| draft-ietf-sidr-cps-irs-01.txt | draft-ietf-sidr-cps-irs-02.txt | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing (sidr) Kong, D. | Secure Inter-Domain Routing (sidr) Kong, D. | |||
| Internet Draft Seo, K. | Internet Draft Seo, K. | |||
| Expires: August 2007 Kent, S. | Expires: January 2008 Kent, S. | |||
| Intended Status: Informational BBN Technologies | Intended Status: Informational BBN Technologies | |||
| February 2007 | ||||
| Template for an | Template for an | |||
| Internet Registry's Certification Practice Statement (CPS) | Internet Registry's Certification Practice Statement (CPS) | |||
| for the Internet IP Address and AS Number (PKI) | for the Internet IP Address and AS Number (PKI) | |||
| draft-ietf-sidr-cps-irs-01.txt | draft-ietf-sidr-cps-irs-02.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that | By submitting this Internet-Draft, each author represents that | |||
| any applicable patent or other IPR claims of which he or she is | any applicable patent or other IPR claims of which he or she is | |||
| aware have been or will be disclosed, and any of which he or she | aware have been or will be disclosed, and any of which he or she | |||
| becomes aware will be disclosed, in accordance with Section 6 of | becomes aware will be disclosed, in accordance with Section 6 of | |||
| BCP 79. | BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 35 | |||
| months and may be updated, replaced, or obsoleted by other documents | months and may be updated, replaced, or obsoleted by other documents | |||
| at any time. It is inappropriate to use Internet-Drafts as | at any time. It is inappropriate to use Internet-Drafts as | |||
| reference material or to cite them other than as "work in progress." | reference material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on July 31, 2007. | This Internet-Draft will expire on January 8, 2008. | |||
| Abstract | Abstract | |||
| This document contains a template to be used for creating a | This document contains a template to be used for creating a | |||
| Certification Practice Statement (CPS) for an Internet Registry | Certification Practice Statement (CPS) for an Internet Registry | |||
| (e.g., NIR or RIR) that is part of the Internet IP Address and | (e.g., NIR or RIR) that is part of the Internet IP Address and | |||
| Autonomous System (AS) Number Public Key Infrastructure (PKI). | Autonomous System (AS) Number Public Key Infrastructure (PKI). | |||
| Conventions used in this document | Conventions used in this document | |||
| skipping to change at page 3, line 22 | skipping to change at page 3, line 22 | |||
| 4.1.2. Enrollment process and responsibilities.............20 | 4.1.2. Enrollment process and responsibilities.............20 | |||
| 4.2. Certificate application processing.......................20 | 4.2. Certificate application processing.......................20 | |||
| 4.2.1. Performing identification and authentication functions | 4.2.1. Performing identification and authentication functions | |||
| ...........................................................20 | ...........................................................20 | |||
| 4.2.2. Approval or rejection of certificate applications...20 | 4.2.2. Approval or rejection of certificate applications...20 | |||
| 4.2.3. Time to process certificate applications............21 | 4.2.3. Time to process certificate applications............21 | |||
| 4.3. Certificate issuance.....................................21 | 4.3. Certificate issuance.....................................21 | |||
| 4.3.1. CA actions during certificate issuance..............21 | 4.3.1. CA actions during certificate issuance..............21 | |||
| 4.3.2. Notification to subscriber by the CA of issuance of | 4.3.2. Notification to subscriber by the CA of issuance of | |||
| certificate................................................21 | certificate................................................21 | |||
| 4.4. Certificate acceptance...................................22 | 4.4. Certificate acceptance...................................21 | |||
| 4.4.1. Conduct constituting certificate acceptance.........22 | 4.4.1. Conduct constituting certificate acceptance.........21 | |||
| 4.4.2. Publication of the certificate by the CA............22 | 4.4.2. Publication of the certificate by the CA............21 | |||
| 4.5. Key pair and certificate usage...........................22 | 4.5. Key pair and certificate usage...........................21 | |||
| 4.5.1. Subscriber private key and certificate usage........22 | 4.5.1. Subscriber private key and certificate usage........22 | |||
| 4.5.2. Relying party public key and certificate usage......22 | 4.5.2. Relying party public key and certificate usage......22 | |||
| 4.6. Certificate renewal......................................23 | 4.6. Certificate renewal......................................22 | |||
| 4.6.1. Circumstance for certificate renewal................23 | 4.6.1. Circumstance for certificate renewal................22 | |||
| 4.6.2. Who may request renewal.............................23 | 4.6.2. Who may request renewal.............................23 | |||
| 4.6.3. Processing certificate renewal requests.............23 | 4.6.3. Processing certificate renewal requests.............23 | |||
| 4.6.4. Notification of new certificate issuance to subscriber | 4.6.4. Notification of new certificate issuance to subscriber | |||
| ...........................................................23 | ...........................................................23 | |||
| 4.6.5. Conduct constituting acceptance of a renewal | 4.6.5. Conduct constituting acceptance of a renewal | |||
| certificate................................................23 | certificate................................................23 | |||
| 4.6.6. Publication of the renewal certificate by the CA....24 | 4.6.6. Publication of the renewal certificate by the CA....23 | |||
| 4.6.7. Notification of certificate issuance by the CA to other | 4.6.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................24 | entities [OMITTED].........................................23 | |||
| 4.7. Certificate re-key.......................................24 | 4.7. Certificate re-key.......................................23 | |||
| 4.7.1. Circumstance for certificate re-key.................24 | 4.7.1. Circumstance for certificate re-key.................23 | |||
| 4.7.2. Who may request certification of a new public key...24 | 4.7.2. Who may request certification of a new public key...24 | |||
| 4.7.3. Processing certificate re-keying requests...........25 | 4.7.3. Processing certificate re-keying requests...........24 | |||
| 4.7.4. Notification of new certificate issuance to subscriber | 4.7.4. Notification of new certificate issuance to subscriber | |||
| ...........................................................25 | ...........................................................24 | |||
| 4.7.5. Conduct constituting acceptance of a re-keyed | 4.7.5. Conduct constituting acceptance of a re-keyed | |||
| certificate................................................25 | certificate................................................24 | |||
| 4.7.6. Publication of the re-keyed certificate by the CA...25 | 4.7.6. Publication of the re-keyed certificate by the CA...24 | |||
| 4.7.7. Notification of certificate issuance by the CA to other | 4.7.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................25 | entities [OMITTED].........................................25 | |||
| 4.8. Certificate modification.................................25 | 4.8. Certificate modification.................................25 | |||
| 4.8.1. Circumstance for certificate modification...........25 | 4.8.1. Circumstance for certificate modification...........25 | |||
| 4.8.2. Who may request certificate modification............26 | 4.8.2. Who may request certificate modification............25 | |||
| 4.8.3. Processing certificate modification requests........26 | 4.8.3. Processing certificate modification requests........25 | |||
| 4.8.4. Notification of modified certificate issuance to | 4.8.4. Notification of modified certificate issuance to | |||
| subscriber.................................................26 | subscriber.................................................26 | |||
| 4.8.5. Conduct constituting acceptance of modified certificate | 4.8.5. Conduct constituting acceptance of modified certificate | |||
| ...........................................................26 | ...........................................................26 | |||
| 4.8.6. Publication of the modified certificate by the CA...26 | 4.8.6. Publication of the modified certificate by the CA...26 | |||
| 4.8.7. Notification of certificate issuance by the CA to other | 4.8.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................26 | entities [OMITTED].........................................26 | |||
| 4.9. Certificate revocation and suspension....................27 | 4.9. Certificate revocation and suspension....................26 | |||
| 4.9.1. Circumstances for revocation........................27 | 4.9.1. Circumstances for revocation........................26 | |||
| 4.9.2. Who can request revocation..........................27 | 4.9.2. Who can request revocation..........................26 | |||
| 4.9.3. Procedure for revocation request....................27 | 4.9.3. Procedure for revocation request....................26 | |||
| 4.9.4. Revocation request grace period.....................27 | 4.9.4. Revocation request grace period.....................27 | |||
| 4.9.5. Time within which CA must process the revocation | 4.9.5. Time within which CA must process the revocation | |||
| request....................................................27 | request....................................................27 | |||
| 4.9.6. Revocation checking requirement for relying parties.27 | 4.9.6. Revocation checking requirement for relying parties.27 | |||
| 4.9.7. CRL issuance frequency..............................28 | 4.9.7. CRL issuance frequency..............................27 | |||
| 4.9.8. Maximum latency for CRLs............................28 | 4.9.8. Maximum latency for CRLs............................27 | |||
| 4.9.9. On-line revocation/status checking availability | 4.9.9. On-line revocation/status checking availability | |||
| [OMITTED]..................................................28 | [OMITTED]..................................................28 | |||
| 4.9.10. On-line revocation checking requirements [OMITTED].28 | 4.9.10. On-line revocation checking requirements [OMITTED].28 | |||
| 4.9.11. Other forms of revocation advertisements available | 4.9.11. Other forms of revocation advertisements available | |||
| [OMITTED]..................................................28 | [OMITTED]..................................................28 | |||
| 4.9.12. Special requirements re key compromise [OMITTED]...28 | 4.9.12. Special requirements re key compromise [OMITTED]...28 | |||
| 4.9.13. Circumstances for suspension [OMITTED].............28 | 4.9.13. Circumstances for suspension [OMITTED].............28 | |||
| 4.9.14. Who can request suspension [OMITTED]...............28 | 4.9.14. Who can request suspension [OMITTED]...............28 | |||
| 4.9.15. Procedure for suspension request [OMITTED].........28 | 4.9.15. Procedure for suspension request [OMITTED].........28 | |||
| 4.9.16. Limits on suspension period [OMITTED]..............28 | 4.9.16. Limits on suspension period [OMITTED]..............28 | |||
| 4.10. Certificate status services.............................28 | 4.10. Certificate status services.............................28 | |||
| 4.10.1. Operational characteristics [OMITTED]..............29 | 4.10.1. Operational characteristics [OMITTED]..............28 | |||
| 4.10.2. Service availability [OMITTED].....................29 | 4.10.2. Service availability [OMITTED].....................28 | |||
| 4.10.3. Optional features [OMITTED]........................29 | 4.10.3. Optional features [OMITTED]........................28 | |||
| 4.11. End of subscription [OMITTED]...........................29 | 4.11. End of subscription [OMITTED]...........................28 | |||
| 4.12. Key escrow and recovery [OMITTED].......................29 | 4.12. Key escrow and recovery [OMITTED].......................28 | |||
| 4.12.1. Key escrow and recovery policy and practices [OMITTED] | 4.12.1. Key escrow and recovery policy and practices [OMITTED] | |||
| ...........................................................29 | ...........................................................28 | |||
| 4.12.2. Session key encapsulation and recovery policy and | 4.12.2. Session key encapsulation and recovery policy and | |||
| practices [OMITTED]........................................29 | practices [OMITTED]........................................28 | |||
| 5. Facility, Management, And Operational Controls................30 | 5. Facility, Management, And Operational Controls................29 | |||
| 5.1. Physical controls........................................30 | 5.1. Physical controls........................................29 | |||
| 5.1.1. Site location and construction......................30 | 5.1.1. Site location and construction......................29 | |||
| 5.1.2. Physical access.....................................30 | 5.1.2. Physical access.....................................29 | |||
| 5.1.3. Power and air conditioning..........................30 | 5.1.3. Power and air conditioning..........................29 | |||
| 5.1.4. Water exposures.....................................30 | 5.1.4. Water exposures.....................................29 | |||
| 5.1.5. Fire prevention and protection......................30 | 5.1.5. Fire prevention and protection......................29 | |||
| 5.1.6. Media storage.......................................30 | 5.1.6. Media storage.......................................29 | |||
| 5.1.7. Waste disposal......................................30 | 5.1.7. Waste disposal......................................29 | |||
| 5.1.8. Off-site backup.....................................30 | 5.1.8. Off-site backup.....................................29 | |||
| 5.2. Procedural controls......................................30 | 5.2. Procedural controls......................................29 | |||
| 5.2.1. Trusted roles.......................................30 | 5.2.1. Trusted roles.......................................29 | |||
| 5.2.2. Number of persons required per task.................30 | 5.2.2. Number of persons required per task.................29 | |||
| 5.2.3. Identification and authentication for each role.....30 | 5.2.3. Identification and authentication for each role.....29 | |||
| 5.2.4. Roles requiring separation of duties................30 | 5.2.4. Roles requiring separation of duties................29 | |||
| 5.3. Personnel controls.......................................30 | 5.3. Personnel controls.......................................29 | |||
| 5.3.1. Qualifications, experience, and clearance requirements | 5.3.1. Qualifications, experience, and clearance requirements | |||
| ...........................................................31 | ...........................................................30 | |||
| 5.3.2. Background check procedures.........................31 | 5.3.2. Background check procedures.........................30 | |||
| 5.3.3. Training requirements...............................31 | 5.3.3. Training requirements...............................30 | |||
| 5.3.4. Retraining frequency and requirements...............31 | 5.3.4. Retraining frequency and requirements...............30 | |||
| 5.3.5. Job rotation frequency and sequence.................31 | 5.3.5. Job rotation frequency and sequence.................30 | |||
| 5.3.6. Sanctions for unauthorized actions..................31 | 5.3.6. Sanctions for unauthorized actions..................30 | |||
| 5.3.7. Independent contractor requirements.................31 | 5.3.7. Independent contractor requirements.................30 | |||
| 5.3.8. Documentation supplied to personnel.................31 | 5.3.8. Documentation supplied to personnel.................30 | |||
| 5.4. Audit logging procedures.................................31 | 5.4. Audit logging procedures.................................30 | |||
| 5.4.1. Types of events recorded............................31 | 5.4.1. Types of events recorded............................30 | |||
| 5.4.2. Frequency of processing log.........................31 | 5.4.2. Frequency of processing log.........................30 | |||
| 5.4.3. Retention period for audit log......................31 | 5.4.3. Retention period for audit log......................30 | |||
| 5.4.4. Protection of audit log.............................32 | 5.4.4. Protection of audit log.............................31 | |||
| 5.4.5. Audit log backup procedures.........................32 | 5.4.5. Audit log backup procedures.........................31 | |||
| 5.4.6. Audit collection system (internal vs. external) | 5.4.6. Audit collection system (internal vs. external) | |||
| [OMITTED]..................................................32 | [OMITTED]..................................................31 | |||
| 5.4.7. Notification to event-causing subject [OMITTED].....32 | 5.4.7. Notification to event-causing subject [OMITTED].....31 | |||
| 5.4.8. Vulnerability assessments...........................32 | 5.4.8. Vulnerability assessments...........................31 | |||
| 5.5. Records archival [OMITTED]...............................32 | 5.5. Records archival [OMITTED]...............................31 | |||
| 5.5.1. Types of records archived [OMITTED].................32 | 5.5.1. Types of records archived [OMITTED].................31 | |||
| 5.5.2. Retention period for archive [OMITTED]..............32 | 5.5.2. Retention period for archive [OMITTED]..............31 | |||
| 5.5.3. Protection of archive [OMITTED].....................32 | 5.5.3. Protection of archive [OMITTED].....................31 | |||
| 5.5.4. Archive backup procedures [OMITTED].................32 | 5.5.4. Archive backup procedures [OMITTED].................31 | |||
| 5.5.5. Requirements for time-stamping of records [OMITTED].32 | 5.5.5. Requirements for time-stamping of records [OMITTED].31 | |||
| 5.5.6. Archive collection system (internal or external) | 5.5.6. Archive collection system (internal or external) | |||
| [OMITTED]..................................................32 | [OMITTED]..................................................31 | |||
| 5.5.7. Procedures to obtain and verify archive information | 5.5.7. Procedures to obtain and verify archive information | |||
| [OMITTED]..................................................32 | [OMITTED]..................................................31 | |||
| 5.6. Key changeover...........................................32 | 5.6. Key changeover...........................................31 | |||
| 5.7. Compromise and disaster recovery [OMITTED]...............33 | 5.7. Compromise and disaster recovery [OMITTED]...............32 | |||
| 5.7.1. Incident and compromise handling procedures [OMITTED]33 | 5.7.1. Incident and compromise handling procedures [OMITTED]32 | |||
| 5.7.2. Computing resources, software, and/or data are | 5.7.2. Computing resources, software, and/or data are | |||
| corrupted [OMITTED]........................................33 | corrupted [OMITTED]........................................32 | |||
| 5.7.3. Entity private key compromise procedures [OMITTED]..33 | 5.7.3. Entity private key compromise procedures [OMITTED]..32 | |||
| 5.7.4. Business continuity capabilities after a disaster | 5.7.4. Business continuity capabilities after a disaster | |||
| [OMITTED]..................................................33 | [OMITTED]..................................................32 | |||
| 5.8. CA or RA termination.....................................33 | 5.8. CA or RA termination.....................................32 | |||
| 6. Technical Security Controls...................................34 | 6. Technical Security Controls...................................33 | |||
| 6.1. Key pair generation and installation.....................34 | 6.1. Key pair generation and installation.....................33 | |||
| 6.1.1. Key pair generation.................................34 | 6.1.1. Key pair generation.................................33 | |||
| 6.1.2. Private key delivery to subscriber..................34 | 6.1.2. Private key delivery to subscriber..................33 | |||
| 6.1.3. Public key delivery to certificate issuer...........34 | 6.1.3. Public key delivery to certificate issuer...........33 | |||
| 6.1.4. CA public key delivery to relying parties...........34 | 6.1.4. CA public key delivery to relying parties...........33 | |||
| 6.1.5. Key sizes...........................................35 | 6.1.5. Key sizes...........................................34 | |||
| 6.1.6. Public key parameters generation and quality checking35 | 6.1.6. Public key parameters generation and quality checking34 | |||
| 6.1.7. Key usage purposes (as per X.509 v3 key usage field)35 | 6.1.7. Key usage purposes (as per X.509 v3 key usage field)34 | |||
| 6.2. Private Key Protection and Cryptographic Module Engineering | 6.2. Private Key Protection and Cryptographic Module Engineering | |||
| Controls......................................................35 | Controls......................................................34 | |||
| 6.2.1. Cryptographic module standards and controls.........35 | 6.2.1. Cryptographic module standards and controls.........34 | |||
| 6.2.2. Private key (n out of m) multi-person control.......35 | 6.2.2. Private key (n out of m) multi-person control.......34 | |||
| 6.2.3. Private key escrow..................................35 | 6.2.3. Private key escrow..................................34 | |||
| 6.2.4. Private key backup..................................36 | 6.2.4. Private key backup..................................35 | |||
| 6.2.5. Private key archival................................36 | 6.2.5. Private key archival................................35 | |||
| 6.2.6. Private key transfer into or from a cryptographic | 6.2.6. Private key transfer into or from a cryptographic | |||
| module.....................................................36 | module.....................................................35 | |||
| 6.2.7. Private key storage on cryptographic module.........36 | 6.2.7. Private key storage on cryptographic module.........35 | |||
| 6.2.8. Method of activating private key....................36 | 6.2.8. Method of activating private key....................35 | |||
| 6.2.9. Method of deactivating private key..................36 | 6.2.9. Method of deactivating private key..................35 | |||
| 6.2.10. Method of destroying private key...................36 | 6.2.10. Method of destroying private key...................35 | |||
| 6.2.11. Cryptographic Module Rating........................36 | 6.2.11. Cryptographic Module Rating........................35 | |||
| 6.3. Other aspects of key pair management.....................37 | 6.3. Other aspects of key pair management.....................36 | |||
| 6.3.1. Public key archival.................................37 | 6.3.1. Public key archival.................................36 | |||
| 6.3.2. Certificate operational periods and key pair usage | 6.3.2. Certificate operational periods and key pair usage | |||
| periods....................................................37 | periods....................................................36 | |||
| 6.4. Activation data..........................................37 | 6.4. Activation data..........................................36 | |||
| 6.4.1. Activation data generation and installation.........37 | 6.4.1. Activation data generation and installation.........36 | |||
| 6.4.2. Activation data protection..........................37 | 6.4.2. Activation data protection..........................36 | |||
| 6.4.3. Other aspects of activation data....................37 | 6.4.3. Other aspects of activation data....................36 | |||
| 6.5. Computer security controls...............................37 | 6.5. Computer security controls...............................36 | |||
| 6.5.1. Specific computer security technical requirement....37 | 6.5.1. Specific computer security technical requirement....36 | |||
| 6.5.2. Computer security rating [OMITTED]..................38 | 6.5.2. Computer security rating [OMITTED]..................37 | |||
| 6.6. Life cycle technical controls............................38 | 6.6. Life cycle technical controls............................37 | |||
| 6.6.1. System development controls.........................38 | 6.6.1. System development controls.........................37 | |||
| 6.6.2. Security management controls........................38 | 6.6.2. Security management controls........................37 | |||
| 6.6.3. Life cycle security controls........................38 | 6.6.3. Life cycle security controls........................37 | |||
| 6.7. Network security controls................................38 | 6.7. Network security controls................................37 | |||
| 6.8. Time-stamping............................................38 | 6.8. Time-stamping............................................37 | |||
| 7. Certificate and CRL Profiles..................................39 | 7. Certificate and CRL Profiles..................................38 | |||
| Please refer to the Certificate and CRL Profile [draft-ietf-sidr- | Please refer to the Certificate and CRL Profile [draft-ietf-sidr- | |||
| res-certs-01].................................................39 | res-certs-01].................................................38 | |||
| 7.1. Certificate profile [OMITTED]............................39 | 7.1. Certificate profile [OMITTED]............................38 | |||
| 7.1.1. Version number(s) [OMITTED].........................39 | 7.1.1. Version number(s) [OMITTED].........................38 | |||
| 7.1.2. Certificate extensions [OMITTED]....................39 | 7.1.2. Certificate extensions [OMITTED]....................38 | |||
| 7.1.3. Algorithm object identifiers [OMITTED]..............39 | 7.1.3. Algorithm object identifiers [OMITTED]..............38 | |||
| 7.1.4. Name forms [OMITTED]................................39 | 7.1.4. Name forms [OMITTED]................................38 | |||
| 7.1.5. Name constraints [OMITTED]..........................39 | 7.1.5. Name constraints [OMITTED]..........................38 | |||
| 7.1.6. Certificate policy object identifier [OMITTED]......39 | 7.1.6. Certificate policy object identifier [OMITTED]......38 | |||
| 7.1.7. Usage of Policy Constraints extension [OMITTED].....39 | 7.1.7. Usage of Policy Constraints extension [OMITTED].....38 | |||
| 7.1.8. Policy qualifiers syntax and semantics [OMITTED]....39 | 7.1.8. Policy qualifiers syntax and semantics [OMITTED]....38 | |||
| 7.1.9. Processing semantics for the critical Certificate | 7.1.9. Processing semantics for the critical Certificate | |||
| Policies extension [OMITTED]...............................39 | Policies extension [OMITTED]...............................38 | |||
| 7.2. CRL profile [OMITTED]....................................39 | 7.2. CRL profile [OMITTED]....................................38 | |||
| 7.2.1. Version number(s) [OMITTED].........................39 | 7.2.1. Version number(s) [OMITTED].........................38 | |||
| 7.2.2. CRL and CRL entry extensions [OMITTED]..............39 | 7.2.2. CRL and CRL entry extensions [OMITTED]..............38 | |||
| 7.3. OCSP profile [OMITTED]...................................39 | 7.3. OCSP profile [OMITTED]...................................38 | |||
| 7.3.1. Version number(s) [OMITTED].........................39 | 7.3.1. Version number(s) [OMITTED].........................38 | |||
| 7.3.2. OCSP extensions [OMITTED]...........................40 | 7.3.2. OCSP extensions [OMITTED]...........................38 | |||
| 8. Compliance Audit and Other Assessments........................41 | 8. Compliance Audit and Other Assessments........................39 | |||
| 8.1. Frequency or circumstances of assessment.................41 | 8.1. Frequency or circumstances of assessment.................39 | |||
| 8.2. Identity/qualifications of assessor......................41 | 8.2. Identity/qualifications of assessor......................39 | |||
| 8.3. Assessor's relationship to assessed entity...............41 | 8.3. Assessor's relationship to assessed entity...............39 | |||
| 8.4. Topics covered by assessment.............................41 | 8.4. Topics covered by assessment.............................39 | |||
| 8.5. Actions taken as a result of deficiency..................41 | 8.5. Actions taken as a result of deficiency..................39 | |||
| 8.6. Communication of results.................................41 | 8.6. Communication of results.................................39 | |||
| 9. Other Business And Legal Matters..............................42 | 9. Other Business And Legal Matters..............................40 | |||
| 9.1. Fees.....................................................42 | 9.1. Fees.....................................................40 | |||
| 9.1.1. Certificate issuance or renewal fees................42 | 9.1.1. Certificate issuance or renewal fees................40 | |||
| 9.1.2. Fees for other services (if applicable).............42 | 9.1.2. Fees for other services (if applicable).............40 | |||
| 9.1.3. Refund policy.......................................42 | 9.1.3. Refund policy.......................................40 | |||
| 9.2. Financial responsibility.................................42 | 9.2. Financial responsibility.................................40 | |||
| 9.2.1. Insurance coverage..................................42 | 9.2.1. Insurance coverage..................................40 | |||
| 9.2.2. Other assets........................................42 | 9.2.2. Other assets........................................40 | |||
| 9.2.3. Insurance or warranty coverage for end-entities.....42 | 9.2.3. Insurance or warranty coverage for end-entities.....40 | |||
| 9.3. Confidentiality of business information..................42 | 9.3. Confidentiality of business information..................40 | |||
| 9.3.1. Scope of confidential information...................42 | 9.3.1. Scope of confidential information...................40 | |||
| 9.3.2. Information not within the scope of confidential | 9.3.2. Information not within the scope of confidential | |||
| information................................................42 | information................................................40 | |||
| 9.3.3. Responsibility to protect confidential information..42 | 9.3.3. Responsibility to protect confidential information..40 | |||
| 9.4. Privacy of personal information..........................42 | 9.4. Privacy of personal information..........................40 | |||
| 9.4.1. Privacy plan........................................42 | 9.4.1. Privacy plan........................................40 | |||
| 9.4.2. Information treated as private......................42 | 9.4.2. Information treated as private......................40 | |||
| 9.4.3. Information not deemed private......................42 | 9.4.3. Information not deemed private......................40 | |||
| 9.4.4. Responsibility to protect private information.......42 | 9.4.4. Responsibility to protect private information.......40 | |||
| 9.4.5. Notice and consent to use private information.......42 | 9.4.5. Notice and consent to use private information.......40 | |||
| 9.4.6. Disclosure pursuant to judicial or administrative | 9.4.6. Disclosure pursuant to judicial or administrative | |||
| process....................................................43 | process....................................................41 | |||
| 9.4.7. Other information disclosure circumstances..........43 | 9.4.7. Other information disclosure circumstances..........41 | |||
| 9.5. Intellectual property rights (if applicable).............43 | 9.5. Intellectual property rights (if applicable).............41 | |||
| 9.6. Representations and warranties...........................43 | 9.6. Representations and warranties...........................41 | |||
| 9.6.1. CA representations and warranties...................43 | 9.6.1. CA representations and warranties...................41 | |||
| 9.6.2. Subscriber representations and warranties...........43 | 9.6.2. Subscriber representations and warranties...........41 | |||
| 9.6.3. Relying party representations and warranties........43 | 9.6.3. Relying party representations and warranties........41 | |||
| 9.6.4. Representations and warranties of other participants | 9.6.4. Representations and warranties of other participants | |||
| [OMITTED]..................................................43 | [OMITTED]..................................................41 | |||
| 9.7. Disclaimers of warranties................................43 | 9.7. Disclaimers of warranties................................41 | |||
| 9.8. Limitations of liability.................................43 | 9.8. Limitations of liability.................................41 | |||
| 9.9. Indemnities..............................................43 | 9.9. Indemnities..............................................41 | |||
| 9.10. Term and termination....................................43 | 9.10. Term and termination....................................41 | |||
| 9.10.1. Term...............................................43 | 9.10.1. Term...............................................41 | |||
| 9.10.2. Termination........................................43 | 9.10.2. Termination........................................41 | |||
| 9.10.3. Effect of termination and survival.................43 | 9.10.3. Effect of termination and survival.................41 | |||
| 9.11. Individual notices and communications with participants.43 | 9.11. Individual notices and communications with participants.41 | |||
| 9.12. Amendments..............................................43 | 9.12. Amendments..............................................41 | |||
| 9.12.1. Procedure for amendment............................43 | 9.12.1. Procedure for amendment............................41 | |||
| 9.12.2. Notification mechanism and period..................43 | 9.12.2. Notification mechanism and period..................41 | |||
| 9.12.3. Circumstances under which OID must be changed | 9.12.3. Circumstances under which OID must be changed | |||
| [OMITTED]..................................................43 | [OMITTED]..................................................41 | |||
| 9.13. Dispute resolution provisions...........................43 | 9.13. Dispute resolution provisions...........................41 | |||
| 9.14. Governing law...........................................43 | 9.14. Governing law...........................................41 | |||
| 9.15. Compliance with applicable law..........................43 | 9.15. Compliance with applicable law..........................41 | |||
| 9.16. Miscellaneous provisions................................43 | 9.16. Miscellaneous provisions................................41 | |||
| 9.16.1. Entire agreement...................................44 | 9.16.1. Entire agreement...................................42 | |||
| 9.16.2. Assignment.........................................44 | 9.16.2. Assignment.........................................42 | |||
| 9.16.3. Severability.......................................44 | 9.16.3. Severability.......................................42 | |||
| 9.16.4. Enforcement (attorneys' fees and waiver of rights).44 | 9.16.4. Enforcement (attorneys' fees and waiver of rights).42 | |||
| 9.16.5. Force Majeure......................................44 | 9.16.5. Force Majeure......................................42 | |||
| 9.17. Other provisions [OMITTED]..............................44 | 9.17. Other provisions [OMITTED]..............................42 | |||
| 10. Security Considerations......................................45 | 10. Security Considerations......................................43 | |||
| 11. IANA Considerations..........................................45 | 11. IANA Considerations..........................................43 | |||
| 12. Acknowledgments..............................................45 | 12. Acknowledgments..............................................43 | |||
| 13. References...................................................45 | 13. References...................................................43 | |||
| 13.1. Normative References....................................45 | 13.1. Normative References....................................43 | |||
| 13.2. Informative References..................................46 | 13.2. Informative References..................................44 | |||
| Author's Addresses...............................................46 | Author's Addresses...............................................44 | |||
| Intellectual Property Statement..................................47 | Intellectual Property Statement..................................45 | |||
| Disclaimer of Validity...........................................47 | Disclaimer of Validity...........................................45 | |||
| Copyright Statement..............................................47 | Copyright Statement..............................................45 | |||
| Preface | Preface | |||
| This document contains a template to be used for creating a | This document contains a template to be used for creating a | |||
| Certification Practice Statement (CPS) for an Internet Registry | Certification Practice Statement (CPS) for an Internet Registry | |||
| (e.g., an NIR or RIR) that is part of the Internet IP Address and | (e.g., an NIR or RIR) that is part of the Internet IP Address and | |||
| Autonomous System (AS) Number Public Key Infrastructure (PKI). The | Autonomous System (AS) Number Public Key Infrastructure (PKI). The | |||
| user of this document should | user of this document should | |||
| 1. substitute a title page for page 1 saying, e.g., "<Name of | 1. substitute a title page for page 1 saying, e.g., "<Name of | |||
| skipping to change at page 9, line 33 | skipping to change at page 9, line 33 | |||
| in the Introduction below. This information should be left in the | in the Introduction below. This information should be left in the | |||
| CPS as an explanation to the user. | CPS as an explanation to the user. | |||
| 1. Introduction | 1. Introduction | |||
| This document is the Certification Practice Statement (CPS) of <Name | This document is the Certification Practice Statement (CPS) of <Name | |||
| of Registry>. It describes the practices employed by the <Name of | of Registry>. It describes the practices employed by the <Name of | |||
| Registry> Certification Authority (CA) in the Internet IP Address | Registry> Certification Authority (CA) in the Internet IP Address | |||
| and Autonomous System (AS) Number PKI. These practices are defined | and Autonomous System (AS) Number PKI. These practices are defined | |||
| in accordance with the requirements of the Certificate Policy (CP, | in accordance with the requirements of the Certificate Policy (CP, | |||
| [RFCxxxx]) of this PKI. | [CP]) of this PKI. | |||
| The Internet IP Address and AS Number PKI is aimed at supporting | The Internet IP Address and AS Number PKI is aimed at supporting | |||
| verifiable attestations about resource controls, e.g., for improved | verifiable attestations about resource controls, e.g., for improved | |||
| routing security. The goal is that each entity that allocates IP | routing security. The goal is that each entity that allocates IP | |||
| addresses or AS numbers to an entity will, in parallel, issue a | addresses or AS numbers to an entity will, in parallel, issue a | |||
| certificate reflecting this allocation. These certificates will | certificate reflecting this allocation. These certificates will | |||
| enable verification that the holder of the associated private key | enable verification that the holder of the associated private key | |||
| has been allocated the resources indicated in the certificate, and | has been allocated the resources indicated in the certificate, and | |||
| is the current, unique holder of these resources. The certificates | is the current, unique holder of these resources. The certificates | |||
| and CRLs, in conjunction with ancillary digitally signed data | and CRLs, in conjunction with ancillary digitally signed data | |||
| skipping to change at page 15, line 31 | skipping to change at page 15, line 31 | |||
| 2.3. Time or Frequency of Publication | 2.3. Time or Frequency of Publication | |||
| <Describe here your procedures for publication (via the repository) | <Describe here your procedures for publication (via the repository) | |||
| of the certificates and CRLs that you issue. If you choose to | of the certificates and CRLs that you issue. If you choose to | |||
| outsource publication of PKI data, you still need to provide this | outsource publication of PKI data, you still need to provide this | |||
| information for relying parties.> | information for relying parties.> | |||
| As per the CP, the following standards exist for publication times | As per the CP, the following standards exist for publication times | |||
| and frequency: | and frequency: | |||
| A certificate will be published within 24 hours after a CA has | A certificate will be published within 24 hours after issuance. | |||
| received acknowledgement from the subject of the certificate that | ||||
| the certificate is accurate. | ||||
| The <Name of Registry> CA will publish its CRL prior to the | The <Name of Registry> CA will publish its CRL prior to the | |||
| nextScheduledUpdate value in the scheduled CRL previously issued by | nextScheduledUpdate value in the scheduled CRL previously issued by | |||
| the CA. Within 24 hours of effecting revocation, the CA will publish | the CA. Within 24 hours of effecting revocation, the CA will publish | |||
| a CRL with an entry for the revoked certificate. | a CRL with an entry for the revoked certificate. | |||
| 2.4. Access controls on repositories | 2.4. Access controls on repositories | |||
| Access to the repository system, for modification of entries, must | Access to the repository system, for modification of entries, must | |||
| be controlled to prevent denial of service attacks. All data | be controlled to prevent denial of service attacks. All data | |||
| skipping to change at page 21, line 19 | skipping to change at page 21, line 19 | |||
| 4.2.3. Time to process certificate applications | 4.2.3. Time to process certificate applications | |||
| <You may declare here your expected time frame for processing | <You may declare here your expected time frame for processing | |||
| certificate applications.> | certificate applications.> | |||
| 4.3. Certificate issuance | 4.3. Certificate issuance | |||
| 4.3.1. CA actions during certificate issuance | 4.3.1. CA actions during certificate issuance | |||
| <Describe in this section the following (referring to subsequent | <Describe in this section your procedures for issuance of a | |||
| sections as appropriate): | certificate.> | |||
| Procedures for generation of a draft certificate and form of the | ||||
| draft. Typically a draft certificate is a complete certificate | ||||
| except for the issuer's signature. | ||||
| Procedure for making the draft available to the applicant for | ||||
| review. For example, you may directly transmit the draft certificate | ||||
| to the subscriber (applying PKCS #7 or other defined syntax). | ||||
| Alternatively, you might establish a repository where draft | ||||
| certificates can be examined. | ||||
| Procedure for subscriber approval/rejection of the draft (Section | ||||
| 4.4.1) | ||||
| If the draft is approved, procedure for finalization of the draft | ||||
| and subsequent publication (Section 4.4.2) | ||||
| If the draft is rejected, procedure for modification of the rejected | ||||
| certificate (Section 4.8 might be useful) or submission of a new | ||||
| certificate request.> | ||||
| 4.3.2. Notification to subscriber by the CA of issuance of certificate | 4.3.2. Notification to subscriber by the CA of issuance of certificate | |||
| <Describe your procedure for notification of a subscriber when a | <Describe your procedure for notification of a subscriber when a a | |||
| draft certificate is ready for review.> | certificate has been issued.> | |||
| Notification of certificate issuance by the CA to other entities | 4.3.3. Notification of certificate issuance by the CA to other entities | |||
| [OMITTED> | [OMITTED] | |||
| 4.4. Certificate acceptance | 4.4. Certificate acceptance | |||
| 4.4.1. Conduct constituting certificate acceptance | 4.4.1. Conduct constituting certificate acceptance | |||
| When a draft certificate is generated and the subscriber is | When a certificate is issued, the CA will place it in the repository | |||
| notified, it is required that the subscriber review the proposed | and notify the subscriber. This will be done without subscriber | |||
| certificate and either approve or reject it within <X - This should | review and acceptance. | |||
| be 30 or fewer as per the CP> days. <Describe what constitutes | ||||
| acceptance or rejection from the certificate applicant.> | ||||
| If a certificate remains unprocessed by the requester after <X> | ||||
| days, <Describe your policy for handling certificates that have not | ||||
| been acknowledged (either positively or negatively) after X days. | ||||
| For example, at your option, you may either cancel the certificate | ||||
| or finalize it and place it in the repository.> | ||||
| 4.4.2. Publication of the certificate by the CA | 4.4.2. Publication of the certificate by the CA | |||
| Certificates will be published in the Repository system once | Certificates will be published in the Repository system once issued | |||
| approved. <Describe your procedures for publication of the approved | following the conduct described in 4.4.1. <Describe your procedures | |||
| certificate.> | for publication of the approved certificate.> | |||
| 4.5. Key pair and certificate usage | 4.5. Key pair and certificate usage | |||
| A summary of the use model for the IP Address and AS Number PKI is | A summary of the use model for the IP Address and AS Number PKI is | |||
| provided below. | provided below. | |||
| 4.5.1. Subscriber private key and certificate usage | 4.5.1. Subscriber private key and certificate usage | |||
| The certificates issued by this registry to resource holders are CA | The certificates issued by this registry to resource holders are CA | |||
| certificates. The private key associated with each of these | certificates. The private key associated with each of these | |||
| skipping to change at page 23, line 49 | skipping to change at page 23, line 25 | |||
| This must include verification that the certificate in question has | This must include verification that the certificate in question has | |||
| not been revoked.> | not been revoked.> | |||
| 4.6.4. Notification of new certificate issuance to subscriber | 4.6.4. Notification of new certificate issuance to subscriber | |||
| <Describe your procedure for notification of new certificate | <Describe your procedure for notification of new certificate | |||
| issuance to the subscriber. This should be consistent with 4.3.2.> | issuance to the subscriber. This should be consistent with 4.3.2.> | |||
| 4.6.5. Conduct constituting acceptance of a renewal certificate | 4.6.5. Conduct constituting acceptance of a renewal certificate | |||
| <Describe your definition of what constitutes acceptance of a | When a renewal certificate is issued, the CA will place it in the | |||
| renewed certificate. This should be consistent with 4.4.1.> | repository and notify the subscriber. This will be done without | |||
| subscriber review and acceptance. | ||||
| 4.6.6. Publication of the renewal certificate by the CA | 4.6.6. Publication of the renewal certificate by the CA | |||
| <Describe your policy and procedures for publication of a renewed | <Describe your policy and procedures for publication of a renewed | |||
| certificate. This should be consistent with 4.4.2.> | certificate. This should be consistent with 4.4.2.> | |||
| 4.6.7. Notification of certificate issuance by the CA to other entities | 4.6.7. Notification of certificate issuance by the CA to other entities | |||
| [OMITTED] | [OMITTED] | |||
| 4.7. Certificate re-key | 4.7. Certificate re-key | |||
| skipping to change at page 25, line 20 | skipping to change at page 24, line 41 | |||
| 4.7.4. Notification of new certificate issuance to subscriber | 4.7.4. Notification of new certificate issuance to subscriber | |||
| <Describe your policy regarding notifying the subscriber re: | <Describe your policy regarding notifying the subscriber re: | |||
| availability of the new certificate. This should be consistent with | availability of the new certificate. This should be consistent with | |||
| the notification process for any new certificate issuance (see | the notification process for any new certificate issuance (see | |||
| section 4.3.2).> | section 4.3.2).> | |||
| 4.7.5. Conduct constituting acceptance of a re-keyed certificate | 4.7.5. Conduct constituting acceptance of a re-keyed certificate | |||
| <Describe your policy regarding acceptance of the new certificate by | When a re-keyed certificate is issued, the CA will place it in the | |||
| the subscriber. This should be consistent with the acceptance | repository and notify the subscriber. This will be done without | |||
| process for any new certificate (see section 4.4.1).> | subscriber review and acceptance. | |||
| 4.7.6. Publication of the re-keyed certificate by the CA | 4.7.6. Publication of the re-keyed certificate by the CA | |||
| <Describe your policy regarding publication of the new certificate. | <Describe your policy regarding publication of the new certificate. | |||
| This should be consistent with the publication process for any new | This should be consistent with the publication process for any new | |||
| certificate (see section 4.4.2).> | certificate (see section 4.4.2).> | |||
| 4.7.7. Notification of certificate issuance by the CA to other entities | 4.7.7. Notification of certificate issuance by the CA to other entities | |||
| [OMITTED] | [OMITTED] | |||
| skipping to change at page 26, line 36 | skipping to change at page 26, line 13 | |||
| and 4.3.1.> | and 4.3.1.> | |||
| 4.8.4. Notification of modified certificate issuance to subscriber | 4.8.4. Notification of modified certificate issuance to subscriber | |||
| <Describe your procedure for notification of issuance of a modified | <Describe your procedure for notification of issuance of a modified | |||
| certificate. This should be consistent with the notification | certificate. This should be consistent with the notification | |||
| process for any new certificate (see section 4.3.2).> | process for any new certificate (see section 4.3.2).> | |||
| 4.8.5. Conduct constituting acceptance of modified certificate | 4.8.5. Conduct constituting acceptance of modified certificate | |||
| <Describe your criteria for acceptance of a modified certificate. | When a modified certificate is issued, the CA will place it in the | |||
| This should be consistent with the acceptance process for any new | repository and notify the subscriber. This will be done without | |||
| certificate (see section 4.4.1).> | subscriber review and acceptance. | |||
| 4.8.6. Publication of the modified certificate by the CA | 4.8.6. Publication of the modified certificate by the CA | |||
| <Describe your procedure for publication of a modified certificate. | <Describe your procedure for publication of a modified certificate. | |||
| This should be consistent with the publication process for any new | This should be consistent with the publication process for any new | |||
| certificate (see section 4.4.2).> | certificate (see section 4.4.2).> | |||
| 4.8.7. Notification of certificate issuance by the CA to other entities | 4.8.7. Notification of certificate issuance by the CA to other entities | |||
| [OMITTED] | [OMITTED] | |||
| skipping to change at page 39, line 7 | skipping to change at page 38, line 7 | |||
| operation. These should be commensurate with the network security | operation. These should be commensurate with the network security | |||
| controls employed for the computers used for managing allocation of | controls employed for the computers used for managing allocation of | |||
| IP addresses and AS numbers.> | IP addresses and AS numbers.> | |||
| 6.8. Time-stamping | 6.8. Time-stamping | |||
| The PKI in question does not make use of time stamping. | The PKI in question does not make use of time stamping. | |||
| 7. Certificate and CRL Profiles | 7. Certificate and CRL Profiles | |||
| Please refer to the Certificate and CRL Profile [draft-ietf-sidr- | Please refer to the Certificate and CRL Profile [RESCERT]. | |||
| res-certs-01]. | ||||
| 7.1. Certificate profile [OMITTED] | 7.1. Certificate profile [OMITTED] | |||
| 7.1.1. Version number(s) [OMITTED] | 7.1.1. Version number(s) [OMITTED] | |||
| 7.1.2. Certificate extensions [OMITTED] | 7.1.2. Certificate extensions [OMITTED] | |||
| 7.1.2.1. Required certificate extensions [OMITTED] | 7.1.2.1. Required certificate extensions [OMITTED] | |||
| 7.1.2.2. Deprecated certificate extensions [OMITTED] | 7.1.2.2. Deprecated certificate extensions [OMITTED] | |||
| skipping to change at page 45, line 37 | skipping to change at page 43, line 37 | |||
| the PKI entities such as CA, RA, repository, subscriber systems, and | the PKI entities such as CA, RA, repository, subscriber systems, and | |||
| relying party systems. | relying party systems. | |||
| 11. IANA Considerations | 11. IANA Considerations | |||
| None. | None. | |||
| 12. Acknowledgments | 12. Acknowledgments | |||
| The authors would like to thank Geoff Huston for reviewing this | The authors would like to thank Geoff Huston for reviewing this | |||
| document. | document and Matt Houston for his help with the formatting. | |||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet | [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet | |||
| X.509 Public Key Infrastructure Certificate and Certificate | X.509 Public Key Infrastructure Certificate and Certificate | |||
| Revocation List (CRL) Profile", BCP 14, RFC 2119, March 1997. | Revocation List (CRL) Profile", BCP 14, RFC 2119, March 1997. | |||
| [RFCxxxx] Seo, K., Watro, R., Kong, D., and Kent, S. , | [CP] Seo, K., Watro, R., Kong, D., and Kent, S., "Certificate | |||
| "Certificate Policy for the Internet IP Address and AS Number | Policy for the Internet IP Address and AS Number PKI", draft- | |||
| PKI", RFC xxxx. | ietf-sidr-cp, July 2007 (work in progress). | |||
| [draft-ietf-sidr-res-certs-01] Huston, G., Loomans, R., | [RESCERT] Huston, G., Loomans, R., Michaelson, G., "A Profile for | |||
| Michaelson, G., "A Profile for X.509 PKIX Resource | X.509 PKIX Resource Certificates", draft-ietf-sidr-res-certs, | |||
| Certificates", work in progress, June 19, 2006. | June 2007 (work in progress). | |||
| 13.2. Informative References | 13.2. Informative References | |||
| [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 | [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 | |||
| (BGP-4). IETF RFC 1771, March 1995. | (BGP-4). IETF RFC 1771, March 1995. | |||
| [FIPS] Federal Information Processing Standards Publication 140-2 | [FIPS] Federal Information Processing Standards Publication 140-2 | |||
| (FIPS PUB 140-2), "Security Requirements for Cryptographic | (FIPS PUB 140-2), "Security Requirements for Cryptographic | |||
| Modules", Information Technology Laboratory, National | Modules", Information Technology Laboratory, National | |||
| Institute of Standards and Technology, May 25, 2001. | Institute of Standards and Technology, May 25, 2001. | |||
| End of changes. 46 change blocks. | ||||
| 264 lines changed or deleted | 232 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||