Note: My Web pages are best viewed with style sheets enabled.
|
Note: My Web pages are best viewed with style sheets enabled. |
Unrated |
Version 28Dec08-2.1.0
Verification of the requirements in this section will generally be done through on-site observations of the operations of the certificate authority.
C.3 Maintaining Root Certificates
C.4 Maintaining Intermediate Certificates
C.5 Generating Subscriber Certificates
C.6 Signing Subscriber Certificates
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.1.a | 9 | The CA has been repeatedly observed to operate in general conformance with its CP. | ||
| C.1.b | 9 | The CA has been repeatedly observed to operate in general conformance with its CPS. | ||
| C.1.c | 9 | The CA has been repeatedly observed to operate in general conformance with its privacy policy. | ||
| C.1.d | 43 | CA personnel demonstrate knowledge of disaster recovery procedures (see §A.3.l). |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.2.a | 43 | CA personnel demonstrate knowledge of proper security practices (see §A.5). | ||
| C.2.b | 18, 43 | The CA maintains current protection against:
| ||
| C.2.c | 18, 43 | The CA maintains current protection against "hacking", snooping, and other electronic intrusions into its computer systems (see §A.5.f). | ||
| C.2.d | 18, 43 | The CA protects computer systems and other hardware involved in certificate operations and subscriber records against theft and unauthorized physical and electronic access (see §A.5.f and §A.5.g). |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.3.a | 20 | The root certificate public key is readily available for downloading and installation by subscribers and the general public. | ||
| C.3.b | 20 | The root certificate public key can be readily authenticated by subscribers and the general public. | ||
| C.3.c | 18 | The root certificate private key is stored secure from electronic and physical compromise. | ||
| C.3.d | 18 | The root certificate private key is stored by the CA and not by any outside party. | ||
| C.3.e | 18 | The root certificate private key pass-phrase (i.e. password) is not stored electronically or physically. | ||
| C.3.f | 18 | The root certificate private key pass-phrase (or parts thereof) is known only to CA personnel. | ||
| C.3.g | 18 | Provision is made to prevent loss of the root certificate through a single-point of failure of electronic equipment (including physical destruction of such equipment). | ||
| C.3.h | 18 | Provision is made to prevent loss of use of the root certificate resulting from the loss of one key person. | ||
| C.3.i | 18 | Use of the root certificate private key requires cooperative action by at least two CA personnel. | ||
| C.3.j | 21 | All subscribers are notified immediately if the root certificate is revoked. | ||
| C.3.k | 21 | Provision is made for prompt re-signing of affected non-expired, non-revoked subscriber certificates with a new root certificate if the root certificate is revoked. | ||
| C.3.l | 18 | Expired and revoked root certificates are archived. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.4.a | 20 | Intermediate certificate public keys are readily available for downloading and installation by subscribers and the general public. | ||
| C.4.b | 18 | The intermediate certificate private keys are stored secure from electronic and physical compromise. | ||
| C.4.c | None | The intermediate certificates are created by the CA and not by any outside party. | ||
| C.4.d | 18 | The intermediate certificate private key pass-phrases (or parts thereof) are known only to CA personnel. | ||
| C.4.e | 18 | The intermediate certificate private key pass-phrases are stored securely. | ||
| C.4.f | 21 | All affected subscribers are notified immediately if an intermediate certificate is revoked. | ||
| C.4.g | 21 | Provision is made for prompt re-signing of affected non-expired, non-revoked subscriber certificates with a new intermediate certificate if an intermediate certificate is revoked. | ||
| C.4.h | 18 | Expired and revoked intermediate certificates are archived. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.5.a | 19 | If the CA generates certificates for its subscribers, all requirements for signing subscriber certificates are met (see §C.6). | ||
| C.5.b | 19, 23 | If the CA generates certificates for its subscribers, a subscriber's private key is stored with the same security as the CA's key that signed the subscriber's certificate. | ||
| C.5.c | 22 | If the CA generates certificates for its subscribers, a subscriber's private key is communicated to the subscriber in a secure manner. | ||
| C.5.d | None | If the CA generates certificates for its subscribers, a subscriber is immediately advised to change its certificate's pass-phrase. | ||
| C.5.e | None | Pass-phrases for CA-generated subscriber certificates are randomly generated. | ||
| C.5.f | 23 | A record of the pass-phrase for a CA-generated subscriber certificate is not retained beyond delivery of the certificate to the subscriber. | ||
| C.5.g | None | The pass-phrase for a CA-generated subscriber certificate is communicated to the subscriber in a secure manner separately from the corresponding private key. | ||
| C.5.h | None | If the CA generates certificates for its subscribers, the user ID chosen by the subscriber properly appears in the certificate. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.6.a | 25 | Positive identity of a subscriber is obtained prior to signing a subscriber's certificate. | ||
| C.6.b | 22, 25 | Prior to signing a subscriber's certificate, the purposes contained within the certificate is verified to agree with the purposes in the subscriber's request for signatures (see §A.2.l). | ||
| C.6.c | 25 | For subscriber E-mail certificates, the E-mail address in the certificate matches the address in the subscriber's application for signature (see §A.2.g). | ||
| C.6.d | 25 | For subscriber site certificates, the domain in the certificate matches the domain in the subscriber's application for signature (see §A.2.h). | ||
| C.6.e | 25 | When an individual requests a certificate to be signed and the subscriber is an organization, the following are positively verified:
| ||
| C.6.f | 11 | Certificates are signed in a timely manner. | ||
| C.6.g | 13 | The public list of subscriber certificates (see §B.2.h) is updated in a timely manner to show newly signed certificates. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.7.a | 27 | The CA notifies the affected subscriber in a timely manner when a certificate generated by the CA is about to expire. | ||
| C.7.b | 27, 29 | The same care is taken during the renewal of a certificate generated by the CA as was taken during the certificate's initial issue (see §C.5). | ||
| C.7.c | 27 | The CA notifies the affected subscriber in a timely manner when the CA's signature on a certificate is about to expire. | ||
| C.7.d | 27, 29 | The same care is taken during the renewal of a certificate's signature as was taken during the certificate's initial signing (see §C.6). | ||
| C.7.e | 27, 29 | Replacing a certificate that already expired is handled in accord with the CP (see §A.2.s) with the same care as for a certificate about to expire (as indicated in this §C.7). | ||
| C.7.f | None | Before renewing a site certificate, the domain registration is verified that the domain owner has not changed. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.8.a | 33 | Revoking a subscriber's certificate is performed in accord with the CP (see §A.2.p). | ||
| C.8.b | 33 | Positive identity of a subscriber is obtained before the CA acts on the subscriber's request to revoke a certificate. | ||
| C.8.c | 33 | Certificates are revoked promptly. | ||
| C.8.d | 33 | A subscriber is required to notify the CA promptly if the subscriber revokes its own key. Such notification must include positive identification of the subscriber. | ||
| C.8.e | None | Replacing a revoked certificate is handled in accord with the CP (see §A.2.s) and with the same care as for a certificate about to expire (see §C.7). | ||
| C.8.f | 33, 35 | The public list of revoked certificates (see §B.2.j) is updated promptly. |
| Req. # | WT | Requirement | Verified | Comments |
|---|---|---|---|---|
| C.9.a | 25, 26 | When the CA uses an external registration authority (RA), each RA is positively identified by CA personnel before being authorized to verify identities of subscribers and authorizations of individuals to represent organizational subscribers (see §A.2.v). | ||
| C.9.b | 26 | RAs provide the CA with complete documentation on each verified applicant for a certificate (see §A.2.w). | ||
| C.9.c | 26 | RAs provide the CA with complete documentation on each verified authorized individual representing an organizational subscriber (see §A.2.x). |
Last updated 2 July 2007
 David Ross home |
 |
 CA Review home |
