificate and CRL Profiles
7.1.3 Algorithm Object identifiers
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints Extensions
7.1.8 Policy qualifier syntax and semantics
7.2.2 CRL and CRL Entry Extensions
8 Specification Administration
8.1 Specification Change Procedures
8.2 Publication and Notification Procedures
Appendix A: General Guidelines for DOEGrids Registration Authorities, Agents and Grid Admins
A.3 Agreements for Registration Authority, Agents and Grid Admins
A.3.1 RA declaration to DOEGrids PMA
A.3.2 Letter requesting assignment of RA Agent Role
A.3.3 Letter requesting RA Agent Role
Appendix B: PPDG RA operational procedure
B.2.2 Point of Contact (POC) with DOE GRIDS CA
B.4.1 Authentication of individual identity.
B.4.3 Steps in authentication for certification
B.4.3.2 Host or Service Certificate
Appendix C: National Fusion Collaboratory's RA operational Procedures
C.2.2 Point of Contact (POC) with DOE GRIDS CA (agent)
C.4.1 Authentication of individual identity.
C.4.3 Steps in authentication for certification
C.4.3.2 Host or Service Certificate
Appendix D: NERSC RA operational procedures
D.2.2 Point of Contact (POC) with DOE GRIDS CA
D.4.1 Authentication of individual identity.
D.4.3 Steps in authentication for certification
Appendix E: Lawrence Berkeley Lab's RA operational Procedures
E.2.2 Point of Contact (POC) with DOE GRIDS CA
E.4.1 Authentication of individual identity
E.4.3 Steps in Authentication for Certification
Appendix F: ORNL RA operational procedures
F.2.2 Point of Contact (POC) with DOE GRIDS CA
F.4.1 Authentication of individual identity.
F.4.3 Steps in authentication for certification
Appendix G: ANL RA operational procedures
G.2.2 Point of Contact (POC) with DOEGrids CA
G.2.3 Authentication to DOEGrids CA
G.2.4 Communication with DOEGrids CA
G.4.1 Authentication of individual identity
G.4.3 Steps in authentication for certification
Appendix H: PNNL RA operational procedures
H.2.2 Point of Contact (POC) with DOE GRIDS CA
H.4.1 Authentication of individual identity.
H.4.3 Steps in authentication for certification
Appendix I: iVDGL RA operational procedures
I.4.1 Authentication of individual identity.
I.4.3 Steps in authentication for personal certification
I.4.4 Steps in authentication for host/service certification
Appendix J: ESG RA operational procedures
J.2.2 Point of Contact (POC) with DOE GRIDS CA
J.4.1 Authentication of individual identity.
J.4.3 Steps in authentication for certification
J.4.3.2 Host or Service Certificate
Appendix K: FNAL RA operational procedures
K.2.2 Point of Contact (POC) with DOE GRIDS CA
K.4.1 Authentication of individual identity
K.4.3 Steps in authentication for certification
Appendix L: Guidelines for Security Incident Response and Resolution
Appendix M: LCG RA operational procedures
M.2.2 Point of Contact (POC) with DOE GRIDS CA
M.4.1 Authentication of individual identity.
M.4.3 Steps in authentication for certification
Appendix N: Open Science Grid (OSG) RA operational procedures
N.2.2 Point of Contact (POC) with DOE GRIDS CA
N.4.1 Authentication of individual identity.
N.4.3 Steps in authentication for certification
Appendix O: General Guidelines for DOEGrids CA operations
Appendix P: Philips Research (US) RA operational procedures
P.2 Philips Research (US) RA staff
P.2.2 Point of Contact (POC) with DOE GRIDS CA
P.3 Philips Research (US) Community
P.4.1 Authentication of individual identity
P.4.3 Steps in authentication for certification
This document is structured according to RFC 2527 [RFC2527]. Not all sections of RFC 2527 are used. Sections that are not included have a default value of "No stipulation".
This document describes the set of rules and procedures established by the DOE Grids Policy Management Authority (PMA) for the operation of the DOE Grids PKI service. ESnet operates the DOE Grids Public Key Infrastructure under the authority of the DOE Grids PMA. ESnet and the data center housing the PKI servers are located at Lawrence Berkeley National Laboratory, Berkeley, California.
This document includes both the Certificate Policy and the Certification Practice Statement for the DOE Grids PKI. The general architecture is a single Certificate Authority with multiple Registration Authorities. The Certificate Authority is subordinate to the ESnet root CA. There is a Registration Authority for each DOE Grids site or Virtual Organization (VO). Each Registration Authority is responsible for vetting the identities of the users in its community. Guidelines specific to the individual RAs of the DOE Grids PKI are covered in the VO or site appendices of this document.
The DOEGrids PKI is a traditional X.509 Public Key Certification Authority that complies with the IGTF Profile for Traditional X.509 Public Key Certification Authorities with Secure Infrastructure, version 4.0. The intent of the DOE Grids PKI is to issue identity and service certificates for use on Grids, for DOE researchers and their colleagues. These certificates are compatible with the Globus middleware used on these Grids.
DOEGrids personal certificates by themselves are not to be used for determining authorization. A DOEGrids personal certificate can be used only to assert the identity of the individual to whom it was assigned. Authorization decisions must be based on criteria other than the DOEGrids personal certificate.
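The following is an added example, not part of this CP/CPS and not DOEGrids or Globus code, showing how a Grid relying party keeps the two steps apart: the validated certificate supplies only a subject DN, and the decision about what that DN may do comes from a separate authorization list. The list here uses the grid-mapfile line format that Globus-based sites use (a quoted DN followed by one or more comma-separated local accounts); the DNs, account names and mapfile contents are constructed for illustration and are not real DOEGrids data. The example assumes chain validation has already been done elsewhere and that DN comparison is an exact string match.

```python
"""Separating identity (from the certificate) from authorization (from a mapfile).

Added example, not DOEGrids or Globus code. The relying party is assumed to
have validated the certificate chain already; the only thing the certificate
contributes here is the subject DN. The mapfile alone decides what that DN
may do. DNs, usernames and mapfile contents are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (not real DOEGrids data). Format assumed:
#   "<subject DN>" account1[,account2,...]
SAMPLE_GRIDMAP = '''
# Comment lines and blank lines are ignored.
"/DC=org/DC=doegrids/OU=People/CN=Jane Doe 12345" jdoe
"/DC=org/DC=doegrids/OU=People/CN=Bob Smith 67890" bsmith,ops
"/DC=org/DC=doegrids/OU=Services/CN=host/gw.example.org" gridsvc
'''

_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)\s*$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {subject DN: [allowed local accounts]}.

    Malformed or duplicated lines raise instead of being skipped, so a
    corrupted mapfile cannot quietly drop or shadow an entry.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {raw!r}")
        dn = m.group("dn")
        users = [u for u in m.group("users").split(",") if u]
        if dn in mapping:
            raise ValueError(f"duplicate DN at line {lineno}: {dn}")
        mapping[dn] = users
    return mapping


def authorize(mapping: Dict[str, List[str]], subject_dn: str,
              requested_user: Optional[str] = None) -> Optional[str]:
    """Return the local account the authenticated DN may use, or None.

    subject_dn is the identity asserted by a validated personal or host
    certificate. A valid certificate whose DN is absent from the mapfile
    is authenticated but NOT authorized, which is exactly the separation
    the policy requires. Comparison is an exact string match (assumption).
    """
    accounts = mapping.get(subject_dn)
    if not accounts:
        return None                      # known identity, no authorization
    if requested_user is None:
        return accounts[0]               # default account for this DN
    return requested_user if requested_user in accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for dn in ("/DC=org/DC=doegrids/OU=People/CN=Jane Doe 12345",
               "/DC=org/DC=doegrids/OU=People/CN=Mallory 1"):
        print(dn, "->", authorize(gridmap, dn))
```

The point of the structure is that nothing in the certificate itself is consulted for the decision: a perfectly valid DOEGrids certificate for a DN that no RA or site has placed in the mapfile yields no access, and a requested account the DN is not mapped to is refused even though the identity is genuine.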
Activation Data
    Data values, other than keys, that are required to operate cryptographic modules and that need to be protected (e.g., a PIN, a pass phrase, or a manually held key share).
Certification Authority (CA)
    The entity or system that issues X.509 identity certificates (places a subject name and public key in a document and then digitally signs that document using the private key of the CA).
Certificate Policy (CP)
    A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.
Certification Practice Statement (CPS)
    A statement of the practices which a certification authority employs in issuing certificates.
Community RM
    One or more RMs that serve multiple, low request rate sites / Virtual Organizations.
DOE Grids PKI
    Refers to the whole of the PKI, including the electronic services, the CA managers, RAs and RAgs.
DOE Grids PKI members
    Refers to the CA managers and the RA Points of Contact, who comprise a large subset of the PMA.
DOE Grids PKI service
    Refers to the electronic services of the PKI: computers, web interfaces, email, etc.
End Entity
    A system entity or person that is the subject of a public-key certificate and that is permitted and able to use the matching private key only for a purpose or purposes other than signing an X.509 public key certificate; i.e., an entity that is not a CA.
Host Certificate
    A certificate for server authentication and encryption of communications (SSL/TLS). It represents a single machine. Host Certificates are used internally by the PKI service and are not issued to other sites/VOs.
Owner
    The human individual or organizational group that has valid rights to exclusive use of a subject name in a certificate. The process of registering the end entity of a certificate request is what maintains the binding between an owner and the subject name (DN).
Person Certificate
    A certificate associated with a unique human being.
Policy Management Authority (PMA)
    For the DOEGrids PKI this is a committee composed of the CA managers and representatives from the site/VO Registration Authorities. The PMA has direct responsibility for the CP/CPS and oversight of ESnet operations of the PKI.
Policy Qualifier
    The policy-dependent information that accompanies a certificate policy identifier in an X.509 certificate.
Point of Contact
    The member of a site/VO RA that has been chosen to handle all communications about policy matters with the DOE GRIDS PMA.
Private RM
    RMs that serve high certificate request rate sites / Virtual Organizations, and that are operated by the site/VO.
Registration Authority (RA)
    An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).
Registration Agent (RAg) or "Agent"
    The entity that interacts with the RM in order to cause the CA to issue certificates.
Registration Manager (RM)
    A front-end Web server for the CA that provides a Web user interface for CA subscribers and agents. The RM forwards certificate-signing requests to the actual CA (DOE GRIDS) to issue X.509 certificates.
Registered Owner
    Once a certificate request has been verified, the ownership of the DN validated, and a certificate issued, the owner is considered to be the "registered owner" of the DN. See the definition of "Owner" above.
Relying Party
    A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.
Security Incident
    An incident that has the potential of private key loss or compromise, regardless of whether the compromise or loss was successful. Such incidents include but are not limited to user credential compromise, privilege escalation on systems known to contain private keys, accidental exposure of private key