draft-ietf-sidr-cps-irs-01.txt   draft-ietf-sidr-cps-irs-02.txt 
Secure Inter-Domain Routing (sidr) Kong, D. Secure Inter-Domain Routing (sidr) Kong, D.
Internet Draft Seo, K. Internet Draft Seo, K.
Expires: August 2007 Kent, S. Expires: January 2008 Kent, S.
Intended Status: Informational BBN Technologies Intended Status: Informational BBN Technologies
February 2007
Template for an Template for an
Internet Registry's Certification Practice Statement (CPS) Internet Registry's Certification Practice Statement (CPS)
for the Internet IP Address and AS Number (PKI) for the Internet IP Address and AS Number (PKI)
draft-ietf-sidr-cps-irs-01.txt draft-ietf-sidr-cps-irs-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of becomes aware will be disclosed, in accordance with Section 6 of
BCP 79. BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
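Review bot: the title line "for the Internet IP Address and AS Number (PKI)" puts the acronym in parentheses without the words it abbreviates, and -02 carries it over unchanged. The abstract already has the full form, "Internet IP Address and Autonomous System (AS) Number Public Key Infrastructure (PKI)", and the title could use the same wording.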
skipping to change at page 1, line 37 skipping to change at page 1, line 35
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 31, 2007. This Internet-Draft will expire on January 8, 2008.
Abstract Abstract
This document contains a template to be used for creating a This document contains a template to be used for creating a
Certification Practice Statement (CPS) for an Internet Registry Certification Practice Statement (CPS) for an Internet Registry
(e.g., NIR or RIR) that is part of the Internet IP Address and (e.g., NIR or RIR) that is part of the Internet IP Address and
Autonomous System (AS) Number Public Key Infrastructure (PKI). Autonomous System (AS) Number Public Key Infrastructure (PKI).
Conventions used in this document Conventions used in this document
skipping to change at page 3, line 22 skipping to change at page 3, line 22
4.1.2. Enrollment process and responsibilities.............20 4.1.2. Enrollment process and responsibilities.............20
4.2. Certificate application processing.......................20 4.2. Certificate application processing.......................20
4.2.1. Performing identification and authentication functions 4.2.1. Performing identification and authentication functions
...........................................................20 ...........................................................20
4.2.2. Approval or rejection of certificate applications...20 4.2.2. Approval or rejection of certificate applications...20
4.2.3. Time to process certificate applications............21 4.2.3. Time to process certificate applications............21
4.3. Certificate issuance.....................................21 4.3. Certificate issuance.....................................21
4.3.1. CA actions during certificate issuance..............21 4.3.1. CA actions during certificate issuance..............21
4.3.2. Notification to subscriber by the CA of issuance of 4.3.2. Notification to subscriber by the CA of issuance of
certificate................................................21 certificate................................................21
4.4. Certificate acceptance...................................22 4.4. Certificate acceptance...................................21
4.4.1. Conduct constituting certificate acceptance.........22 4.4.1. Conduct constituting certificate acceptance.........21
4.4.2. Publication of the certificate by the CA............22 4.4.2. Publication of the certificate by the CA............21
4.5. Key pair and certificate usage...........................22 4.5. Key pair and certificate usage...........................21
4.5.1. Subscriber private key and certificate usage........22 4.5.1. Subscriber private key and certificate usage........22
4.5.2. Relying party public key and certificate usage......22 4.5.2. Relying party public key and certificate usage......22
4.6. Certificate renewal......................................23 4.6. Certificate renewal......................................22
4.6.1. Circumstance for certificate renewal................23 4.6.1. Circumstance for certificate renewal................22
4.6.2. Who may request renewal.............................23 4.6.2. Who may request renewal.............................23
4.6.3. Processing certificate renewal requests.............23 4.6.3. Processing certificate renewal requests.............23
4.6.4. Notification of new certificate issuance to subscriber 4.6.4. Notification of new certificate issuance to subscriber
...........................................................23 ...........................................................23
4.6.5. Conduct constituting acceptance of a renewal 4.6.5. Conduct constituting acceptance of a renewal
certificate................................................23 certificate................................................23
4.6.6. Publication of the renewal certificate by the CA....24 4.6.6. Publication of the renewal certificate by the CA....23
4.6.7. Notification of certificate issuance by the CA to other 4.6.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................24 entities [OMITTED].........................................23
4.7. Certificate re-key.......................................24 4.7. Certificate re-key.......................................23
4.7.1. Circumstance for certificate re-key.................24 4.7.1. Circumstance for certificate re-key.................23
4.7.2. Who may request certification of a new public key...24 4.7.2. Who may request certification of a new public key...24
4.7.3. Processing certificate re-keying requests...........25 4.7.3. Processing certificate re-keying requests...........24
4.7.4. Notification of new certificate issuance to subscriber 4.7.4. Notification of new certificate issuance to subscriber
...........................................................25 ...........................................................24
4.7.5. Conduct constituting acceptance of a re-keyed 4.7.5. Conduct constituting acceptance of a re-keyed
certificate................................................25 certificate................................................24
4.7.6. Publication of the re-keyed certificate by the CA...25 4.7.6. Publication of the re-keyed certificate by the CA...24
4.7.7. Notification of certificate issuance by the CA to other 4.7.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................25 entities [OMITTED].........................................25
4.8. Certificate modification.................................25 4.8. Certificate modification.................................25
4.8.1. Circumstance for certificate modification...........25 4.8.1. Circumstance for certificate modification...........25
4.8.2. Who may request certificate modification............26 4.8.2. Who may request certificate modification............25
4.8.3. Processing certificate modification requests........26 4.8.3. Processing certificate modification requests........25
4.8.4. Notification of modified certificate issuance to 4.8.4. Notification of modified certificate issuance to
subscriber.................................................26 subscriber.................................................26
4.8.5. Conduct constituting acceptance of modified certificate 4.8.5. Conduct constituting acceptance of modified certificate
...........................................................26 ...........................................................26
4.8.6. Publication of the modified certificate by the CA...26 4.8.6. Publication of the modified certificate by the CA...26
4.8.7. Notification of certificate issuance by the CA to other 4.8.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................26 entities [OMITTED].........................................26
4.9. Certificate revocation and suspension....................27 4.9. Certificate revocation and suspension....................26
4.9.1. Circumstances for revocation........................27 4.9.1. Circumstances for revocation........................26
4.9.2. Who can request revocation..........................27 4.9.2. Who can request revocation..........................26
4.9.3. Procedure for revocation request....................27 4.9.3. Procedure for revocation request....................26
4.9.4. Revocation request grace period.....................27 4.9.4. Revocation request grace period.....................27
4.9.5. Time within which CA must process the revocation 4.9.5. Time within which CA must process the revocation
request....................................................27 request....................................................27
4.9.6. Revocation checking requirement for relying parties.27 4.9.6. Revocation checking requirement for relying parties.27
4.9.7. CRL issuance frequency..............................28 4.9.7. CRL issuance frequency..............................27
4.9.8. Maximum latency for CRLs............................28 4.9.8. Maximum latency for CRLs............................27
4.9.9. On-line revocation/status checking availability 4.9.9. On-line revocation/status checking availability
[OMITTED]..................................................28 [OMITTED]..................................................28
4.9.10. On-line revocation checking requirements [OMITTED].28 4.9.10. On-line revocation checking requirements [OMITTED].28
4.9.11. Other forms of revocation advertisements available 4.9.11. Other forms of revocation advertisements available
[OMITTED]..................................................28 [OMITTED]..................................................28
4.9.12. Special requirements re key compromise [OMITTED]...28 4.9.12. Special requirements re key compromise [OMITTED]...28
4.9.13. Circumstances for suspension [OMITTED].............28 4.9.13. Circumstances for suspension [OMITTED].............28
4.9.14. Who can request suspension [OMITTED]...............28 4.9.14. Who can request suspension [OMITTED]...............28
4.9.15. Procedure for suspension request [OMITTED].........28 4.9.15. Procedure for suspension request [OMITTED].........28
4.9.16. Limits on suspension period [OMITTED]..............28 4.9.16. Limits on suspension period [OMITTED]..............28
4.10. Certificate status services.............................28 4.10. Certificate status services.............................28
4.10.1. Operational characteristics [OMITTED]..............29 4.10.1. Operational characteristics [OMITTED]..............28
4.10.2. Service availability [OMITTED].....................29 4.10.2. Service availability [OMITTED].....................28
4.10.3. Optional features [OMITTED]........................29 4.10.3. Optional features [OMITTED]........................28
4.11. End of subscription [OMITTED]...........................29 4.11. End of subscription [OMITTED]...........................28
4.12. Key escrow and recovery [OMITTED].......................29 4.12. Key escrow and recovery [OMITTED].......................28
4.12.1. Key escrow and recovery policy and practices [OMITTED] 4.12.1. Key escrow and recovery policy and practices [OMITTED]
...........................................................29 ...........................................................28
4.12.2. Session key encapsulation and recovery policy and 4.12.2. Session key encapsulation and recovery policy and
practices [OMITTED]........................................29 practices [OMITTED]........................................28
5. Facility, Management, And Operational Controls................30 5. Facility, Management, And Operational Controls................29
5.1. Physical controls........................................30 5.1. Physical controls........................................29
5.1.1. Site location and construction......................30 5.1.1. Site location and construction......................29
5.1.2. Physical access.....................................30 5.1.2. Physical access.....................................29
5.1.3. Power and air conditioning..........................30 5.1.3. Power and air conditioning..........................29
5.1.4. Water exposures.....................................30 5.1.4. Water exposures.....................................29
5.1.5. Fire prevention and protection......................30 5.1.5. Fire prevention and protection......................29
5.1.6. Media storage.......................................30 5.1.6. Media storage.......................................29
5.1.7. Waste disposal......................................30 5.1.7. Waste disposal......................................29
5.1.8. Off-site backup.....................................30 5.1.8. Off-site backup.....................................29
5.2. Procedural controls......................................30 5.2. Procedural controls......................................29
5.2.1. Trusted roles.......................................30 5.2.1. Trusted roles.......................................29
5.2.2. Number of persons required per task.................30 5.2.2. Number of persons required per task.................29
5.2.3. Identification and authentication for each role.....30 5.2.3. Identification and authentication for each role.....29
5.2.4. Roles requiring separation of duties................30 5.2.4. Roles requiring separation of duties................29
5.3. Personnel controls.......................................30 5.3. Personnel controls.......................................29
5.3.1. Qualifications, experience, and clearance requirements 5.3.1. Qualifications, experience, and clearance requirements
...........................................................31 ...........................................................30
5.3.2. Background check procedures.........................31 5.3.2. Background check procedures.........................30
5.3.3. Training requirements...............................31 5.3.3. Training requirements...............................30
5.3.4. Retraining frequency and requirements...............31 5.3.4. Retraining frequency and requirements...............30
5.3.5. Job rotation frequency and sequence.................31 5.3.5. Job rotation frequency and sequence.................30
5.3.6. Sanctions for unauthorized actions..................31 5.3.6. Sanctions for unauthorized actions..................30
5.3.7. Independent contractor requirements.................31 5.3.7. Independent contractor requirements.................30
5.3.8. Documentation supplied to personnel.................31 5.3.8. Documentation supplied to personnel.................30
5.4. Audit logging procedures.................................31 5.4. Audit logging procedures.................................30
5.4.1. Types of events recorded............................31 5.4.1. Types of events recorded............................30
5.4.2. Frequency of processing log.........................31 5.4.2. Frequency of processing log.........................30
5.4.3. Retention period for audit log......................31 5.4.3. Retention period for audit log......................30
5.4.4. Protection of audit log.............................32 5.4.4. Protection of audit log.............................31
5.4.5. Audit log backup procedures.........................32 5.4.5. Audit log backup procedures.........................31
5.4.6. Audit collection system (internal vs. external) 5.4.6. Audit collection system (internal vs. external)
[OMITTED]..................................................32 [OMITTED]..................................................31
5.4.7. Notification to event-causing subject [OMITTED].....32 5.4.7. Notification to event-causing subject [OMITTED].....31
5.4.8. Vulnerability assessments...........................32 5.4.8. Vulnerability assessments...........................31
5.5. Records archival [OMITTED]...............................32 5.5. Records archival [OMITTED]...............................31
5.5.1. Types of records archived [OMITTED].................32 5.5.1. Types of records archived [OMITTED].................31
5.5.2. Retention period for archive [OMITTED]..............32 5.5.2. Retention period for archive [OMITTED]..............31
5.5.3. Protection of archive [OMITTED].....................32 5.5.3. Protection of archive [OMITTED].....................31
5.5.4. Archive backup procedures [OMITTED].................32 5.5.4. Archive backup procedures [OMITTED].................31
5.5.5. Requirements for time-stamping of records [OMITTED].32 5.5.5. Requirements for time-stamping of records [OMITTED].31
5.5.6. Archive collection system (internal or external) 5.5.6. Archive collection system (internal or external)
[OMITTED]..................................................32 [OMITTED]..................................................31
5.5.7. Procedures to obtain and verify archive information 5.5.7. Procedures to obtain and verify archive information
[OMITTED]..................................................32 [OMITTED]..................................................31
5.6. Key changeover...........................................32 5.6. Key changeover...........................................31
5.7. Compromise and disaster recovery [OMITTED]...............33 5.7. Compromise and disaster recovery [OMITTED]...............32
5.7.1. Incident and compromise handling procedures [OMITTED]33 5.7.1. Incident and compromise handling procedures [OMITTED]32
5.7.2. Computing resources, software, and/or data are 5.7.2. Computing resources, software, and/or data are
corrupted [OMITTED]........................................33 corrupted [OMITTED]........................................32
5.7.3. Entity private key compromise procedures [OMITTED]..33 5.7.3. Entity private key compromise procedures [OMITTED]..32
5.7.4. Business continuity capabilities after a disaster 5.7.4. Business continuity capabilities after a disaster
[OMITTED]..................................................33 [OMITTED]..................................................32
5.8. CA or RA termination.....................................33 5.8. CA or RA termination.....................................32
6. Technical Security Controls...................................34 6. Technical Security Controls...................................33
6.1. Key pair generation and installation.....................34 6.1. Key pair generation and installation.....................33
6.1.1. Key pair generation.................................34 6.1.1. Key pair generation.................................33
6.1.2. Private key delivery to subscriber..................34 6.1.2. Private key delivery to subscriber..................33
6.1.3. Public key delivery to certificate issuer...........34 6.1.3. Public key delivery to certificate issuer...........33
6.1.4. CA public key delivery to relying parties...........34 6.1.4. CA public key delivery to relying parties...........33
6.1.5. Key sizes...........................................35 6.1.5. Key sizes...........................................34
6.1.6. Public key parameters generation and quality checking35 6.1.6. Public key parameters generation and quality checking34
6.1.7. Key usage purposes (as per X.509 v3 key usage field)35 6.1.7. Key usage purposes (as per X.509 v3 key usage field)34
6.2. Private Key Protection and Cryptographic Module Engineering 6.2. Private Key Protection and Cryptographic Module Engineering
Controls......................................................35 Controls......................................................34
6.2.1. Cryptographic module standards and controls.........35 6.2.1. Cryptographic module standards and controls.........34
6.2.2. Private key (n out of m) multi-person control.......35 6.2.2. Private key (n out of m) multi-person control.......34
6.2.3. Private key escrow..................................35 6.2.3. Private key escrow..................................34
6.2.4. Private key backup..................................36 6.2.4. Private key backup..................................35
6.2.5. Private key archival................................36 6.2.5. Private key archival................................35
6.2.6. Private key transfer into or from a cryptographic 6.2.6. Private key transfer into or from a cryptographic
module.....................................................36 module.....................................................35
6.2.7. Private key storage on cryptographic module.........36 6.2.7. Private key storage on cryptographic module.........35
6.2.8. Method of activating private key....................36 6.2.8. Method of activating private key....................35
6.2.9. Method of deactivating private key..................36 6.2.9. Method of deactivating private key..................35
6.2.10. Method of destroying private key...................36 6.2.10. Method of destroying private key...................35
6.2.11. Cryptographic Module Rating........................36 6.2.11. Cryptographic Module Rating........................35
6.3. Other aspects of key pair management.....................37 6.3. Other aspects of key pair management.....................36
6.3.1. Public key archival.................................37 6.3.1. Public key archival.................................36
6.3.2. Certificate operational periods and key pair usage 6.3.2. Certificate operational periods and key pair usage
periods....................................................37 periods....................................................36
6.4. Activation data..........................................37 6.4. Activation data..........................................36
6.4.1. Activation data generation and installation.........37 6.4.1. Activation data generation and installation.........36
6.4.2. Activation data protection..........................37 6.4.2. Activation data protection..........................36
6.4.3. Other aspects of activation data....................37 6.4.3. Other aspects of activation data....................36
6.5. Computer security controls...............................37 6.5. Computer security controls...............................36
6.5.1. Specific computer security technical requirement....37 6.5.1. Specific computer security technical requirement....36
6.5.2. Computer security rating [OMITTED]..................38 6.5.2. Computer security rating [OMITTED]..................37
6.6. Life cycle technical controls............................38 6.6. Life cycle technical controls............................37
6.6.1. System development controls.........................38 6.6.1. System development controls.........................37
6.6.2. Security management controls........................38 6.6.2. Security management controls........................37
6.6.3. Life cycle security controls........................38 6.6.3. Life cycle security controls........................37
6.7. Network security controls................................38 6.7. Network security controls................................37
6.8. Time-stamping............................................38 6.8. Time-stamping............................................37
7. Certificate and CRL Profiles..................................39 7. Certificate and CRL Profiles..................................38
Please refer to the Certificate and CRL Profile [draft-ietf-sidr- Please refer to the Certificate and CRL Profile [draft-ietf-sidr-
res-certs-01].................................................39 res-certs-01].................................................38
7.1. Certificate profile [OMITTED]............................39 7.1. Certificate profile [OMITTED]............................38
7.1.1. Version number(s) [OMITTED].........................39 7.1.1. Version number(s) [OMITTED].........................38
7.1.2. Certificate extensions [OMITTED]....................39 7.1.2. Certificate extensions [OMITTED]....................38
7.1.3. Algorithm object identifiers [OMITTED]..............39 7.1.3. Algorithm object identifiers [OMITTED]..............38
7.1.4. Name forms [OMITTED]................................39 7.1.4. Name forms [OMITTED]................................38
7.1.5. Name constraints [OMITTED]..........................39 7.1.5. Name constraints [OMITTED]..........................38
7.1.6. Certificate policy object identifier [OMITTED]......39 7.1.6. Certificate policy object identifier [OMITTED]......38
7.1.7. Usage of Policy Constraints extension [OMITTED].....39 7.1.7. Usage of Policy Constraints extension [OMITTED].....38
7.1.8. Policy qualifiers syntax and semantics [OMITTED]....39 7.1.8. Policy qualifiers syntax and semantics [OMITTED]....38
7.1.9. Processing semantics for the critical Certificate 7.1.9. Processing semantics for the critical Certificate
Policies extension [OMITTED]...............................39 Policies extension [OMITTED]...............................38
7.2. CRL profile [OMITTED]....................................39 7.2. CRL profile [OMITTED]....................................38
7.2.1. Version number(s) [OMITTED].........................39 7.2.1. Version number(s) [OMITTED].........................38
7.2.2. CRL and CRL entry extensions [OMITTED]..............39 7.2.2. CRL and CRL entry extensions [OMITTED]..............38
7.3. OCSP profile [OMITTED]...................................39 7.3. OCSP profile [OMITTED]...................................38
7.3.1. Version number(s) [OMITTED].........................39 7.3.1. Version number(s) [OMITTED].........................38
7.3.2. OCSP extensions [OMITTED]...........................40 7.3.2. OCSP extensions [OMITTED]...........................38
8. Compliance Audit and Other Assessments........................41 8. Compliance Audit and Other Assessments........................39
8.1. Frequency or circumstances of assessment.................41 8.1. Frequency or circumstances of assessment.................39
8.2. Identity/qualifications of assessor......................41 8.2. Identity/qualifications of assessor......................39
8.3. Assessor's relationship to assessed entity...............41 8.3. Assessor's relationship to assessed entity...............39
8.4. Topics covered by assessment.............................41 8.4. Topics covered by assessment.............................39
8.5. Actions taken as a result of deficiency..................41 8.5. Actions taken as a result of deficiency..................39
8.6. Communication of results.................................41 8.6. Communication of results.................................39
9. Other Business And Legal Matters..............................42 9. Other Business And Legal Matters..............................40
9.1. Fees.....................................................42 9.1. Fees.....................................................40
9.1.1. Certificate issuance or renewal fees................42 9.1.1. Certificate issuance or renewal fees................40
9.1.2. Fees for other services (if applicable).............42 9.1.2. Fees for other services (if applicable).............40
9.1.3. Refund policy.......................................42 9.1.3. Refund policy.......................................40
9.2. Financial responsibility.................................42 9.2. Financial responsibility.................................40
9.2.1. Insurance coverage..................................42 9.2.1. Insurance coverage..................................40
9.2.2. Other assets........................................42 9.2.2. Other assets........................................40
9.2.3. Insurance or warranty coverage for end-entities.....42 9.2.3. Insurance or warranty coverage for end-entities.....40
9.3. Confidentiality of business information..................42 9.3. Confidentiality of business information..................40
9.3.1. Scope of confidential information...................42 9.3.1. Scope of confidential information...................40
9.3.2. Information not within the scope of confidential 9.3.2. Information not within the scope of confidential
information................................................42 information................................................40
9.3.3. Responsibility to protect confidential information..42 9.3.3. Responsibility to protect confidential information..40
9.4. Privacy of personal information..........................42 9.4. Privacy of personal information..........................40
9.4.1. Privacy plan........................................42 9.4.1. Privacy plan........................................40
9.4.2. Information treated as private......................42 9.4.2. Information treated as private......................40
9.4.3. Information not deemed private......................42 9.4.3. Information not deemed private......................40
9.4.4. Responsibility to protect private information.......42 9.4.4. Responsibility to protect private information.......40
9.4.5. Notice and consent to use private information.......42 9.4.5. Notice and consent to use private information.......40
9.4.6. Disclosure pursuant to judicial or administrative 9.4.6. Disclosure pursuant to judicial or administrative
process....................................................43 process....................................................41
9.4.7. Other information disclosure circumstances..........43 9.4.7. Other information disclosure circumstances..........41
9.5. Intellectual property rights (if applicable).............43 9.5. Intellectual property rights (if applicable).............41
9.6. Representations and warranties...........................43 9.6. Representations and warranties...........................41
9.6.1. CA representations and warranties...................43 9.6.1. CA representations and warranties...................41
9.6.2. Subscriber representations and warranties...........43 9.6.2. Subscriber representations and warranties...........41
9.6.3. Relying party representations and warranties........43 9.6.3. Relying party representations and warranties........41
9.6.4. Representations and warranties of other participants 9.6.4. Representations and warranties of other participants
[OMITTED]..................................................43 [OMITTED]..................................................41
9.7. Disclaimers of warranties................................43 9.7. Disclaimers of warranties................................41
9.8. Limitations of liability.................................43 9.8. Limitations of liability.................................41
9.9. Indemnities..............................................43 9.9. Indemnities..............................................41
9.10. Term and termination....................................43 9.10. Term and termination....................................41
9.10.1. Term...............................................43 9.10.1. Term...............................................41
9.10.2. Termination........................................43 9.10.2. Termination........................................41
9.10.3. Effect of termination and survival.................43 9.10.3. Effect of termination and survival.................41
9.11. Individual notices and communications with participants.43 9.11. Individual notices and communications with participants.41
9.12. Amendments..............................................43 9.12. Amendments..............................................41
9.12.1. Procedure for amendment............................43 9.12.1. Procedure for amendment............................41
9.12.2. Notification mechanism and period..................43 9.12.2. Notification mechanism and period..................41
9.12.3. Circumstances under which OID must be changed 9.12.3. Circumstances under which OID must be changed
[OMITTED]..................................................43 [OMITTED]..................................................41
9.13. Dispute resolution provisions...........................43 9.13. Dispute resolution provisions...........................41
9.14. Governing law...........................................43 9.14. Governing law...........................................41
9.15. Compliance with applicable law..........................43 9.15. Compliance with applicable law..........................41
9.16. Miscellaneous provisions................................43 9.16. Miscellaneous provisions................................41
9.16.1. Entire agreement...................................44 9.16.1. Entire agreement...................................42
9.16.2. Assignment.........................................44 9.16.2. Assignment.........................................42
9.16.3. Severability.......................................44 9.16.3. Severability.......................................42
9.16.4. Enforcement (attorneys' fees and waiver of rights).44 9.16.4. Enforcement (attorneys' fees and waiver of rights).42
9.16.5. Force Majeure......................................44 9.16.5. Force Majeure......................................42
9.17. Other provisions [OMITTED]..............................44 9.17. Other provisions [OMITTED]..............................42
10. Security Considerations......................................45 10. Security Considerations......................................43
11. IANA Considerations..........................................45 11. IANA Considerations..........................................43
12. Acknowledgments..............................................45 12. Acknowledgments..............................................43
13. References...................................................45 13. References...................................................43
13.1. Normative References....................................45 13.1. Normative References....................................43
13.2. Informative References..................................46 13.2. Informative References..................................44
Author's Addresses...............................................46 Author's Addresses...............................................44
Intellectual Property Statement..................................47 Intellectual Property Statement..................................45
Disclaimer of Validity...........................................47 Disclaimer of Validity...........................................45
Copyright Statement..............................................47 Copyright Statement..............................................45
Preface Preface
This document contains a template to be used for creating a This document contains a template to be used for creating a
Certification Practice Statement (CPS) for an Internet Registry Certification Practice Statement (CPS) for an Internet Registry
(e.g., an NIR or RIR) that is part of the Internet IP Address and (e.g., an NIR or RIR) that is part of the Internet IP Address and
Autonomous System (AS) Number Public Key Infrastructure (PKI). The Autonomous System (AS) Number Public Key Infrastructure (PKI). The
user of this document should user of this document should
1. substitute a title page for page 1 saying, e.g., "<Name of 1. substitute a title page for page 1 saying, e.g., "<Name of
skipping to change at page 9, line 33 skipping to change at page 9, line 33
in the Introduction below. This information should be left in the in the Introduction below. This information should be left in the
CPS as an explanation to the user. CPS as an explanation to the user.
1. Introduction 1. Introduction
This document is the Certification Practice Statement (CPS) of <Name This document is the Certification Practice Statement (CPS) of <Name
of Registry>. It describes the practices employed by the <Name of of Registry>. It describes the practices employed by the <Name of
Registry> Certification Authority (CA) in the Internet IP Address Registry> Certification Authority (CA) in the Internet IP Address
and Autonomous System (AS) Number PKI. These practices are defined and Autonomous System (AS) Number PKI. These practices are defined
in accordance with the requirements of the Certificate Policy (CP, in accordance with the requirements of the Certificate Policy (CP,
[RFCxxxx]) of this PKI. [CP]) of this PKI.
The Internet IP Address and AS Number PKI is aimed at supporting The Internet IP Address and AS Number PKI is aimed at supporting
verifiable attestations about resource controls, e.g., for improved verifiable attestations about resource controls, e.g., for improved
routing security. The goal is that each entity that allocates IP routing security. The goal is that each entity that allocates IP
addresses or AS numbers to an entity will, in parallel, issue a addresses or AS numbers to an entity will, in parallel, issue a
certificate reflecting this allocation. These certificates will certificate reflecting this allocation. These certificates will
enable verification that the holder of the associated private key enable verification that the holder of the associated private key
has been allocated the resources indicated in the certificate, and has been allocated the resources indicated in the certificate, and
is the current, unique holder of these resources. The certificates is the current, unique holder of these resources. The certificates
and CRLs, in conjunction with ancillary digitally signed data and CRLs, in conjunction with ancillary digitally signed data
skipping to change at page 15, line 31 skipping to change at page 15, line 31
2.3. Time or Frequency of Publication 2.3. Time or Frequency of Publication
<Describe here your procedures for publication (via the repository) <Describe here your procedures for publication (via the repository)
of the certificates and CRLs that you issue. If you choose to of the certificates and CRLs that you issue. If you choose to
outsource publication of PKI data, you still need to provide this outsource publication of PKI data, you still need to provide this
information for relying parties.> information for relying parties.>
As per the CP, the following standards exist for publication times As per the CP, the following standards exist for publication times
and frequency: and frequency:
A certificate will be published within 24 hours after a CA has A certificate will be published within 24 hours after issuance.
received acknowledgement from the subject of the certificate that
the certificate is accurate.
The <Name of Registry> CA will publish its CRL prior to the The <Name of Registry> CA will publish its CRL prior to the
nextScheduledUpdate value in the scheduled CRL previously issued by nextScheduledUpdate value in the scheduled CRL previously issued by
the CA. Within 24 hours of effecting revocation, the CA will publish the CA. Within 24 hours of effecting revocation, the CA will publish
a CRL with an entry for the revoked certificate. a CRL with an entry for the revoked certificate.
2.4. Access controls on repositories 2.4. Access controls on repositories
Access to the repository system, for modification of entries, must Access to the repository system, for modification of entries, must
be controlled to prevent denial of service attacks. All data be controlled to prevent denial of service attacks. All data
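Review bot: In 2.3 the CRL sentence refers to the "nextScheduledUpdate value" of the previous CRL, but the CRL profile in RFC 3280 (listed in 13.1) names that field nextUpdate. The sentence is unchanged between -01 and -02. Suggest using the profile's field name, or stating that nextScheduledUpdate means the CRL's nextUpdate, so a relying party can check the publication commitment against the CRL it actually fetches.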
skipping to change at page 21, line 19 skipping to change at page 21, line 19
4.2.3. Time to process certificate applications 4.2.3. Time to process certificate applications
<You may declare here your expected time frame for processing <You may declare here your expected time frame for processing
certificate applications.> certificate applications.>
4.3. Certificate issuance 4.3. Certificate issuance
4.3.1. CA actions during certificate issuance 4.3.1. CA actions during certificate issuance
<Describe in this section the following (referring to subsequent <Describe in this section your procedures for issuance of a
sections as appropriate): certificate.>
Procedures for generation of a draft certificate and form of the
draft. Typically a draft certificate is a complete certificate
except for the issuer's signature.
Procedure for making the draft available to the applicant for
review. For example, you may directly transmit the draft certificate
to the subscriber (applying PKCS #7 or other defined syntax).
Alternatively, you might establish a repository where draft
certificates can be examined.
Procedure for subscriber approval/rejection of the draft (Section
4.4.1)
If the draft is approved, procedure for finalization of the draft
and subsequent publication (Section 4.4.2)
If the draft is rejected, procedure for modification of the rejected
certificate (Section 4.8 might be useful) or submission of a new
certificate request.>
4.3.2. Notification to subscriber by the CA of issuance of certificate 4.3.2. Notification to subscriber by the CA of issuance of certificate
<Describe your procedure for notification of a subscriber when a <Describe your procedure for notification of a subscriber when a a
draft certificate is ready for review.> certificate has been issued.>
Notification of certificate issuance by the CA to other entities 4.3.3. Notification of certificate issuance by the CA to other entities
[OMITTED> [OMITTED]
4.4. Certificate acceptance 4.4. Certificate acceptance
4.4.1. Conduct constituting certificate acceptance 4.4.1. Conduct constituting certificate acceptance
When a draft certificate is generated and the subscriber is When a certificate is issued, the CA will place it in the repository
notified, it is required that the subscriber review the proposed and notify the subscriber. This will be done without subscriber
certificate and either approve or reject it within <X - This should review and acceptance.
be 30 or fewer as per the CP> days. <Describe what constitutes
acceptance or rejection from the certificate applicant.>
If a certificate remains unprocessed by the requester after <X>
days, <Describe your policy for handling certificates that have not
been acknowledged (either positively or negatively) after X days.
For example, at your option, you may either cancel the certificate
or finalize it and place it in the repository.>
4.4.2. Publication of the certificate by the CA 4.4.2. Publication of the certificate by the CA
Certificates will be published in the Repository system once Certificates will be published in the Repository system once issued
approved. <Describe your procedures for publication of the approved following the conduct described in 4.4.1. <Describe your procedures
certificate.> for publication of the approved certificate.>
4.5. Key pair and certificate usage 4.5. Key pair and certificate usage
A summary of the use model for the IP Address and AS Number PKI is A summary of the use model for the IP Address and AS Number PKI is
provided below. provided below.
4.5.1. Subscriber private key and certificate usage 4.5.1. Subscriber private key and certificate usage
The certificates issued by this registry to resource holders are CA The certificates issued by this registry to resource holders are CA
certificates. The private key associated with each of these certificates. The private key associated with each of these
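Review bot: The revised 4.4.2 placeholder still asks for "procedures for publication of the approved certificate", yet the revised 4.4.1 says the certificate is placed in the repository "without subscriber review and acceptance", so no approval step remains; suggest "issued certificate". The new 4.3.2 placeholder also reads "when a a certificate has been issued" (doubled "a"). With the draft-review steps removed from 4.3.1, consider having 4.4.1 state how a subscriber reports an incorrectly issued certificate, since publication now happens before the subscriber has seen it.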
skipping to change at page 23, line 49 skipping to change at page 23, line 25
This must include verification that the certificate in question has This must include verification that the certificate in question has
not been revoked.> not been revoked.>
4.6.4. Notification of new certificate issuance to subscriber 4.6.4. Notification of new certificate issuance to subscriber
<Describe your procedure for notification of new certificate <Describe your procedure for notification of new certificate
issuance to the subscriber. This should be consistent with 4.3.2.> issuance to the subscriber. This should be consistent with 4.3.2.>
4.6.5. Conduct constituting acceptance of a renewal certificate 4.6.5. Conduct constituting acceptance of a renewal certificate
<Describe your definition of what constitutes acceptance of a When a renewal certificate is issued, the CA will place it in the
renewed certificate. This should be consistent with 4.4.1.> repository and notify the subscriber. This will be done without
subscriber review and acceptance.
4.6.6. Publication of the renewal certificate by the CA 4.6.6. Publication of the renewal certificate by the CA
<Describe your policy and procedures for publication of a renewed <Describe your policy and procedures for publication of a renewed
certificate. This should be consistent with 4.4.2.> certificate. This should be consistent with 4.4.2.>
4.6.7. Notification of certificate issuance by the CA to other entities 4.6.7. Notification of certificate issuance by the CA to other entities
[OMITTED] [OMITTED]
4.7. Certificate re-key 4.7. Certificate re-key
skipping to change at page 25, line 20 skipping to change at page 24, line 41
4.7.4. Notification of new certificate issuance to subscriber 4.7.4. Notification of new certificate issuance to subscriber
<Describe your policy regarding notifying the subscriber re: <Describe your policy regarding notifying the subscriber re:
availability of the new certificate. This should be consistent with availability of the new certificate. This should be consistent with
the notification process for any new certificate issuance (see the notification process for any new certificate issuance (see
section 4.3.2).> section 4.3.2).>
4.7.5. Conduct constituting acceptance of a re-keyed certificate 4.7.5. Conduct constituting acceptance of a re-keyed certificate
<Describe your policy regarding acceptance of the new certificate by When a re-keyed certificate is issued, the CA will place it in the
the subscriber. This should be consistent with the acceptance repository and notify the subscriber. This will be done without
process for any new certificate (see section 4.4.1).> subscriber review and acceptance.
4.7.6. Publication of the re-keyed certificate by the CA 4.7.6. Publication of the re-keyed certificate by the CA
<Describe your policy regarding publication of the new certificate. <Describe your policy regarding publication of the new certificate.
This should be consistent with the publication process for any new This should be consistent with the publication process for any new
certificate (see section 4.4.2).> certificate (see section 4.4.2).>
4.7.7. Notification of certificate issuance by the CA to other entities 4.7.7. Notification of certificate issuance by the CA to other entities
[OMITTED] [OMITTED]
skipping to change at page 26, line 36 skipping to change at page 26, line 13
and 4.3.1.> and 4.3.1.>
4.8.4. Notification of modified certificate issuance to subscriber 4.8.4. Notification of modified certificate issuance to subscriber
<Describe your procedure for notification of issuance of a modified <Describe your procedure for notification of issuance of a modified
certificate. This should be consistent with the notification certificate. This should be consistent with the notification
process for any new certificate (see section 4.3.2).> process for any new certificate (see section 4.3.2).>
4.8.5. Conduct constituting acceptance of modified certificate 4.8.5. Conduct constituting acceptance of modified certificate
<Describe your criteria for acceptance of a modified certificate. When a modified certificate is issued, the CA will place it in the
This should be consistent with the acceptance process for any new repository and notify the subscriber. This will be done without
certificate (see section 4.4.1).> subscriber review and acceptance.
4.8.6. Publication of the modified certificate by the CA 4.8.6. Publication of the modified certificate by the CA
<Describe your procedure for publication of a modified certificate. <Describe your procedure for publication of a modified certificate.
This should be consistent with the publication process for any new This should be consistent with the publication process for any new
certificate (see section 4.4.2).> certificate (see section 4.4.2).>
4.8.7. Notification of certificate issuance by the CA to other entities 4.8.7. Notification of certificate issuance by the CA to other entities
[OMITTED] [OMITTED]
skipping to change at page 39, line 7 skipping to change at page 38, line 7
operation. These should be commensurate with the network security operation. These should be commensurate with the network security
controls employed for the computers used for managing allocation of controls employed for the computers used for managing allocation of
IP addresses and AS numbers.> IP addresses and AS numbers.>
6.8. Time-stamping 6.8. Time-stamping
The PKI in question does not make use of time stamping. The PKI in question does not make use of time stamping.
7. Certificate and CRL Profiles 7. Certificate and CRL Profiles
Please refer to the Certificate and CRL Profile [draft-ietf-sidr- Please refer to the Certificate and CRL Profile [RESCERT].
res-certs-01].
7.1. Certificate profile [OMITTED] 7.1. Certificate profile [OMITTED]
7.1.1. Version number(s) [OMITTED] 7.1.1. Version number(s) [OMITTED]
7.1.2. Certificate extensions [OMITTED] 7.1.2. Certificate extensions [OMITTED]
7.1.2.1. Required certificate extensions [OMITTED] 7.1.2.1. Required certificate extensions [OMITTED]
7.1.2.2. Deprecated certificate extensions [OMITTED] 7.1.2.2. Deprecated certificate extensions [OMITTED]
skipping to change at page 45, line 37 skipping to change at page 43, line 37
the PKI entities such as CA, RA, repository, subscriber systems, and the PKI entities such as CA, RA, repository, subscriber systems, and
relying party systems. relying party systems.
11. IANA Considerations 11. IANA Considerations
None. None.
12. Acknowledgments 12. Acknowledgments
The authors would like to thank Geoff Huston for reviewing this The authors would like to thank Geoff Huston for reviewing this
document. document and Matt Houston for his help with the formatting.
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet
X.509 Public Key Infrastructure Certificate and Certificate X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", BCP 14, RFC 2119, March 1997. Revocation List (CRL) Profile", BCP 14, RFC 2119, March 1997.
[RFCxxxx] Seo, K., Watro, R., Kong, D., and Kent, S. , [CP] Seo, K., Watro, R., Kong, D., and Kent, S., "Certificate
"Certificate Policy for the Internet IP Address and AS Number Policy for the Internet IP Address and AS Number PKI", draft-
PKI", RFC xxxx. ietf-sidr-cp, July 2007 (work in progress).
[draft-ietf-sidr-res-certs-01] Huston, G., Loomans, R., [RESCERT] Huston, G., Loomans, R., Michaelson, G., "A Profile for
Michaelson, G., "A Profile for X.509 PKIX Resource X.509 PKIX Resource Certificates", draft-ietf-sidr-res-certs,
Certificates", work in progress, June 19, 2006. June 2007 (work in progress).
13.2. Informative References 13.2. Informative References
[BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4
(BGP-4). IETF RFC 1771, March 1995. (BGP-4). IETF RFC 1771, March 1995.
[FIPS] Federal Information Processing Standards Publication 140-2 [FIPS] Federal Information Processing Standards Publication 140-2
(FIPS PUB 140-2), "Security Requirements for Cryptographic (FIPS PUB 140-2), "Security Requirements for Cryptographic
Modules", Information Technology Laboratory, National Modules", Information Technology Laboratory, National
Institute of Standards and Technology, May 25, 2001. Institute of Standards and Technology, May 25, 2001.
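Review bot: The [RFC3280] entry in 13.1 ends with "BCP 14, RFC 2119, March 1997", which is the tail of the [RFC2119] entry above it and is carried over unchanged into -02. It should cite RFC 3280, April 2002, and the author list needs a comma after "Polk, W.". The new [CP] and [RESCERT] entries also drop the draft revision number (the old entry was keyed to draft-ietf-sidr-res-certs-01), so a reader cannot tell which revision of the policy and profile this CPS template was written against; suggest keeping the version suffix in the citation.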
 End of changes. 46 change blocks. 
264 lines changed or deleted 232 lines changed or added
