RDIG Certification Authority
Certificate Policy and
Certification Practice Statement
| |
Version: | 1.2 |
Date: | February 12, 2008 |
OID: | 1.3.6.1.4.1.22139.1.1.2 |
| |
| |
- 1 Introduction
- 2 General Provisions
- 3 Identification and authentication
- 4 Operational Requirements
- 5 Physical, procedural and personnel security controls
- 6 Technical security controls
- 7 Certificate and CRL profile
- 8 Specification administration
- 9 Versions
- 9.1 Change log
- 9.1.1 Version 1.2, February 12, 2008
- 9.1.2 Version 1.1, 24 August, 2005
- 9.1.3 Version 1.0, 14 June, 2005
- 9.1.4 Version 0.5 drafted 26 May, 2005
- 9.1.5 Version 0.4 drafted 18 May, 2005
- 9.1.6 Version 0.3 drafted 04 May, 2005
- 9.1.7 Version 0.2 drafted 04 May, 2005
- 9.1.8 Version 0.1 drafted August, 2005
- 9.1.9 Version 0.0 drafted December, 2004
This Certification Policy and Practice Statement (CP/CPS) is structured
according to RFC2527. It describes the set of rules used by
RDIG Certification Authority (RDIG-CA), operated by the Grid team of the
Russian Research Centre ``Kurchatov Institute'' (RRC KI). RDIG stands for
Russian Data Intensive Grid.
This document can be referred as
RDIG Certification Authority Certificate Policy
and Certification Practice Statement version 1.2 or OID 1.3.6.1.4.1.22139.1.1.2.
Document name: |
RDIG Certification Authority Certificate Policy and |
| Certification Practice Statement. |
Version: | 1.2. |
Date: | February 12, 2008. |
OID: | 1.3.6.1.4.1.22139.1.1.2. |
RDIG Certification Authority is the root certification authority for RDIG
consortium.
The current list of registration authorities for RDIG-CA may be obtained
from the following URL:
http://ca.grid.kiae.ru/RDIG/ra-list.html.
RDIG-CA may issue certificates for people, hosts and host applications
(services) involved in the Russian Data Intensive Grid consortium.
- The person certificates may be used for user authentication and data
integrity checking in various applications: Globus, LCG, gLite and similar GRID
middleware, electronic mail, Web server access, etc.
- The host certificates may be used for server authentication and
communication encryption.
- The host application certificates may be used for server applications
authentication and communication encryption.
The certificates issued by RDIG-CA may not be used in financial transactions
of any sort.
The RDIG-CA is operated by:
Eygene Ryabinkin, RRC KI, |
Russia, 123128, Moscow, Kurchatov square, 1. |
phone: +7 499 196-95-19. |
e-mail: rea@grid.kiae.ru. |
Generic contact for the RDIG-CA:
e-mail: rdig-ca-support@grid.kiae.ru. |
The contact person for this CP/CPS is:
Eygene Ryabinkin, RRC KI, |
Russia, 123182, Moscow, Kurchatov square, 1. |
phone: +7 499 196-95-19. |
e-mail: rea@grid.kiae.ru. |
General URL:
http://ca.grid.kiae.ru/RDIG/.
Policy documents:
http://ca.grid.kiae.ru/RDIG/policy/.
Certificate repository:
http://ca.grid.kiae.ru/RDIG/certificates/.
Certificate revocation list:
http://ice.grid.kiae.ru/ca/RDIG/cacrl.pem.
CA root certificate:
http://ca.grid.kiae.ru/RDIG/cacrt.pem.
The RDIG-CA:
- accepts all requests validated by the registration authorities,
- creates and delivers certificates to registration authorities,
- publishes the issued certificates to publicly-accessible on-line stores,
- accepts all revocations from the registration authorities,
- issues and publishes a CRL,
- revoke any issued certificate if RDIG-CA possesses the proofs of
certificate compromise or certificate usage that violates the RDIG-CA CP/CPS.
The RDIG-CA Registration Authorities:
- authenticates the person requesting a person certificate,
- (for user certificate)
determines if the person has the right to have a RDIG-CA certificate,
- sends validated person certificate requests to the RDIG-CA,
- (for a host or host application certificate)
determines if the host has the right to have a RDIG-CA certificate,
- sends validated host and host application certificate requests to
the RDIG-CA,
- delivers certificates to the subscribers if it was not done by the
RDIG-CA itself,
- creates and sends revocation requests to the CA,
- communicates with RDIG-CA using signed electronic mail or via
voice conversations with known persons.
It is up to the Registration Authority to decide wheither user or host has the
rights to have a RDIG-CA certificate. In the process of making such a
decision, Registration Authority can contact the superior person of a requester
to verify the requester's participation in the RDIG consortium projects.
Subscribers:
- must be involved in the RDIG consortium projects,
- must provide accurate information in their certificate requests,
- (for a user certificate) must protect their private key with the
strong password, that is at least fifteen characters in length,
- (for a user certificate) must not keep their private key in
unencrypted form and must not keep private key password along with
the key itself,
- must immediately notify the RDIG-CA Registration Authority in the case
of actual or suspected key loss, disclosure or other compromise.
- must be familiar with the RDIG-CA CP/CPS document and follow the rules
of the certificate usage specified in the CP/CPS document.
- should ask for certificate revocation if the certificate is no longer
needed or the certificated entity is no longer takes part in the projects
of the RDIG consortium.
- should ask for certificate revocation if the data provided in the
certificate is no longer valid.
Relying party:
- must be familiar with this CP/CPS before making any decisions on a
thrustworthness of a certificate issued by RDIG-CA,
- must use the certificate only for purposes that are permitted by this
CP/CPS,
- must check the authencity of RDIG-CA root certificate before using it,
- must verify the current CRL before validating a certificate,
- should update local CRL copy at least once per day.
RDIG-CA will upload all issued certificates to the publicly-accessible
on-line repository. RDIG-CA will maintain Certificate Revocation List (CRL).
RDIG-CA may publish information about pending certificate requests.
The certification service is run with a reasonable level of security but is
provided on a best effort basis. RDIG-CA takes no responsibility for problems
arising from its operation or from the use of certificates it provides.
RDIG-CA denies any financial or other kind of responsibility for damages or
inpayments resulting from its operation.
No financial responsibility is accepted.
This document must be treated according to the current law of Russian
Federation. Legal disputes arising from the operation of the
RDIG-CA will be resolved according with the Russian Federation law.
No fees are charged.
RDIG-CA operates a public web site http://ca.grid.kiae.ru/RDIG/ that contains:
- the certificate for CA signing key,
- current Certificate Revocation List (CRL) signed by RDIG-CA,
- all certificates issued by RDIG-CA,
- past and current versions of RDIG-CA CP/CPS document,
- various information about RDIG-CA and certificates, that can be helpful
to users of RDIG-CA.
The user, host and host application certificates are published as soon as they
are generated. The new Certificate Revocation List (CRL) is issued after each
revocation and at least 7 days before expiration of previous CRL.
The CRL has 30 days validity time.
No access controls to these publications are performed.
RDIG-CA can be audited by the accredited EUGridPMA CA managers to confirm
its compliance to the EUGridPMA Minimum Requirements.
RDIG-CA collects subscriber's full name, organization and unit names and
electronic mailing address. Subscriber's organization, unit name and full name
is included in the user certificate. All collected information is not
confidential. RDIG-CA will not publish subscriber's electronic mailing
address in the list of issued certificates on the RDIG-CA web site.
RDIG-CA by no means wants to access user's, host's or host application's
private key.
Private key is generated only by users or host/service administrators
and must not be disclosed to anyone else. RDIG-CA by no means asks users
to pass their private keys along with the certificate requests.
RDIG-CA does not claim any intellectual property rights on issued
certificates and Certificate Revocation Lists.
Parts of this document are inspired by the following sources:
RFC 2527; EuroPKI Certificate Policy; TrustID Certificate Policy;
NCSA Certificate Policy; INFN Certificate Policy and Certificate Practice
Statement; NIKHEF Certificate Policy and Certificate Practice Statement;
Russian DataGrid Certificate Policy and Certificate Practice Statement.
3.1 Initial Registration
3.1.1 Types of names
RDIG-CA uses the following types of names for different types of certificates:
- distinguished names for a person certificate:
/C=RU/O=RDIG/OU=users/OU=Organisation/CN=Name,
- distinguished name for a host certificate:
/C=RU/O=RDIG/OU=hosts/OU=Organisation/CN=FQDN,
- distinguished name for a host application certificate:
/C=RU/O=RDIG/OU=services/OU=Organisation/CN=service name/FQDN.
CN component of distinguished name for a person certificate must contain the
person's first and last names.
An optional OU attribute can be inserted between OU=Organisation
component and the CN component in the cases, when organisation name
is not enough to clearly identify the administrative domain
for the certificate holder. One example of such a situation is the organisation
with rich administrative infrastructure and the loose administrative coupling
between its units.
All distinguished names are unique. In cases when user's
first name and last name coincide with existing certificate ones,
middle name or initial may be inserted into the CN field of the
distinguished name.
3.1.2 Method to prove possession of private key
Each request must be signed with the private key corresponding to the
public key provided in certificate request.
RDIG-CA will neither generate nor store any private keys for subscribers.
RDIG-CA Registration Authority verifies the organization identity by checking:
- that the organisation is known to participate in RDIG consortium,
- and the organisation is located in Russia or ex-USSR, by checking
organisational contact information.
3.1.4 Authentication of
individual identity
The RDIG-CA Registration Authority verifies the person identity and it's
affiliation with the claimed organisation entity by face-to-face meeting
with the person, who request the certificate.
Routine re-keying is allowed to current subscribers of RDIG-CA and must take
place before expiration of subscriber's current certificate. The re-key request
must be consisted of certificate request with the new key pair and is to be
signed with the private key of subscriber's current certificate. Resigning of
existing public key is not allowed.
RDIG-CA will not recertify a revoked key. User of a revoked certificate must
obtain a new one following the procedure of initial registration, described in
section 3.1.
3.4 Revocation request
Revocation request must be authenticated, unless RDIG-CA can independently
verify that a key compromise has happened. The preferred method for
authentification is electronic mail message, digitally signed with a non-expired
and previously non-revoked certificate issued by RDIG-CA.
If this is not possible, subscriber
must contact the RDIG-CA Registration Authority which verifies user's
identity using procedures simular to those described in section
3.1.2.
Applicants must generate their own key pair themselves; RDIG-CA will
never generate a key pair for an applicant. RDIG-CA will not accept
private key escrow responsibilities and will reject any certificate request
containing the private key.
The minimum key length for all applications is 1024 bits. The maximum validity
time for each certificate is one year and 31 days.
Generated certificate request must be sent by electronic mail to the
corresponding RDIG-CA Registration Authority. Mail message must be sent from
electronic mail address that does exists and can be mailed to.
RDIG-CA will reject all non-legitimate certification requests; in the case
of rejection applicant will be notified by electronic mail, except for obvious
nonsense requests that will be rejected silently.
Upon a receipt of a certificate request, that is qualified to be valid according
to this CP/CPS, RDIG-CA Registration Authority will verify the request
and authenticate applicant as described in section 3.1. After
successful verification and authentication, RDIG-CA Registration Authority
digitally signs new request and transfers it to RDIG-CA, where certificate
will be issued. The applicant will be notified of issuance by electronic mail
or using another means of communication, if requested by a subscriber. If
communication fails permanently, the certificate will be revoked without
further notice.
A certification request is normally handled in the period of one week, however,
during vacation or national holidays periods the response time can increase
to three weeks.
Valid certificate issued by the RDIG-CA must pass the following requirements:
- Certificate must not be expired.
- Distinguished name must be in the RDIG-CA name space, i.e. it must match
one of the name templates described in section 3.1.1.
- Certificate must have a valid RDIG-CA signature which can be validated with
RDIG-CA certificate, that is available on the URL http://ca.grid.kiae.ru/RDIG/cacrt.pem.
- Certificate must not be listed in the Certificate Revocaton List (CRL)
issued by RDIG-CA, that is available on the URL http://ice.grid.kiae.ru/ca/RDIG/cacrl.pem.
- The CRL must have a valid RDIG-CA signature and must not be expired,
- To guarantee the maximum level of security one should check for new CRL just
before validating the certificate.
A certificate will be revoked when
- the information it contains is no longer correct or proved
to be incorrect, or
- the private key is lost or suspected to be compromised, or
- the certification entity is no longer participated in the RDIG
consortium projects, or
- RDIG-CA have the proofs that certificate usage violates
RDIG-CA CP/CPS rules.
The certificate holder or any other entity presenting proof of knowledge of the
private key compromise or subscriber's data variation can request a
certificate revocation.
RDIG-CA will handle any revocation request, authenticated or unauthenticated.
If RDIG-CA can independently verify that a certificate has been compromised
or misused, RDIG-CA will revoke the certificate. In all other cases, the
revocation request will be authenticated as described in section
3.4.
Revocation request must be passed to the RDIG-CA Registration Authority
who signed the certificate request for the certificate to be revoked.
The rules for passing revocation request to the RDIG-CA
Registration Authority are described in section 3.4.
Revocation request can be canceled within 24 hours after it was received at the
RDIG-CA. But in the case of proved compromise the certificate will be revoked
immediately.
For cancellation of the revocation request the certificate holder
must contact the same RA, as for revocation request.
The rules for passing cancellation request to the RDIG-CA
Registration Authority are just the same as in section 3.4.
4.4.5 Circumstances for suspension
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
The Certificate Revocation List (CRL) is issued after each revocation and
at least every 7 days. The lifetime of CRL is 30 days. CRL will be made
available for downloading as soon as it was published.
- The CRL must have a valid RDIG-CA signature and must not be expired.
- To guarantee the maximum level of security one should download the new CRL
just before validating the certificate.
All valid certificates issued by RDIG-CA are available online the following
URL:
http://ca.grid.kiae.ru/RDIG/certificates/.
Not applicable.
The certificate holder is notified if some other person asks for his/her
certificate revocation.
Not applicable.
When the certificate revocation is a result of a private key compromise all
RDIG-CA Registration Authorities and the holder of the private key
are notified by email about this case immediately after new CRL issuance.
The following events are recorded:
- certificate requests (by persons),
- certificate acceptations (by Registration Authority),
- revocation requests (by Registration Authority),
- certificate issuance,
- certificate rekey and renewal requests.
Not defined.
Audit logs will be kept for at least 3 years.
Audit logs may be consulted only by:
- RDIG-CA personnel,
- authorized external auditors, including accredited EUGridPMA CA managers.
Audit logs are copied to an offline medium. Online audit logs are protected
using the file system security.
Audit logs are copied to an offline medium.
The audit logs archive is internal to the RDIG-CA.
No stipulation.
Operational audit is performed twice per year and includes auditing of all
RDIG-CA staff including Registration Authorities.
The following types of events are recorded:
- certificate requests (by persons),
- certificate acceptations (by Registration Authority),
- revocation requests (by Registration Authority),
- certificate issuance,
- CRL issuance,
- email messages sent and received by RDIG-CA.
Records will be kept for at least 3 years.
Records may be consulted only by:
- RDIG-CA personnel,
- authorized external auditors, including accredited EUGridPMA CA managers.
All records are copied to an offline medium. Online records are protected
using the file system security.
No stipulation.
No stipulation.
The records archive is internal to the RDIG-CA.
No stipulation.
Public keys are distributed by electronic mail or using online system at
the following URL:
http://ca.grid.kiae.ru/RDIG/certificates/.
In case the RDIG-CA private key is compromised the RDIG-CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the issuance and distribution of the certificates and CRLs.
- Notify relevant security contacts.
- Notify as widely as possible about service termination.
In case the RDIG-CA Registration Authority private key is compromised
the RDIG-CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the operation of the compromised Registration Authority.
- Revoke all certificates validated by the compromised Registration
Authority.
- Notify as widely as possible about Registration Authority compromise.
Upon termination RDIG-CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the issuance of certificates and CRLs.
- Notify relevant security contacts.
- Notify as widely as possible about service termination.
The RDIG-CA is located at the Russian Research Centre ``Kurchatov Institute''
in Moscow, Russia and is hosted on a professional collocation area.
Physical access to the RDIG-CA hosts is restricted to authorized personnel.
The RDIG-CA signing machine and the RDIG-CA web server are both protected
with uninterruptable power supplies. Environmental temperature in room
containing RDIG-CA related equipment is maintained at appropriate level
by an air conditioning system.
Due to the location of RDIG-CA facilities floods are not expected.
Buildings containing RDIG-CA facilities obey to the Russian laws regarding
fire prevention and protection of buildings.
The RDIG-CA key is kept in several removable storage media. Backup copies of
RDIG-CA related information are kept on CD-ROM and flash disks.
Waste carrying potential confidential information such as old storage media are
physically destroyed before being trashed.
No off-site backups are currently performed.
No stipulation.
RDIG-CA personnel is recruited from the ``Kurchatov Institute'' Grid team.
Registration Authorities personnel is recruited from personnel of corresponding
institutions.
No other personnel is authorized to access RDIG-CA facilities without the
physical presence of RDIG-CA personnel.
Internal training is given to the RDIG-CA operators and Registration
Authorities operators.
Repeated training is given on every change of this document or used software.
Job rotation is not performed.
No stipulation.
No stipulation.
All personnel is supplied with copies of this document and RDIG-CA Operation
Manual.
Each subscriber must generate its own key pair. RDIG-CA does not generate
private keys for subscribers.
Private key deliverance is not supported.
Public keys are delivered by electronic mail. They are also accessible
from public web page at http://ca.grid.kiae.ru/RDIG/certificates/.
RDIG-CA public key is accessible from public web page at
http://ca.grid.kiae.ru/RDIG/cacrt.pem.
The minimum key length for user, host or host application certificate is 1024
bits. The RDIG-CA key length is 2048 bits.
No stipulation.
No stipulation.
Keys are generated using software algorithms.
Keys must be used according to the value of X.509v3 keyUsage field.
No stipulation.
No stipulation.
The RDIG-CA private key is kept encrypted in multiple copies on CD-ROM
and flash disks in safe places. One copy of encrypted key and its passphrase
is sealed in the envelope and kept in a safe.
The RDIG-CA private key validity period is 10 years.
Each copy of the RDIG-CA private key is protected by its own passphrase which
is at least 15 characters long.
The RDIG-CA operating systems are maintained at a high level of security by
applying all relevant patches. Monitoring is performed to detect unauthorized
software changes.
Not tested.
No stipulation.
The RDIG-CA public-interface machine is protected by a firewall.
The server access is restricted to a few stations.
No stipulation.
X.509 v3.
The following extensions may be included in the certificate issued by RDIG-CA:
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid:always,issuer:always
- basicConstraints (CRITICAL): CA:false
- keyUsage (CRITICAL): digitalSignature, nonRepudiation,
keyEncipherment, dataEncipherment, keyAgreement
- certificatePolicies: OID 1.3.6.1.4.1.22139.1.1.1
- issuerAlternativeName: e-mail address of RDIG-CA
- subjectAlternativeName: subscriber's e-mail address for user
certificate or FQDN for host/service certificate
- cRLDistributionPoints: URI
- nsCaPolicy: URL
- nsComments: an issuer description
- nsCertType: (for user certificates) client, email, objsign
- nsCertType: (for host certificates) server, objsign
No stipulation
Issuer: C=RU,O=RDIG,CN=Russian Data-Intensive Grid CA.
For Subject field name forms check section 3.1.1.
Subject attribute constraints:
- countryName: must be ``RU''
- organizationName: must be ``RDIG''
- organisationalUnit: first component
must be either ``users'', ``hosts'' or ``services'' as determined by the
certificate type, see section 3.1.1.
- commonName: determined according to section 3.1.1.
This policy is identified by OID 1.3.6.1.4.1.22139.1.1.2.
No stipulation.
No stipulation.
X.509 v1.
None.
Minor changes to this document can be made without announcements to subscribers
and relying parties. Substantial changes in policy will be notified to all
subscribers, relying parties and cross-certifying Certification Authorities. It
will be also announced on the EUgridPMA mailing list.
The last version of this document is available at the following URL:
http://ca.grid.kiae.ru/RDIG/policy/.
No stipulation.
- Changed end-entity certificate lifetime from one year
to one year and 31 days.
- Corrected contact phones: area code had changed.
- Replaced old CRL location with a new one: new CRL download point
provides much higher throughput and reliability.
Old location stopped and the new one started to be announced via
EUGridPMA/IGTF since IGTF distribution 1.5, dated 19 June 2006.
- Changed root certificate key length to 2048 bits to
avoid problems with current gLite software.
- Clarified user obligations for host and service certificates.
- Changed ``RDIG project'' to ``RDIG consortium''.
- Changed root certificate lifetime to 10 years.
- Changed namespace to conform to the PKIX recommendations: transformed
extra O components to OU components.
Changes history was not recorded.
Changes history was not recorded.
Changes history was not recorded.
Changes history was not recorded.
Changes history was not recorded.
First internal draft.