Version 1.2.2
04.06.2021
Document OID: 1.3.6.1.4.1.22139.1.1.2.2
Table of Contents
This Certificate Policy and Certification Practice Statement (CP/CPS) is structured according to RFC 3647. It describes the set of rules used by the RDIG Certification Authority (RDIG CA), operated by the Grid team of the National Research Centre “Kurchatov Institute” (NRC KI). RDIG stands for Russian Data-Intensive Grid.
This document can be referred to as RDIG Certification Authority Certificate Policy and Certification Practice Statement version 1.2.2 or OID 1.3.6.1.4.1.22139.1.1.2.2.
RDIG CA is a one-level certification authority that issues X.509 certificates directly to its clients, serving the respective (client) organizations.
RDIG CA Registration Authorities are nominated by the organizations from their staff members. Consult the list of Registration Authorities for more specific information.
RDIG CA subscribers are entities who are employed by or associated with the client organizations.
The set of RDIG CA relying parties is not strictly controlled: any relying party who finds RDIG CA and its practices suitable may elect to put trust in the material issued by our CA and in its processes, staff and infrastructure.
Issued certificates must not be used for purposes that violate applicable laws.
Issued certificates may not be used for financial transactions or for qualified digital signatures as described in the Russian federal law «On the electronic digital signatures» and related documents.
The RDIG CA is operated by: Eygene Ryabinkin, NRC KI, Russia, 123128, Moscow, Kurchatov square, 1. Phone: +7 499 196-77-77, e-mail: rea@grid.kiae.ru.
The RDIG CA operates its own repository of all associated material: issued certificates, list of RAs, CRL, CP/CPS, guidelines, how-to documents and contact information. It is available online.
All described information is freely accessible to anyone.
All certificates are published upon their issuance and are kept available at least until they are superseded, revoked or expired.
A new CRL is published upon its issuance. Issuances are done after each revocation and at least 7 days before the expiration of the previous CRL. The CRL validity time is 30 days.
New organizations are added to the subscribers list after their approval by RDIG management and a short internal audit by the CA staff.
Contact information for a new RA is published after reception of its initial contact details.
Other material has been kept online since the beginning of CA operations and is refreshed on an “as needed” basis.
RDIG CA uses the following types of names for different types of certificates:
The CN component of the distinguished name for a personal certificate must contain the person's first and last names.
An optional OU attribute can be inserted between the OU=Organisation component and the CN component in cases when the organisation name alone is not enough to clearly identify the administrative domain of the certificate holder. One example of such a situation is an organisation with a rich administrative infrastructure and loose administrative coupling between its units.
All distinguished names are unique: no two different entities identified by RDIG CA certificates will possess the same DN. In cases when a user's first and last names coincide with already certified ones, a middle name or initial may be inserted into the CN field of the distinguished name. Other disambiguation methods that add extra information to the first/last name pair can also be used.
Each request must be signed with the private key corresponding to the public key provided in the certificate request.
RDIG CA users fill in a paper form on which parts of the request's public key (the 10 initial and 10 final digits) are specified; the request generation procedure requires this. This form is presented to the RDIG CA Registration Authority, who checks the parts of the public key against the incoming electronic certificate request. Since the latter is digitally signed with the corresponding private key, this procedure enables the Registration Authority both to prove the user's possession of the private key (via the digital signature check) and to detect modification of the electronic request (via the public key validation).
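As an added illustration of the naming and uniqueness rules above (constructed example code, not RDIG CA's own tooling), the following RA-side check validates a requested personal DN against them. It assumes subject DNs begin with the C=RU,O=RDIG prefix of the issuer name given later in this document, and that names are written in Latin letters.

```python
import re

# Constructed checker for the RDIG CA personal-certificate naming rules
# (hypothetical RA-side code, not the CA's own software). It assumes a
# subject DN of the form C=RU,O=RDIG,OU=<organisation>[,OU=<unit>],CN=<First Last>;
# the C/O prefix is an assumption taken from the issuer name in this document.
DN_PREFIX = [("C", "RU"), ("O", "RDIG")]
# First and last name, optionally a middle name or initial used for disambiguation.
CN_PATTERN = re.compile(r"[A-Z][A-Za-z'-]+( [A-Z][A-Za-z'.-]*){1,2}")


def parse_dn(dn):
    """Split 'C=RU,O=RDIG,OU=NRC KI,CN=Ivan Petrov' into (attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_personal_dn(dn, issued):
    """Return the list of policy violations for a requested DN (empty list = acceptable).

    `issued` is the set of DNs the CA has already certified; a collision must be
    resolved by inserting a middle name or initial into the CN (the policy's
    preferred disambiguation), so the checker reports it rather than guessing.
    """
    problems = []
    pairs = parse_dn(dn)
    attrs = [attr for attr, _ in pairs]
    if pairs[:2] != DN_PREFIX:
        problems.append("DN must start with C=RU,O=RDIG")
    # Exactly one CN and it must be the last component.
    if attrs.count("CN") != 1 or attrs[-1] != "CN":
        problems.append("exactly one CN is required and it must be last")
    # Between O and CN: the mandatory organisation OU plus at most one unit OU.
    middle = attrs[2:-1]
    if not 1 <= len(middle) <= 2 or any(attr != "OU" for attr in middle):
        problems.append("expected OU=<organisation> and at most one extra OU before CN")
    cn = next((value for attr, value in pairs if attr == "CN"), "")
    if not CN_PATTERN.fullmatch(cn):
        problems.append("CN must contain first and last names (optionally a middle name or initial)")
    if dn in issued:
        problems.append("DN already certified; add a middle name or initial to the CN")
    return problems


if __name__ == "__main__":
    # Constructed sample: one DN already certified, one new request colliding with it.
    already_issued = {"C=RU,O=RDIG,OU=NRC KI,CN=Ivan Petrov"}
    print(check_personal_dn("C=RU,O=RDIG,OU=NRC KI,CN=Ivan Petrov", already_issued))
    print(check_personal_dn("C=RU,O=RDIG,OU=NRC KI,CN=Ivan P. Petrov", already_issued))
```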
RDIG CA will neither generate nor store any private keys for subscribers.
RDIG CA Registration Authority verifies the organization identity by checking:
The RDIG CA Registration Authority verifies a person's identity and his/her affiliation with the claimed organisation by a face-to-face meeting with the person who requests the certificate.
A person's identity is validated via a national ID or an institutional ID (if the latter is created using the person's personal data and is subject to data verification during creation/renewal; the details of the institutional ID issuance process are specific to each organization, and Registration Authorities are obliged to familiarize themselves with the technical details of every type of ID they intend to use during validation).
The paper form for each request contains the first and last names of the requestor (certificate user, host/service administrator); they are also subject to this check. Additionally, for user certificates the Common Name component of the requested DN is required to contain the first and last names of the certificate owner (consult the section called “Naming” for the relevant details on DN components).
A Registration Authority, being a natural person, must be authenticated via the mechanisms outlined for ordinary users, but in addition he/she must present an official paper request stamped and signed by the responsible person within the organization for which he/she requests RA rights.
Registration Authorities can authenticate themselves in the re-keying process by signing their new CSR with the existing non-expired key of their current certificate.
If the RA's personal certificate has expired at re-key time, he/she uses the ordinary route for authentication (the same as for initial request authentication, see the section called “Initial Identity Validation”).
All other users follow the procedure of initial request authentication for each re-key request.
Re-signing of an existing public key will not be done under any circumstances.
RDIG CA will not recertify a revoked key. The user of a revoked certificate must obtain a new one following the procedure of initial registration, described in the section called “Initial Identity Validation”.
A revocation request must be authenticated, unless RDIG CA can independently verify that a key compromise has happened. The preferred method of authentication is an electronic mail message digitally signed with a non-expired and previously non-revoked certificate issued by RDIG CA.
If this is not possible, the subscriber must contact the RDIG CA Registration Authority, which verifies the user's identity using procedures similar to those described in the section called “Method to prove possession of private key”.
Applicants must generate their own key pair themselves; RDIG CA will never generate a key pair for an applicant. RDIG CA will not accept private key escrow responsibilities and will reject any certificate request containing the private key.
The minimum key length for all applications is 2048 bits. The maximum validity time for each certificate is one year and 31 days.
The generated certificate request must be sent via electronic mail or the CA Web interface form to the designated RDIG CA certificate processing endpoint. The request generation software attempts to do this automatically; in the case of failure the user is provided with detailed instructions on the manual application process.
RDIG CA will reject all non-legitimate certification requests; in the case of rejection the applicant will be notified by electronic mail, except for obviously nonsensical requests, which will be rejected silently.
Legitimate requests will be made available to the respective registration authorities. Applicants will be supplied with a unique request identification number they can use to refer to their request at all times.
Upon receipt of a certificate request that qualifies as valid according to this CP/CPS, the RDIG CA Registration Authority will verify the request and authenticate the applicant as described in the section called “Initial Identity Validation”. After successful verification and authentication, the RDIG CA Registration Authority digitally signs the new request and transfers it to RDIG CA, where the certificate will be issued.
The applicant will be notified of issuance by electronic mail or using another means of communication if requested by the subscriber. If communication fails permanently, the certificate will be revoked without further notice.
A certification request is normally handled within one week; however, during vacation or national holiday periods the response time can increase to three weeks.
A valid certificate issued by RDIG CA must meet the following requirements:
No special steps must be taken by the applicant to constitute certificate acceptance.
RDIG CA will publish the issued certificate at its Web site.
Subscribers and relying parties must use/validate certificate usage based on the set of key usage fields present in the respective certificate.
No renewals are allowed.
Certificate re-key can take place at any time and may be the result of nearing or actual certificate expiration, certificate revocation for any reason, or loss of access to the corresponding private key.
The re-key process technically coincides with the ordinary certificate application process; its authentication is described in the section called “Identification and Authentication for Re-key Requests”.
No certificate modifications are done.
A certificate will be revoked when
The certificate holder or any other entity presenting proof of knowledge of private key compromise or of a variation in the subscriber's data can request a certificate revocation.
RDIG CA will handle any revocation request, authenticated or unauthenticated. If RDIG CA can independently verify that a certificate has been compromised or misused, RDIG CA will revoke the certificate. In all other cases, the revocation request will be authenticated as described in the section called “Identification and Authentication for Revocation Requests”.
A revocation request must be passed to the RDIG CA Registration Authority who signed the certificate request for the certificate to be revoked, or to his/her peer RA from the same administrative domain. The rules for passing a revocation request to the RDIG CA Registration Authority are described in the section called “Identification and Authentication for Revocation Requests”.
A revocation request can be canceled within 24 hours after it is received at the RDIG CA. However, in the case of proven compromise the certificate will be revoked immediately.
To cancel a revocation request the certificate holder must contact the same RA as for the revocation request in question. The rules for passing a cancellation request to the RDIG CA Registration Authority are the same as in the section called “Identification and Authentication for Revocation Requests”.
A new CRL is published upon its issuance. Issuances are done after each revocation and at least 7 days before the expiration of the previous CRL. The CRL validity time is 30 days.
RDIG CA maintains its CRL and publishes its up-to-date version at http://ice.grid.kiae.ru/ca/RDIG/cacrl.der. RDIG CA technical staff makes every effort to keep the above endpoint available on a 24x7 basis.
When an RDIG CA subscriber decides to end its usage of CA services (including all issued certificates), it notifies a Registration Authority or CA personnel of this decision. Subscriber authentication steps are described in the section called “Identification and Authentication for Revocation Requests”.
All active certificates associated with this subscriber are revoked upon verification of termination request.
No such services are provided by RDIG CA.
The RDIG CA is located at the National Research Centre “Kurchatov Institute” in Moscow, Russia and is hosted in a professional military-grade co-location area.
The RDIG CA signing machine and the RDIG CA Web server are both protected with uninterruptible power supplies. The environmental temperature in the room containing RDIG CA related equipment is maintained at an appropriate level by an air conditioning system.
Buildings containing RDIG CA facilities comply with Russian laws regarding fire prevention and protection of buildings.
The RDIG CA key is kept on several removable storage media. Backup copies of RDIG CA related information are kept on CD-ROM and flash disks.
Both key material and backup copies are kept in a locked safe in rooms accessible only by authorized personnel.
Waste carrying potentially confidential information, such as old storage media, is physically destroyed before being discarded.
No stipulation.
RDIG CA personnel are recruited from the “Kurchatov Institute” Grid team. Registration Authority personnel are recruited from the staff of the corresponding institutions/organizations.
No other personnel are authorized to access RDIG CA facilities without the physical presence of and guidance by RDIG CA personnel.
Internal training is given to RDIG CA operators and Registration Authority operators.
Repeated training is given on every change of this document or of the software used.
All personnel are supplied with copies of this document and the RDIG CA Operation Manual.
The following events are recorded:
Audit logs may be consulted only by:
Audit logs are copied to an offline medium. Online audit logs are protected using file system security.
Digital audit logs are copied to an offline medium.
Paper-based audit logs are kept in the secured archival area of RDIG CA facilities.
Public keys are distributed by electronic mail or using the online system at the following URL: http://ca.grid.kiae.ru/RDIG/certificates/.
In case the RDIG CA private key is compromised the RDIG CA will:
In case the RDIG CA Registration Authority private key is compromised the RDIG CA will:
Upon termination RDIG CA will:
Each subscriber must generate its own key pair. RDIG CA does not generate private keys for subscribers.
Public keys are delivered by electronic mail. They are also accessible from the public Web page at http://ca.grid.kiae.ru/RDIG/certificates/.
The RDIG CA public key is accessible from the public Web page at http://ca.grid.kiae.ru/RDIG/cacrt.pem.
The minimum key length for user, host or host application certificate is 2048 bits. The RDIG CA key length is 2048 bits.
Each copy of the RDIG CA private key is protected by its own passphrase which is at least 22 characters long.
Private keys corresponding to user certificates (be it an ordinary user or a Registration Authority) must be protected by a password of 15 or more characters.
All private keys must be protected with filesystem security controls configured according to the “least sufficient privilege set” principle.
No private keys are to be made accessible to
The maximal lifetime of each certificate is one year and 31 days.
See the section called “Private Key Protection”.
The RDIG CA operating systems are maintained at a high level of security by applying all relevant patches. Monitoring is performed to detect unauthorized software changes.
No stipulation.
The RDIG CA public-interface machine is protected by a firewall. Access to the server is restricted to a few stations.
No stipulation.
The following extensions may be included in certificates issued by RDIG CA:
Certificates and certificate revocation lists must use at least the SHA-256 signature digest and may use the SHA-384 or SHA-512 digests.
Issuer: C=RU,O=RDIG,CN=Russian Data-Intensive Grid CA. For Subject field name forms, check the section called “Naming”.
Subject attribute constraints:
No stipulation.
RDIG CA can be audited by accredited EUGridPMA CA managers to confirm its compliance with the EUGridPMA and/or IGTF Minimum Requirements.
The frequency of EUGridPMA audits is determined by EUGridPMA/IGTF rules and best practices.
RDIG CA does not require its subscribers to pay any fees for any provided services.
RDIG CA accepts no financial responsibilities of any kind.
RDIG CA collects the subscriber's full name, organization and unit names and electronic mail address. The subscriber's organization, unit name, e-mail address and full name are included in the user certificate. None of the collected information is confidential.
RDIG CA by no means wants to access a user's, host's or host application's private key. The private key is generated only by users or host/service administrators and must not be disclosed to anyone else. RDIG CA never asks users to pass their private keys along with certificate requests.
Publicly accessible sensitive data, such as user e-mail addresses, will be mangled to avoid simple data gathering attempts by general-purpose automated grabbers. No attempts are generally made to withstand grabbing by software specialized (for RDIG CA or some subset of the world's CAs), but the CA security team acts on a best-effort basis to protect the published data from automated grabbing.
RDIG CA acts on a need-to-know basis and publishes the smallest possible subset of personal information needed for its operations. Users are made aware of the types of data published, and no publications are made without their prior agreement. RDIG CA does not disclose other types of user information to third parties of any kind.
RDIG CA does not claim any intellectual property rights on issued certificates and Certificate Revocation Lists.
Parts of this document are inspired by the following sources: RFC 2527; RFC 3647; EuroPKI Certificate Policy; TrustID Certificate Policy; NCSA Certificate Policy; INFN Certificate Policy and Certificate Practice Statement; NIKHEF Certificate Policy and Certificate Practice Statement; Russian DataGrid Certificate Policy and Certificate Practice Statement.
The certification service is run with a reasonable level of security but is provided on a best effort basis. RDIG CA takes no responsibility for problems arising from its operation or from the use of certificates it provides. RDIG CA denies any financial or other kind of responsibility for damages or inpayments resulting from its operation.
This CP/CPS is valid until the next version is rolled out and made publicly available.
This document must be treated according to the current law of the Russian Federation. Legal disputes arising from the operation of the RDIG CA will be resolved according to the law of the Russian Federation.
Changes since 1.2.1:
Changes since 1.2:
Changes since 1.1:
Changes since 1.0: