Commonwealth of Pennsylvania JNET. Certificate Practice Statement

Transcription

1 JNET Phone: Technology Park Harrisburg State Hospital Grounds Fax: Harrisburg, PA jnet@state.pa.us Commonwealth of Pennsylvania JNET Certificate Practice Statement

2 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Table of Contents Table of Contents...1 Revision History Overview Document Name and Identification PKI Participants Certificate Authorities Registration Authorities End Entities...14 a) Users...14 b) Operators...14 c) Applications / Servers Certificate Usage Policy Administration Specification administration organization Contact Person Person determining CPS suitability for the policy Definitions and Acronyms Acronyms Definitions Obligations CA obligations RA obligations Subscriber obligations Relying party obligations Repository obligations...25

3 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Publication and Repository Publication of CA information Frequency of publication Access controls Naming Types of names Need for names to be meaningful and unique Rules for allowing anonymous or pseudonymous subscribers Recognition, authentication and role of trademarks Initial identity Validation Method to prove possession of private key Authentication of organization identity Authentication of individual identity Identification and Authentication for Re-key Requests Subscriber Re-key Request CA Re-key Request RA Re-key Request Identification and Authentication for Revocation Requests CA Revocation Request RA Revocation Request Subscriber Revocation Request Certificate Application Certificate Application Processing Certificate Issuance Certificate Acceptance Key Pair and Certificate Usage Certificate Renewal...31

4 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Certificate Re-Key Certificate Modification Certificate Revocation and Suspension Circumstances for revocation Who can request revocation Procedure for revocation request Revocation request grace period Circumstances for suspension Who can request suspension Procedure for suspension request Limits on suspension period CRL issuance frequency CRL checking requirements On-line revocation/status checking availability On-line revocation checking requirements Other forms of revocation advertisements available Checking requirements for other forms of revocation advertisements Certificate Status Services CRL OCSP Thumbprint match / JNET directory End of Subscription Key Escrow and Recovery Security Audit Procedures Types of event recorded Frequency of processing log Retention period for audit log...36

5 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Protection of audit log Audit log backup procedures Audit collection system (internal vs. external) Notification to event-causing subject Vulnerability assessments Viewing Audit Logs Physical Security Controls Site location and construction Physical access Power and air conditioning Water exposures Fire prevention and protection Media storage Waste disposal Off-site backup Procedural Controls Trusted roles Number of persons required per task Identification and authentication for each role Personnel Security Controls Background, qualifications, experience, and clearance requirements Background check procedures Training requirements Retraining frequency and requirements Job rotation frequency and sequence Sanctions for unauthorized actions Contracting personnel requirements...40

6 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Documentation supplied to personnel Need for separation of privileges Audit Logging Procedures Records Archival Types of event recorded Retention period for archive Protection of archive Archive backup procedures Requirements for time-stamping of records Archive collection system (internal or external) Procedures to obtain and verify archive information Viewing archived records (1.0) Key changeover Compromise and Disaster Recovery Incident and Compromise Reporting and Handling Procedures Recovery Procedures for Computing Resources, Software, and/or Data corruption Recovery Procedures for Entity Key compromise Business Continuity and Disaster Recovery CA Termination Key Pair Generation and Installation Key pair generation and Installation Private key delivery to entity Public key delivery to certificate issuer CA public key delivery to users Key sizes Public key parameters generation Key usage purposes (as per X.509 v3 key usage field)...45

7 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Private Key Protection and Cryptographic Module Engineering Controls Standards for cryptographic module Private key (2 out of 3) multi-person control Encryption Private key escrow Private key backup Private key archival Private key entry into cryptographic module Private key storage Method of activating private key Method of deactivating private key Method of destroying private key Crypto Module Capabilities Other Aspects of Key Pair Management Public key archival Usage periods for the public and private keys Activation Data Activation data generation and installation Activation data protection Computer Security Controls Specific computer security technical requirements Computer security rating Life Cycle Technical Controls System development controls Security management controls Life cycle security ratings Network Security Controls Time-stamping...48

8 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Certificate Profile Version number(s) Certificate extensions Algorithm object identifiers Name forms Name constraints Certificate policy Object Identifier Usage of Policy Constraints extension Policy qualifiers syntax and semantics Processing semantics for the critical certificate policy extension CRL Profile Version number(s) CRL and CRL entry extensions OCSP Profile Specification change procedures Publication and notification policies CPS approval procedures Fees Certificate issuance or renewal fees Certificate access fees Revocation or status information access fees Fees for other services such as policy information Refund policy Financial responsibility Indemnification by relying parties Fiduciary relationships Administrative processes...52

9 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Confidentiality of Business Information Types of information to be kept confidential Types of information not considered confidential Disclosure of certificate revocation/suspension information Release to law enforcement officials Release as part of civil discovery Disclosure upon owner's request Other information release circumstances Privacy of Personal Information Intellectual Property Rights Representations and Warranties Disclaimers of Warranties Limitations of Liability CA liability RA liability Subscriber liability Indemnities Term and Termination Individual Notices and Communications with Participants Amendments Dispute Resolution Procedures Governing Law Compliance with Applicable Law Miscellaneous Provisions Other Provisions...56

10 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES -

11 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Revision History Version Date Description Author 1.0 Initial Version Mahesh Rengaswamy 2.0 April 23, July 20,2004 Updated to conform with IETF RFC 3647; Updated for new CA implementation; Updated to conform to VeriSign CPS v2.2 Updated to Include SSL (server certificate) practices Darrell Candis Darrell Candis

12 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - 1. Introduction 1.1 Overview JNET is a common secure platform for sharing criminal justice information. Former Governor Tom Ridge of the Commonwealth of Pennsylvania established the JNET Mission as stated below: To enhance public safety through the integration of criminal justice information throughout the Commonwealth of Pennsylvania by adopting business practices which promote cost effectiveness, information sharing and timely and appropriate access to information while recognizing the independence of each agency. The mission statement identified the significance of information sharing and stresses the access to information authorized by an individual s job function. Numerous technology options are present to achieve this goal. Public Key Infrastructure (PKI) refers to the set of security services and processes that enable the use of public key cryptography, X.509 digital certificates and digital signatures. PKI as a business practice addresses the processes of authentication, authorization, data integrity and non-repudiation, each of which speaks directly to the mission statement. JNET comprises 16 Commonwealth agencies and numerous counties, federal and local government agencies that participate in information sharing by making it available to a community of criminal justice workers who use this information as part of their daily job functions. It is critical for this sensitive information to be available to the criminal justice community in a timely and secure manner. JNET users authenticate to the myriad services and systems made available via a common yet secure web infrastructure. In the JNET security framework, a user must present a digital certificate (which identifies the user in much the same way that a drivers license identifies an individual) in order to authenticate to a JNET web server and gain access to JNET resources. Through use of public key technology provided by the PKI, all data transmitted between the browser client and the servers are encrypted, ensuring data confidentiality. Public key technology and digital signatures are also used to digitally sign messages (ensuring non-repudiation) and enable secure transmission of messages (thus providing for data integrity). JNET utilizes the VeriSign Trust Network (VTN) Managed Public Key Infrastructure (MPKI) service for its digital certificate services. Since VeriSign is the manager of the JNET Root CA, VeriSign's own CP and CPS directly affect JNET and its ability to ensure a trust model with VeriSign. Throughout this CPS, the VeriSign CP and CPS will be referenced as well as included as an attachment to this document. It is important to note that JNET uses VeriSign class 3 digital certificates. References to class 1 and 2 certificates in the VeriSign CP and CPS are not applicable. The current version of the VeriSign CPS as of this writing is version 2.2. The VeriSign CPS is still based on the

13 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - obsolete IETF RFC Therefore, there are significant format differences between the JNET CPS and the VeriSign CPS. This Certification Practice Statement (CPS) describes the JNET Certification Authority (CA) and the actual procedures it follows in creating and managing digital certificates under the JNET Certificate Policy. This CPS shall apply to all certificates issued in support of applications, , and news under the Commonwealth of Pennsylvania Justice Network (JNET). Version 1.0 of this CPS has been effective since December 31, 1999 and has since been updated to conform with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 3647, Certificate Policy and Certification Practice Statement Framework, November 2003, which supersedes the obsolete RFC Document Name and Identification The JNET Certificate Policy does not yet posses an OID (Object Identifier) that has been registered with the National Institute of Standards and Technology (NIST). An effort is currently underway to address these issues and this section of the CP will be updated accordingly. 1.3 PKI Participants Certificates issued under JNET will be used for identification and authentication to the JNET applications, web servers, mail servers, and VPN servers. These certificates will also be used to secure communications and transactions (using Secure Sockets Layer (SSL)) between the client and server as well as between the servers, support secure e- mail (using S/MIME), and digitally sign messages. The following sections introduce the JNET CA and roles involved in issuing certificates and managing the certificate life cycle process Certificate Authorities The JNET Certification Authority (CA) will generate, sign, and issue digital certificates to support the JNET transactions described above. The JNET Office will serve as the JNET CA Controller/Administrator and as such is responsible for the management, day-to-day operations, and distribution of the JNET CA responsibilities. In this role, the JNET Office will oversee the issuance and revocation of all JNET certificates, the operation of equipment used in managing certificates, the activities of the JNET Registrars, and the collection and maintenance of records. Specifically, the JNET CA Controller/Administrator shall ensure that the following functions are performed in accordance with the stipulations of this policy: o Certificate generation and revocation Certificates will be generated and revoked in accordance with the VeriSign CP and CPS. The VeriSign KMS manual explains the technical process used to perform this operation.

14 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - o Posting certificates and certificate revocation lists (CRLs) to the JNET directory The JNET PKI Design Document details the process by which certificates and CRLs are written to the JNET directory o Performance of daily and/or weekly backups These procedures are governed by the Standard Operating Procedures of the JNET Operations team. o Administrative functions such as compromise reporting and system and records maintenance The VeriSign KMS manual contains procedures on performing these functions. o Programming and management of any hardware cryptographic modules This work is to be performed by VeriSign. Note that oversight responsibilities should not be confused with control over all of the above functions since separation of duties is required for the trustworthy operation of the JNET CA. Trained and vetted personnel should perform actual operational duties. During system audits and assessments, the CA Controller/Administrator shall be available to external auditors to facilitate their review Registration Authorities The JNET Registrar acts as the Registration Authority and is responsible for the registration/enrollment of users to JNET. The JNET Office acts as the Registration Authority for SSL and IPSec certificate requests. In this role, the Registrar will: o Inspect the information in the JNET User Access Request Form and verify that the requested access level is consistent with the responsibilities of the user, The JNET Registration Policies and Procedures document contains specific information regarding all registrar roles and responsibilities. o Ensure that any collateral authorizations (e.g., CLEAN certification) needed to grant particular access levels to users are available, The JNET Registration Policies and Procedures document contains specific information regarding all registrar roles and responsibilities. o Create and maintain user entries in the JNET Directory, The JNET Registrar Gateway Instructions document contains all information regarding the performance of this function. o Generate and distribute the authentication code (via a secure, out-of-band method) to the end entities so that they may enroll and retrieve the certificates, and

15 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - The JNET Registrar Gateway Instructions document contains all information regarding the performance of this function. o o Maintain records of the registration/enrollment actions and provide the appropriate records and/or reports to the JNET Office upon request for archive and audit purposes. (Placeholder for SSL / IPSec) The Registrar is also responsible for validating and coordinating the certificate revocation and key recovery requests with the JNET Office. The JNET Help Desk performs this function, and may be reached at Registrars are assigned to specific agencies and/or counties according to user population size and resource availability. Registrar responsibilities may be delegated to one or more individuals per agency or county. The business requirements of a particular agency or county determine the number of registrars assigned End Entities a) Users JNET users are individuals affiliated with Commonwealth of Pennsylvania Agencies, Counties and municipalities and Federal bodies recognized and approved by the JNET Steering Committee as needing access to criminal justice information through JNET and such information is required as part of the individuals day-to-day business function. These users are issued digital certificates by JNET and can access JNET resources by presenting this digital credential. Users are required to follow the requirements as outlined in the JNET User Access Request Form. b) Operators Operators are responsible for the day-to-day operations and maintenance of the servers and infrastructure needed to support the JNET CA. Operators include contractor staff supporting the JNET hub as well as agency staff or contractors supporting JNET servers located at the various agencies. The CP requires the individuals in these roles to operate the JNET CA in a lawful and responsible manner to support the JNET operations and mechanisms for safeguarding the information and system resources. c) Applications / Servers Applications and servers operating within JNET shall also hold certificates for the purpose of authenticating to user clients or other servers and applications. The individuals operating these systems shall also follow the CP and ensure their systems operate in a consistent manner. 1.4 Certificate Usage Certificates issued under this policy and the associated public/private key pairs shall only be used for their intended purpose within JNET. This certificate policy applies to all

16 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - certificates issued to JNET end entities. JNET end entities include users, operators, and applications/servers using or supporting JNET. JNET issued certificates may only be used for the following purposes: Authentication to JNET authorized and approved web sites o Subscriber may either install his/her digital certificate in his/her JNET supported browser or JNET approved roaming certificate solution. Authentication and encryption within the JNET secure system. o The authentication/signing certificate will be used for authentication into the mail system. o The encryption certificate will be used to encrypt all messages. Authentication and access to the JNET VPN Service. o The authentication/signing certificate will be used for authentication into the JNET VPN Service. Authentication and encryption between messaging servers. o The authentication/signing certificate will be used for authentication of channels between messaging servers. o The encryption certificate will be used to encrypt all messages. Authentication and access to approved Commonwealth of Pennsylvania computer systems o There is no current stipulation for certificate usage with Commonwealth computer systems. The CPS will be updated at a later date when such a stipulation becomes available. 1.5 Policy Administration Specification administration organization The JNET Office and the JNET Steering Committee will address issues relating to this CPS and will approve modifications and additions as they see fit Contact Person This policy was approved by the JNET Steering Committee and is maintained by the JNET Office. For issues related to this CPS, contact: JNET Office 5 Technology Park

17 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Harrisburg State Hospital Grounds Harrisburg PA Phone: Fax: jnet@state.pa.us Person determining CPS suitability for the policy The JNET Steering Committee and associated Security Subcommittee oversee the provision of this CPS and decide the applicability of the CP. 1.6 Definitions and Acronyms Acronyms Agency A term used to identify all Commonwealth agencies participating in JNET. CA Certification Authority CMA Certificate Manufacturing Authority CP Certificate Policy CPS Certificate Practice Statement CRL Certificate Revocation List DN Distinguished Name DSA Digital Signature Algorithm IETF Internet Engineering Task Force ISO International Organization for Standards ITU International Telecommunications Union LDAP Lightweight Directory Access Protocol MOA Memorandum of Agreement OCSP Online Certificate Status Protocol OID Object Identifier PKI Public Key Infrastructure PKIX Public Key Infrastructure X.509 RA Registration Authority RSA Rivest-Shamir-Adleman (encryption algorithm) SHA-1 Secure Hash Algorithm S/MIME Secure/Multipurpose Internet Mail Extension SSL Secure Sockets Layer URL Uniform Resource Locater WWW World Wide Web Definitions Access Ability to make use of any information system (IS) resource [NS4009]

18 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Access control Accreditation Activation Data Agency Agency CA Applicant Archive Attribute Authority Audit Audit Data Authentication Backup Binding Biometric Certificate Certificate Authority (CA) CA Facility Certificate Management Authority Certificate Authority Software Process of granting access to information system resources only to authorized users, programs, processes, or other systems [NS4009] Formal declaration by a Designated Approving Authority that an Information System is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. [NS4009] Data values, other than keys, that are required to operate cryptographic modules and that need to be protected (e.g., a PIN, a passphrase, or a manually-held key share). Any department, subordinate element of a department, or independent organizational entity that is statutorily or constitutionally recognized as being part of the Commonwealth of Pennsylvania. A CA that acts on behalf of an Agency, and is under the operational control of an Agency. The subscriber is sometimes also called an "applicant" after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed. [ABA footnote 32] Long-term, physically separate storage. An entity, recognized by the FPKIPA or comparable Agency body as having the authority to verify the association of attributes to an identity. Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. [NS4009] Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event. [NS4009 audit trail ] The process of establishing that individuals, organizations, or things are who or what they claim to be. In the context of a PKI, authentication can be the process of establishing that an individual or organization applying for or seeking access to something under a certain name is, in fact, the proper individual or organization. This corresponds to the second process involved with identification, as shown in the definition of "identification" below. Authentication can also refer to a security service that provides assurances that individuals, organizations, or things are who or what they claim to be or that a message or other data originated from a specific individual, organization, or device. Thus, it is said that a digital signature of a message authenticates the message's sender. Copy of files and programs made to facilitate recovery if necessary. [NS4009] Process of associating two related elements of information. [NS4009] A physical or behavioral characteristic of a human being. A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. [ABADSG]. As used in this Policy, the term "Certificate" refers to certificates that expressly reference the OID of this policy in the "Certificate Policies" field of an X.509 v.3 certificate. An authority trusted by one or more users to issue and manage X.509 Public Key Certificates and CRLs. The collection of equipment, personnel, procedures and structures that are used by a Certification Authority to perform certificate issuance and revocation A Certification Authority or a Registration Authority Key Management and cryptographic software used to manage certificates issued to subscribers.

19 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Certificate Policy (CP) Certificate-Related Information Certificate Revocation List (CRL) Certification Practice Statement (CPS) Certification Path Client (application) Common Criteria Component Private Key Compromise Computer Security Objects Registry (CSOR) Confidentiality Cross-Certificate Cryptographic Module Cryptoperiod Data Integrity Digital Signature Duration E-commerce Encrypted Network Encryption Certificate End Entity Firewall A Certificate Policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A CP addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a CP can also govern the transactions conducted using a communications system protected by a certificate based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications. Information, such as a subscriber s postal address, that is not included in a certificate. May be used by a CA managing certificates. A list maintained by a CA of its issued certificates that were revoked prior to the stated expiration dates. A statement of the practices that a CA employs in issuing, suspending, revoking and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this CP, or requirements specified in a contract for services). An ordered sequence of certificates that, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path. A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server. A set of internationally accepted semantic tools and constructs for describing the security needs of customers and the security attributes of products. Private Key associated with a function of the certificate issuing equipment, as opposed to being associated with an operator or administrator Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object many have occurred. [NS4009] Computer Security Objects Registry operated by the National Institute of Standards and Technology Assurance that information is not disclosed to unauthorized entities or processes [NS4009] A certificate used to establish a trust relationship between two CAs The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module [FIPS1401]. Time span during which each key setting remains in effect [NS4009] Assurance that the data are unchanged from creation to reception The result of a transformation of a message by means of a cryptographic system using keys such that a Replying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer s digital certificate; and (2) whether the message has been altered since the transformation was made. A field within a certificate, which is composed of two subfields; date of issue and date of next issue. The use of network technology (especially the Internet) to buy or sell goods and services. A network that is protected from outside access by NSA approved high-grade (Type I) cryptography. Examples are SIPRNET and TOP SECRET networks. A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes. Relying Parties and Subscribers Gateway that limits access between networks in accordance with local security policy [NS4009]

20 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - High Assurance Guard (HAG) Identification Information System Security Officer (ISSO) Inside threat Integrity Intellectual Property Intermediate CA Key Escrow Key Exchange Key Generation Material Key Pair Local Registration Authority (LRA) Memorandum of Agreement (MOA) Mission Support Information Mutual Authentication Naming Authority An enclave boundary protection device that controls access between a local area network that an enterprise system has a requirement to protect, and an external network that is outside the control of the enterprise system, with a high degree of assurance. The process of establishing the identity of an individual or organization, i.e., to show that an individual or organization is a specific individual or organization. In the context of a PKI, identification refers to two processes: (1) Establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization, and (2) Establishing that an individual or organization applying for or seeking access to something under that name is, in fact, the named individual or organization. A person seeking identification may be a certificate applicant, an applicant for employment in a trusted position within a PKI participant, or a person seeking access to a network or software application, such as a CA administrator seeking access to CA systems. Issuing certification authority (issuing CA) - In the context of a particular certificate, the issuing CA is the CA that issued the certificate (see also Subject certification authority). Person responsible to the designated approving authority for ensuring the security of an information system throughout its life cycle, from design through disposal. [NS4009] An entity with authorized access that has the potential to harm an IS through destruction, disclosure, modification of data, and/or denial of service. Protection against unauthorized modification or destruction of information. [NS4009]. A state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination. Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation. A CA that is subordinate to another CA, and has a CA subordinate to itself. A deposit of the private key of a subscriber and other pertinent information pursuant to an escrow agreement or similar contract binding upon the subscriber, the terms of which require one or more agents to hold the subscriber's private key for the benefit of the subscriber, an employer, or other party, upon provisions set forth in the agreement. [adapted from ABADSG, "Commercial key escrow service] The process of exchanging public keys in order to establish secure communication. Random numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys Two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (ii) even knowing one key, it is computationally infeasible to discover the other key. A Registration Authority with responsibility for a local community. Agreement between the JNET CA and an Agency allowing interoperability between the JNET and the Agency. Information that is important to the support of deployed and contingency forces. Occurs when parties at both ends of a communication activity authenticate each other (see authentication). An organizational entity responsible for assigning distinguished names (DNs) and for assuring that each DN is meaningful and unique within its domain.

21 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - National Security System Non-repudiation Object Identifier (OID) Out-of-Band Outside Threat Physically Isolated Network Participant PKI Disclosure Statement (PDS) PKI Sponsor Policy Management Authority (PMA) Privacy Private Key Public Key Public Key Infrastructure (PKI) PKI Disclosure Statement (PDS) Registration Authority (RA) Re-key (a certificate) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which involves intelligence activities; involves crypto logic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions, but does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). [ITMRA] Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data. [NS4009] A specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI they are used to uniquely identify each of the four policies and cryptographic algorithms supported. Communication between parties utilizing a means or method that differs from the current method of communication (e.g., one party uses U.S. Postal mail to communicate with another party where current communication is occurring online). An unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service. A network that is not connected to entities or systems outside a physically controlled space. An individual or organization that plays a role within a given PKI as a subscriber, relying party, CA, RA, certificate manufacturing authority, repository service provider, or similar entity. An instrument that supplements a CP or CPS by disclosing critical information about the policies and practices of a CA/PKI. A PDS is a vehicle for disclosing and emphasizing information normally covered in detail by associated CP and/or CPS documents. Consequently, a PDS is not intended to replace a CP or CPS. Fills the role of a Subscriber for non-human system components that are named as public key certificate subjects, and is responsible for meeting the obligations of Subscribers as defined throughout this CP. Body established to oversee the creation and update of Certificate Policies, review Certification Practice Statements, review the results of CA audits for policy compliance, evaluate non-domain policies for acceptance within the domain, and generally oversee and manage the PKI certificate policies. Restricting access to subscriber or relying party information in accordance with Federal law and agency policy. (1) The signing key pair used to create a digital signature. (2) The key of an encryption key pair that is used to decrypt confidential information. In both cases, this key must be kept secret. (1) The signing key pair used to validate a digital signature. (2) The key of an encryption key pair that is used to encrypt confidential information. In both cases, this key is made publicly available normally in the form of a digital certificate. A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. An instrument that supplements a CP or CPS by disclosing critical information about the policies and practices of a CA/PKI. A PDS is a vehicle for disclosing and emphasizing information normally covered in detail by associated CP and/or CPS documents. Consequently, a PDS is not intended to replace a CP or CPS. An entity that is responsible for one or more of the following functions: the identification and authentication of certificate applicants, the approval or rejection of certificate applications, initiating certificate revocations or suspensions under certain circumstances, processing subscriber requests to revoke or suspend their certificates, and approving or rejecting requests by subscribers to renew or re-key their certificates. RAs, however, do not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA). [Note: The term Local Registration Authority (LRA) is sometimes used in other documents for the same concept.] To change the value of a cryptographic key that is being used in a cryptographic system application.

22 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Relying Party Relying Party Agreement (RPA) Renew (a certificate) Repository Responsible Individual Revoke (a certificate) Risk Risk Tolerance Root CA Secret Key Server Signature Certificate Subordinate CA Subscriber Superior CA System Equipment Configuration System High Technical nonrepudiation Threat Trust List Trusted Agent Trusted Certificate Trusted Timestamp A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably. An agreement between a certification authority and relying party that typically establishes the rights and responsibilities between those parties regarding the verification of digital signatures or other uses of certificates. The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate. A database containing information and data relating to certificates as specified in this CP; may also be referred to as a directory. A trustworthy person designated by a sponsoring organization to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor. To prematurely end the operational period of a certificate effective at a specific date and time. An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. The level of risk an entity is willing to assume in order to achieve a potential desired result. In a hierarchical PKI, the CA whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain. A shared secret used in symmetric cryptography, wherein users are authenticated based on a password, Personal Identification Number (PIN), or other information shared between the user and the remote host or server. A single key is shared between the two parties: the sender, to encrypt a transmission, and the recipient, to decrypt the transmission, with the shared key being generated with an algorithm agreed to beforehand by the transacting parties. A system entity that provides a service in response to requests from clients. A public key certificate that contains a public key intended for verifying the digital signatures rather than encrypting data or performing any other cryptographic functions. In a hierarchical PKI, a CA whose certificate signature key is certified by another CA, and who activities are constrained by that other CA (See Superior CA). A Subscriber is an entity that (1) is the subject named or identified in a certificate issued to that entity; (2) holds a private key that corresponds to the public key listed in the certificate, and (3) does not itself issue certificates to another party. This includes, but is not limited to, an individual or network device. In a hierarchical PKI, a CA who has certified the certificate signature key of another CA, and who constrains the activities of that CA (See subordinate CA). A comprehensive accounting of all systems hardware and software types and settings. The highest security level supported by an IS. [NS4009] The contribution public key mechanisms to the provision of technical evidence supporting a non-repudiation security service. Any circumstance or event with the potential to cause harm to an IS in the form of destruction, disclosure, adverse modification of data, and/or denial of service. [NS4009] Collection of trusted certificates used by Relying Parties to authenticate other certificates. Entity authorized to act as a representative of an Agency in confirming Subscriber identification during the registration process. Trusted agents do not have automated interfaces with Certification Authorities. A certificate that is trusted by the Relying Party on the basis of secure and authenticated delivery. The public keys included in trusted certificates are used to start certification paths. Also knows an trust anchors. A digitally signed assertion by a trusted authority that a specific digital object existed at a particular time.

23 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES - Trustworthy System Two-person Control Update (a certificate) Validation Zeroize Computer hardware, software and procedures that: (1) are reasonably secure from intrusion and misuse; (2) provide a reasonable level of availability, reliability, and correct operation; (3) are reasonably suited to perform their internal functions; and (4) adhere to generally accepted security procedures. Continuous surveillance and control of positive control material at all times by minimum of two authorized individuals, each capable of detecting incorrect and/or unauthorized procedures with respect to the task being performed, and each familiar with established security and safety requirements. [NS4009] The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate. The process of identification of certificate applicants. "Validation" is a subset of "identification" and refers to identification in the context of establishing the identity of certificate applicants. A method of erasing electronically stored data by altering the contents of the data storage so as to prevent the recovery of the data. [FIPS140-1]

24 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES Publication and Repository Responsibilities 2.1 Obligations CA obligations The JNET CA will: Issue, post, update, and revoke certificates; Procedures for performing these functions are included in the JNET PKI Design Document, the VeriSign KMS manual and the VeriSign CPS. Implement this CPS and update as appropriate to ensure that it reflects actual CA practices; This CPS will be implemented upon its completion. Monitor and maintain conformance with the JNET Certificate Policy; and Yearly review to and update to be carried out by the JNET Office in conjunction and approval of the JNET Steering Committee. Maintain and enforce access controls and separation of privileges on all JNET CA resources. The JNET Office is charged with ensuring that administrative certificates are kept separate and assigned to two, named JNET management staff, who must be Commonwealth of Pennsylvania employees RA obligations JNET does not currently have a registration authority; a registrar performs this function. The JNET Registrar is responsible for registering users. In addition to registering users, the JNET registrar is responsible for: Completing and signing the JNET Registrar Agreement; Forwarding the JNET Registrar Agreement to the JNET Office; Completing Registrar training;

25 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES -- Maintaining JNET Sponsor Agreements so you can validate the sponsor s signature(s) and contact him/her if there are any registration issues; Acting as the Agency/County point of contact with respect to user registration issues; Assisting users with scheduling appropriate JNET Training; Reporting violations of JNET Policy and Procedures to the Agency/County JTAC, MTAC, or the JNET Office; Managing the digital certificate renewal process in the Agency/County; Initiating key recovery; Deleting a user from the JNET directory in the case of certificate revocation, or when employees retire, transfer out, or separate from the organization; Acting as the Agency/County JNET records keeping repository by; Maintaining a JNET user file that contains the user s JNET Access Request Forms and associated correspondence pertaining to JNET access, Maintaining these user records for three years after the user leaves the organization or relinquishes access to JNET, and Reviewing records on a yearly basis and destroying inactive records that are three years old or older; Forwarding Criminal History Access Request(s) to the JTAC; and Notifying the JNET Office of any circumstance that might affect the user s enrollment status (Arrests, Retirements, Transfers, Separations, etc.) Subscriber obligations JNET users and operators will be responsible for the appropriate handling and safeguarding of their private keys, use of the JNET environment, use and safeguarding of information obtained from JNET resources, and the reliability of the information they provide or communicate through JNET. End entities are obligated to:

26 COMMONWEALTH OF PENNSYLVANIA JNET CERTIFICATE PRACTICE STATEMENT: USER CERTIFICATES -- Accurately represent themselves in all communications with the JNET CA and Registrar; Protect their private keys at all times, in accordance with JNET Certificate Policy, the JNET Security Policy, local procedures, and as stipulated in the certificate acceptance agreements; Notify, in a timely manner, the JNET CA of suspicion that their private keys have been compromised or lost. Such notification will be made directly, or indirectly through mechanisms consistent with this CPS; Abide by all the terms, conditions, and restrictions levied upon the use of their private keys and certificates. Individuals or entities that fail to fulfill their obligations as set forth in this CPS and the JNET Certificate Policy will have their access privileges revoked and may be subject to disciplinary action, termination, or legal action Relying party obligations Parties who rely upon the certificates issued by the JNET CA are obligated to: Use the certificate for lawful work-related activities; and Check each certificate for validity prior to reliance using procedures described in the X.509 standard. The JNET CA will report any unlawful or unauthorized actions it detects related to the use of certificates issued by the JNET CA. Individuals or entities that fail to check the validity of JNET certificates prior to each reliance will have no claim against JNET in the event of a dispute, and may jeopardize any claims against the subject of the certificate Repository obligations The JNET CA will use and maintain a directory (subsequently referred to as the JNET Directory) for the propagation of certificates, CRLs, and other access control information. The Directory will be accessible to all JNET users using the lightweight directory access protocol (LDAP), but will implement enough controls to prevent unauthorized modifications and interception of communications. The Registrars are responsible for the creation and maintenance of user entries in the JNET Directory. These entries will also contain location, identification, access privileges, and group membership information used by servers and other JNET relying parties. The creation of a directory entry with all the required identification and authentication information will be a prerequisite for issuing certificates to new end entities. Revoked certificates will be removed from the Directory so that an application that fails to check the CRL will be unable to grant access based on a revoked certificate. Revoked certificates are still escrowed by VeriSign for recovery purposes.