Korea Institute of Science and Technology Information (KISTI)
Certificate Policy and Certification Practice Statement

Version 2.0 ( July 20, 2007 )

Korea Institute of Science and Technology Information (KISTI), Korea












1.1. Overview

1.2. Document Name and Identification

1.3. PKI participants

1.4. Certificate usage

1.5. Policy administration

1.6. Definitions and acronyms


2.1. Repositories

2.2. Publication of certification information

2.3. Time or frequency of publication

2.4. Access controls on repositories


3.1. Naming

3.2. Initial identity validation

3.3. Identification and authentication for re-key requests

3.4. Identification and authentication for revocation request


4.1. Certificate Application

4.2. Certificate application processing

4.3. Certificate issuance

4.4. Certificate acceptance

4.5. Key pair and certificate usage

4.6. Certificate renewal

4.7. Certificate re-key

4.8. Certificate modification

4.9. Certificate revocation and suspension

4.10. Certificate status services

4.11. End of subscription

4.12. Key escrow and recovery


5.1. Physical security controls

5.2. Procedural controls

5.3. Personnel security controls

5.4. Audit logging procedures

5.5. Records archival

5.6. Key changeover

5.7. Compromise and disaster recovery

5.8. CA or RA termination


6.1. Key pair generation and installation

6.2. Private Key Protection and Cryptographic Module Engineering Controls

6.3. Other aspects of key pair management

6.4. Activation data

6.5. Computer security controls

6.6. Life cycle technical controls

6.7. Network security controls

6.8. Time-stamping


7.1. Certificate profile

7.2. CRL profile

7.3. OCSP profile


8.1. Frequency or circumstances of assessment

8.2. Identity/qualifications of assessor

8.3. Assessor's relationship to assessed entity

8.4. Topics covered by assessment

8.5. Actions taken as a result of deficiency

8.6. Communication of results


9.1. Fees

9.2. Financial responsibility

9.3. Confidentiality of business information

9.4. Privacy of personal information

9.5. Intellectual property rights

9.6. Representations and Warranties

9.7. Disclaimers of warranties

9.8. Limitations of liability

9.9. Indemnities

9.10. Term and termination

9.11. Individual notices and communications with participants

9.12. Amendments

9.13. Dispute resolution provisions

9.14. Governing law

9.15. Compliance with applicable law

9.16. Miscellaneous provisions

9.17. Other provisions

1. Introduction[Content] [RFC3647]

1.1. Overview[Content]

1.2. Document Name and Identification[Content]

1.3. PKI Participants[Content]

1.3.1. Certification Authority

The KISTI GRID CA does not issue certificates to subordinate certification authorities.

1.3.2. Registration Authorities

The KISTI GRID CA delegates the authentication of individual identity to Registration Authorities (RA). RAs must sign an agreement with the KISTI GRID CA, stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS. The following is the KISTI GRID RA registration procedure:

1.3.3. Subscribers (End Entities)

The KISTI GRID PKI issues person, host and service certificates to members of KISTI and other individuals working on

The term end entity is used to refer to the holder of the private key. For a person certificate it will be the subscriber, but for a host or service certificate the end entity may be some process running on a machine.

The subscriber is required to:
- read and adhere to the procedures published in this document.
- generate a key pair using a trustworthy method.
- take reasonable precautions to prevent any loss, disclosure or unauthorized use of the private key associated with the certificate, including:

1.3.4 Relying parties

KISTI GRID CA's relying parties includes the following:
- Employees of KISTI or research institutes in Korea
- Employees of international research institutes which collaborate with KISTI in Grid computing area.
- Resource-sharing organizations with KISTI Supercomputing Center

Relying parties' obligations are as follows:
- Must read the procedures published by the KISTI GRID CA.
- Must use the certificates for the permitted uses only.
- Must notify KISTI GRID CA of any security incidents. (Notification shall occur within the first 12 hours of initial knowledge of incident.)
- May verify that the certificate is not on the CRL before validating a certificate.

1.3.5 Other participants

No stipulation.

1.4. Certificate Usage[Content]

1.4.1. Appropriate certificate uses

Certificates from KISTI GRID CA may be used in applications for the following purposes:

Certificates may also be used to satisfy other general or specific requirements of Grid computing.

1.4.2. Prohibited certificate uses

Certificates issued by the CA must not be used for:

1.5. Policy Administration[Content]

1.5.1. Organization administering the document

KISTI GRID CA is managed by Grid Technology Research Team, KISTI.

1.5.2. Contact person

For inquiries regarding this document or the KISTI GRID PKI service in general, please contact:

Sangwan Kim
Grid Technology Research Team, KISTI
52 Eoeun-dong, Yusung-gu, Daejeon, 305-806 Korea
Phone: +82-42-869-0568
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or sangwan@kisti.re.kr

Soonwook Hwang
Grid Technology Research Team, KISTI
52 Eoeun-dong, Yusung-gu, Daejeon, 305-806 Korea
Phone: +82-42-869-0647
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or hwang@kisti.re.kr

1.5.3. Person determining CPS suitability for the policy

See section 1.5.2.

1.5.4. CPS approval procedures

The KISTI GRID CA is responsible for the CP and CPS.
For the global grid collaboration, KISTI GRID CA is a member of APGrid PMA and IGTF.
Major changes must be approved by the APGrid PMA community.
Minor changes can be done by KISTI GRID CA staff, and should be notified through the APGrid PMA mailing list.

1.6. Definitions and Acronyms[Content]

Certification authority (CA)
An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. The CA is responsible for the public key certificates during their whole lifetime, not just for issuing them.

CA certificate
A certificate for one CA's public key issued by another CA.

Certificate policy (CP)
A named set of rules that indicates the applicability of a certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

Certification path
An ordered sequence of certificates that, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.

Certification practice statement (CPS)
A statement of the practices that a certification authority employs in issuing certificates.

Certificate revocation list (CRL)
A time stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

Issuing certification authority (issuing CA)
The CA that issues the certificate (see also Subject certification authority).

Public key certificate (PKC)
A data structure containing the public key of an end entity and some other information, which is digitally signed with the private key of the CA that issued it.

Public Key Infrastructure (PKI)
The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public key cryptography.

Registration authority (RA)
An entity that is responsible for identification and authentication of certificate subjects but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA). The term Local Registration Authority (LRA) is used elsewhere for the same concept.

Relying party
A recipient of a certificate who acts in reliance on that certificate or on digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably.

Subject certification authority (subject CA)
In the context of a particular CA-certificate, the subject CA is the CA whose public key is certified in the certificate.

2. Publication and Repository Responsibilities[Content] [RFC3647]

2.1. Repositories[Content]

2.2. Publication of certification information[Content]

KISTI GRID CA publishes the following information through its online repository (web site http://ca.gridcenter.or.kr/).

2.3. Time or frequency of publication[Content]

2.4. Access controls on repositories[Content]

3. Identification and Authentication[Content] [RFC3647]

3.1. Naming[Content] [RFC3647]

3.1.1. Types of names

Identification of certificates will be according to X.500 distinguished name. (RFC2459)
The DN must be in the form of a X.501 printable string and must not be blank.

The following table shows attribute values for name.
Both the Organization Name 3 and Common Name are decided based on the data provided by subscribers when requesting certificates.

attributes meaning value
countryName Country name KR
organizationName Organization Name 1 KISTI
organizationName Organization Name 2 GRID
organizationName Organization Name 3 Based on application information
commonName User name(client certificate)
Host name(host certificate)

3.1.2. Need for names to be meaningful

The Subject Name in a certificate MUST have a reasonable association with the End Entity.
Each host certificate must be linked to a single network entity.
The common name of the host certificate must be the FQDN of the host.

3.1.3. Anonymity or pseudonymity of subscribers

The subscribers can not be anonymous or pseudonymous.

3.1.4. Rules for interpreting various name forms

See section 3.1.1.

3.1.5. Uniqueness of names

3.1.6. Recognition, authentication, and role of trademarks

No Stipulation

3.1.6. Recognition, authentication and role trademarks

No Stipulation

3.2. Initial Identity Validation[Content] [RFC3647]

3.2.1. Method to prove possession of private key

KISTI GRID CA confirms the possession of a private key by verification of the CSR signature.

3.2.2. Authentication of organization identity

The KISTI GRID CA verifies the identity of organizations by checking that the organization is known to the grid computing communities.

3.2.3. Authentication of individual identity

3.2.4. Non-verified subscriber information

No Stipulation

3.2.5. Validation of authority

No Stipulation

3.2.6. Criteria for interoperation

No Stipulation

3.3. Identification and Authentication for Re-key Requests [Content] [RFC3647]

3.3.1. Identification and authentication for routine re-key

This is covered by section 4.7.2.

3.3.2. Identification and authentication for re-key after revocation

Rekey after revocation follows the same rules as an initial registration.

3.4. Identification and Authentication for Revocation Requests[Content]

Contact the KISTI GRID CA or an authorized RA using e-mail or telephone in order to verify his/her identity and the validity of the request.

4. Certificate Life-Cycle Operational Requirements[Content] [RFC3647]

4.1. Certificate Application[Content] [RFC3647]

Enrollment Process is as follows:

Certificate application process is as follows:

4.2. Certificate Application Processing[Content] [RFC3647]

4.2.1. Performing identification and authentication functions

KISTI GRID CA ensures that the followings in the enrollment process and certificate application process:

In the enrollment process, the CA checks if
- the application form is correct; and
- the PIN number in the application form is correspond with the RA's generated number in the previous section; and
- the RA examined the subscriber in a face-to-face meeting or an equivalent inspection process, if required.

In the certificate application process, the CA checks if
- the certificate request is done in accordance with the process in this document especially in the section 4.1.
- the certificate request subject name has correct format; and
- the key length of the certificate request meets the requirement.

4.2.2. Approval or rejection of certificate applications

- The issuance of a certificate by the CA indicates a complete and final approval of the certificate application by the CA.
- If any condition specified in section 4.2.1 is not be satisfied, the certificate application is rejected and the CA notifies to the subscriber with the reason of the rejection.

4.2.3. Time to process certificate applications

- The CA should process the certificate application within 2 business day from the acceptance of the certificate request.

4.3. Certificate Issuance[Content] [RFC3647]

4.4. Certificate Acceptance[Content] [RFC3647]

4.5. Key Pair and Certificate Usage[Content] [RFC3647]

4.6. Certificate Renewal[Content] [RFC3647]

4.6.1. Circumstance for certificate renewal

- Certificate renewal means the issuance of a new certificate to the subscriber without changing information in the certificate before expiration of the certificate. There are two possible cases:

4.6.2. Who may request renewal

- Covered in section 4.7.2.

4.6.3. Processing certificate renewal requests

- Covered in section 4.7.3.

4.6.4. Notification of new certificate issuance to subscriber

- Covered in section 4.7.

4.6.5. Conduct constituting acceptance of a renewal certificate

- Covered in section 4.7.

4.6.6. Publication of the renewal certificate by the CA

- Covered in section 4.7.

4.6.7. Notification of certificate issuance by the CA to other entities

- Covered in section 4.7.

4.7. Certificate Re-key[Content] [RFC3647]

4.7.1. Circumstance for certificate re-key

Generally, certificate re-key can or must take place in cases such as:
(case 1) after a certificate is revoked for reasons of key compromise; or
(case 2) after a certificate has expired and the usage period of the key pair has also expired; or
(case 3) one (1) month prior to the expiration of the EE certificate.

4.7.2. Who may request certification of a new public key

- A subscriber of KISTI GRID CA can request certification of a new public key in the following conditions.

4.7.3. Processing certificate re-keying requests

4.7.4. Notification of new certificate issuance to subscriber

- Basically same as the initial certificate issuance in the section 4.1.

4.7.5. Conduct constituting acceptance of a re-keyed certificate

- Basically same as the initial certificate issuance in the section 4.1.

4.7.6. Publication of the re-keyed certificate by the CA

- Basically same as the initial certificate issuance in the section 4.1.

4.7.7. Notification of certificate issuance by the CA to other entities

- Basically same as the initial certificate issuance in the section 4.1.

4.8. Certificate Modification[Content] [RFC3647]

KISTI GRID CA does not support certificate modification.

4.9. Certificate Revocation and Suspension[Content] [RFC3647]

4.9.1. Circumstances for revocation

A certificate must be revoked when information it contains is suspected to be incorrect or compromised. This includes situations where:

4.9.2. Who Can Request Revocation

KISTI GRID CA will accept a revocation request made by

4.9.3. Procedure for Revocation Request

Entities requesting revocation of a certificate must authenticate themselves in one of the following ways:

In both case above, the requesting entity must specify the reason for the revocation request and provide evidence of circumstances as described in section 4.2.1.

4.9.4. Revocation request grace period

4.9.5. Time within which CA must process the revocation request

The CA should process the certificate revocation request within 1 working day from the recognition of the request.

4.9.6. Revocation checking requirement for relying parties

No stipulation.

4.9.7. CRL Issuance Frequency (if applicable)

4.9.8. Maximum latency for CRLs (if applicable)

- CRLs must be published in the repository after generation as soon as possible.
- In KISTI GRID CA, the maximum latency between the generation of CRLs and posting of the CRLs to the repository is 1 hour.

4.9.9. On-line revocation/status checking availability

KISTI GRID PKI system does not provide any online status checking facility.

4.9.10. On-line revocation checking requirements

KISTI GRID PKI system does not provides any online status checking facility.

4.9.11. Other forms of revocation advertisements available

No stipulation.

4.9.12. Special requirements re key compromise

No stipulation.

4.9.13. Circumstances for suspension

KISTI GRID CA does not support Certificate Suspension.

4.9.14. Who can request suspension

KISTI GRID CA does not support Certificate Suspension.

4.9.15. Procedure for suspension request

KISTI GRID CA does not support Certificate Suspension.

4.9.16. Limits on suspension period

KISTI GRID CA does not support Certificate Suspension.

4.10. Certificate Status Services[Content] [RFC3647]

KISTI GRID CA does not support (on-line) certificate status services.

4.11. End of Subscription[Content] [RFC3647]

If a subscriber of KISTI GRID CA end the subscription to the CA services:

The subscriber must do the following:
- Must not use any certificate issued from KISTI GRID CA
- Must delete his WACC(from section 4.1) from his web browser.

The CA must do the following:
- Must revoked all certificates issued for the subscriber.
- Must disable any authentication for the user's WACC

4.12. Key Escrow and Recovery[Content] [RFC3647]

No stipulation.

5. Management, Operational, and Physical Controls[Content] [RFC3647]

5.1. Physical Security Controls[Content] [RFC3647]

The CA operates in a controlled environment, where access is restricted to authorized people.

5.1.1. Site location and construction

KISTI GRID PKI is located at Grid Technology Research Team, KISTI at Daejeon, Korea.

5.1.2. Physical access

Physical access to the KISTI GRID CA machine is restricted to authorized personnel.
The KISTI GRID CA machines (both the issueing machine and the public web server) are:

5.1.3. Power and air conditioning

The CA signing machine and the CA web server are both protected by uninterruptible power supplies. Environment temperature in rooms containing CA related equipment is maintained at appropriate levels by suitable air conditioning systems.

5.1.4. Water exposures

The CA shall ensure that the CA system is adequately protected from water exposures.

5.1.5. Fire prevention and protectionr

The building housing the KISTI GRID CA facilities has a fire alarm system.
The CA shall ensure that the CA system is adequately protected from fire by a fire suppression system.

5.1.6. Media storage

The KISTI GRID CA key and backup copies of CA related information is securely kept in several removable storage media.

5.1.7. Waste disposal

The CA shall ensure that all media containing sensitive information is sanitized, to remove information such that data recovery is not possible, or destroyed before release for disposal. CA personnel shall account for the destruction of sensitive information.

5.1.8. Off-site backup

In KISTI GRID CA, No off-site backups are currently performed.

5.2. Procedural Controls[Content] [RFC3647]

5.2.1. Trusted roles

5.2.2. Number of persons required per task

For operation of KISTI GRID PKI, the number of persons required for the roles is:

5.2.3. Identification and authentication for each role

In KISTI GRID PKI, on-line and/or off-line system will identify and authenticate the operator when the staff operates the system.

5.2.4. Roles requiring separation of duties


5.3. Personnel Security Controls[Content] [RFC3647]

All access to the servers and applications that comprise the KISTI GRID PKI is limited to KISTI GRID PKI security staffs.

5.3.1. Qualifications, experience, and clearance requirements

The CA shall ensure that all staff performing CA and RA functions possess the necessary knowledge, experience and qualifications to perform their duties.

5.3.2. Background check procedures

CA personnel must be a formal member of KISTI.

5.3.3. Training requirements

- The CA shall ensure that all personnel receive appropriate training. Such training shall address relevant topics such as security requirements, operational responsibilities and associated procedures.

5.3.4. Retraining frequency and requirements

The CA shall review and update its training program at least once a year to accommodate changes in the CA system.

5.3.5. Job rotation frequency and sequence

No stipulation.

5.3.6. Sanctions for unauthorized actions

In the event of actual or suspected unauthorized actions by a person performing duties with respect to the operation of the CA or an RA, the CA shall suspend his or her access to the CA system.

5.3.7. Independent contractor requirements

The CA shall ensure that contract personnel satisfy the same personnel security requirements with respect to appointment, training and background checks as those applicable to CA employees.

5.3.8. Documentation supplied to personnel

The CA shall provide these Certificate Policies, relevant provisions of the CPS, as well as any specific statutes, policies or contracts relevant to their positions to CA personnel, RAs and Client Responsible Individuals.

5.4. Audit Logging Procedures[Content] [RFC3647]

- The KISTI GRID CA will retain records as much as possible so that the KISTI GRID CA could trace anything if something illegal would happen.
- Such audit information is not publicly available.
- Auditors are allowed to access the information as part of auditing and such information must be kept confidential.
- CA operator performs operational audits of the CA/RA staff at least once per year.

5.4.1. Types of events recorded

5.4.2. Frequency of processing log

The CA shall ensure that all significant events are explained in an audit log summary and that CA personnel review audit logs at least once every month. Such reviews involve verifying that the log has not been tampered with, and then inspecting all log entries. CA personnel shall conduct a more thorough investigation of any "alerts" or irregularities in the logs. The CA shall indicate who has responsibility for audit log review and audit log summary preparation in the CPS.

5.4.3. Retention period for audit log

The CA shall retain its audit logs on site for at least two(2) months and subsequently retain audit logs in the manner described in section 5.5.

5.4.4. Protection of audit log

The CA shall protect the electronic audit log system and audit information captured electronically or manually from unauthorized viewing, modification, deletion or destruction.

5.4.5. Audit log backup procedures

The CA shall back up or copy all audit logs and audit summaries.

5.4.6. Audit collection system (internal vs. external)

No stipulation.

5.4.7. Notification to event-causing subject

No stipulation.

5.4.8. Vulnerability assessments

No stipulation.

5.5. Records Archival[Content] [RFC3647]

5.5.1. Types of records archived

5.5.2. Retention period for archive

Certificates and CRLs generated by the CA, must be retained for at least 2 years after their expiration, and;
The minimum retention period is 3 years.

5.5.3. Protection of archive

System logs and email archives are protected by the authorization mechanism provided by Unix operating system. Only the owners of the system logs are able to modify the logs. System logs and email archives are periodically back-up to the offline media which is stored in a safe place.

5.5.4. Archive backup procedures

A second copy of all material retained or backed up must be stored in readonly media like CD-ROM.
The second copy must be protected either by physical security alone, or a combination of physical and cryptographic protection.

5.5.5. Requirements for time-stamping of records

All archived logs and documents are time stamped.

5.5.6. Archive collection system (internal or external)

No stipulation.

5.5.7. Procedures to obtain and verify archive information

No stipulation.

5.6. Key Changeover[Content] [RFC3647]

- When the CA's cryptographic data needs to be changed (e.g. CA key expiration), from the time of distribution of new crtyptographic data, only the new CA certificate will be used for certificate signing purposes.
- From that time, the old CA certificate will not be used for certificate signing purposes.
- The overlap of the old and new CA certificate must be at least the longest time an end-entity certificate can be valid(1 year).
- The old CA certificate will be valid and available to verify old signatures and the secret key to sign CRLs until all the certificates signed using the associated private key have also expired.

5.7. Compromise and Disaster Recovery[Content] [RFC3647]

5.8. CA or RA Termination[Content] [RFC3647]

Before KISTI GRID CA terminates its services it will:

6. Technical Security Controls[Content] [RFC3647]

6.1. Key Pair Generation and Installation[Content] [RFC3647]

6.1.1. Key pair generation

6.1.2. Private key delivery to subscriber

The KISTI GRID CA does not generate end entities' private keys hence does not deliver private keys. User's private key could be generated by browser application in personal computer.

6.1.3. Public key delivery to certificate issuer

End entity will send its public key included in CSR at time of certificate request.

6.1.4. CA public key delivery to relying parties

CA certificate will be published on the KISTI Grid PKI repository.

6.1.5. Key sizes

6.1.6. Public key parameters generation and quality checking

No stipulation

6.1.7. Key usage purposes(as per X.509 v3 key usage field)

KISTI GRID CA private key is the only key used for signing CRLs and Certificates for persons, servers and services.

The Certificate key Usage field must be used in accordance with the ``Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 2459].

6.2. Private Key Protection and Cryptographic Module Engineering[Content] [RFC3647]

6.2.1. Cryptographic module standards and controls

KISTI GRID CA do not use any hardware security module.

6.2.2. Private key (n out of m) multi person control

In KISTI GRID CA system, (n out of m) multi-person control is not supported.

The passphrase for accessing to CA's privatekey is known to 3 CA staffs.

6.2.3. Private key escrow

Not supported.

6.2.4. Private key backup

The KISTI GRID private key backup is performed by CA operator and the two copies of backup key is kept encrypted in a CDROM and memory stick respectively in a safe place where access is controlled.

6.2.5. Private key archival

See section 5.5.

6.2.6. Private key transfer into or from a cryptographic module

No stipulation.

6.2.7. Private key storage on cryptographic module

No stipulation.

6.2.8. Method of activating private key

See section 6.4.

6.2.9. Method of deactivating private key

No stipulation.

6.2.10. Method of destroying private key

No stipulation.

6.2.11. Cryptographic Module Rating

No stipulation.

6.3. Other Aspects of Key Pair Management[Content] [RFC3647]

6.3.1. Public key archival

The CA shall retain all public key certificates it generates.

6.3.2. Certificate operational periods and key pair usage periods

6.4. Activation Data[Content] [RFC3647]

6.5. Computer Security Controls[Content] [RFC3647]

6.5.1. Specific computer security technical requirements

6.5.2. Computer security rating

No stipulation.

6.6. Life Cycle Security Controls[Content] [RFC3647]

No stipulation.

6.7. Network Security Controls[Content] [RFC3647]

6.8. Time-stamping[Content] [RFC3647]

No stipulation.

7. Certificate and CRL Profiles[Content] [RFC3647]

7.1. Certificate Profile[Content] [RFC3647]

7.1.1. Version number(s)

X.509 v3.

7.1.2. Certificate extensions

CA Certificate:

User Certificates:

Host Certificates:

X.509v3 Extension CA Certificate User Certificates Host Certificates
Basic Constraints critical, CA:TRUE critical, CA:FALSE critical, CA:FALSE
Key Usage critical critical critical
Key Usage:Certificate Sign O - -
Key Usage:CRL Sign O - -
Key Usage:Digital Signature O O O
Key Usage:Non Repudiation O O -
Key Usage:Key Encipherment O O O
Key Usage:Data Encipherment - O O
Extended Key Usage - TLS Web Client Authentication(clientAuth) TLS Web Server Authentication(serverAuth),
TLS Web Client Authentication(clientAuth)
Issuer Alternative Name - email:ca@gridcenter.or.kr,
Subject Alternative Name - - DNS:<FQDN of the host>
CRL Distribution Points - URI://ca.gridcenter.or.kr/CRL/ URI://ca.gridcenter.or.kr/CRL/
Certificate Policies

7.1.3. Algorithm object identifiers

Signature Algorithm: sha1WithRSAEncryption(2048 bits)

7.1.4. Name forms

7.1.5. Name constraints

Subject DN can contain the following characters:
Alphabetic characters: a-z, A-Z
Numerical character: 0-9
Special character: -(dash), _(underscore)

No other characters are not allowed for the subject name.

7.1.6 Certificate policy object identifier

X509v3 Certificate Policies: Policy:
See section 1.2.

7.1.7 Usage of policy constraints extensions

No Stipulation.

7.1.8 Policy qualifier syntax and semantics

No Stipulation.

7.1.9. Processing semantics for the critical Certificate Policies extension

No Stipulation.

7.2. CRL Profile[Content] [RFC3647]

CRLs are signed by the KISTI GRID CA private key and are published in a web page.

7.2.1. Version number(s)

X.509 v2.

7.2.2. CRL and CRL entry extensions

Message digest algorithm of the CRL: SHA-1

7.3. OCSP Profile[Content] [RFC3647]

7.3.1. Version number(s)

No stipulation.

7.3.2. OCSP extensions

No stipulation.

8. Compliance Audit and Other Assessment[Content] [RFC3647]

8.1. Frequency of Entity Compliance Assessment[Content] [RFC3647]

The KISTI GRID CA will accept external Compliance Audit.
In addition, the KISTI GRID CA performs operational self-assessment of CA/RA staff at least once per year.

8.2. Identity/Qualifications of Assessor[Content]

KISTI GRID CA can be audited by the APGrid PMA.

8.3. Assessor's relationship to assessed entity[Content]

KISTI GRID CA can be audited by the APGrid PMA.

8.4. Topics Covered by Assessment[Content]

Audit items will be selected based on the minimum CA requirements and documents enacted by the APGridPMA.

8.5. Actions Taken as a Result of Deficiency[Content]

The KISTI GRID CA has the responsibility for the action to be taken as a result of deficiency. When the KSITI GRID CA receives an audit report from the auditor, it will send a report on actions to the auditor within two weeks. The report must describe actions taken as a result of deficiency and their timetable.

8.6. Communications of Results[Content]

The result of the audit will be made available to APGrid PMA in which the KISTI GRID CA participates. It may make the results of the audit publicly available.

9. Other Business and Legal Matters[Content] [RFC3647]

9.1. Fees[Content] [RFC3647]

No fees are charged for any service provided by the KISTI GRID CA.

9.2. Financial Responsibility[Content] [RFC3647]

Accept no liability at all.

9.3. Confidentiality of Business Information[Content] [RFC3647]

9.4. Privacy of Personal Information[Content] [RFC3647]

The subscriber's private information collected for registration are:
- Name of subscriber
- Gender of subscriber
- Country
- Organization Name
- Position
- Telephone
- Email
We do not provide this information to other organizations.

9.5. Intellectual Property Rights[Content] [RFC3647]

All certificate related data issued by KISTI GRID CA is not under any copyright or intellectual property protection.

9.6. Representations and Warranties[Content] [RFC3647]

No stipulation.

9.7. Disclaimers of Warranties[Content] [RFC3647]

No stipulation.

9.8. Limitations of Liability[Content] [RFC3647]

9.9. Indemnities[Content] [RFC3647]

No stipulation.

9.10. Term and Termination[Content] [RFC3647]

9.10.1. Term

This CP/CPS is valid and enforceable from the time of accreditation by APGrid PMA.

9.10.2. Termination

This CP/CPS terminates in the following cases:
- CA certificate expires
- CA terminates its service
- A new version of CP/CPS is accreditated.

9.10.3. Effect of termination and survival

No stipulation.

9.11. Individual notices and communications with participants[Content] [RFC3647]

No stipulation.

9.12. Amendments[Content] [RFC3647]

9.13. Dispute Resolution Procedures[Content] [RFC3647]

No stipulation.

9.14. Governing Law[Content] [RFC3647]

KISTI GRID CA is subject to Korean law.

9.15. Compliance with Applicable Law[Content] [RFC3647]

No stipulation.

9.16. Miscellaneous Provisions[Content] [RFC3647]

No stipulation.

9.17. Other Provisions[Content] [RFC3647]

No stipulation.