Certification Practices Statement (CPS) For Use With ARIN Internet Resource Registration Systems

Transcription

1 Certification Practices Statement (CPS) For Use With ARIN Internet Resource Registration Systems OID Published April 18, 2004

2 1. Introduction ARIN CPS Published April 18, 2004 OID This Certificate Practice Statement ( CPS ) is a legally binding document that contains a statement of practices that the American Registry for Internet Numbers ( ARIN ) Certificate Authority ( CA ) employs in issuing publickey certificates ( certificates ) to qualified Points of Contact ( POCs ) solely for the purposes of authenticating ed registration templates and general-purpose prose requests sent to ARIN. This authentication method is referred to in this CPS as the ARIN PKI. This CPS also provides the terms and conditions under which ARIN provides the ARIN PKI. ARIN members must read, understand, and agree to this CPS in order to use the ARIN PKI. BY ACCEPTING AND USING A CERTIFICATE, YOU, INDIVIDUALLY AND ON BEHALF OF YOUR SUBSCRIBER MEMBER ORGANIZATION ( SMO ), AGREE TO BE LEGALLY BOUND TO ALL OF THE TERMS AND CONDITIONS OF THIS CPS, INCLUDING, WITHOUT LIMITATION, THE PROVISIONS ARIN MAKES FOR THE SECURITY OF THE ARIN PKI AND LIMITATIONS OF SUCH PROVISIONS. IF YOU DO NOT AGREE TO BE LEGALLY BOUND BY ALL OF THE TERMS AND CONDITIONS OF THIS CPS, YOU MAY NOT USE THE ARIN PKI. The ARIN PKI is a more secure alternative to the existing MAIL-FROM authentication method for database change requests. The implementation of the ARIN PKI is not intended to cause major changes to existing facilities or significantly change existing practices. Likewise, this CPS does not modify the Registration Services Agreement between ARIN and SMOs, except as specifically provided for below. The outline for this CPS has been adopted from the outline provided in "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework," RFC 3647 of the IETF document series. In instances where sections recommended by the RFC are not present in this CPS, the sections would have simply stated no stipulation, and as such, these components have been omitted for clarity and brevity and ARIN assumes no obligation relating to the practices addressed in omitted sections. Where no stipulation or a similar phrase is used, it means that ARIN has no obligation with respect to the practices addressed in the corresponding sections of the RFC. In addition to this CPS, ARIN has drafted an ARIN PKI FAQ to provide information about the ARIN PKI in narrative format. This FAQ is for general informational purposes only, and is not part of this CPS. The FAQ can be found at Overview The ARIN CA issues public keys to qualified POCs in the ARIN database. POCs may use certificates issued by the ARIN CA solely to digitally sign containing ARIN registration request templates or prose text sent to ARIN for legitimate ARIN business. NO OTHER USE OF THE CERTIFICATES IS PERMITTED. When digitally signing to POCs, ARIN will not use a certificate issued by the ARIN CA. No use of certificates of any kind, for purposes of signing sent by ARIN to POCs, is stipulated. When a POC object in the ARIN database is marked as having been issued a certificate, the MAIL-FROM authentication method is disabled. If a POC is marked as having received a certificate from ARIN's CA, that POC is not permitted to change the ARIN database unless it has a valid certificate Identification ARIN has been assigned the Object Identifier ( OID ) arc by the Internet Assigned Numbers Authority (IANA) as a Private Enterprise Number. The policy described in this CPS has been assigned the OID This OID will appear in certificate extension fields of all certificates subject to this CPS. 2

3 1.3. Community and Applicability Certificate Authorities ARIN owns and operates a single CA, located in the ARIN offices in Chantilly, Virginia, USA. The ARIN CA issues certificates and Certificate Revocation Lists ( CRLs ) subject to the procedures, terms, and conditions described in this CPS Registration Authorities ARIN owns and operates a single Registration Authority ( RA ), located in the ARIN offices. The RA provides the interface between the CA and the end entities subject to the procedures, terms, and conditions described in this CPS End Entities The end entities in the ARIN PKI are the people and role accounts represented by eligible POCs listed in the ARIN database and ARIN itself. No other end entities are stipulated. For POCs, eligibility for a certificate is determined by ARIN at time of application in its sole discretion; subsequent database actions that modify the qualifying criteria have no bearing upon the POC s ability to continue to hold and use the issued certificate, but will affect the POC s ability to modify the ARIN database. The following types of POCs are eligible to apply to use the ARIN PKI: (i) Administrative POCs associated with an individual (not a role account) at an SMO in good standing; (ii) Technical POCs associated with an individual at an SMO in good standing; and (iii) role account POCs that are registered Technical POCs for SMOs in good standing, but only if: (a) that SMO s Administrative POC already holds a valid ARIN CA certificate and (b) the address of the role account POC is from a domain that is recognized by ARIN as being associated with the applicable SMO. For clarity and without limitation, Administrative POCs that are role accounts are ineligible to apply for a certificate. For clarity, an SMO is a category of membership in ARIN, as described at A subscriber, as that term is used in this CPS, means a person responsible for the eligible POC object, even if the eligible POC object represents a role account. This use of the term subscriber is consistent with its use in Certificate Practice Statements published by third parties. Subscribers will manage their key pairs, submit requests for certificates, receive certificates, and digitally sign containing registration templates and prose. ARIN will use the signatures, certificates, and CRLs to verify the authenticity of signed . ARIN is the sole relying party on the authenticity of the subscriber vis-à-vis the certificate. No other entity is permitted to rely upon certificates issued pursuant to this CPS for any purpose whatsoever. If the relationship between a subscriber and its SMO is terminated, ARIN reserves the right to revoke a certificate held by such a subscriber and will not renew a certificate held by, or issue a new certificate to, such a subscriber. In addition, the subscriber may not attempt to access or change the ARIN database. The SMO must revoke the subscriber s authority to do so and notify ARIN of the termination. ARIN will not be liable for any unauthorized access to the ARIN database arising from, relating to, or connected with a subscriber s unauthorized access to the ARIN database or an SMO s failure to revoke a subscriber s authority to change the ARIN database (as applicable). 3

4 Applicability The ARIN CA issues all certificates in accordance with this CPS. Certificates that are issued by the ARIN CA pursuant to this CPS may only be used by subscribers for: Digitally signing to ARIN containing ARIN registration templates. Digitally signing to ARIN containing prose. No other uses by other entities or for other purposes are permitted Contact Details The responsibility for the contents of this CPS lies with the President of ARIN. Responsibility for maintenance of the CPS lies with the ARIN staff. All comments, questions, suggestions, and complaints related to the operation of the ARIN PKI, this CPS, should be directed to: American Registry for Internet Numbers 3635 Concorde Parkway, Suite 200 Chantilly, Virginia, USA,

5 2. General Provisions 2.1. Obligations ARIN CPS Published April 18, 2004 OID CA Obligations As the sole CA in the ARIN PKI, ARIN, in accordance with the terms and conditions in this CPS, will use commercially reasonable efforts to: Create, issue, renew, and revoke certificates. Inform the RA of the revocation of any certificate. Verify that the information relating to the certificate owner, certificate request, and certificate policy contained within a certificate issued by the ARIN CA is accurate and without omission at the time of signing, where that information is verifiable at the time of signing. Manage the certificates that it issues, until the certificate either expires or is revoked. Base the generation of new certificates only upon information provided to it by the RA. Protect the CA s private key, as described in sections 5 and 6 below RA Obligations As the sole RA in the ARIN PKI, ARIN, in accordance with the terms and conditions in this CPS, will use commercially reasonable efforts to: Inspect certificate applications submitted by subscribers, but solely for the very limited purposes expressly stipulated in this CPS. Identify individuals who apply for certificates ( applicants ), before passing their certificate-request information on to the CA in accordance with Section Notify applicants of the issuance of certificates to them. Notify subscribers of the revocation of their certificates. Notify subscribers of the attempted revocation of their certificates. Notify subscribers of any attempted change in the authentication mechanism of their POC objects. Identify subscribers before passing any certificate management information or requests on to the CA by using the challenge/response method. Maintain the RA services in a reasonably secure environment, as described in sections 5 and 6 below. Maintain a CRL. Maintain records and audit logs of all CA-related activity, including physical and logical attempts (both successful and failed attempts) to access the CA platform, services, logs, and other systems. 5

6 POC Obligations As a condition precedent to using the ARIN PKI, each POC using or applying to use the ARIN PKI must: Submit complete and accurate information in the certificate application or when rekeying a certificate, and provide updated information if the information submitted with the application changes. Comply fully with the procedures provided on ARIN s website and other instructions from ARIN relating to requests for, retrieval of, and use of certificates. Protect its private key and related information (e.g., responses to the challenge/answer method described below) to ensure that no other entity has access to it. Take full responsibility for use of any certificate issued to it, regardless of whether such use is authorized. Not give, lend, sell, or otherwise transfer any of its certificates. Observe the restrictions on private key and certificate use provided to subscribers by ARIN or posted on ARIN s website. Notify ARIN immediately if: (i) it (or any person associated with it, if the POC corresponds to a role account) has terminated or will terminate its relationship with its associated SMO or (ii) it has its authority to access or modify the ARIN database revoked. Notify ARIN immediately if it has reason to believe that its certificate, private key, or account has been or may be obtained or used by any unauthorized person or entity. Notify ARIN immediately if it becomes aware of any other breach or attempted breach of the security of the ARIN database. Only use certificates issued by the ARIN CA and only interact with the ARIN PKI in accordance with the terms and conditions in this CPS. Not attempt to mislead, compromise, confuse, or defraud ARIN, or any of ARIN s systems and/or staff. Comply with all applicable laws, rules, and regulations. If a POC fails to comply with any of the obligations listed above, ARIN may revoke that POC s certificate(s) and pursue any other remedies that it may have in law or in equity. An SMO will be liable for any breach of this CPS by any POC associated with it Relying Party Obligations As the sole relying party in the ARIN PKI, ARIN, in accordance with the terms and conditions in this CPS, will use commercially reasonable efforts to: Observe the purposes for which certificates are used. Authenticate the digital signature of any parties seeking access to the ARIN database. Determine whether a certificate attached to an has been revoked. 6

7 2.2. Liability ARIN CPS Published April 18, 2004 OID DISCLAIMER OF WARRANTIES ARIN PROVIDES THE ARIN PKI ON AN AS-IS BASIS. ARIN DOES NOT REPRESENT OR WARRANT THAT THE ARIN PKI OR ITS USE (i) WILL BE UNINTERRUPTED OR SECURE, (ii) WILL BE FREE OF DEFECTS, INACCURACIES, OR ERRORS, (iii) WILL MEET ALL SUBSCRIBERS REQUIREMENTS, OR (iv) WILL OPERATE IN THE CONFIGURATION OR WITH OTHER HARDWARE OR SOFTWARE ITS SUBSCRIBERS USE. ARIN MAKES NO WARRANTIES AND HEREBY DISCLAIMS ANY AND ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. ARIN IS THE ONLY PARTY PERMITTED TO RELY ON CERTIFICATES. ARIN MAKES NO WARRANTY FOR ANY USE BY OTHER ENTITIES PRESUMING TO RELY ON CERTIFICATES FOR ANY PURPOSE WHATSOEVER. ANY PARTY THAT DOES SO, DOES SO AT ITS OWN RISK. ARIN WILL NOT BE LIABLE FOR ANY CHANGE MADE TO THE ARIN DATABASE THAT OCCURS BASED ON A POC S OR SMO S FAILURE TO COMPLY WITH ANY OF THE TERMS AND CONDITIONS OF THIS CPS, INCLUDING, WITHOUT LIMITATION, THE OBLIGATIONS TO PREVENT UNAUTHORIZED USE OF ITS PRIVATE KEY, OR NOTIFY ARIN OF THE SUSPECTED COMPROMISE THEREOF OR ANY CHANGES TO THE EMPLOYMENT STATUS OR AUTHORIZATION OF PARTICULAR PERSONS OR ENTITIES TO ACCESS THE ARIN DATABASE EXCLUSION OF DAMAGES ARIN WILL NOT BE LIABLE TO ANY POC, SMO, OR ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE, OR SPECIAL DAMAGES (INCLUDING DAMAGES RELATING TO LOST PROFITS, LOST DATA, OR LOSS OF GOODWILL) ARISING OUT OF, RELATING TO, OR CONNECTED WITH THE USE OF THE ARIN PKI, BASED ON ANY CAUSE OF ACTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES LIMITATION OF LIABILITY EXCEPT IN CONNECTION WITH THE INDEMNITY OBLIGATIONS UNDER THIS CPS, IN NO EVENT WILL THE LIABILITY OF ARIN, A POC, OR AN SMO ARISING FROM, RELATING TO, OR IN CONNECTION WITH THIS CPS EXCEED THE GREATER OF (i) THE AMOUNT PAID DURING THE SIX MONTHS IMMEDIATELY PRECEDING THE EVENT THAT GIVES RISE TO SUCH CLAIM BY THE SMO OR POC (AS APPLICABLE) ASSERTING A CLAIM AGAINST ARIN OR AGAINST WHOM ARIN IS ASSERTING A CLAIM OR (ii) $100. ARIN WILL NOT BE HELD LIABLE IN ANY WAY, FOR ANY DAMAGES OF ANY KIND, ARISING OUT OF, RELATING TO, OR CONNECTED WITH FRAUDULENT OR MISLEADING ACTIVITIES, WHERE IT CAN BE SHOWN THAT ARIN HAS SUBSTANTIALLY COMPLIED WITH THIS CPS. ARIN SHALL NOT BE HELD LIABLE TO ANY PERSON OTHER THAN AN SMO Force Majeure ARIN will not be liable in any way, for any damages of any kind, arising from, relating to, or connected with circumstances outside ARIN s control, including but not limited to, flaws or failures in third-party software, hardware or other systems, acts of war or terrorism, labor disputes, or acts of God. 7

8 Representations and Warranties All POCs and SMOs represent and warrant to ARIN that: (i) all the information the POC provides to ARIN is complete and accurate; (ii) the POC has been and will remain the only person or entity possessing the private key (and related information) and no unauthorized person has had or will have access to it; and (iii) the POC will use its certificate exclusively for purposes authorized by this CPS and its associated SMO Financial Responsibility Indemnification by SMO An SMO will indemnify and hold ARIN and its employees, representatives, agents, attorneys, affiliates, directors, officers, managers, and shareholders (the Indemnified Parties ) harmless from any damage, loss, cost, or expense (including without limitation, attorneys fees and costs) incurred in connection with any thirdparty claim, demand, or action ( Claim ) brought or asserted against any of the Indemnified Parties alleging facts or circumstances that would constitute: (i) a breach of any provision of this CPS by that SMO or any of its POCs; (ii) a breach of any provision of the Registration Services Agreement by that SMO; or (iii) any unauthorized use of a certificate or private key issued to a POC for that SMO. If an SMO is obligated to provide indemnification pursuant to this provision, ARIN may, at its sole discretion, control the disposition of any Claim at that SMO s sole cost and expense. Without limitation of the foregoing, an SMO may not settle, compromise, or in any other manner dispose of any Claim without the consent of ARIN Relationship Between SMOs and ARIN ARIN and its SMOs (and associated POCs) are independent contractors, and no agency, fiduciary partnership, joint venture, or employee-employer relationship is intended or created by the implementation of the ARIN PKI, this CPS, or the ARIN Registration Services Agreement Administrative Processes No accounting or audit of financial provisions are stipulated in this CPS because the ARIN PKI serves only as an authentication method for the ARIN database and ARIN charges no fees for use of the ARIN PKI Interpretation and Enforcement Governing Law and Venue This CPS shall be enforced and interpreted according to the laws of the Commonwealth of Virginia and federal laws of the USA. Any legal action arising from, relating to, or connected with this CPS shall be brought exclusively in a state or federal court located in Fairfax County, Virginia, USA, and all SMOs and POCs consent to the exclusive jurisdiction and venue of the United States District Court for the Eastern District of Virginia, Alexandria Division. If there is no jurisdiction in the United States District Court for the Eastern District of Virginia, Alexandria Division, then jurisdiction shall be in the Circuit Court of Fairfax County, Fairfax, Virginia Integration This CPS and the Registration Services Agreement contains the entire understanding of all parties regarding the ARIN PKI, and supersedes all prior and contemporaneous agreements and understandings between the parties regarding its subject matter. If there is a conflict or inconsistency between this CPS and the Registration Services Agreement, this CPS will govern and be given precedence. 8

9 Miscellaneous This CPS will be binding upon all parties hereto and its successors and permitted assigns. This CPS will not be assignable or transferable without the prior written consent of ARIN. Any certificates issued pursuant to this CPS will not be assignable or transferable. No failure or delay by a party in exercising any right, power, or privilege under this CPS will operate as a waiver thereof, nor will any single or partial exercise of any right, power, or privilege preclude any other or further exercise thereof or the exercise of any other right, power, or privilege under this CPS. The invalidity or unenforceability of any provision of this CPS will not affect the validity or enforceability of any other provision of this CPS, all of which will remain in full force and effect No Third Party Beneficiaries This CPS does not create, and shall not be construed as creating, any rights enforceable by any person not a party to this CPS Notice Any notice required or permitted under this CPS, including, without limitation, relating to disputes arising over the use and management of certificates are to be addressed to (as applicable): (i) ARIN at the contact address in Section 1.4 above and such notice will be effective upon receipt, or (ii) a POC and SMO at the contact information provided in the certificate application process and such notice will be effective twenty-four hours after dispatch Dispute Resolution Procedures SMO or POC complaints arising over the use or management of the ARIN PKI must be addressed to ARIN at the contact address above. If ARIN has a dispute with an SMO arising from, relating to, or connected with the use of the ARIN PKI, it may exercise any of its rights under this Agreement or that it may have at law or in equity. ARIN may exercise any such rights without notice. Please see Section regarding jurisdiction and venue for any court action arising under, related to, or connected with this CPS Fees ARIN does not charge a fee for providing the ARIN PKI. Accordingly, it makes no stipulation regarding fees or practices relating to fees, such as refunds Publication and Repository The only provision for publication of certificate data (external to ARIN) is in the distribution of certificates to subscribers. ARIN does not otherwise publish certificate data or other CA information externally. Accordingly, no stipulation is made regarding: (i) Frequency of Publication, (ii) Access Controls, or (iii) Repositories Compliance Audit As the sole relying party, ARIN has an interest in conducting compliance audits and will do so or not as it sees fit. But as no other party is permitted to rely upon certificates issued pursuant to this CPS, release of any information related to audits is not stipulated. Similarly, no stipulation is made regarding any other aspect of compliance audits. 9

10 2.8. Confidentiality ARIN CPS Published April 18, 2004 OID Confidential Information The ARIN CA and RA will use commercially reasonable efforts to keep the following information confidential (the Confidential Information ), by protecting it according to its then-current practices: Information that an applicant provides when applying for a certificate that is neither included in a subscriber s certificate nor in the WHOIS service. Auditing, logging, and other records relating to a subscriber s use of a certificate. ARIN CA Private key information Types of Information Not Considered Confidential ARIN will have no obligation to keep any information confidential, other that the Confidential Information. For clarity and without limitation, the following types of information do not constitute Confidential Information: (i) information published as part of a subscriber certificate or CRL, (ii) information available through the ARIN WHOIS service, or (iii) information available to the public Disclosure of Certificate Revocation Information Certificate revocation information will not be treated as Confidential Information, but as certificate revocation information has limited use, no special arrangements are made to make this data accessible outside ARIN Release to Law Enforcement Officials ARIN will disclose any Confidential Information requested by any law enforcement authority Release as Part of Civil Litigation ARIN will disclose any Confidential Information requested or ordered in the course of civil litigation, arbitration, or comparable judicial, administrative, or government proceedings Disclosure Upon Owner s Request ARIN will disclose a subscriber s Confidential Information if that subscriber requests that it be disclosed Other Information Release Circumstances ARIN reserves the right to disclose Confidential Information without the applicable subscriber s consent to prevent an emergency, to protect or enforce ARIN s rights, to protect or enforce the rights of a third party, or as required or permitted by law Intellectual Property Rights Property Rights in Certificates and CRLs As between ARIN and POCs and SMOs, ARIN will retain all intellectual property and other rights in and to the public and private keys, certificates and CRLs issued, its database, and all other information and materials used in providing the ARIN PKI and its services generally. Subscribers may not reproduce or distribute certificates or CRLs. 10

11 Property Rights in Specifications ARIN will retain all intellectual property and other rights in and to the specifications of and all information, materials, and technology used in providing the ARIN PKI Property Rights in Names SMOs will retain rights to any name, trademark, service mark, or trade name submitted to the ARIN PKI by their associated POCs Property Rights in Keys and Key Material Key materials corresponding to POCs are the property of their SMOs. Key materials corresponding to the ARIN PKI are the property of ARIN. 11

12 3. Identification and Authentication 3.1. Initial Registration Types of Names The only name specific to a subscriber will be the database-assigned POC object handle. The means by which handles are assigned to subscribers and other ARIN members are not stipulated in this CPS, but are described at Procedures relating to the selection of names, disputes regarding names, and the like are also not stipulated, because names are issued based solely on POC object handles Method to Prove Possession of Private Key A POC making a certificate request will submit a standard PKCS#10 or SPKAC (Signed Public Key and Challenge) certificate request message in an ARIN request template. ARIN will verify the request to verify possession of the private key Authentication of Organization Identity Certificates are not issued to organizations. Accordingly, no stipulation is made for authenticating the identity of an organization. SMOs bear full responsibility for use of a certificate by their associated POCs Authentication of Individual Identity When requesting a certificate for a POC object, applicants (whether representing themselves as individual POCs or the responsible party for an eligible role account POC) will be required to submit supporting materials to prove that the applicant is represented by the POC. The list of requested materials is not stipulated in this CPS, but will be provided by ARIN during the application process. During the process of authentication, a challenge/response method will be established for use in rekey and revocation procedures Routine Rekey For subscribers, submission of certificate requests signed by existing valid keys is supported to expedite the issuance of a certificate for the new key. In addition to a signed request, the subscriber will be contacted to supply the challenge/response answer. Rekeying the CA and RA are not stipulated as these functions are performed internally by ARIN Rekey After Revocation A subscriber may apply for a new certificate if an old certificate has been revoked, provided that the subscriber is still qualified to use certificates. The challenge/response method may be used to expedite the issuance of new certificates, or ARIN, at its discretion, may also request supporting materials to support identification. If a subscriber is registered as using certificates but does not have a currently valid certificate, requested database updates and modifications will not be processed. If a POC is no longer qualified to use a certificate or the Registration Services Agreement between ARIN and the POC s SMO is terminated, ARIN will not issue a new certificate to that POC. 12

13 3.4. Revocation Request A POC can request the revocation of a certificate at any time by telephone call to ARIN s Help Desk at or by to hostmaster@arin.net. Verification of POC identity will be conducted using the challenge/response method to verify identity before ARIN revokes the certificate. 13

14 4. Operational Requirements 4.1. Certificate Application In order to request a certificate, an applicant must contact ARIN through its website and follow the instructions provided on the website. If the applicant successfully follows these instructions, then ARIN will automatically e- mail a certificate request template to the applicant, which will be completed based on the responses generated from the applicant s interactions with the ARIN website. This template bears a PKCS #10 or SPKAC formatted Certificate Signing Request (CSR). The applicant must then verify the contents of the template and it to hostmaster@arin.net. ARIN will request supporting documentation and otherwise ascertain the identity of the applicant and determine whether the applicant is qualified to use certificates Certificate Issuance If ARIN issues a certificate to an applicant, ARIN will place the certificate on an unadvertised page of the ARIN website. ARIN will then send an message to the address provided by the applicant with the URL to retrieve the certificate. Generally, applicants retrieve certificates into a web browser's certificate cache. By using this method, the certificate cache and subscriber private key will most likely be available to the mail user agent used to compose, sign, and send to ARIN. Applicants may have to take additional steps, other than those provided above, such as exporting a certificate from the cache, in order to use a certificate Certificate Acceptance The applicant becomes a subscriber when it accepts the certificate by submitting a (digitally) signed message to ARIN confirming the acceptance and ARIN is able to verify the certificate's proper function. This action and further use of certificates indicates the subscriber s agreement with the terms and conditions contained in this CPS. Once ARIN has verified certificate acceptance, the subscriber must sign all communications with ARIN with an ARIN-issued certificate until its revocation or expiration Certificate Suspension and Revocation Circumstances for Revocation A subscriber may revoke its own certificate for any reason or no reason upon notice to ARIN. Use of the ARIN PKI is a privilege, not a right. Accordingly, ARIN may revoke a subscriber s certificate for any of the following reasons: ARIN believes that the subscriber s private key may have been compromised. ARIN believes that the subscriber s SMO may have breached any of the terms and conditions of this CPS or the ARIN Registration Services Agreement. The Registration Services Agreement with subscriber s SMO is terminated. ARIN has other business reasons to do so. 14

15 Who Can Request Revocation As noted in Section 4.4.1, ARIN may revoke a certificate or a subscriber may request that a certificate be revoked Procedure for Revocation Request A subscriber may request revocation via telephone or . In either case, ARIN will use commercially reasonable efforts to authenticate a subscriber s revocation request via a telephone call to the subscriber, using the established challenge/response method. Revocation will take place following such authentication. ARIN will revoke certificates internally when it has grounds to do so under Section ARIN will generally provide contemporaneous notice of such revocation to the subscriber whose certificate is being revoked. ARIN, however, reserves the right to revoke certificates without notice Revocation Request Grace Period No grace period is stipulated. Once a revocation request is authenticated, a revoked certificate will no longer be valid and a new certificate will be required Suspension Certificates may not be suspended. Accordingly, no stipulation is made relating to the suspension of certificates Security Audit Procedures No stipulation Records Archival No stipulation Key Changeover The ARIN CA will change keys every six months. A self-signed certificate for an ARIN CA key pair will be valid for three years, to cover the two-year validity of subscriber certificates. The ARIN CA certificate that signed a subscriber s certificate is made available on ARIN s website at the time of certificate pickup. A copy of the ARIN CA certificate may be necessary for the subscriber to use the certificate in certain third-party browsers and mail user agents. ARIN also makes available a text version of its CA certificate by request to hostmaster@arin.net. Since the ARIN CA certificate will change every six months, requests must include the subscriber certificate s serial number and POC Handle for accurate processing Compromise and Disaster Recovery Since the ARIN PKI is subordinate to ARIN s registration system, it is subject to whatever controls and procedures may be in place for that system, if any. Accordingly, this section only addresses circumstances unique to the use of the ARIN PKI, and does not include a comprehensive description of the measures that ARIN may take in the event of a disaster or compromise. In the event of a disaster or compromise, ARIN reserves the right (but does not undertake the obligation) to take any action that it deems necessary in its sole discretion. 15

16 Computing Resources, Software, and/or Data are Corrupted Corruption of computing resources, software, or data related to the ARIN PKI may require evaluation to assess the damage or loss related to the event. If evaluation results in ARIN determining it may be necessary to restore data from backup media or repair system assets, it may do so. ARIN may, at its discretion, decide to revoke and reissue any certificates affected by any such damage or loss Entity Public Key is Revoked Since ARIN acts as both the RA and the CA in the ARIN PKI, and is also the only relying party, the Entity Public Key will not be revoked unless the entity private key is compromised Entity Private Key is Compromised If the entity private key is compromised, the integrity of any certificate issued and signed by the key may be compromised. As a result, ARIN may revoke all associated certificates, if it deems this necessary. If ARIN does so, a new key pair will be generated, stored, and backed up according to procedures outlined in this CPS, and holders of certificates will be notified and subsequently issued new certificates to replace revoked certificates. To minimize the impact of individual key compromise, ARIN uses commercially reasonable efforts to implement a key rotation scheme that distributes certificates across multiple CA certificates. For security reasons, the key rotation plan is not described in this document beyond what is identified in section Secure Facility after a Natural or Other Type of Disaster In the event of a disaster or key compromise, ARIN may, at its discretion, revoke and reissue affected certificates ARIN CA Termination Certificates are used only to authenticate communications to ARIN. If ARIN ceases operations, the ARIN CA will cease operations as well. If ARIN terminates the CA, it will either revert to a MAIL-FROM authentication method or implement a replacement authentication method. 16

17 5. Physical, Procedural, and Personnel Security Controls 5.1. No Guarantee of Security BECAUSE IT IS IMPOSSIBLE TO ANTICIPATE ALL POTENTIAL SECURITY BREACHES THAT MIGHT OCCUR, ARIN, CONSISTENT WITH SECTION 2.2.1, UNDERTAKES NO RESPONSIBILITY TO ENSURE THE PHYSICAL OR OTHER SECURITY OF THE ARIN PKI OR DATABASE, OTHER THAN AS EXPRESSLY PROVIDED FOR IN THIS SECTION 5. ARIN DOES NOT OTHERWISE REPRESENT OR WARRANT THAT THE ARIN PKI WILL BE SECURE. NOR DOES ARIN ASSUME ANY LIABILITY FOR UNAUTHORIZED ACCESS OR MODIFICATIONS TO THE ARIN DATABASE Physical Controls In providing the ARIN PKI, the ARIN CA will use the existing physical assets of ARIN, including security of the facilities. However, CA itself will not be electronically connected to the rest of the ARIN infrastructure (although the CA will be in existing access-controlled portion of the facilities). Certification activity will take place at ARIN's main facility in Chantilly, Virginia. ARIN will use commercially reasonable efforts to implement the following security features and practices: During normal business hours, all entryways will require card key access or assistance of a staff member to enter. Visitors must register at the front desk and wear a badge at all times. During unattended hours, a security alarm system will be in place. Security sensitive rooms, such as archives and operations rooms, will have additional measures, such as keypad locks. Visitors (such as maintenance personnel) entering these rooms will be escorted by an authorized staff member. ARIN reserves the right to change its procedures, as it deems necessary and at its sole discretion, without notice Procedural Controls/Trusted Roles No stipulation is made, since ARIN is both the CA and RA for the ARIN PKI Personnel Controls A subset of ARIN staff will perform all of the roles required for the ARIN PKI. No special policies are stipulated. 17

18 6. Technical Security Controls 6.1. No Guarantee of Security BECAUSE IT IS IMPOSSIBLE TO ANTICIPATE ALL POTENTIAL SECURITY BREACHES THAT MIGHT OCCUR, ARIN, CONSISTENT WITH SECTION 2.2.1, UNDERTAKES NO RESPONSIBILITY TO ENSURE THE TECHNICAL SECURITY OF THE ARIN PKI OR DATABASE, OTHER THAN AS EXPRESSLY PROVIDED FOR IN THIS SECTION 6. ARIN DOES NOT OTHERWISE REPRESENT OR WARRANT THAT THE ARIN PKI WILL BE SECURE. NOR DOES ARIN ASSUME ANY LIABILITY FOR UNAUTHORIZED ACCESS OR MODIFICATIONS TO THE ARIN DATABASE Key Pair Generation and Installation Key Pair Generation ARIN CA key pairs are generated at the ARIN CA. Key pairs are automatically generated by software, in the CA itself. Since the CA's key pairs are generated on the CA computer, there is no stipulation for delivery of the CA's private key to the CA. Subscribers key pairs are generated on the subscribers computers, within the software of the subscribers web browser or other generating software. Since the subscribers key pairs are generated on the subscribers computers, there is no stipulation for delivery of keys to the subscriber Private Key Delivery to Entity Subscriber private keys are NOT delivered by ARIN. Instead, subscribers must generate them on the computers where they will be used. Subscribers are free to physically move their private keys, so long as the security of the keys is maintained and subscribers otherwise comply with all of the terms and conditions of this CPS Public Key Delivery to Certificate Issuer Public keys are delivered by ARIN via , encoded in either PKCS#10 or SPKAC formatted Certificate Signing Request (CSR) CA Public Key Delivery to Users The ARIN CA public key will be delivered as part of the certificate delivery to subscribers Key Sizes All CA signing keys will be at least 2048-bit RSA keys. All subscriber keys will be at least 1024-bit RSA keys Public Key Parameters Generation No stipulation Parameter Quality Checking No stipulation. 18

19 Hardware/Software Key Generation No stipulation Key Usage Purposes (as per X.509v3 key usage field) All certificates issued under this CPS will specify the following restrictions in these X.509v3 fields: X509v3 Basic Constrains: CA - false Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non-repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, Protection Netscape Comment: User certificate of ARIN 6.3. Private Key Protection ARIN will only undertake to protect the ARIN CA private key through ARIN s commercially reasonable efforts to separate electronically and physically the CA from any other ARIN facility. ARIN will use commercially reasonable efforts to limit access to the private key to the ARIN staff that has access to the CA facility. No further stipulation is made for the protection of the ARIN CA private key. No stipulation is made for the protection of subscriber keys, as the protection of subscriber keys is the sole responsibility of subscribers Other Aspects of Key Management Public Key Archival ARIN does not archive its retired public keys. (A retired CA key is one whose certificate has expired.) No stipulation is made about other public keys in the ARIN PKI, such as those of subscribers Usage Periods for the Public and Private Keys The ARIN CA will generate a key pair every six months, which will be operational at the time it is generated. The ARIN CA certificate will be distributed within ARIN and to subscribers whose certificates are signed by that certificate, and will be valid for three years. Once a new key pair is generated, the current key pair will be retired, with the retiring keys' certificate remaining in use until it separately expires. Subscriber certificates will be valid for two years. 19

20 7. Certificate and CRL Profiles 7.1. Certificate Profile Version Number(s) All ARIN CA certificates will conform to X.509v Certificate Extensions The following extensions will appear in subscriber certificates. X509v3 Basic Constraints, Netscape Cert Type, X509v3 Key Usage, X509v3 Extended Key Usage, Netscape Comment, X509v3 Authority Key Identifier, X509v3 Subject Key Identifier, X509v3 Certificate Policies, X509v3 Subject Alternate Name ( ), X509v3 Issuer Alternate Name ( ), Netscape CA Revocation URL, Netscape Revocation URL, X509v3 CRL Distribution Points Algorithm Object Identifiers sha1withrsaencryption Name Forms Subscriber Distinguished Names (DN) will consist of the certificate serial number, a CN equal to the POC object handle, O= American Registry for Internet Numbers, C=US. Issuer DN will consist of an address, CN=American Registry for Internet Numbers, O=ARIN, C=US Certificate Policy Object Identifier OID is

21 8. CPS Administration ARIN CPS Published April 18, 2004 OID CPS Change Procedures Because of frequent changes in technology and applicable law, ARIN reserves the right to modify this CPS at any time. Continued use of the ARIN PKI following such modifications constitutes acceptance of them. Comments on the CPS should be sent to the address listed in section 1.4. No formal procedure is stipulated for comments on the CPS. Given that the ARIN PKI is subsidiary to the ARIN database, comments on the CPS can be discussed in the existing forums for discussing the operation of the ARIN database Publication and Notification Policies The current version of this CPS will appear on the ARIN website CPS Approval Procedures No stipulation is made for CPS Approval Procedures. 21