| draft-ietf-sidr-cps-isp-00.txt | draft-ietf-sidr-cps-isp-01.txt | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing (sidr) Kong, D. | Secure Inter-Domain Routing (sidr) Kong, D. | |||
| Internet Draft Seo, K. | Internet Draft Seo, K. | |||
| Expires: August 2007 Kent, S. | Expires: January 2008 Kent, S. | |||
| Intended Status: Informational BBN Technologies | Intended Status: Informational BBN Technologies | |||
| February 2007 | ||||
| Template for an Internet Service Provider's Certification Practice | Template for an Internet Service Provider's Certification Practice | |||
| Statement (CPS) for the Internet IP address and AS Number PKI | Statement (CPS) for the Internet IP address and AS Number PKI | |||
| draft-ietf-sidr-cps-isp-00.txt | draft-ietf-sidr-cps-isp-01.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that | By submitting this Internet-Draft, each author represents that | |||
| any applicable patent or other IPR claims of which he or she is | any applicable patent or other IPR claims of which he or she is | |||
| aware have been or will be disclosed, and any of which he or she | aware have been or will be disclosed, and any of which he or she | |||
| becomes aware will be disclosed, in accordance with Section 6 of | becomes aware will be disclosed, in accordance with Section 6 of | |||
| BCP 79. | BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on July 25, 2007. | This Internet-Draft will expire on January 8, 2008. | |||
| Abstract | Abstract | |||
| This document contains a template to be used for creating a | This document contains a template to be used for creating a | |||
| Certification Practice Statement (CPS) for a Local Internet Registry | Certification Practice Statement (CPS) for a Local Internet Registry | |||
| (LIR) or Internet Service Provider (ISP) that is part of the Internet | (LIR) or Internet Service Provider (ISP) that is part of the Internet | |||
| IP Address and Autonomous System (AS) Number Public Key | IP Address and Autonomous System (AS) Number Public Key | |||
| Infrastructure (PKI). | Infrastructure (PKI). | |||
| Conventions used in this document | Conventions used in this document | |||
| skipping to change at page 3, line 23 | skipping to change at page 3, line 22 | |||
| 4.1.2. Enrollment process and responsibilities.............21 | 4.1.2. Enrollment process and responsibilities.............21 | |||
| 4.2. Certificate application processing.......................21 | 4.2. Certificate application processing.......................21 | |||
| 4.2.1. Performing identification and authentication functions21 | 4.2.1. Performing identification and authentication functions21 | |||
| 4.2.2. Approval or rejection of certificate applications...21 | 4.2.2. Approval or rejection of certificate applications...21 | |||
| 4.2.3. Time to process certificate applications............22 | 4.2.3. Time to process certificate applications............22 | |||
| 4.3. Certificate issuance.....................................22 | 4.3. Certificate issuance.....................................22 | |||
| 4.3.1. CA actions during certificate issuance..............22 | 4.3.1. CA actions during certificate issuance..............22 | |||
| 4.3.2. Notification to subscriber by the CA of issuance of | 4.3.2. Notification to subscriber by the CA of issuance of | |||
| certificate................................................22 | certificate................................................22 | |||
| 4.3.3. Notification of certificate issuance by the CA to other | 4.3.3. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................23 | entities [OMITTED].........................................22 | |||
| 4.4. Certificate acceptance...................................23 | 4.4. Certificate acceptance...................................22 | |||
| 4.4.1. Conduct constituting certificate acceptance.........23 | 4.4.1. Conduct constituting certificate acceptance.........22 | |||
| 4.4.2. Publication of the certificate by the CA............23 | 4.4.2. Publication of the certificate by the CA............22 | |||
| 4.5. Key pair and certificate usage...........................23 | 4.5. Key pair and certificate usage...........................22 | |||
| 4.5.1. Subscriber private key and certificate usage........23 | 4.5.1. Subscriber private key and certificate usage........23 | |||
| 4.5.2. Relying party public key and certificate usage......23 | 4.5.2. Relying party public key and certificate usage......23 | |||
| 4.6. Certificate renewal......................................24 | 4.6. Certificate renewal......................................23 | |||
| 4.6.1. Circumstance for certificate renewal................24 | 4.6.1. Circumstance for certificate renewal................23 | |||
| 4.6.2. Who may request renewal.............................24 | 4.6.2. Who may request renewal.............................23 | |||
| 4.6.3. Processing certificate renewal requests.............24 | 4.6.3. Processing certificate renewal requests.............24 | |||
| 4.6.4. Notification of new certificate issuance to subscriber24 | 4.6.4. Notification of new certificate issuance to subscriber24 | |||
| 4.6.5. Conduct constituting acceptance of a renewal certificate | 4.6.5. Conduct constituting acceptance of a renewal certificate | |||
| ...........................................................24 | ...........................................................24 | |||
| 4.6.6. Publication of the renewal certificate by the CA....25 | 4.6.6. Publication of the renewal certificate by the CA....24 | |||
| 4.6.7. Notification of certificate issuance by the CA to other | 4.6.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................25 | entities [OMITTED].........................................24 | |||
| 4.7. Certificate re-key.......................................25 | 4.7. Certificate re-key.......................................24 | |||
| 4.7.1. Circumstance for certificate re-key.................25 | 4.7.1. Circumstance for certificate re-key.................24 | |||
| 4.7.2. Who may request certification of a new public key...25 | 4.7.2. Who may request certification of a new public key...25 | |||
| 4.7.3. Processing certificate re-keying requests...........25 | 4.7.3. Processing certificate re-keying requests...........25 | |||
| 4.7.4. Notification of new certificate issuance to subscriber26 | 4.7.4. Notification of new certificate issuance to subscriber25 | |||
| 4.7.5. Conduct constituting acceptance of a re-keyed | 4.7.5. Conduct constituting acceptance of a re-keyed | |||
| certificate................................................26 | certificate................................................25 | |||
| 4.7.6. Publication of the re-keyed certificate by the CA...26 | 4.7.6. Publication of the re-keyed certificate by the CA...25 | |||
| 4.7.7. Notification of certificate issuance by the CA to other | 4.7.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................26 | entities [OMITTED].........................................26 | |||
| 4.8. Certificate modification.................................26 | 4.8. Certificate modification.................................26 | |||
| 4.8.1. Circumstance for certificate modification...........26 | 4.8.1. Circumstance for certificate modification...........26 | |||
| 4.8.2. Who may request certificate modification............26 | 4.8.2. Who may request certificate modification............26 | |||
| 4.8.3. Processing certificate modification requests........27 | 4.8.3. Processing certificate modification requests........26 | |||
| 4.8.4. Notification of modified certificate issuance to | 4.8.4. Notification of modified certificate issuance to | |||
| subscriber.................................................27 | subscriber.................................................26 | |||
| 4.8.5. Conduct constituting acceptance of modified certificate | 4.8.5. Conduct constituting acceptance of modified certificate | |||
| ...........................................................27 | ...........................................................27 | |||
| 4.8.6. Publication of the modified certificate by the CA...27 | 4.8.6. Publication of the modified certificate by the CA...27 | |||
| 4.8.7. Notification of certificate issuance by the CA to other | 4.8.7. Notification of certificate issuance by the CA to other | |||
| entities [OMITTED].........................................27 | entities [OMITTED].........................................27 | |||
| 4.9. Certificate revocation and suspension....................27 | 4.9. Certificate revocation and suspension....................27 | |||
| 4.9.1. Circumstances for revocation........................27 | 4.9.1. Circumstances for revocation........................27 | |||
| 4.9.2. Who can request revocation..........................27 | 4.9.2. Who can request revocation..........................27 | |||
| 4.9.3. Procedure for revocation request....................28 | 4.9.3. Procedure for revocation request....................27 | |||
| 4.9.4. Revocation request grace period.....................28 | 4.9.4. Revocation request grace period.....................28 | |||
| 4.9.5. Time within which CA must process the revocation request | 4.9.5. Time within which CA must process the revocation request | |||
| ...........................................................28 | ...........................................................28 | |||
| 4.9.6. Revocation checking requirement for relying parties.28 | 4.9.6. Revocation checking requirement for relying parties.28 | |||
| 4.9.7. CRL issuance frequency..............................28 | 4.9.7. CRL issuance frequency..............................28 | |||
| 4.9.8. Maximum latency for CRLs............................28 | 4.9.8. Maximum latency for CRLs............................28 | |||
| 4.9.9. On-line revocation/status checking availability | 4.9.9. On-line revocation/status checking availability | |||
| [OMITTED]..................................................29 | [OMITTED]..................................................29 | |||
| 4.9.10. On-line revocation checking requirements [OMITTED].29 | 4.9.10. On-line revocation checking requirements [OMITTED].29 | |||
| 4.9.11. Other forms of revocation advertisements available | 4.9.11. Other forms of revocation advertisements available | |||
| skipping to change at page 8, line 6 | skipping to change at page 8, line 5 | |||
| 9.4.2. Information treated as private......................43 | 9.4.2. Information treated as private......................43 | |||
| 9.4.3. Information not deemed private......................43 | 9.4.3. Information not deemed private......................43 | |||
| 9.4.4. Responsibility to protect private information.......43 | 9.4.4. Responsibility to protect private information.......43 | |||
| 9.4.5. Notice and consent to use private information.......43 | 9.4.5. Notice and consent to use private information.......43 | |||
| 9.4.6. Disclosure pursuant to judicial or administrative | 9.4.6. Disclosure pursuant to judicial or administrative | |||
| process....................................................43 | process....................................................43 | |||
| 9.4.7. Other information disclosure circumstances..........43 | 9.4.7. Other information disclosure circumstances..........43 | |||
| 9.5. Intellectual property rights (if applicable).............43 | 9.5. Intellectual property rights (if applicable).............43 | |||
| 9.6. Representations and warranties...........................43 | 9.6. Representations and warranties...........................43 | |||
| 9.6.1. CA representations and warranties...................43 | 9.6.1. CA representations and warranties...................43 | |||
| 9.6.2. Subscriber representations and warranties...........43 | 9.6.2. Subscriber representations and warranties...........44 | |||
| 9.6.3. Relying party representations and warranties........44 | 9.6.3. Relying party representations and warranties........44 | |||
| 9.6.4. Representations and warranties of other participants | 9.6.4. Representations and warranties of other participants | |||
| [OMITTED]..................................................44 | [OMITTED]..................................................44 | |||
| 9.7. Disclaimers of warranties................................44 | 9.7. Disclaimers of warranties................................44 | |||
| 9.8. Limitations of liability.................................44 | 9.8. Limitations of liability.................................44 | |||
| 9.9. Indemnities..............................................44 | 9.9. Indemnities..............................................44 | |||
| 9.10. Term and termination....................................44 | 9.10. Term and termination....................................44 | |||
| 9.10.1. Term...............................................44 | 9.10.1. Term...............................................44 | |||
| 9.10.2. Termination........................................44 | 9.10.2. Termination........................................44 | |||
| 9.10.3. Effect of termination and survival.................44 | 9.10.3. Effect of termination and survival.................44 | |||
| skipping to change at page 8, line 31 | skipping to change at page 8, line 30 | |||
| 9.12.3. Circumstances under which OID must be changed [OMITTED] | 9.12.3. Circumstances under which OID must be changed [OMITTED] | |||
| ...........................................................44 | ...........................................................44 | |||
| 9.13. Dispute resolution provisions...........................44 | 9.13. Dispute resolution provisions...........................44 | |||
| 9.14. Governing law...........................................44 | 9.14. Governing law...........................................44 | |||
| 9.15. Compliance with applicable law..........................44 | 9.15. Compliance with applicable law..........................44 | |||
| 9.16. Miscellaneous provisions................................44 | 9.16. Miscellaneous provisions................................44 | |||
| 9.16.1. Entire agreement...................................44 | 9.16.1. Entire agreement...................................44 | |||
| 9.16.2. Assignment.........................................44 | 9.16.2. Assignment.........................................44 | |||
| 9.16.3. Severability.......................................44 | 9.16.3. Severability.......................................44 | |||
| 9.16.4. Enforcement (attorneys' fees and waiver of rights).44 | 9.16.4. Enforcement (attorneys' fees and waiver of rights).44 | |||
| 9.16.5. Force Majeure......................................44 | 9.16.5. Force Majeure......................................45 | |||
| 9.17. Other provisions [OMITTED]..............................44 | 9.17. Other provisions [OMITTED]..............................45 | |||
| 10. Security Considerations......................................45 | 10. Security Considerations......................................45 | |||
| 11. IANA Considerations..........................................45 | 11. IANA Considerations..........................................45 | |||
| 12. Acknowledgments..............................................45 | 12. Acknowledgments..............................................45 | |||
| 13. References...................................................46 | 13. References...................................................46 | |||
| 13.1. Normative References....................................46 | 13.1. Normative References....................................46 | |||
| 13.2. Informative References..................................46 | 13.2. Informative References..................................46 | |||
| Author's Addresses...............................................47 | Author's Addresses...............................................47 | |||
| Intellectual Property Statement..................................48 | Intellectual Property Statement..................................48 | |||
| Disclaimer of Validity...........................................48 | Disclaimer of Validity...........................................48 | |||
| Copyright Statement..............................................48 | Copyright Statement..............................................48 | |||
| Preface | Preface | |||
| This document contains a template to be used for creating a | This document contains a template to be used for creating a | |||
| Certification Practice Statement (CPS) for a Local Internet Registry | Certification Practice Statement (CPS) for a Local Internet Registry | |||
| or an Internet Service Provider that is part of the Internet IP | or an Internet Service Provider that is part of the Internet IP | |||
| Address and Autonomous System (AS) Number Public Key Infrastructure | Address and Autonomous System (AS) Number Public Key Infrastructure | |||
| (PKI). The user of this document should | (PKI). The user of this document should | |||
| 1. substitute a title page for page 1 saying, e.g., ''<Name of | 1. substitute a title page for page 1 saying, e.g., "<Name of | |||
| LIR/ISP> Certification Practice Statement for the Internet IP | LIR/ISP> Certification Practice Statement for the Internet IP | |||
| Address and AS Number Public Key Infrastructure (PKI)'' with | Address and AS Number Public Key Infrastructure (PKI)" with | |||
| date, author, etc. | date, author, etc. | |||
| 2. leave the table of contents | 2. leave the table of contents | |||
| 3. delete this Preface | 3. delete this Preface | |||
| 4. fill in the information indicated below by <text in angle | 4. fill in the information indicated below by <text in angle | |||
| brackets> | brackets> | |||
| 5. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's | 5. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's | |||
| Addresses, Intellectual Property Statement, Disclaimer of | Addresses, Intellectual Property Statement, Disclaimer of | |||
| Validity, Copyright Statement, Acknowledgments; leaving a | Validity, Copyright Statement, Acknowledgments; leaving a | |||
| reference section with just the references in 13.2 | reference section with just the references in 13.2 | |||
| 6. update the table of contents to reflect the changes required by | 6. update the table of contents to reflect the changes required by | |||
| steps 4 and 5 above . | steps 4 and 5 above . | |||
| Note: This CPS is based on the template specified in RFC 3647. A | Note: This CPS is based on the template specified in RFC 3647. A | |||
| number of sections contained in the template were omitted from this | number of sections contained in the template were omitted from this | |||
| CPS because they did not apply to this PKI. However, we have retained | CPS because they did not apply to this PKI. However, we have retained | |||
| section heading ''place holders'' for these omitted sections, in | section heading "place holders" for these omitted sections, in order | |||
| order to facilitate comparison with the section numbering scheme | to facilitate comparison with the section numbering scheme employed | |||
| employed in that RFC, i.e., the relevant section headings are | in that RFC, i.e., the relevant section headings are included and | |||
| included and marked [OMITTED]. In the Table of Contents the relevant | marked [OMITTED]. In the Table of Contents the relevant sections are | |||
| sections are also marked [OMITTED]. There is a note to this effect | also marked [OMITTED]. There is a note to this effect in the | |||
| in the Introduction below. This information should be left in the | Introduction below. This information should be left in the CPS as an | |||
| CPS as an explanation to the user. | explanation to the user. | |||
| 1. Introduction | 1. Introduction | |||
| This document is the Certification Practice Statement (CPS) of <Name | This document is the Certification Practice Statement (CPS) of <Name | |||
| of LIR/ISP>. It describes the practices employed by the <Name of | of LIR/ISP>. It describes the practices employed by the <Name of | |||
| LIR/ISP> Certification Authority (CA) in the Internet IP Address and | LIR/ISP> Certification Authority (CA) in the Internet IP Address and | |||
| Autonomous System (AS) Number PKI. These practices are defined in | Autonomous System (AS) Number PKI. These practices are defined in | |||
| accordance with the requirements of the Certificate Policy (CP, | accordance with the requirements of the Certificate Policy (CP, [CP]) | |||
| [RFCxxxx]) of this PKI. | of this PKI. | |||
| The Internet IP Address and AS Number PKI is aimed at supporting | The Internet IP Address and AS Number PKI is aimed at supporting | |||
| improved routing security. The goal is that each entity that | improved routing security. The goal is that each entity that | |||
| allocates IP addresses or AS numbers to an entity will, in parallel, | allocates IP addresses or AS numbers to an entity will, in parallel, | |||
| issue a certificate reflecting this allocation. These certificates | issue a certificate reflecting this allocation. These certificates | |||
| will enable verification that the holder of the associated private | will enable verification that the holder of the associated private | |||
| key has been allocated the resources indicated in the certificate, | key has been allocated the resources indicated in the certificate, | |||
| and is the current, unique holder of these resources. The | and is the current, unique holder of these resources. The | |||
| certificates and CRLs, in conjunction with ancillary digitally signed | certificates and CRLs, in conjunction with ancillary digitally signed | |||
| data structures, will provide critical inputs for routing security | data structures, will provide critical inputs for routing security | |||
| skipping to change at page 10, line 36 | skipping to change at page 10, line 36 | |||
| For this particular CPS, it should be noted that LIRs/ISPs do not | For this particular CPS, it should be noted that LIRs/ISPs do not | |||
| allocate AS numbers to their subscribers; instead subscribers receive | allocate AS numbers to their subscribers; instead subscribers receive | |||
| AS numbers from the RIR for their region. Thus, the certificates | AS numbers from the RIR for their region. Thus, the certificates | |||
| issued by <Name of LIR/ISP> cover only IP address allocations. | issued by <Name of LIR/ISP> cover only IP address allocations. | |||
| However, in places in this document, text applying to the overall PKI | However, in places in this document, text applying to the overall PKI | |||
| may refer to both IP address space and AS numbers. | may refer to both IP address space and AS numbers. | |||
| Note: This CPS is based on the template specified in RFC 3647. A | Note: This CPS is based on the template specified in RFC 3647. A | |||
| number of sections contained in the template were omitted from this | number of sections contained in the template were omitted from this | |||
| CPS because they did not apply to this PKI. However, we have retained | CPS because they did not apply to this PKI. However, we have retained | |||
| section heading ''place holders'' for these omitted sections, in | section heading "place holders" for these omitted sections, in order | |||
| order to facilitate comparison with the section numbering scheme | to facilitate comparison with the section numbering scheme employed | |||
| employed in that RFC, i.e., the relevant section headings are | in that RFC, i.e., the relevant section headings are included and | |||
| included and marked [OMITTED]. In the Table of Contents the relevant | marked [OMITTED]. In the Table of Contents the relevant sections are | |||
| sections are also marked [OMITTED]. | also marked [OMITTED]. | |||
| 1.1. Overview | 1.1. Overview | |||
| This CPS describes: | This CPS describes: | |||
| o Participants | o Participants | |||
| o Distribution of the certificates and CRLs | o Distribution of the certificates and CRLs | |||
| o How certificates are issued, managed, and revoked | o How certificates are issued, managed, and revoked | |||
| skipping to change at page 11, line 19 | skipping to change at page 11, line 19 | |||
| o Audit procedures | o Audit procedures | |||
| o Business and legal issues | o Business and legal issues | |||
| The PKI encompasses several types of certificates (see appendix in | The PKI encompasses several types of certificates (see appendix in | |||
| the CP for more details): | the CP for more details): | |||
| o CA certificates for each organization allocating address blocks | o CA certificates for each organization allocating address blocks | |||
| and/or AS numbers, and for each address space (AS number) holder | and/or AS numbers, and for each address space (AS number) holder | |||
| o End entity (''shadow'') certificates for organizations to use in | o End entity ("shadow") certificates for organizations to use in | |||
| verifying Route Origination Authorizations (ROAs) and other (non- | verifying Route Origination Authorizations (ROAs) and other (non- | |||
| certificate/CRL) signed objects | certificate/CRL) signed objects | |||
| o In the future, the PKI also may include end entity certificates in | o In the future, the PKI also may include end entity certificates in | |||
| support of access control for the repository system | support of access control for the repository system | |||
| 1.2. Document name and identification | 1.2. Document name and identification | |||
| The name of this document is ''<Name of LIR/ISP>'s Certification | The name of this document is "<Name of LIR/ISP>'s Certification | |||
| Practice Statement for the Internet IP Address and AS Number PKI''. | Practice Statement for the Internet IP Address and AS Number PKI". | |||
| 1.3. PKI participants | 1.3. PKI participants | |||
| Note: In a PKI, the term ''subscriber'' refers to an individual or | Note: In a PKI, the term "subscriber" refers to an individual or | |||
| organization that is a Subject of a certificate issued by a CA. The | organization that is a Subject of a certificate issued by a CA. The | |||
| term is used in this fashion throughout this document, without | term is used in this fashion throughout this document, without | |||
| qualification, and should not be confused with the networking use of | qualification, and should not be confused with the networking use of | |||
| the term to refer to an individual or organization that receives | the term to refer to an individual or organization that receives | |||
| service from an ISP. Thus, in this PKI, the term ''subscriber'' can | service from an ISP. Thus, in this PKI, the term "subscriber" can | |||
| refer both to ISPs, which can be subscribers of RIRs, NIRs, and LIRs, | refer both to ISPs, which can be subscribers of RIRs, NIRs, and LIRs, | |||
| and also to organizations that are not ISPs, but which are | and also to organizations that are not ISPs, but which are | |||
| subscribers of LIRs/ISPs in the networking sense of the term. Also | subscribers of LIRs/ISPs in the networking sense of the term. Also | |||
| note that, for brevity, this document always refers to subscribers as | note that, for brevity, this document always refers to subscribers as | |||
| organizations, even though some subscribers are individuals. When | organizations, even though some subscribers are individuals. When | |||
| necessary, the phrase ''network subscriber'' is used to refer to an | necessary, the phrase "network subscriber" is used to refer to an | |||
| organization that receives network services from an LIR/ISP. | organization that receives network services from an LIR/ISP. | |||
| 1.3.1. Certification authorities | 1.3.1. Certification authorities | |||
| <Name of LIR/ISP> will operate a CA, the primary function of which is | <Name of LIR/ISP> will operate a CA, the primary function of which is | |||
| the issuance of certificates to organizations to which address space | the issuance of certificates to organizations to which address space | |||
| is allocated by <Name of LIR/ISP>. This CA will also issue end entity | is allocated by <Name of LIR/ISP>. This CA will also issue end entity | |||
| (''shadow'') certificates for use in verifying signatures of ROAs. In | ("shadow") certificates for use in verifying signatures of ROAs. In | |||
| the future, this CA may also issue other types of end entity (EE) | the future, this CA may also issue other types of end entity (EE) | |||
| certificates, e.g., EE certificates to operations personnel in | certificates, e.g., EE certificates to operations personnel in | |||
| support of repository maintenance. | support of repository maintenance. | |||
| 1.3.2. Registration authorities | 1.3.2. Registration authorities | |||
| For the certificates issued by this LIR/ISP under this PKI, this | For the certificates issued by this LIR/ISP under this PKI, this | |||
| function is provided by the LIR/ISP per se. The LIR/ISP already | function is provided by the LIR/ISP per se. The LIR/ISP already | |||
| performs this function -- establishing a formal relationship with | performs this function -- establishing a formal relationship with | |||
| each subscriber and assuming responsibility for allocating and | each subscriber and assuming responsibility for allocating and | |||
| tracking the current allocation of address space. Since the LIR/ISP | tracking the current allocation of address space. Since the LIR/ISP | |||
| operates the CA, there is no distinct RA. | operates the CA, there is no distinct RA. | |||
| 1.3.3. Subscribers | 1.3.3. Subscribers | |||
| The primary types of organizations that receive allocations of IP | The primary types of organizations that receive allocations of IP | |||
| addresses from this CA and thus are subscribers in the PKI sense are | addresses from this CA and thus are subscribers in the PKI sense are | |||
| network subscribers. <If appropriate, add ''Additionally, this LIR | network subscribers. <If appropriate, add "Additionally, this LIR | |||
| issues address space to ISPs, who are thus also subscribers.''> | issues address space to ISPs, who are thus also subscribers."> | |||
| 1.3.4. Relying parties | 1.3.4. Relying parties | |||
| Entities that need to validate claims of address space current | Entities that need to validate claims of address space current | |||
| holdings are relying parties. Thus, for example, entities that make | holdings are relying parties. Thus, for example, entities that make | |||
| use of address certificates in support of improved routing security | use of address certificates in support of improved routing security | |||
| are relying parties. This includes LIRs/ISPs, multi-homed | are relying parties. This includes LIRs/ISPs, multi-homed | |||
| organizations exchanging BGP [BGP4] traffic with LIRs/ISPs, and | organizations exchanging BGP [BGP4] traffic with LIRs/ISPs, and | |||
| subscribers who have received an allocation of address space from one | subscribers who have received an allocation of address space from one | |||
| ISP or from a registry, but want to authorize an (or another) LIR/ISP | ISP or from a registry, but want to authorize an (or another) LIR/ISP | |||
| to originate routes to this space. | to originate routes to this space. | |||
| To the extent that repositories make use of certificates for access | To the extent that repositories make use of certificates for access | |||
| control -- checking for authorization to upload certificate, CRL, and | control - checking for authorization to upload certificate, CRL, and | |||
| ROA updates -- they too act as relying parties. | ROA updates -- they too act as relying parties. | |||
| 1.3.5. Other participants [OMITTED] | 1.3.5. Other participants [OMITTED] | |||
| 1.4. Certificate usage | 1.4. Certificate usage | |||
| 1.4.1. Appropriate certificate uses | 1.4.1. Appropriate certificate uses | |||
| The certificates issued under this hierarchy are for authorization in | The certificates issued under this hierarchy are for authorization in | |||
| support of validation of claims of current holdings of address space | support of validation of claims of current holdings of address space | |||
| skipping to change at page 15, line 33 | skipping to change at page 15, line 33 | |||
| 2.3. Time or Frequency of Publication | 2.3. Time or Frequency of Publication | |||
| <Describe here your procedures for publication (to the global | <Describe here your procedures for publication (to the global | |||
| repository system) of the certificates and CRLs that you issue. If | repository system) of the certificates and CRLs that you issue. If | |||
| you choose to outsource publication of PKI data, you still need to | you choose to outsource publication of PKI data, you still need to | |||
| provide this information for relying parties.> | provide this information for relying parties.> | |||
| As per the CP, the following standards exist for publication times | As per the CP, the following standards exist for publication times | |||
| and frequency: | and frequency: | |||
| o A certificate will be published within 24 hours after a CA has | o A certificate will be published within 24 hours after issuance. | |||
| received acknowledgement from the subject of the certificate that the | ||||
| certificate is accurate. | ||||
| o The <Name of LIR/ISP> CA will publish its CRL prior to the | o The <Name of LIR/ISP> CA will publish its CRL prior to the | |||
| nextScheduledUpdate value in the scheduled CRL previously issued by | nextScheduledUpdate value in the scheduled CRL previously issued by | |||
| the CA. Within 12 hours of effecting revocation, the CA will publish | the CA. Within 12 hours of effecting revocation, the CA will publish | |||
| a CRL with an entry for the revoked certificate. | a CRL with an entry for the revoked certificate. | |||
| o A new ROA will be published before a predecessor ROA has expired, or | o A new ROA will be published before a predecessor ROA has expired, or | |||
| within 24 hours after an address space holder has changed the set of | within 24 hours after an address space holder has changed the set of | |||
| ASes that is authorized to advertise the address blocks it holds. | ASes that is authorized to advertise the address blocks it holds. | |||
| skipping to change at page 17, line 24 | skipping to change at page 17, line 24 | |||
| 3.1.2. Need for names to be meaningful | 3.1.2. Need for names to be meaningful | |||
| The Subject name in each subscriber certificate will be unique | The Subject name in each subscriber certificate will be unique | |||
| relative to all certificates issued by <Name of LIR/ISP>. However, | relative to all certificates issued by <Name of LIR/ISP>. However, | |||
| there is no guarantee that the subject name will be globally unique | there is no guarantee that the subject name will be globally unique | |||
| in this PKI. | in this PKI. | |||
| Note: The certificates issued under this PKI are used for | Note: The certificates issued under this PKI are used for | |||
| authorization in support of routing security, not for identification. | authorization in support of routing security, not for identification. | |||
| The name of the holder of an address block need not be ''meaningful'' | The name of the holder of an address block need not be "meaningful" | |||
| in the conventional, human-readable sense. | in the conventional, human-readable sense. | |||
| 3.1.3. Anonymity or pseudonymity of subscribers | 3.1.3. Anonymity or pseudonymity of subscribers | |||
| Although Subject names in certificates issued by this LIR/ISP need | Although Subject names in certificates issued by this LIR/ISP need | |||
| not be meaningful, and may appear ''random,'' anonymity is not a | not be meaningful, and may appear "random," anonymity is not a | |||
| function of this PKI, and thus no explicit support for this feature | function of this PKI, and thus no explicit support for this feature | |||
| is provided. | is provided. | |||
| 3.1.4. Rules for interpreting various name forms | 3.1.4. Rules for interpreting various name forms | |||
| None | None | |||
| 3.1.5. Uniqueness of names | 3.1.5. Uniqueness of names | |||
| <Name of LIR/ISP> certifies Subject names that are unique among the | <Name of LIR/ISP> certifies Subject names that are unique among the | |||
| skipping to change at page 19, line 42 | skipping to change at page 19, line 42 | |||
| organization requesting a re-key is the legitimate holder of the | organization requesting a re-key is the legitimate holder of the | |||
| certificate (and associated address space) to be re-keyed. This | certificate (and associated address space) to be re-keyed. This | |||
| should also include the method employed for verifying PoP of the | should also include the method employed for verifying PoP of the | |||
| private key corresponding to the new public key. With respect to | private key corresponding to the new public key. With respect to | |||
| authentication of the holder of the address space, the procedures | authentication of the holder of the address space, the procedures | |||
| should be commensurate with those you already employ in the | should be commensurate with those you already employ in the | |||
| maintenance of address allocation. Note that your organization can | maintenance of address allocation. Note that your organization can | |||
| choose to require periodic re-keying consistent with contractual | choose to require periodic re-keying consistent with contractual | |||
| agreements with the recipient.> | agreements with the recipient.> | |||
| 3.3.2. Identification and authentication for re-key after revocation | 3.3.2. Identification and authentication for re-key after | |||
| revocation | ||||
| <Describe the procedures that will be used to ensure that an | <Describe the procedures that will be used to ensure that an | |||
| organization requesting a re-key after revocation is the legitimate | organization requesting a re-key after revocation is the legitimate | |||
| holder of the address space in the certificate being re-keyed. This | holder of the address space in the certificate being re-keyed. This | |||
| should also include the method employed for verifying PoP of the | should also include the method employed for verifying PoP of the | |||
| private key corresponding to the new public key. With respect to | private key corresponding to the new public key. With respect to | |||
| authentication of the resource holder, the procedures should be | authentication of the resource holder, the procedures should be | |||
| commensurate with those you already employ in the maintenance of | commensurate with those you already employ in the maintenance of | |||
| resource allocation records.> | resource allocation records.> | |||
| skipping to change at page 21, line 14 | skipping to change at page 21, line 14 | |||
| 4. Certificate Life-Cycle Operational Requirements | 4. Certificate Life-Cycle Operational Requirements | |||
| 4.1. Certificate Application | 4.1. Certificate Application | |||
| 4.1.1. Who can submit a certificate application | 4.1.1. Who can submit a certificate application | |||
| The following entities may submit a certificate application to this | The following entities may submit a certificate application to this | |||
| CA: | CA: | |||
| o <Insert if appropriate: ''Any ISP subordinate to this LIR.''> | o <Insert if appropriate: "Any ISP subordinate to this LIR."> | |||
| o Any entity that holds address space assigned by this LIR/ISP | o Any entity that holds address space assigned by this LIR/ISP | |||
| 4.1.2. Enrollment process and responsibilities | 4.1.2. Enrollment process and responsibilities | |||
| <Describe your enrollment process for issuing certificates both for | <Describe your enrollment process for issuing certificates both for | |||
| initial deployment of the PKI and as an ongoing process. Note that | initial deployment of the PKI and as an ongoing process. Note that | |||
| most of the certificates in this PKI are issued as part of ISP normal | most of the certificates in this PKI are issued as part of ISP normal | |||
| business practices, as an adjunct to address space allocation, and | business practices, as an adjunct to address space allocation, and | |||
| thus a separate application to request a certificate may not be | thus a separate application to request a certificate may not be | |||
| skipping to change at page 22, line 17 | skipping to change at page 22, line 17 | |||
| 4.2.3. Time to process certificate applications | 4.2.3. Time to process certificate applications | |||
| <You may declare here your expected time frame for processing | <You may declare here your expected time frame for processing | |||
| certificate applications.> | certificate applications.> | |||
| 4.3. Certificate issuance | 4.3. Certificate issuance | |||
| 4.3.1. CA actions during certificate issuance | 4.3.1. CA actions during certificate issuance | |||
| <Describe in this section the following (referring to subsequent | <Describe in this section your procedures for issuance of a | |||
| sections as appropriate): | certificate.> | |||
| o Procedures for generation of a draft certificate and form of the | ||||
| draft. Typically a draft certificate is a complete certificate except | ||||
| for the issuer's signature. | ||||
| o Procedure for making the draft available to the applicant for review. | ||||
| For example, you may directly transmit the draft certificate to the | ||||
| subscriber (applying PKCS #7 or other defined syntax). | ||||
| Alternatively, you might establish a repository where draft | ||||
| certificates can be examined. | ||||
| o Procedure for subscriber approval/rejection of the draft (Section | ||||
| 4.4.1) | ||||
| o If draft is approved, procedure for finalization of draft and | ||||
| subsequent publication (Section 4.4.2) | ||||
| o If draft is rejected, procedure for modification of the rejected | ||||
| certificate (Section 4.8 might be useful) or submission of a new | ||||
| certificate request.> | ||||
| 4.3.2. Notification to subscriber by the CA of issuance of certificate | 4.3.2. Notification to subscriber by the CA of issuance of | |||
| certificate | ||||
| <Describe your procedure for notification of a subscriber when a | <Describe in this section your procedures for notification of a | |||
| draft certificate is ready for review.> | subscriber when a certificate has been issued.> | |||
| 4.3.3. Notification of certificate issuance by the CA to other entities | 4.3.3. Notification of certificate issuance by the CA to other | |||
| [OMITTED] | entities [OMITTED] | |||
| 4.4. Certificate acceptance | 4.4. Certificate acceptance | |||
| 4.4.1. Conduct constituting certificate acceptance | 4.4.1. Conduct constituting certificate acceptance | |||
| When a draft certificate is generated and the subscriber is notified, | When a certificate is issued, the CA will place it in the repository | |||
| it is required that the subscriber review the proposed certificate | and notify the subscriber. This will be done without subscriber | |||
| and either approve or reject it within <X -- This should be 30 or | review and acceptance. | |||
| fewer as per the CP.> days. <Describe what constitutes acceptance or | ||||
| rejection from the certificate applicant.> | ||||
| If a certificate remains unprocessed by the requester after <X> days, | ||||
| <Describe your policy for handling certificates that have not been | ||||
| acknowledged (either positively or negatively) after X days. For | ||||
| example, at your option, you may either cancel the certificate or | ||||
| finalize it and place it in the repository.> | ||||
| 4.4.2. Publication of the certificate by the CA | 4.4.2. Publication of the certificate by the CA | |||
| Certificates will be published in the Repository system once | Certificates will be published in the Repository system once issued | |||
| approved. <Describe your procedures for publication of the approved | following the conduct described in 4.4.1. <Describe your procedures | |||
| certificate.> | for publication of the approved certificate.> | |||
| 4.5. Key pair and certificate usage | 4.5. Key pair and certificate usage | |||
| Use of the credentials from the IP Address and AS Number PKI is | A summary of the use model for the IP Address and AS Number PKI is | |||
| discussed in detail in the Appendix of the CP. | provided below. | |||
| 4.5.1. Subscriber private key and certificate usage | 4.5.1. Subscriber private key and certificate usage | |||
| The certificates issued by this LIR/ISP to resource holders are CA | The certificates issued by this LIR/ISP to resource holders are CA | |||
| certificates. The private key associated with each of these | certificates. The private key associated with each of these | |||
| certificates is used to sign subordinate (CA or EE) certificates and | certificates is used to sign subordinate (CA or EE) certificates and | |||
| CRLs. Resource holders who are LIRs/ISPs will issue CA certificates | CRLs. Resource holders who are LIRs/ISPs will issue CA certificates | |||
| to any organizations which they allocate IP address space, one or | to any organizations which they allocate IP address space, one or | |||
| more end entity ''shadow'' certificates for use in verifying | more end entity "shadow" certificates for use in verifying signatures | |||
| signatures on ROAs, and end entity certificates to operators in | on ROAs, and end entity certificates to operators in support of | |||
| support of repository access control. Non-LIR/ISP resource holders | repository access control. Non-LIR/ISP resource holders will issue | |||
| will issue just the latter two kinds of certificates since they | just the latter two kinds of certificates since they will not be | |||
| will not be allocating address space to other organizations. | allocating address space to other organizations. | |||
| 4.5.2. Relying party public key and certificate usage | 4.5.2. Relying party public key and certificate usage | |||
| The primary relying parties in this PKI are LIRs/ISPs, who will use | The primary relying parties in this PKI are LIRs/ISPs, who will use | |||
| shadow certificates to verify ROAs, e.g., in support of generating | shadow certificates to verify ROAs, e.g., in support of generating | |||
| route filters. Repositories will use operator certificates to verify | route filters. Repositories will use operator certificates to verify | |||
| the authorization of entities to engage in repository maintenance | the authorization of entities to engage in repository maintenance | |||
| activities, and thus repositories represent a secondary type of | activities, and thus repositories represent a secondary type of | |||
| relying party. | relying party. | |||
| 4.6. Certificate renewal | 4.6. Certificate renewal | |||
| 4.6.1. Circumstance for certificate renewal | 4.6.1. Circumstance for certificate renewal | |||
| As per the CP, a certificate will be processed for renewal based on | As per the CP, a certificate will be processed for renewal based on | |||
| its expiration date or a renewal request from the certificate | its expiration date or a renewal request from the certificate | |||
| Subject. If <Name of LIR/ISP> initiates the renewal process based on | Subject. If <Name of LIR/ISP> initiates the renewal process based on | |||
| the certificate expiration date, then <Name of LIR/ISP> will notify | the certificate expiration date, then <Name of LIR/ISP> will notify | |||
| the resource holder <insert the period of advance warning, e.g., ''2 | the resource holder <insert the period of advance warning, e.g., "2 | |||
| weeks in advance of the expiration date'', or the general policy, | weeks in advance of the expiration date", or the general policy, | |||
| e.g., ''in conjunction with notification of service expiration''.> | e.g., "in conjunction with notification of service expiration".> The | |||
| The validity interval of the new (renewed) certificate will overlap | validity interval of the new (renewed) certificate will overlap that | |||
| that of the previous certificate by <insert length of overlap period, | of the previous certificate by <insert length of overlap period, | |||
| e.g., 1 week>, to ensure uninterrupted coverage. | e.g., 1 week>, to ensure uninterrupted coverage. | |||
| Certificate renewal will incorporate the same public key as the | Certificate renewal will incorporate the same public key as the | |||
| previous certificate, unless the private key has been reported as | previous certificate, unless the private key has been reported as | |||
| compromised. If a new key pair is being used, the stipulations of | compromised. If a new key pair is being used, the stipulations of | |||
| Section 4.7 will apply. | Section 4.7 will apply. | |||
| 4.6.2. Who may request renewal | 4.6.2. Who may request renewal | |||
| The certificate holder or <Name of LIR/ISP> may initiate the renewal | The certificate holder or <Name of LIR/ISP> may initiate the renewal | |||
| skipping to change at page 24, line 41 | skipping to change at page 24, line 12 | |||
| The certificate holder or <Name of LIR/ISP> may initiate the renewal | The certificate holder or <Name of LIR/ISP> may initiate the renewal | |||
| process. <For the case of the certificate holder, describe what steps | process. <For the case of the certificate holder, describe what steps | |||
| will be taken to verify the identity and authorization of the entity | will be taken to verify the identity and authorization of the entity | |||
| requesting the renewal.> | requesting the renewal.> | |||
| 4.6.3. Processing certificate renewal requests | 4.6.3. Processing certificate renewal requests | |||
| <Describe your procedures for handling certificate renewal requests. | <Describe your procedures for handling certificate renewal requests. | |||
| This must include verification that the certificate in question has | This must include verification that the certificate in question has | |||
| not been revoked.> | not been revoked.> | |||
| 4.6.4. Notification of new certificate issuance to subscriber | 4.6.4. Notification of new certificate issuance to subscriber | |||
| <Describe your procedure for notification of new certificate issuance | <Describe your procedure for notification of new certificate issuance | |||
| to the subscriber. This should be consistent with 4.3.2.> | to the subscriber. This should be consistent with 4.3.2.> | |||
| 4.6.5. Conduct constituting acceptance of a renewal certificate | 4.6.5. Conduct constituting acceptance of a renewal certificate | |||
| <Describe your definition of what constitutes acceptance of a renewed | When a renewal certificate is issued, the CA will place it in the | |||
| certificate. This should be consistent with 4.4.1.> | repository and notify the subscriber. This will be done without | |||
| subscriber review and acceptance. | ||||
| 4.6.6. Publication of the renewal certificate by the CA | 4.6.6. Publication of the renewal certificate by the CA | |||
| <Describe your policy and procedures for publication of a renewed | <Describe your policy and procedures for publication of a renewed | |||
| certificate. This should be consistent with 4.4.2.> | certificate. This should be consistent with 4.4.2.> | |||
| 4.6.7. Notification of certificate issuance by the CA to other entities | 4.6.7. Notification of certificate issuance by the CA to other | |||
| [OMITTED] | entities [OMITTED] | |||
| 4.7. Certificate re-key | 4.7. Certificate re-key | |||
| 4.7.1. Circumstance for certificate re-key | 4.7.1. Circumstance for certificate re-key | |||
| As per the CP, re-key of a certificate will be performed only when | As per the CP, re-key of a certificate will be performed only when | |||
| required, based on: | required, based on: | |||
| 1. knowledge or suspicion of compromise or loss of the associated | 1. knowledge or suspicion of compromise or loss of the associated | |||
| private key, or | private key, or | |||
| skipping to change at page 26, line 14 | skipping to change at page 25, line 34 | |||
| 4.7.4. Notification of new certificate issuance to subscriber | 4.7.4. Notification of new certificate issuance to subscriber | |||
| <Describe your policy regarding notifying the subscriber re: | <Describe your policy regarding notifying the subscriber re: | |||
| availability of the new certificate. This should be consistent with | availability of the new certificate. This should be consistent with | |||
| the notification process for any new certificate issuance (see | the notification process for any new certificate issuance (see | |||
| section 4.3.2).> | section 4.3.2).> | |||
| 4.7.5. Conduct constituting acceptance of a re-keyed certificate | 4.7.5. Conduct constituting acceptance of a re-keyed certificate | |||
| <Describe your policy regarding acceptance of the new certificate by | When a re-keyed certificate is issued, the CA will place it in the | |||
| the subscriber. This should be consistent with the acceptance | repository and notify the subscriber. This will be done without | |||
| process for any new certificate (see section 4.4.1).> | subscriber review and acceptance. | |||
| 4.7.6. Publication of the re-keyed certificate by the CA | 4.7.6. Publication of the re-keyed certificate by the CA | |||
| <Describe your policy regarding publication of the new certificate. | <Describe your policy regarding publication of the new certificate. | |||
| This should be consistent with the publication process for any new | This should be consistent with the publication process for any new | |||
| certificate (see section 4.4.2).> | certificate (see section 4.4.2).> | |||
| 4.7.7. Notification of certificate issuance by the CA to other entities | 4.7.7. Notification of certificate issuance by the CA to other | |||
| [OMITTED] | entities [OMITTED] | |||
| 4.8. Certificate modification | 4.8. Certificate modification | |||
| 4.8.1. Circumstance for certificate modification | 4.8.1. Circumstance for certificate modification | |||
| As per the CP, modification of a certificate occurs to implement | As per the CP, modification of a certificate occurs to implement | |||
| changes to the RFC 3779 extension values in a certificate. A | changes to the RFC 3779 extension values in a certificate. A | |||
| subscriber can request a certificate modification when this | subscriber can request a certificate modification when this | |||
| information in a currently valid certificate has changed, as a result | information in a currently valid certificate has changed, as a result | |||
| of changes in the resource holdings of the subscriber. | of changes in the resource holdings of the subscriber. | |||
| skipping to change at page 27, line 14 | skipping to change at page 26, line 43 | |||
| holder, state here what steps will be taken to verify the identity | holder, state here what steps will be taken to verify the identity | |||
| and authorization of the entity requesting the modification.> | and authorization of the entity requesting the modification.> | |||
| 4.8.3. Processing certificate modification requests | 4.8.3. Processing certificate modification requests | |||
| <Describe your procedures for verification of the modification | <Describe your procedures for verification of the modification | |||
| request and procedures for the issuance of a new certificate. These | request and procedures for the issuance of a new certificate. These | |||
| should be consistent with the processes described in Sections 4.2 and | should be consistent with the processes described in Sections 4.2 and | |||
| 4.3.1.> | 4.3.1.> | |||
| 4.8.4. Notification of modified certificate issuance to subscriber | 4.8.4. Notification of modified certificate issuance to | |||
| subscriber | ||||
| <Describe your procedure for notification of issuance of a modified | <Describe your procedure for notification of issuance of a modified | |||
| certificate. This should be consistent with the notification process | certificate. This should be consistent with the notification process | |||
| for any new certificate (see section 4.3.2).> | for any new certificate (see section 4.3.2).> | |||
| 4.8.5. Conduct constituting acceptance of modified certificate | 4.8.5. Conduct constituting acceptance of modified certificate | |||
| <Describe your criteria for acceptance of a modified certificate. | When a modified certificate is issued, the CA will place it in the | |||
| This should be consistent with the acceptance process for any new | repository and notify the subscriber. This will be done without | |||
| certificate (see section 4.4.1).> | subscriber review and acceptance. | |||
| 4.8.6. Publication of the modified certificate by the CA | 4.8.6. Publication of the modified certificate by the CA | |||
| <Describe your procedure for publication of a modified certificate. | <Describe your procedure for publication of a modified certificate. | |||
| This should be consistent with the publication process for any new | This should be consistent with the publication process for any new | |||
| certificate (see section 4.4.2).> | certificate (see section 4.4.2).> | |||
| 4.8.7. Notification of certificate issuance by the CA to other entities | 4.8.7. Notification of certificate issuance by the CA to other | |||
| [OMITTED] | entities [OMITTED] | |||
| 4.9. Certificate revocation and suspension | 4.9. Certificate revocation and suspension | |||
| 4.9.1. Circumstances for revocation | 4.9.1. Circumstances for revocation | |||
| As per the CP, certificates can be revoked for several reasons. | As per the CP, certificates can be revoked for several reasons. | |||
| Either <Name of ISP> or the subject may choose to end the | Either <Name of ISP> or the subject may choose to end the | |||
| relationship expressed in the certificate, thus creating cause to | relationship expressed in the certificate, thus creating cause to | |||
| revoke the certificate. A certificate also may be revoked due to | revoke the certificate. A certificate also may be revoked due to | |||
| loss or compromise of the private key corresponding to the public key | loss or compromise of the private key corresponding to the public key | |||
| skipping to change at page 29, line 9 | skipping to change at page 29, line 9 | |||
| 4.9.8. Maximum latency for CRLs | 4.9.8. Maximum latency for CRLs | |||
| A CRL will be posted to the repository system with minimal delay | A CRL will be posted to the repository system with minimal delay | |||
| after generation. | after generation. | |||
| 4.9.9. On-line revocation/status checking availability [OMITTED] | 4.9.9. On-line revocation/status checking availability [OMITTED] | |||
| 4.9.10. On-line revocation checking requirements [OMITTED] | 4.9.10. On-line revocation checking requirements [OMITTED] | |||
| 4.9.11. Other forms of revocation advertisements available [OMITTED] | 4.9.11. Other forms of revocation advertisements available | |||
| [OMITTED] | ||||
| 4.9.12. Special requirements re key compromise [OMITTED] | 4.9.12. Special requirements re key compromise [OMITTED] | |||
| 4.9.13. Circumstances for suspension [OMITTED] | 4.9.13. Circumstances for suspension [OMITTED] | |||
| 4.9.14. Who can request suspension [OMITTED] | 4.9.14. Who can request suspension [OMITTED] | |||
| 4.9.15. Procedure for suspension request [OMITTED] | 4.9.15. Procedure for suspension request [OMITTED] | |||
| 4.9.16. Limits on suspension period [OMITTED] | 4.9.16. Limits on suspension period [OMITTED] | |||
| skipping to change at page 29, line 37 | skipping to change at page 29, line 38 | |||
| 4.10.2. Service availability [OMITTED] | 4.10.2. Service availability [OMITTED] | |||
| 4.10.3. Optional features [OMITTED] | 4.10.3. Optional features [OMITTED] | |||
| 4.11. End of subscription [OMITTED] | 4.11. End of subscription [OMITTED] | |||
| 4.12. Key escrow and recovery [OMITTED] | 4.12. Key escrow and recovery [OMITTED] | |||
| 4.12.1. Key escrow and recovery policy and practices [OMITTED] | 4.12.1. Key escrow and recovery policy and practices [OMITTED] | |||
| 4.12.2. Session key encapsulation and recovery policy and practices | 4.12.2. Session key encapsulation and recovery policy and | |||
| [OMITTED] | practices [OMITTED] | |||
| 5. Facility, Management, and Operational Controls | 5. Facility, Management, and Operational Controls | |||
| 5.1. Physical controls | 5.1. Physical controls | |||
| <As per the CP, describe the physical controls that you employ for | <As per the CP, describe the physical controls that you employ for | |||
| certificate management. These should be commensurate to those used in | certificate management. These should be commensurate to those used in | |||
| the management of address space allocation.> | the management of address space allocation.> | |||
| 5.1.1. Site location and construction | 5.1.1. Site location and construction | |||
| skipping to change at page 32, line 40 | skipping to change at page 32, line 40 | |||
| 5.5.1. Types of records archived [OMITTED] | 5.5.1. Types of records archived [OMITTED] | |||
| 5.5.2. Retention period for archive [OMITTED] | 5.5.2. Retention period for archive [OMITTED] | |||
| 5.5.3. Protection of archive [OMITTED] | 5.5.3. Protection of archive [OMITTED] | |||
| 5.5.4. Archive backup procedures [OMITTED] | 5.5.4. Archive backup procedures [OMITTED] | |||
| 5.5.5. Requirements for time-stamping of records [OMITTED] | 5.5.5. Requirements for time-stamping of records [OMITTED] | |||
| 5.5.6. Archive collection system (internal or external) [OMITTED] | 5.5.6. Archive collection system (internal or external) | |||
| [OMITTED] | ||||
| 5.5.7. Procedures to obtain and verify archive information [OMITTED] | 5.5.7. Procedures to obtain and verify archive information | |||
| [OMITTED] | ||||
| 5.6. Key changeover | 5.6. Key changeover | |||
| The <Name of LIR/ISP> CA certificate will contain a validity period | The <Name of LIR/ISP> CA certificate will contain a validity period | |||
| that encompasses that of all certificates verifiable using this CA | that encompasses that of all certificates verifiable using this CA | |||
| certificate. To support this, <Name of LIR/ISP> will create a new | certificate. To support this, <Name of LIR/ISP> will create a new | |||
| signature key pair, and acquire and publish a new certificate | signature key pair, and acquire and publish a new certificate | |||
| containing the public key of the pair, <specify here the minimum | containing the public key of the pair, <specify here the minimum | |||
| amount of lead time, e.g., ''a minimum of 6 months''> in advance | amount of lead time, e.g., "a minimum of 6 months"> in advance of the | |||
| of the scheduled change of the current signature key pair. | scheduled change of the current signature key pair. | |||
| 5.7. Compromise and disaster recovery [OMITTED] | 5.7. Compromise and disaster recovery [OMITTED] | |||
| 5.7.1. Incident and compromise handling procedures [OMITTED] | 5.7.1. Incident and compromise handling procedures [OMITTED] | |||
| 5.7.2. Computing resources, software, and/or data are corrupted | 5.7.2. Computing resources, software, and/or data are corrupted | |||
| [OMITTED] | [OMITTED] | |||
| 5.7.3. Entity private key compromise procedures [OMITTED] | 5.7.3. Entity private key compromise procedures [OMITTED] | |||
| 5.7.4. Business continuity capabilities after a disaster [OMITTED] | 5.7.4. Business continuity capabilities after a disaster | |||
| [OMITTED] | ||||
| 5.8. CA or RA termination | 5.8. CA or RA termination | |||
| <Describe the fallback policy for management of your CA's IP address | <Describe the fallback policy for management of your CA's IP address | |||
| space allocations in case of its own termination.> | space allocations in case of its own termination.> | |||
| 6. Technical Security Controls | 6. Technical Security Controls | |||
| This section describes the security controls used by <Name of | This section describes the security controls used by <Name of | |||
| LIR/ISP>. | LIR/ISP>. | |||
| skipping to change at page 35, line 46 | skipping to change at page 35, line 46 | |||
| Controls | Controls | |||
| 6.2.1. Cryptographic module standards and controls | 6.2.1. Cryptographic module standards and controls | |||
| The <Name of LIR/ISP> CA employs a cryptographic module evaluated | The <Name of LIR/ISP> CA employs a cryptographic module evaluated | |||
| under FIPS 140-2, at level 4 [FIPS]. | under FIPS 140-2, at level 4 [FIPS]. | |||
| 6.2.2. Private key (n out of m) multi-person control | 6.2.2. Private key (n out of m) multi-person control | |||
| <If you choose to use multi-person controls to constrain access to | <If you choose to use multi-person controls to constrain access to | |||
| this CA's private keys, then insert the following text. ''There will | this CA's private keys, then insert the following text. "There will | |||
| be private key <insert here n> out of <insert here m> multi-person | be private key <insert here n> out of <insert here m> multi-person | |||
| control.''> | control."> | |||
| 6.2.3. Private key escrow | 6.2.3. Private key escrow | |||
| No private key escrow procedures are required for this PKI. | No private key escrow procedures are required for this PKI. | |||
| 6.2.4. Private key backup | 6.2.4. Private key backup | |||
| <Describe the procedures used for backing up your CA's private key. | <Describe the procedures used for backing up your CA's private key. | |||
| The following aspects should be included. (1) The copying should be | The following aspects should be included. (1) The copying should be | |||
| done under the same multi-party control as is used for controlling | done under the same multi-party control as is used for controlling | |||
| skipping to change at page 37, line 17 | skipping to change at page 37, line 17 | |||
| The cryptographic module will be certified FIPS 140-2, at level 2 or | The cryptographic module will be certified FIPS 140-2, at level 2 or | |||
| 3 [FIPS]. | 3 [FIPS]. | |||
| 6.3. Other aspects of key pair management | 6.3. Other aspects of key pair management | |||
| 6.3.1. Public key archival | 6.3.1. Public key archival | |||
| Because this PKI does not support non-repudiation, there is no need | Because this PKI does not support non-repudiation, there is no need | |||
| to archive public keys. | to archive public keys. | |||
| 6.3.2. Certificate operational periods and key pair usage periods | 6.3.2. Certificate operational periods and key pair usage | |||
| periods | ||||
| The <Name of LIR/ISP> CA's key pair will have a validity interval of | The <Name of LIR/ISP> CA's key pair will have a validity interval of | |||
| <insert number of years -- LIR/ISP key pairs and certificates should | <insert number of years - LIR/ISP key pairs and certificates should | |||
| have reasonably long validity intervals, e.g., 10 years, to minimize | have reasonably long validity intervals, e.g., 10 years, to minimize | |||
| the disruption caused by key changeover.> | the disruption caused by key changeover.> | |||
| 6.4. Activation data | 6.4. Activation data | |||
| 6.4.1. Activation data generation and installation | 6.4.1. Activation data generation and installation | |||
| <Describe how activation data for your CA will be generated.> | <Describe how activation data for your CA will be generated.> | |||
| 6.4.2. Activation data protection | 6.4.2. Activation data protection | |||
| Activation data for the CA private key will be protected by <Describe | Activation data for the CA private key will be protected by <Describe | |||
| your procedures here>. | your procedures here>. | |||
| 6.4.3. Other aspects of activation data | 6.4.3. Other aspects of activation data | |||
| <Add here any details you wish to provide with regard to the | <Add here any details you wish to provide with regard to the | |||
| activation data for your CA. If there are none, say ''None.''> | activation data for your CA. If there are none, say "None."> | |||
| 6.5. Computer security controls | 6.5. Computer security controls | |||
| 6.5.1. Specific computer security technical requirement | 6.5.1. Specific computer security technical requirement | |||
| <Describe your security requirements for the computers used to | <Describe your security requirements for the computers used to | |||
| support this PKI, e.g., requirements for authenticated logins, audit | support this PKI, e.g., requirements for authenticated logins, audit | |||
| capabilities, etc. These requirements should be commensurate with | capabilities, etc. These requirements should be commensurate with | |||
| those used for the computers used for managing allocation of IP | those used for the computers used for managing allocation of IP | |||
| addresses.> | addresses.> | |||
| skipping to change at page 39, line 7 | skipping to change at page 39, line 7 | |||
| operation. These should be commensurate with the network security | operation. These should be commensurate with the network security | |||
| controls employed for the computers used for managing allocation of | controls employed for the computers used for managing allocation of | |||
| IP addresses.> | IP addresses.> | |||
| 6.8. Time-stamping | 6.8. Time-stamping | |||
| The PKI in question does not make use of time stamping. | The PKI in question does not make use of time stamping. | |||
| 7. Certificate and CRL Profiles | 7. Certificate and CRL Profiles | |||
| Please refer to the Certificate and CRL Profile [draft-ietf-sidr-res- | Please refer to the Certificate and CRL Profile [RESCERT]. | |||
| certs-01. | ||||
| 7.1. Certificate profile [OMITTED] | 7.1. Certificate profile [OMITTED] | |||
| 7.1.1. Version number(s) [OMITTED] | 7.1.1. Version number(s) [OMITTED] | |||
| 7.1.2. Certificate extensions [OMITTED] | 7.1.2. Certificate extensions [OMITTED] | |||
| 7.1.2.1. Required certificate extensions [OMITTED] | 7.1.2.1. Required certificate extensions [OMITTED] | |||
| 7.1.2.2. Deprecated certificate extensions [OMITTED] | 7.1.2.2. Deprecated certificate extensions [OMITTED] | |||
| skipping to change at page 39, line 34 | skipping to change at page 39, line 33 | |||
| 7.1.4. Name forms [OMITTED] | 7.1.4. Name forms [OMITTED] | |||
| 7.1.5. Name constraints [OMITTED] | 7.1.5. Name constraints [OMITTED] | |||
| 7.1.6. Certificate policy object identifier [OMITTED] | 7.1.6. Certificate policy object identifier [OMITTED] | |||
| 7.1.7. Usage of Policy Constraints extension [OMITTED] | 7.1.7. Usage of Policy Constraints extension [OMITTED] | |||
| 7.1.8. Policy qualifiers syntax and semantics [OMITTED] | 7.1.8. Policy qualifiers syntax and semantics [OMITTED] | |||
| 7.1.9. Processing semantics for the critical Certificate Policies | 7.1.9. Processing semantics for the critical Certificate | |||
| extension [OMITTED] | Policies extension [OMITTED] | |||
| 7.2. CRL profile [OMITTED] | 7.2. CRL profile [OMITTED] | |||
| 7.2.1. Version number(s) [OMITTED] | 7.2.1. Version number(s) [OMITTED] | |||
| 7.2.2. CRL and CRL entry extensions [OMITTED] | 7.2.2. CRL and CRL entry extensions [OMITTED] | |||
| 7.2.2.1. Required CRL extensions [OMITTED] | 7.2.2.1. Required CRL extensions [OMITTED] | |||
| 7.2.2.2. Deprecated CRL extensions [OMITTED] | 7.2.2.2. Deprecated CRL extensions [OMITTED] | |||
| skipping to change at page 43, line 25 | skipping to change at page 43, line 25 | |||
| 9.2.1. Insurance coverage | 9.2.1. Insurance coverage | |||
| 9.2.2. Other assets | 9.2.2. Other assets | |||
| 9.2.3. Insurance or warranty coverage for end-entities | 9.2.3. Insurance or warranty coverage for end-entities | |||
| 9.3. Confidentiality of business information | 9.3. Confidentiality of business information | |||
| 9.3.1. Scope of confidential information | 9.3.1. Scope of confidential information | |||
| 9.3.2. Information not within the scope of confidential information | 9.3.2. Information not within the scope of confidential | |||
| information | ||||
| 9.3.3. Responsibility to protect confidential information | 9.3.3. Responsibility to protect confidential information | |||
| 9.4. Privacy of personal information | 9.4. Privacy of personal information | |||
| 9.4.1. Privacy plan | 9.4.1. Privacy plan | |||
| 9.4.2. Information treated as private | 9.4.2. Information treated as private | |||
| 9.4.3. Information not deemed private | 9.4.3. Information not deemed private | |||
| skipping to change at page 44, line 7 | skipping to change at page 44, line 9 | |||
| 9.5. Intellectual property rights (if applicable) | 9.5. Intellectual property rights (if applicable) | |||
| 9.6. Representations and warranties | 9.6. Representations and warranties | |||
| 9.6.1. CA representations and warranties | 9.6.1. CA representations and warranties | |||
| 9.6.2. Subscriber representations and warranties | 9.6.2. Subscriber representations and warranties | |||
| 9.6.3. Relying party representations and warranties | 9.6.3. Relying party representations and warranties | |||
| 9.6.4. Representations and warranties of other participants [OMITTED] | 9.6.4. Representations and warranties of other participants | |||
| [OMITTED] | ||||
| 9.7. Disclaimers of warranties | 9.7. Disclaimers of warranties | |||
| 9.8. Limitations of liability | 9.8. Limitations of liability | |||
| 9.9. Indemnities | 9.9. Indemnities | |||
| 9.10. Term and termination | 9.10. Term and termination | |||
| 9.10.1. Term | 9.10.1. Term | |||
| skipping to change at page 46, line 5 | skipping to change at page 45, line 40 | |||
| Other Assessments are oriented towards ensuring secure operation of | Other Assessments are oriented towards ensuring secure operation of | |||
| the PKI entities such as CA, RA, repository, subscriber systems, and | the PKI entities such as CA, RA, repository, subscriber systems, and | |||
| relying party systems. | relying party systems. | |||
| 11. IANA Considerations | 11. IANA Considerations | |||
| None. | None. | |||
| 12. Acknowledgments | 12. Acknowledgments | |||
| The authors would like to thank Matt Lepinski for his help with the | ||||
| formatting of this document. | ||||
| 13. References | 13. References | |||
| 13.1. Normative References | 13.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet X.509 | [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet X.509 | |||
| Public Key Infrastructure Certificate and Certificate | Public Key Infrastructure Certificate and Certificate | |||
| Revocation List (CRL) Profile", BCP 14, RFC 2119, March | Revocation List (CRL) Profile", BCP 14, RFC 2119, March | |||
| 1997. | 1997. | |||
| [RFCxxxx] Seo, K., Watro, R., Kong, D., and Kent, S., "Certificate | [CP] Seo, K., Watro, R., Kong, D., and Kent, S., "Certificate | |||
| Policy for the Internet IP Address and AS Number PKI", RFC | Policy for the Internet IP Address and AS Number PKI", | |||
| xxxx. | draft-ietf-sidr-cp, July 2007 (work in progress). | |||
| [RFCYYYY] Huston, G., Loomans, R., Michaelson, G., ''A Profile for | [RESCERT] Huston, G., Loomans, R., Michaelson, G., "A Profile for | |||
| X.509 PKIX Resource Certificates'', work in progress, June | X.509 PKIX Resource Certificates", draft-ietf-sidr-res- | |||
| 19, 2006. | certs, June 2007 (work in progress). | |||
| 13.2. Informative References | 13.2. Informative References | |||
| [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 | [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 | |||
| (BGP-4). IETF RFC 1771, March 1995. | (BGP-4). IETF RFC 1771, March 1995. | |||
| [FIPS] Federal Information Processing Standards Publication 140-2 | [FIPS] Federal Information Processing Standards Publication 140-2 | |||
| (FIPS PUB 140-2), "Security Requirements for Cryptographic | (FIPS PUB 140-2), "Security Requirements for Cryptographic | |||
| Modules", Information Technology Laboratory, National | Modules", Information Technology Laboratory, National | |||
| Institute of Standards and Technology, May 25, 2001. | Institute of Standards and Technology, May 25, 2001. | |||
| End of changes. 68 change blocks. | ||||
| 152 lines changed or deleted | 134 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||