Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

Transcription

1 Raytheon Company Public Key Infrastructure (PKI) Certificate Policy Version 1.17 April 7, /08/2016

2 Signature Page Jeffrey C. Brown Digitally signed by Jeffrey C. Brown DN: dc=com, dc=raytheon, o=cas, ou=class3, ou=users, = , cn=jeffrey C. Brown Date: :47:21-04'00' Jeffrey C Brown Raytheon Chief Information Security Officer DATE Digitally signed by Laura A Kohler DN: dc=com, dc=raytheon, o=cas, ou=class3-g2, ou=users, cn=laura A Kohler, = Date: :15:39-05'00' Laura A Kohler Laura A Kohler Raytheon Policy Management Authority Chair 2 DATE 03/08/2016

3 Table of Contents 1 INTRODUCTION Overview Certificate Policy (CP) Relationship between this CP & the Raytheon CPS Scope Document Identification PKI Participants PKI Authorities Registration Authority (RA) Subscribers Relying Parties Other Participants Applicability Certificate Usage Appropriate Certificate Uses Prohibited Certificate Uses Policy Administration Organization administering the document Contact Person Person Determining Certification Practice Statement Suitability for the Policy CPS Approval Procedures Waivers PUBLICATION & PKI REPOSITORY RESPONSIBILITIES PKI Repositories Repository Obligations Publication of Certificate Information Publication of CA Information Interoperability Time or Frequency of Publication Access Controls on PKI Repositories IDENTIFICATION & AUTHENTICATION Naming Types of Names Need for Names to be Meaningful Anonymity or Pseudonymity of Subscribers Rules for Interpreting Various Name Forms Uniqueness of Names /08/2016

4 3.1.6 Recognition, Authentication & Role of Trademarks Name Claim Dispute Resolution Procedure Initial Identity Validation Method to Prove Possession of Private Key Authentication of Organization Identity Authentication of Individual Identity Non-verified Subscriber Information Validation of Authority Criteria for Interoperation Identification and Authentication for Re-Key Requests Identification and Authentication for Routine Re-key Identification and Authentication for Re-key after Revocation Identification and Authentication for Revocation Request CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS Certificate Application Submission of Certificate Application Enrollment Process and Responsibilities Certificate Application Processing Performing Identification and Authentication Functions Approval or Rejection of Certificate Applications Time to Process Certificate Applications Certificate Issuance CA Actions during Certificate Issuance Notification to Subscriber of Certificate Issuance Certificate Acceptance Conduct Constituting Certificate Acceptance Publication of the Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Key Pair and Certificate Usage Subscriber Private Key and Certificate Usage Relying Party Public Key and Certificate Usage Certificate Renewal Circumstance for Certificate Renewal Who may Request Renewal Processing Certificate Renewal Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of a Renewal Certificate Publication of the Renewal Certificate by the CA /08/2016

5 4.6.7 Notification of Certificate Issuance by the CA to Other Entities Certificate Re-Key Circumstance for Certificate Re-key Who may Request Certification of a New Public Key Processing Certificate Re-keying Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of a Re-keyed Certificate Publication of the Re-keyed Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Certificate Modification Circumstance for Certificate Modification Who may Request Certificate Modification Processing Certificate Modification Requests Notification of New Certificate Issuance to Subscriber Conduct Constituting Acceptance of Modified Certificate Publication of the Modified Certificate by the CA Notification of Certificate Issuance by the CA to Other Entities Certificate Revocation and Suspension Circumstance for Revocation of a Certificate Who Can Request Revocation of a Certificate Procedure for Revocation Request Revocation Request Grace Period Time within which CA must Process the Revocation Request Revocation Checking Requirements for Relying Parties CRL Issuance Frequency Maximum Latency for CRLs Online Revocation Checking Availability Online Revocation Checking Requirements Other Forms of Revocation Advertisements Available Special Requirements Related To Key Compromise Circumstances for Suspension Who can Request Suspension Procedure for Suspension Request Limits on Suspension Period Certificate Status Services Operational Characteristics Service Availability /08/2016

6 Optional Features End Of Subscription Key Escrow and Recovery Key Escrow and Recovery Policy and Practices Session Key Encapsulation and Recovery Policy and Practices FACILITY MANAGEMENT & OPERATIONAL CONTROLS Physical Controls Site Location & Construction Physical Access Power and Air Conditioning Water Exposures Fire Prevention & Protection Media Storage Waste Disposal Off-Site backup Procedural Controls Trusted Roles Number of Persons Required per Task Identification and Authentication for Each Role Roles Requiring Separation of Duties Personnel Controls Qualifications, Experience, and Clearance Requirements Background Check Procedures Training Requirements Retraining Frequency and Requirements Job Rotation Frequency and Sequence Sanctions for Unauthorized Actions Independent Contractor Requirements Documentation Supplied To Personnel Audit Logging Procedures Types of Events Recorded Frequency of Processing Audit Logs Retention Period for Audit Logs Protection of Audit Logs Audit Log Backup Procedures Audit Collection System (internal vs. external) Notification to Event-Causing Subject /08/2016

7 5.4.8 Vulnerability Assessments Records Archival Types of Records Archived Retention Period for Archive Protection of Archive Archive Backup Procedures Requirements for Time-Stamping of Records Archive Collection System (internal or external) Procedures to Obtain & Verify Archive Information Key Changeover Compromise and Disaster Recovery Incident and Compromise Handling Procedures Computing Resources, Software, and/or Data Corruption Private Key Compromise Procedures Business Continuity Capabilities after a Disaster CA, CSA, and RA Termination TECHNICAL SECURITY CONTROLS Key Pair Generation and Installation Key Pair Generation Private Key Delivery to Subscriber Public Key Delivery to Certificate Issuer CA Public Key Delivery to Relying Parties Key Sizes Public Key Parameters Generation and Quality Checking Key Usage Purposes (as per X.509 v3 key usage field) Private Key Protection and Cryptographic Module Engineering Controls Cryptographic Module Standards and Controls Private Key Multi-Person Control Private Key Escrow Private Key Backup Private Key Archival Private Key Transfer into or from a Cryptographic Module Private Key Storage on Cryptographic Module Method of Activating Private Key Methods of Deactivating Private Key Method of Destroying Private Key Cryptographic Module Rating /08/2016

8 6.3 Other Aspects of Key Management Public Key Archival Certificate Operational Periods/Key Usage Periods Activation Data Activation Data Generation and Installation Activation Data Protection Other Aspects of Activation Data Computer Security Controls Specific Computer Security Technical Requirements Computer Security Rating Life-Cycle Technical Controls System Development Controls Security Management Controls Life Cycle Security Controls Network Security Controls Time Stamping CERTIFICATE, CRL AND OCSP PROFILES Certificate Profile Version Numbers Certificate Extensions Algorithm Object Identifiers Name Forms Name Constraints Certificate Policy Object Identifier Usage of Policy Constraints Extension Policy Qualifiers Syntax and Semantics Processing Semantics for the Critical Certificate Policy Extension CRL Profile Version Numbers CRL and CRL Entry Extensions OCSP Profile Version Number OCSP Extensions COMPLIANCE AUDIT AND OTHER ASSESSMENTS Frequency or Circumstances of Assessments Identity and Qualifications of Assessor Assessor s Relationship To Assessed Entity Topics Covered by Assessment Actions Taken as a Result of Deficiency Communication of Results /08/2016

9 9 OTHER BUSINESS AND LEGAL MATTERS Fees Certificate Issuance and Renewal Fees Certificate Access Fees Revocation or Status Information Access Fees Fees for Other Services Refund Policy Financial Responsibility Insurance Coverage Other Assets Insurance or Warranty Coverage for End-Entities Confidentiality of Business Information Privacy of Personal Information Intellectual Property Rights Property Rights in Certificates and Revocation Information Property Rights in the CPS Property Rights in Names Property Rights in Keys Representations and Warranties CA Representations and Warranties Subscriber Relying Party Registration Authority Representations and Warranties of Other Participants Disclaimers of Warranties Limitations of Liabilities Indemnities Indemnification by Cross Certified CAs Indemnification by Relying Parties Term and Termination Term Termination Effect of Termination and Survival Individual Notices and Communications with Participants Amendments Procedure for Amendment Notification Mechanism and Period Circumstances under Which OID Must be Changed Dispute Resolution Provisions /08/2016

10 Disputes among Raytheon and Customers Alternate Dispute Resolution Provisions Governing Law Compliance with Applicable Law Miscellaneous Provisions Entire Agreement Assignment Severability Waiver of Rights Force Majeure Other Provisions CERTIFICATE, CRL, AND OCSP FORMATS Raytheon Root CA CBCA Cross-Certificate PKCS 10 Request Raytheon Root CA Certificate (RRCA) High Assurance Subscriber Signature Certificate High Assurance Subscriber Encryption Certificate Medium Assurance Signing CA Certificate (MASCA) Medium Assurance Subscriber Signature Certificate Medium Assurance Subscriber Encryption Certificate Medium Assurance Subscriber Authentication Certificate Medium Assurance Code Signing Certificate Medium Assurance Application Certificate Medium Assurance Device or Server Certificate Medium Assurance Domain Controller Certificate Medium Assurance Role Signature Certificate Medium Assurance Role Encryption Certificate OCSP Responder Certificate Raytheon Root CA CRL Format Medium Assurance CA CRL Format OCSP Request Format OCSP Response Format Extended Key Usage PKI REPOSITORY INTEROPERABILITY PROFILE Protocol Authentication Naming Object Class Attributes BIBLIOGRAPHY ACRONYMS & ABBREVIATIONS GLOSSARY /08/2016

11 1 INTRODUCTION This Certificate Policy (CP) governs the operation of a Public Key Infrastructure (PKI) consisting of products and services that provide and manage X.509 certificates for public-key cryptography. Certificates identify the individual named in the certificate, and bind that person to a particular public/private key pair. This CP defines several certificate policies that represent the test, low-software, low-hardware, medium-software, medium-cbp-software 1, medium-device-software, medium-hardware, medium-cbp-hardware, medium-device-hardware, and high-hardware assurance levels for public key certificates. The word assurance used in this CP means how well a Relying Party can be certain of the identity binding between the public key and the individual whose subject name is cited in the certificate. In addition, it also reflects how well the Relying Party can be certain that the individual whose subject name is cited in the certificate is controlling the use of the private key that corresponds to the public key in the certificate, and how securely the system which was used to produce the certificate and (if appropriate) deliver the private key to the subscriber performs its task. To assist in the transition from SHA 1 based signatures to SHA 2 based signatures, this CP covers a set of SHA2- policy OIDs for the medium-cbp-software, medium-cbp-hardware, medium-software, medium-hardware, and high levels of assurance. Raytheon plans to operate a Certification Authority (CA) based on the policies in this CP to facilitate cross-certification with the CertiPath Bridge Certification Authority (CBCA) for interoperation among Aerospace PKIs. Raytheon programs require services such as authentication, confidentiality, technical nonrepudiation, and access control. These services are met with an array of network security devices such as users, workstations, firewalls, routers, network encryptors, and trusted database servers. The operation of these devices is supported and completed by use of publickey cryptography. As a system solution, the devices share the burden of the total system security. The use of public key certificates does not add any security services in a poorly designed or implemented system. Security management services provided by the PKI include: Key Generation/Storage/Recovery Certificate Generation, Update, Renewal, Re-key, and Distribution Certificate Revocation List (CRL) Generation and Distribute Directory Management of Certificate Related Items Certificate Update, Renewal, Re-key, and Recovery Certificate token initialization/programming/management System Management functions (e.g. security audit, configuration management, archive, etc.) The security of these services is ensured by defining requirements on PKI activities, including the following: Subscriber identification and authorization verification Control of computer and cryptographic systems 1 Note: CBP stands for Commercial Best Practices 11 03/08/2016

12 Operation of computer and cryptographic systems Usage of keys and public-key certificates by Subscribers and Relying Parties Definition of rules to limit liability and to provide a high degree of certainty that the stipulations of the policies in this CP are being met The reliability of the public-key cryptography portion of the security solution is a direct result of the secure and trustworthy operation of an established PKI, including equipment, facilities, personnel, and procedures. Electronic commerce is one important PKI application. The use of public key cryptography for electronic commerce applications should be determined on the basis of a review of the security services provided by the public key certificates, the value of the electronic commerce applications, and the risk associated with the applications. The applicability statements in one or more of the policies in this CP shall be considered minimum requirements; application accreditors may require higher levels of assurance than specified in this CP for the stated applications. This CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practice Statement Framework. 1.1 Overview The Raytheon Certificate Policy (CP) is the unified policy under which all Certification Authorities (CA) operated by Raytheon are established and operate. This document shall be reviewed and updated as described in section 9.12, based on operational experience, changing threats, new technology, and further analysis. This document defines the creation and management of Version 3 X.509 public-key certificates for use in applications requiring communication between networked computer-based systems. Such applications include, but are not limited to, electronic mail; secure transmission of data; signature of electronic forms; contract formation signatures and authentication of infrastructure devices such as web servers, firewalls, and desktops. The intended network backbone for these network security products is the Internet Certificate Policy (CP) Certificates contain one or more registered certificate policy object identifiers (OID), which may be used by a Relying Party to decide whether a certificate is trusted for a particular purpose. The party that registers the OIDs (in this case, Raytheon Company) also publishes the CP, for examination by Relying Parties. Each OID corresponds to a specific level of assurance established by this Certificate Policy (CP) which shall be available to Relying Parties. Each certificate issued by a Raytheon CA shall assert the appropriate level of assurance in the certificatepolicies extension. Cross certificates issued by the Raytheon Root CA shall, in the policymappings extension and in whatever other fashion is determined by the Raytheon Policy Management Authority (described in Section ) to be necessary for interoperability, reflect what mappings exist between this CP and the cross certified PKI CP Relationship between this CP & the Raytheon CPS This Certificate Policy (CP) states what assurance can be placed in a certificate issued by the Raytheon certificate servers. The Certification Practice Statement (CPS) states how the respective certification authorities establish that assurance /08/2016

13 1.1.3 Scope The following diagram represents the scope of the Raytheon PKI. The Raytheon Root CA shall cross-certify with the CertiPath Bridge CA. Subscriber certificates shall be issued by the Raytheon Signing CA. Figure 1 Scope of Raytheon PKI Architecture This CP imposes requirements on the following Raytheon CAs involved in Signing certificates: Raytheon Root Certification Authority (RRCA) Raytheon Signing CAs The Raytheon Root CA shall issue CA certificates only to the following: Raytheon CAs approved by the RPMA to issue certificates to subscribers External CAs approved by the RPMA to cross-certify to the Raytheon PKI The RRCA may also issue certificates to PKI Trusted Roles who operate the CA. The scope of this CP in terms of subscriber (i.e., end entity) certificate types is limited to those listed in Section 10 and repeated here: identity, signature, encryption, web server, code signing, role signature, and role encryption. Within this document, the term CA, when used without qualifier, shall refer to any certification authority subject to the requirements of this certificate policy, including the RRCA and Signing CAs. Requirements that apply to a specific CA type shall be denoted by specify the CA type, e.g., RRCA or Signing CA /08/2016

14 14 03/08/2016

15 1.2 Document Identification There are multiple levels of assurance in this Certificate Policy, which are defined in subsequent sections. Each level of assurance has an OID, to be asserted in certificates issued by the RRCA and the CAs subordinate to the RRCA, which comply with the policy stipulations herein. The OIDs are registered under the id-infosec arc as follows: id-raytheon ::= id-pki id-certificate-policy id-raytheon-high id-raytheon-mediumhardware id-raytheon-mediumsoftware id-raytheon-mediumcbphardware id-raytheon-mediumcbpsoftware id-raytheon-lowhardware id-raytheon-lowsoftware id-raytheon-medium-device-hardware id-raytheon-medium-device-software id-raytheon-sha2-high id-raytheon-sha2-mediumhardware id-raytheon-sha2-mediumsoftware ::= { id-raytheon-10} ::= { id-pki-1} ::= {Raytheon-certificate-policy-1} ::= {Raytheon-certificate-policy-2} ::= {Raytheon-certificate-policy-3} ::= {Raytheon-certificate-policy-4} ::= {Raytheon-certificate-policy-5} ::= {Raytheon-certificate-policy-6} ::= {Raytheon-certificate-policy-7} ::= {Raytheon-certificate-policy-8} ::= {Raytheon-certificate-policy-9} ::= {Raytheon-certificate-policy-11} ::= {Raytheon-certificate-policy-12} ::= {Raytheon-certificate-policy-13} id-raytheon-sha2-mediumcbphardware id-raytheon-sha2-mediumcbpsoftware {iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) Raytheon(1569) pki(10) certificatepolicy(1)} id-raytheon-sha2-medium-device- Hardware id-raytheon-sha2-medium-device- Software id-raytheon-test ::= {Raytheon-certificate-policy-14} ::= {Raytheon-certificate-policy-15} ::= {Raytheon-certificate-policy-18} ::= {Raytheon-certificate-policy-19} ::= {Raytheon-certificate-policy-20} 15 03/08/2016

16 Unless otherwise stated, a requirement stated in this CP applies to all assurance levels. The requirements associated with CBP (commercial best practice) assurance levels are identical to the corresponding non-cbp assurance level with the exception of trusted role personnel citizenship requirements (see section 5.3.1). All of the requirements for id-raytheon-sha2.. are the same as those for the corresponding certificate policy OID without SHA2- in it except that the CAs not asserting id-raytheon- SHA2.. may use SHA-1 for generation of PKI objects such as certificates, Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses after December 31, For example: 1. The CAs asserting id-raytheon-sha2-highhardware must meet all the highhardware requirements stipulated in this CP; 2. The CAs asserting id-raytheon-sha2-mediumhardware must meet all the mediumhardware requirements stipulated in this CP; 3. The CAs asserting id-raytheon-sha2-mediumhardware use at least SHA-256 for end entity certificates issued after December 31, 2010; and 4. The CAs asserting id-raytheon-mediumhardware may use SHA-1 for end entity certificates issued after December 31, The requirements associated with the id-raytheon-medium-device... and id-raytheon-sha2- medium-device... policies are identical to those defined for other medium assurance policies with the exception of identity proofing, backup and activation data. The use of these policies is restricted to devices and systems (e.g. software applications and hardware devices). Certificates issued to end-entity devices after October 1, 2016 shall assert one or more of the following policies: id-raytheon-sha2-medium-device-hardware, id-raytheon-sha2-mediumdevice-software, id-raytheon-medium-device-hardware, or id-raytheon- mediumdevicesoftware. Other devices (such as content signers, OCSP responders, etc.) may assert appropriate policy OIDs. The requirements associated with the Medium CBP Software (commercial best practice) Assurance policy are identical to those defined for the Medium Software Assurance policy; with the exception of personnel security requirements (see Section 5.3.1). The requirements associated with the Medium CBP Hardware Assurance policy are identical to those defined for the Medium Hardware Assurance policy; with the exception of personnel security requirements (see Section 5.3.1). The Raytheon Root CA may issue certificates to other subordinate CAs, but the subordinate CAs must assert one of the certificate policies listed above.. The low assurance policy is for internal Raytheon company use only. This certificate shall not be trusted by any external entity. The low assurance certificate registration process will not be via In Person Authentication, but rather uses the Raytheon Corporate Directory Services for authentication per corporate policy. The test assurance policy is for issuance of test certificates that shall not be trusted by any relying party /08/2016

17 1.3 PKI Participants This section contains a description of the roles relevant to the administration and operation of the RRCA and Signing CAs PKI Authorities Raytheon Policy Management Authority (RPMA) The Raytheon PMA is responsible for: Overseeing the creation and update of the Raytheon Certificate Policies, including evaluation of changes requested by Raytheon businesses and/or programs, and oversee plans for implementing any accepted changes; Providing timely and responsive coordination to approved Raytheon CAs; Reviewing the Certification Practice Statements (CPS) of Raytheon operated CAs that provide services meeting the stipulations of this CP; Reviewing the results of CA compliance audits to determine if the CAs are adequately meeting the stipulations of this CP and associated approved CPS documents, and make recommendations to the CAs regarding corrective actions, or other measures that might be appropriate, such as revocation of CA certificates or changes to this CP; Accepting applications from CAs desiring to interoperate with the Raytheon PKI; Accepting applications from Subject CAs desiring to cross certify with the Raytheon PKI; Determining the mappings between certificates issued by applicant CAs and the levels of assurance set forth in this CP (which shall include objective and subjective evaluation of the respective CP contents and any other facts deemed relevant by the RPMA), and; Ensuring continued conformance of all CAs approved by the RPMA for interoperation with the RRCA. In addition to the responsibilities listed above, the RPMA provides recommendations regarding the oversight and policy compliance of the Raytheon PKI to the Raytheon Chief Information Security Officer (CISO). The final authority for the Raytheon PKI resides with the CISO as described in the RPMA Charter. A complete description of RPMA roles and responsibilities are provided in the RPMA Charter. In the event the RRCA cross-certifies with another Entity CA, Raytheon shall enter into a Memorandum of Agreement (MOA), or equivalent agreement with an organization, setting forth the respective responsibilities and obligations of both parties, and the mappings between the certificate levels of assurance contained in this CP and those in the Entity CP. The Raytheon PMA shall consult Raytheon Supply Chain prior to entering into a MOA. The term MOA as used in this CP shall always refer to the Agreement cited in this paragraph Raytheon Operational Authority (ROA) The Raytheon Operational Authority is the organization that operates the RRCA and the Signing CAs, including issuing certificates when directed by the RPMA Chair, posting those certificates, Certificate Revocation Lists (CRLs) into the Raytheon PKI Repository, and ensuring the continued availability of the PKI Repository to all users. The Operational Authority acts upon approval of the PMA. The ROA activities are subject to review by the RPMA in order to ensure compliance with this CP and applicable CPS /08/2016

18 Raytheon Operational Authority Manager The Raytheon Operational Authority Manager is the individual within the Raytheon corporate management who has principal responsibility for overseeing the proper operation of the Raytheon CAs including the Raytheon PKI Repository, and who oversees the appointment of the Operational Authority staff. The Manager is a voting member of the RPMA and participates in oversight of the Raytheon PKI Raytheon Operational Authority Officers These officers are the individuals within the Operational Authority, selected by the Manager, who operate the Raytheon CAs and the Raytheon PKI Repository including executing the RPMA direction to issue and revoke certificates to CAs 2 or taking other action to effect interoperability between the RRCA and CBCA. The Operational Authority roles include the Administrator, Officer, Auditor, and Operator, are all described in Section of this CP Certification Authority (CA) A Certification Authority is an entity authorized by the RPMA to create, sign, and issue public key certificates. A CA is responsible for all aspects of the issuance and management of a certificate, including control over the registration process, the identification and authentication process, the certificate manufacturing process, publication of certificates, revocation of certificates, and re-key; and for ensuring that all aspects of the CA services and CA operations and infrastructure related to certificates issued under this CP are performed in accordance with the requirements, representations, and warranties of this CP. CA is an inclusive term, and includes all types of CAs. Any CA requirement expressed in this CP applies to all CA types unless expressly stated otherwise Principal CA (PCA) The Principal CA (PCA) is a CA within a PKI that has been designated to interoperate directly with the CBCA (e.g., through the exchange of cross-certificates). It should be noted that an Entity may request that the CBCA interoperate with more than one CA within the Entity; that is, an Entity may have more than one Principal CA. A PCA may or may not be a Root CA (trust anchor) for its PKI Enterprise Root CA A Root CA is a trust anchor for subscribers of a PKI domain when the subscribers act as a relying party. In the Raytheon PKI, the Root CA acts as the PCA and trust anchor for the Raytheon relying parties. The Raytheon Root CA shall be an offline CA Intermediate CA An Intermediate CA is a CA that is not a Root CA and whose primary function is to issue certificates to other CAs. Intermediate CAs may or may not issue some end entity certificates. In the Raytheon PKI, there is no Intermediate CA Signing CA A Signing CA is a CA whose primary function is to issue certificates to the end entities. A Signing CA does not issue certificates to other CAs Cross Certified CA 2 RRCA issues cross certificates to the PCAs. RRCA issues Signing CA certificates to the Enterprise CAs who want to operate under the Raytheon Root CA /08/2016

19 A Cross Certified CA is an organization that is operating a CA that has cross-certified with Raytheon through the Raytheon Root CA (RRCA) Certificate Status Authority (CSA) A CSA is an authority that provides status of certificates or certification paths. A CSA can be operated in conjunction with the CAs or independent of the CAs. Examples of CSA are: Online Certificate Status Protocol (OCSP) Responders that provide revocation status of certificates. Simple Certificate Validation Protocol (SCVP) Servers that validate certifications paths or provide revocation status checking services 3. OCSP Responders that are keyless and simply repeat responses signed by other Responders and SCVP Servers that do not provide certificate validation services adhere to the same security requirements as repositories Certificate Management Authorities (CMA) Both Certification Authorities and Registration Authorities (RA) are Certificate Management Authorities (CMAs). This CP shall use the term CMA when a function may be assigned to either a CA or a RA, or when a requirement applies to both CAs and RAs. The term Registration Authority includes entities such as Local Registration Authorities. The division of Subscriber registration responsibilities between the CA and RA may vary among implementations of this certificate policy. This division of responsibilities shall be described in the applicable CPS. CSAs operated by Raytheon or issued certificates by Raytheon PKI are also considered CMAs Registration Authority (RA) A Registration Authority (RA) is the entity that collects and verifies each Subscribers identity and the information that is to be entered into his or her public key certificates. An RA interacts with the CA to enter and approve the subscriber certificate request information. The Raytheon Operational Authority acts as the RA for the Raytheon CAs. The RA performs its function in accordance with a CPS approved by the RPMA Subscribers A Subscriber is the entity whose name appears as the subject in an end-entity certificate, and who agrees to use its key and certificate in accordance with the certificate policy asserted in the certificate, and does not itself issue certificates. The targeted Raytheon PKI Subscribers include, but are not limited to, the following categories of entities that may wish to communicate securely and have demonstrated a bona fide need for a PKI certificate: Raytheon employees and eligible contractors; Raytheon business partners customer, partner, supplier; Non-US personnel and eligible contractors; and Workstations, applications, firewalls, routers, and network encryptors, trusted servers (e.g., database, FTP, and WWW), and other infrastructure devices. These devices 3 There are three types of SCVP Servers: path development, path validation with revocation checking, and path validation without revocation checking. The path development servers are not considered within the scope of this policy since the corruption of these servers does not adversely impact security and hence they need not be subject of a CP /08/2016

20 must be under the cognizance of humans, to accept the certificate and are responsible for the correct protection and use of the associated private key. CAs are sometimes technically considered subscribers in a PKI. However, the term Subscriber as used in this document refers only to those who request certificates for uses other than signing and issuing certificates or certificate status information Relying Parties A Relying Party is the entity that relies on the validity of the binding of the Subscriber's name to a public key. The Relying Party is responsible for deciding whether or how to check the validity of the certificate by checking the appropriate certificate status information. The Relying Party can use the certificate to verify the integrity of a digitally signed message, to identify the creator of a message, or to establish confidential communications with the holder of the certificate. A Relying Party may use information in the certificate (such as certificate policy identifiers) to determine the suitability of the certificate for a particular use Other Participants Related Authorities The Raytheon Root CA and Signing CAs operating under this CP shall require the services of other security, community, and application authorities, such as compliance auditors and attribute authorities. The Root CPS shall identify the parties responsible for providing such services and the mechanisms used to support these services. The Signing CA CPS shall identify the parties responsible for providing such services to the Root CA, and the mechanisms used to support these services Trusted Agent A Trusted Agent is the entity that collects and verifies each Subscriber s identity and information on behalf of an RA. A Trusted Agent does not have privileged access to the CA to enter or approve subscriber information Applicability The sensitivity of the information processed or protected using certificates issued by Raytheon CAs shall vary significantly. Relying Party Entities must evaluate the environment and the associated threats and vulnerabilities and determine the level of risk they are willing to accept based on the sensitivity or significance of the information. This evaluation is performed by each Entity for each application and is not controlled by this CP. To provide sufficient granularity, this CP specifies security requirements for the assurance levels listed in Section 1.2. The certificate levels of assurance contained in this CP are set forth below, as well as a brief and non-binding description of the applicability for applications suited to each level. Assurance Level Applicability 20 03/08/2016

21 Medium-software or Medium-CBPsoftware Medium-hardware or Medium-CBPhardware High-hardware This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial. Subscriber private keys are stored in software at this assurance level. This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial. Subscriber private keys are stored in hardware at this assurance level. This level is relevant to environments where risks and consequences of data compromise are high. This may include transactions having high monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is high. Subscriber private keys are stored in hardware at this assurance level Factors in Determining Usage The Relying Party must first determine the level of assurance required for an application, and then select the certificate appropriate for meeting the needs of that application. This shall be determined by evaluating various risk factors including the value of the information, the threat environment, and the existing protection of the information environment. These determinations are made by the Relying Party and are not controlled by the RPMA or the Raytheon Operational Authority. Nonetheless, this CP contains some helpful guidance, set forth herein, which Relying Parties may consider in making their decisions Obtaining Certificates This CP requires publication and access to CA certificates and CRLs. This CP imposes no requirements in terms of publication and access to end entity (i.e., subscriber) certificates. The relying party applications must make their own agreements for obtaining the subscriber certificates. This could be trivially done for signature applications by including the signer certificate in the application protocol. For encryption applications, the relying party must develop a means to access subscriber certificates. Use of X.500 and LDAP Repositories is one way to achieve this, but this CP does not mandate which mechanism a Relying Party must use. 1.4 Certificate Usage Appropriate Certificate Uses Certificates asserting a Policy OID defined in this document shall only be used for transactions related to Raytheon business in accordance with Raytheon policy. CAs must state this requirement in their CPS and impose a requirement on Subscribers to abide by this limitation Prohibited Certificate Uses See section above /08/2016

22 1.5 Policy Administration Organization administering the document The Raytheon PMA shall review and provide recommendations to the Raytheon CISO for this CP. The Raytheon CISO is responsible for all aspects of this CP Contact Person Questions regarding this CP shall be directed to the Chair of the RPMA. The current RPMA Chair can be found at: or via at Person Determining Certification Practice Statement Suitability for the Policy The RPMA shall approve the Raytheon CPS. The Raytheon CPS must conform to the corresponding Certificate Policy. The determination of suitability shall be based on an independent compliance assessor s results and recommendations. The compliance assessor shall be from a firm, which is independent from the entity being audited. The compliance assessor may not be the author of this CP or the subject CPS. The RPMA shall determine whether a compliance assessor meets these requirements. (See Section 8 for complete assessor requirements) CPS Approval Procedures The term CPS is defined in the Internet RFC 3647, X.509 Public Key Infrastructure Certificate Policy and Certificate Practices Framework as: "A statement of the practices, which a Certification Authority employs in issuing certificates." It is a comprehensive description of such details as the precise implementation of service offerings and detailed procedures of certificate life-cycle management. The Raytheon CPS which is contained in a separate document published by the Raytheon Operational Authority and approved by the RPMA, specifies how this CP and any Agreements that the RPMA has approved shall be implemented to ensure compliance with their provisions Waivers There shall be no waivers to this CP /08/2016

23 2 PUBLICATION & PKI REPOSITORY RESPONSIBILITIES 2.1 PKI Repositories The Raytheon PKI repository shall be available over the Internet to the CertiPath relying parties. The PKI Repositories shall contain the information necessary to support interoperation of the Entity PKI domains that employ the CertiPath CAs for this purpose Repository Obligations The Raytheon Operational Authority may use a variety of mechanisms for posting information into PKI repositories as required by this CP. These mechanisms at a minimum shall include: Availability of the information as required by the certificate information posting and retrieval stipulations of this CP; Access control mechanisms sufficient to protect repository information as described in later Sections. Contain the information necessary to support interoperation of the Raytheon PKI with the CBCA. 2.2 Publication of Certificate Information Publication of CA Information All Raytheon CAs, at a minimum, shall post CA certificates and CRLs. The PKI Repositories containing certificates and certificate status information shall be deployed so as to provide 24 hour per day / 365 day per year availability. Raytheon shall implement features to provide high levels of PKI Repository reliability (99% availability or better) Interoperability No Stipulation beyond Section Time or Frequency of Publication Certificates and certificate status information shall be published as specified in this CP in Section and Section Access Controls on PKI Repositories Any PKI Repository information not intended for public dissemination or modification shall be protected. Public keys and certificate status information in the Raytheon PKI Repository shall be publicly available through the Internet /08/2016

24 3.1 Naming 3 IDENTIFICATION & AUTHENTICATION Types of Names The CAs shall generate and sign certificates containing an X.500 Distinguished Name (DN) in the Issuer and in Subject fields; the X.500 DN may contain domain component elements. Alternative Subject Name may be used, if marked non-critical Need for Names to be Meaningful The certificates issued pursuant to this CP are meaningful only if the names that appear in the certificates can be understood and used by Relying Parties. Names used in the certificates must identify the person or object to which they are assigned in a meaningful way. All DNs shall accurately reflect organizational structures. When User Principal Name (UPN) is used, it shall be unique and accurately reflect organizational structure. When DNs are used, it is preferable that the common name represents the subscriber in a way that is easily understandable for humans. For people, this will typically be a legal name. For equipment, this may be a model name and serial number, or an application process. The CA shall use DNs in certificates it issues. When DNs are used, the common name must respect name space uniqueness requirements and must not be misleading. This does not preclude the use of pseudonymous certificates as defined in Section The CAs asserting one or more of the policies in this CP shall only sign certificates with subject names from within a name-space approved by the RPMA. In the case where one CA certifies another CA, the certifying CA must impose restrictions on the name space authorized in the subordinate CA, which are at least as restrictive as its own name constraints. Raytheon reserves the right to assert name constraints in CA certificates issued by the Raytheon CA in order to limit the name space of the subject CAs to name spaces that are appropriate for subject CA domains Anonymity or Pseudonymity of Subscribers A Raytheon CA shall not issue anonymous certificates. Raytheon CA certificates shall not contain anonymous or pseudonymous identities. DNs in certificates issued to end entities may contain a pseudonym to meet local privacy regulations as long as name space uniqueness requirements are met and as long as such name is unique and traceable to the actual entity Rules for Interpreting Various Name Forms Rules for interpreting name forms are contained in the applicable certificate profile. The Raytheon Operational Authority (ROA) shall be the authority responsible for CA name control space Uniqueness of Names Name uniqueness across the Raytheon domains, including cross-certified domains shall be enforced. The CAs and RAs shall enforce name uniqueness within the X.500 name space, which they have been authorized. The ROA shall be responsible for ensuring name uniqueness in certificates issued by the Raytheon CAs. Raytheon CAs shall include the following information in their CPS: 24 03/08/2016

25 What name forms shall be used, and How they will allocate names within the Subscriber community to guarantee name uniqueness among current and past Subscribers (e.g., if Joe Smith leaves a CA s community of Subscribers, and a new, different Joe Smith enters the community of Subscribers, how will these two people be provided unique names?) Recognition, Authentication & Role of Trademarks A Raytheon CMA is not required to issue a name that contains a requested trademark. A CMA shall not knowingly issue a certificate including a name and may withdraw an issued name, where a court of competent jurisdiction has determined the name in question infringes the trademark of another. A CMA is not subsequently required to issue a name containing a trademark if the CMA has already issued a name sufficient for identification within Raytheon. A CMA is not obligated to research trademarks or resolve trademark disputes Name Claim Dispute Resolution Procedure The ROA shall resolve any name collisions brought to its attention that may affect interoperability. 3.2 Initial Identity Validation Method to Prove Possession of Private Key In all cases where the Subscriber generates keys, the Subscriber shall be required to prove possession of the private key that corresponds to the public key in the certificate request. For signature keys, this proof of possession may be done by signing the request. For encryption keys, the CA or RA may encrypt the Subscriber s certificate in a confirmation request message. The Subscriber can then decrypt and return the certificate to the CA or RA in a confirmation message. The RPMA may allow other mechanisms that are at least as secure as those cited here to be acceptable Authentication of Organization Identity Requests for cross certificates in the name of an organization shall include the CA name, address, and documentation of the existence of the CA. Before issuing cross certificates, the issuing CA shall verify the information provided, in addition to the authenticity of the requesting representative, and that representative's authorization to act in the name of the CA Authentication of Individual Identity The Raytheon CA or an RA shall ensure that the applicant s identity information is verified and checked in accordance with this CP and the applicable CPS. The CA or RA shall ensure that the applicant s identity information and public key are properly bound. Additionally, the CA or RA shall record the process that was followed for issuance of each certificate. Process information shall depend upon the certificate level of assurance and shall be addressed in the applicable CPS. The process documentation and authentication requirements shall include the following: The identity of the person performing the identity verification; A signed declaration by that person that he or she verified the identity of the applicant as required by the applicable certificate policy which may be met by establishing how the applicant is known to the verifier as required by this certificate policy, using the format set forth at 28 U.S.C (declaration under penalty of perjury) or comparable procedure under local law; The signature on the declaration 25 03/08/2016