Contents
1.3. Community and Applicability
1.3.2. Registration Authorities
2.1.4. Relying Party Obligations
2.4. Interpretation and Enforcement
2.6. Publication and Repository
2.6.1. Publication of CA Information
2.6.2. Frequency of Publication
2.7.1. Frequency of Entity Compliance Audit
2.7.2. Identity/Qualifications of Auditor
2.7.3. Auditor's Relationship to Audited Party
2.7.5. Actions Taken as a Result of Deficiency
2.7.6. Communication of Results
2.9. Intellectual Property Rights
3. Identification and Authentication
3.1.3. Rules for Interpreting Various Name Forms
3.1.5. Name Claim Dispute Resolution Procedure
3.1.6. Recognition, Authentication and Role of Trademarks
3.1.7. Method to Prove Possession of Private Key
3.1.8. Authentication of Organization Identity
3.1.9. Authentication of Individual Identity
4.4. Certificate Suspension and Revocation
4.4.1. Circumstances for Revocation
4.4.2. Who Can Request Revocation
4.4.3. Procedure for Revocation Request
4.4.4. Revocation Request Grace Period
4.4.5. Circumstances for Suspension
4.5. Security Audit Procedures
4.5.2. Frequency of Processing Logs
4.5.3. Retention Period for Audit Logs
4.6.1. Types of Events Recorded
4.6.2. Retention Period for Archive
4.7.1. User Certificate Validity Date
4.7.2. CA Certificate Validity Date
4.8. Compromise and Disaster Recovery
5. Physical, Procedural, and Personnel Security Controls
5.1. Physical Security Controls
5.1.3. Power and Air Conditioning
5.1.5. Fire Prevention and Protection
5.3. Personnel Security Controls
5.3.1. Background Checks and Clearance Procedures for CA Personnel
5.3.2. Background Checks and Security Procedures for Other Personnel
5.3.3. Training Requirements and Procedures
5.3.4. Training Period and Retraining Procedures
5.3.5. Frequency and Sequence of Job Rotation
5.3.6. Sanctions Against Personnel
5.3.7. Controls on Contracting Personnel
5.3.8. Documentation Supplied to Personnel
6. Technical Security Controls
6.1.2. Private Key Delivery to Entity
6.1.3. Public Key Delivery to Certificate Issuer
6.1.4. CA Public Key Delivery to Users
6.1.6. Public Key Parameters Generation
6.1.7. Parameter Quality Checking
6.1.8. Hardware/Software Key Generation
6.2.1. Private Key (n out of m) Multi-Person Control
6.3. Other Aspects of Key Pair Management
6.5. Computer Security Controls
6.5.1. Specific Security Technical Requirements
6.5.2. Computer Security Rating
6.6. Life Cycle Security Controls
6.7. Network Security Controls
6.8. Cryptographic Module Engineering Controls
7. Certificates and CRL Profile
7.1.3. Algorithm Object Identifiers
7.1.6. Certificate Policy Object Identifier
7.1.7. Usage of Policy Constraints Extensions
7.1.8. Policy Qualifier Syntax and Semantics
7.2.2. CRL and CRL Entry Extensions
8. Specification Administration
8.1. Specification Change Procedures
8.2. Publication and Notification Policies
1. Introduction
1.1. Overview
This document is structured according to RFC 2527. Not all sections of RFC 2527 are used; sections that are not included have the default value "No stipulation." This document describes the set of rules and procedures established by the Korea Institute of Science and Technology Information Certificate Authority (KISTI GRID CA) Policy Management Authority for the operation of the KISTI GRID PKI service. It contains both the Certificate Policy and the Certification Practice Statement for the KISTI GRID PKI, which is a traditional X.509 public key certification authority that complies with the IGTF profile for traditional ("classic") X.509 public key certification authorities with secure infrastructure. It is the intent of the KISTI GRID CA to issue identity and service certificates for use in Grids.
The purpose of the KISTI GRID CA is to issue identity and service certificates for use in Grids to its community of users and/or classes of applications with common security requirements.
1.2. Identification
The object identifier (OID) of this CP/CPS is built from the following arcs:
| Arc | OID component |
| IANA | 1.3.6.1.4.1 |
| KISTI (Korea Institute of Science and Technology Information) | .14305 |
| KISTI Supercomputing Center | .1 |
| KISTI GRID CA | .1 |
| CP/CPS | .1 |
| Major Version | .2 |
| Minor Version | .0 |
The resulting OID for this version of the document is 1.3.6.1.4.1.14305.1.1.1.2.0.
1.3. Community and Applicability
1.3.1. Certification Authority
The KISTI GRID CA does not issue certificates to subordinate Certification Authorities.
1.3.2. Registration Authorities
The KISTI GRID CA delegates the authentication of individual identity to Registration Authorities (RAs). RAs must sign an agreement with the KISTI GRID CA stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS. Every organization, whether real or virtual, has only one RA, who is a representative of that organization. The following is the KISTI GRID RA registration procedure:
1.3.3. End Entities
The KISTI GRID PKI issues person, host and service certificates to members of KISTI and other individuals working on
The person who requests a certificate and is responsible for its private key is the subscriber. The term end entity refers to the holder of the private key: for a person certificate this is the subscriber, but for a host or service certificate the end entity may be a process running on a machine.
1.3.4. Applicability
Certificates issued by the KISTI GRID CA are to be used for Grid security, generally with the Globus certificate-related security tools, and for PKI object signing and authentication. Certificates issued by the KISTI GRID CA are valid only in the context of the Grid research activities of KISTI and the other research and development activities listed in section 1.3.3. Any other usage, including financial transactions, is strictly forbidden.
1.4. Contact Details
For inquiries regarding this document or the KISTI GRID PKI service in general, please contact:
Sangwan Kim
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0568
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or sangwan@kisti.re.kr
Soonwook Hwang
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0647
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or hwang@kisti.re.kr
2. General Provisions
2.1. Obligations
2.1.1. CA Obligations
The CA will:
2.1.2. RA Obligations
The RA will:
2.1.3. Subscriber Obligations
In all cases, subscribers will be required to:
2.1.4. Relying Party Obligations
Relying parties must:
2.1.5. Repository Obligations
2.2. Liability
2.3. Financial Responsibility
No Stipulation.
2.4. Interpretation and Enforcement
No stipulation.
2.5. Fees
No fees are charged for any service provided by the KISTI GRID CA.
2.6. Publication and Repository
2.6.1. Publication of CA Information
KISTI GRID CA publishes the following information through its online repository.
2.6.2. Frequency of Publication
2.6.3. Access Controls
2.6.4. Repositories
2.7. Compliance Audit
2.7.1. Frequency of Entity Compliance Audit
The KISTI GRID CA will accept at least one external Compliance Audit per year. In addition, the KISTI GRID CA performs operational self-assessment of CA/RA staff at least once per year.
2.7.2. Identity/Qualifications of Auditor
The CA will be audited by other cross-certifying CAs.
2.7.3. Auditor's Relationship to Audited Party
It is desirable that the auditor be a third party to this PKI.
2.7.4. Topics Covered by Audit
Audit items will be selected based on the WebTrust criteria and the minimum CA requirements enacted by the APGridPMA. The audit must cover both compliance and operational aspects.
2.7.5. Actions Taken as a Result of Deficiency
The KISTI GRID CA is responsible for the actions to be taken as a result of a deficiency. When the KISTI GRID CA receives an audit report from the auditor, it will send a report on actions to the auditor within two weeks. The report must describe the actions taken as a result of the deficiency and their timetable.
2.7.6. Communication of Results
The result of the audit will be made available to the members of any policy management authority in which the KISTI GRID CA participates. The KISTI GRID CA may make the results of the audit publicly available; that decision is made on a case-by-case basis.
2.8. Confidentiality
The KISTI GRID CA collects subscribers' full names and email addresses. Some of this information is used to construct unique, meaningful subject names in the issued certificates.
Information included in issued certificates and CRLs is not considered confidential.
The KISTI GRID PKI does not collect any kind of confidential information.
The KISTI GRID PKI does not have access to, and does not generate, the private keys of digital signature key pairs such as those used in KISTI GRID identity certificates. These key pairs are generated and managed by the subscribers and are the sole responsibility of the subscribers.
2.9. Intellectual Property Rights
Certificate-related data issued by the KISTI GRID CA is not subject to any copyright or intellectual property protection.
3. Identification and Authentication
3.1. Initial Registration
3.1.1. Types of Names
Certificates are identified by X.500 Distinguished Names, as profiled in RFC 2459.
3.1.2. Name Meanings
The following table shows the attribute values used in names. Both Organization Name 3 and the Common Name are decided based on the data provided by subscribers when requesting certificates.
| attribute | meaning | value |
| countryName | Country name | KR |
| organizationName | Organization Name 1 | KISTI |
| organizationName | Organization Name 2 | GRID |
| organizationName | Organization Name 3 | Based on application information |
| commonName | User name (client certificate) or host name (server certificate) | Based on application information |
3.1.3. Rules for Interpreting Various Name Forms
Names are interpreted according to the rules in section 3.1.2.
3.1.4. Uniqueness of Names
Distinguished Names must be unique among all certificates issued by the KISTI GRID CA.
3.1.5. Name Claim Dispute Resolution Procedure
No stipulation.
3.1.6. Recognition, Authentication and Role of Trademarks
No stipulation.
3.1.7. Method to Prove Possession of Private Key
The KISTI Grid CA verifies possession of the private key by checking the signature on the certificate signing request (CSR), which is made with the private key corresponding to the public key contained in the request.
3.1.8. Authentication of Organization Identity
If the name of an organization is requested to be part of the subject name, the KISTI Grid CA may take steps to ascertain that the organization consents to such use.
3.1.9. Authentication of Individual Identity
User:
Host or Service certificate:
3.2. Routine Rekey
Rekey before expiration can be accomplished by sending a rekey request based on a new public key. Rekey after expiration follows the same authentication procedures as for a new certificate.
3.3. Rekey After Revocation
Rekey after revocation follows the same rules as an initial certification request.
3.4. Revocation Request
The requester must contact the KISTI GRID CA or an authorized RA in person so that his/her identity and the validity of the request can be verified.
4. Operational Requirements
4.1. Certificate Application
4.2. Certificate Issuance
4.3. Certificate Acceptance
No stipulation.
4.4. Certificate Suspension and Revocation
4.4.1. Circumstances for Revocation
A certificate must be revoked when the information it contains is suspected to be incorrect or when the private key is suspected to be compromised. This includes situations where:
4.4.2. Who Can Request Revocation
The KISTI GRID CA will accept a revocation request made by
4.4.3. Procedure for Revocation Request
The entity requesting revocation of a certificate must authenticate itself in one of the following ways:
In both cases above, the requesting entity must specify the reason for the revocation request and provide evidence of the circumstances described in section 4.4.1.
4.4.4. Revocation Request Grace Period
The KISTI GRID CA will process a revocation as soon as the revocation request has been received and approved. The revocation information will be published in the KISTI Grid PKI repository.
4.4.5. Circumstances for Suspension
The KISTI GRID CA does not support certificate suspension.
4.4.6. CRL Issuance Frequency
4.5. Security Audit Procedures
The KISTI Grid CA retains records as completely as possible so that it can trace events if misuse or unlawful activity is suspected. This audit information is not publicly available. Auditors are allowed to access it as part of an audit and must keep it confidential.
4.5.1. Types of Events Recorded
4.5.2. Frequency of Processing Logs
No stipulation.
4.5.3. Retention Period for Audit Logs
Logs will be kept for a minimum of 3 years.
4.6. Records Archival
4.6.1. Types of Events Recorded
All the types of events listed in section 4.5.1 are recorded in the archives. In addition, the following email messages are archived as well:
4.6.2. Retention Period for Archive
The minimum retention period is 3 years.
4.7. Key Changeover
4.7.1. User Certificate Validity Date
User certificates, including host and service certificates, must be renewed within their validity period, which will not exceed one year.
4.7.2. CA Certificate Validity Date
The CA will stop signing new end-entity certificates with its private key once the remaining validity of the CA certificate is shorter than the validity period of an end-entity certificate, so that no end-entity certificate outlives the CA certificate that signed it. The CA certificate validity is 10 years.
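The stop-issuing rule of section 4.7.2 as an operator-side check, added here as an example and not taken from the KISTI GRID CA's procedures: it assumes the OpenSSL command line is installed and uses two constructed self-signed CA certificates, one freshly issued for ten years and one with only 200 days left, to show which of them may still sign a one-year end-entity certificate today.

```sh
#!/bin/sh
# Added example, not KISTI GRID CA code: the stop-issuing rule of section
# 4.7.2 on the OpenSSL command line (assumed installed). An end-entity
# certificate lives at most one year (4.7.1), so the CA must stop signing once
# its own certificate has less than a year left; otherwise it would issue
# certificates that outlive their issuer and fail path validation before they
# expire. `openssl x509 -checkend N` exits 0 when the certificate is still
# valid N seconds from now and 1 otherwise, which is exactly the test needed.
# Both CA certificates below are constructed test certificates.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

EE_DAYS=365                          # maximum end-entity lifetime (4.7.1)
EE_SECONDS=$((EE_DAYS * 86400))

# make_ca FILE DAYS: constructed self-signed CA certificate valid for DAYS days
make_ca() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/C=KR/O=KISTI/O=GRID/CN=KISTI Grid Certificate Authority" \
        >/dev/null 2>&1
}

# may_issue CAFILE -> "issue" when the CA certificate outlives a one-year
# end-entity certificate signed today, "stop" when signing must cease and the
# key changeover of section 4.7 is due.
may_issue() {
    if openssl x509 -in "$1" -noout -checkend "$EE_SECONDS" >/dev/null 2>&1; then
        echo issue
    else
        echo stop
    fi
}

make_ca fresh-ca.pem 3650   # newly issued 10-year CA certificate (4.7.2)
make_ca old-ca.pem 200      # CA certificate with only 200 days remaining

echo "fresh CA: $(may_issue fresh-ca.pem)"   # issue
echo "old CA:   $(may_issue old-ca.pem)"     # stop
```

The same check, with the CRL lifetime in place of the end-entity lifetime, tells the operator how long the old CA key may keep signing CRLs for certificates it has already issued; the document does not stipulate that period, so it is left out here.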
4.8. Compromise and Disaster Recovery
4.9. CA Termination
Before KISTI GRID CA terminates its services it will:
5. Physical, Procedural, and Personnel Security Controls
5.1. Physical Security Controls
The CA operates in a controlled environment, where access is restricted to authorized people.
5.1.1. Site Location
KISTI GRID PKI is located at Grid Technology Research Team, KISTI Supercomputing Center, Daejeon, Korea.
5.1.2. Physical Access
Physical access to the KISTI GRID CA machine is restricted to authorized personnel. The KISTI GRID CA machines are:
5.1.3. Power and Air Conditioning
The CA signing machine and the CA web server are both protected by uninterruptible power supplies. Environment temperature in rooms containing CA related equipment is maintained at appropriate levels by suitable air conditioning systems.
5.1.4. Water Exposures
No stipulation.
5.1.5. Fire Prevention and Protection
The building housing the KISTI GRID CA facilities has a fire alarm system.
5.1.6. Media Storage
The KISTI GRID CA key and backup copies of CA-related information are kept securely on several removable storage media.
5.1.7. Waste Disposal
Waste carrying potentially confidential information, such as old floppy disks, is physically destroyed before disposal.
5.1.8. Off-Site Backup
No off-site backups are currently performed.
5.2. Procedural Controls
No stipulation.
5.3. Personnel Security Controls
All access to the servers and applications that comprise the KISTI GRID PKI is limited to KISTI GRID PKI security staff.
5.3.1. Background Checks and Clearance Procedures for CA Personnel
CA personnel are recruited from the KISTI Supercomputing Center.
5.3.2. Background Checks and Security Procedures for Other Personnel
No other personnel are authorized to access KISTI GRID CA facilities without the physical presence of CA personnel.
5.3.3. Training Requirements and Procedures
Internal training is given to CA operators.
5.3.4. Training Period and Retraining Procedures
No stipulation.
5.3.5. Frequency and Sequence of Job Rotation
No stipulation.
5.3.6. Sanctions Against Personnel
No stipulation.
5.3.7. Controls on Contracting Personnel
No stipulation.
5.3.8. Documentation Supplied to Personnel
- Copies of this document
- KISTI GRID CA Operations Manual
6. Technical Security Controls
6.1. Key Pair Generation and Installation
6.1.1. Key Pair Generation
The CA key pair is generated by CA staff on a dedicated machine not connected to any kind of network. End entities' cryptographic keys are generated locally by their application during the request process. The KISTI GRID PKI does not generate private keys for subjects.
6.1.2. Private Key Delivery to Entity
The KISTI GRID CA does not generate end entities' private keys and therefore does not deliver private keys. A user's private key may, for example, be generated by a browser application on a personal computer.
6.1.3. Public Key Delivery to Certificate Issuer
The end entity sends its public key to the CA as part of the CSR at the time of the certificate request.
6.1.4. CA Public Key Delivery to Users
The CA certificate is published in the KISTI Grid PKI repository.
6.1.5. Key Sizes
6.1.6. Public Key Parameters Generation
No stipulation.
6.1.7. Parameter Quality Checking
No stipulation.
6.1.8. Hardware/Software Key Generation
See section 6.1.1, Key Pair Generation.
6.1.9. Key Usage Purposes
The KISTI GRID CA private key is the only key used for signing CRLs and certificates for persons, hosts and services.
The certificate keyUsage extension must be used in accordance with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile [RFC 2459].
6.2. Private Key Protection
6.2.1. Private Key (n out of m) Multi-Person Control
The CA's private key is not under (n out of m) multi-person control, but the KISTI GRID CA implements multi-person control for access to the CA server as described in section 5.1.2 (Physical Access). The backup copy of the CA's private key is under (2 out of 3) multi-person control.
6.2.2. Private Key Escrow
Not supported.
6.2.3. Private Key Backup
Backup of the KISTI GRID CA private key is performed by a CA operator. Two encrypted copies of the backup key are kept, one on a CD-ROM and one on a memory stick, in a safe place where access is controlled.
6.2.4. Private Key Archival
The CA private key will not be archived.
6.3. Other Aspects of Key Pair Management
6.4. Activation Data
The KISTI GRID CA's private key is protected by a pass phrase of more than 15 characters. The pass phrase is known only to CA operators. A copy of the pass phrase is kept in a sealed envelope in a safe place where access is controlled.
6.5. Computer Security Controls
6.5.1. Specific Security Technical Requirements
CA operating systems are maintained at a high level of security by applying all the relevant patches.
Monitoring is performed to detect unauthorized software changes.
CA systems configuration is reduced to the base minimum.
6.5.2. Computer Security Rating
No stipulation.
6.6. Life Cycle Security Controls
No stipulation.
6.7. Network Security Controls
The CA signing machine is kept off-line.
The other CA machines, such as the CA web server, are protected by a firewall.
6.8. Cryptographic Module Engineering Controls
No stipulation.
7. Certificates and CRL Profile
7.1. Certificate Profile
7.1.1. Version Number
X.509 v3.
7.1.2. Certificate Extensions
CA Certificates:
User Certificates:
Host Certificates:
7.1.3. Algorithm Object Identifiers
No stipulation.
7.1.4. Name Forms[Content]
Issuer:
C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
Person DN:
C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[the name of applicant]
Host DN:
C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[FQDN of the hostname]
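The name forms above as a check an RA can run before approving a request, or a relying party before mapping a DN to a local account, added here as an example that is not part of the KISTI GRID CA's own tooling. It takes DNs in the slash-separated one-line form used by Globus tools and grid-mapfiles; every organization and name in it is constructed.

```sh
#!/bin/sh
# Added example, not KISTI GRID CA code: checking that a subject DN obeys the
# name forms of section 7.1.4. DNs are taken in the slash-separated one-line
# form used by Globus tools and grid-mapfiles; all organizations and names
# below are constructed for the demonstration.

# Person DN: C=KR, O=KISTI, O=GRID, O=<applicant's organization>, CN=<name>.
# Exactly these five components, in this order, with nothing appended.
PERSON_RE='^/C=KR/O=KISTI/O=GRID/O=[^/]+/CN=[^/]+$'

# Host DN: same prefix, but the CN must be a fully qualified host name
# (two or more dot-separated labels of alphanumerics and inner hyphens).
HOST_RE='^/C=KR/O=KISTI/O=GRID/O=[^/]+/CN=([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'

# classify_dn DN -> prints "host", "person" or "invalid". The host form is
# tested first because an FQDN also satisfies the looser person pattern.
classify_dn() {
    if printf '%s\n' "$1" | grep -Eq "$HOST_RE"; then
        echo host
    elif printf '%s\n' "$1" | grep -Eq "$PERSON_RE"; then
        echo person
    else
        echo invalid
    fi
}

# Constructed DNs: two valid forms and three that must be rejected (missing
# applicant organization, wrong country, extra component after the CN).
for dn in \
    '/C=KR/O=KISTI/O=GRID/O=Example Lab/CN=Jane Doe' \
    '/C=KR/O=KISTI/O=GRID/O=Example Lab/CN=node01.example.org' \
    '/C=KR/O=KISTI/O=GRID/CN=Jane Doe' \
    '/C=US/O=KISTI/O=GRID/O=Example Lab/CN=Jane Doe' \
    '/C=KR/O=KISTI/O=GRID/O=Example Lab/CN=Jane Doe/emailAddress=jane@example.org'
do
    printf '%-82s %s\n' "$dn" "$(classify_dn "$dn")"
done
```

This is the restriction a Globus signing_policy file expresses with a cond_subjects pattern such as "/C=KR/O=KISTI/O=GRID/*", except that a wildcard prefix accepts anything appended after the CN while the patterns here do not. The classification is syntactic only: a person whose CN happened to look like a host name would be reported as "host", so whether a certificate is a host or a person certificate should finally be decided from its extensions (section 7.1.2), not from the DN alone.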
7.1.5. Name Constraints
No Stipulation.
7.1.6. Certificate Policy Object Identifier
See section 1.2.
7.1.7. Usage of Policy Constraints Extensions
No stipulation.
7.1.8. Policy Qualifier Syntax and Semantics
No stipulation.
7.2. CRL Profile
CRLs are signed with the KISTI GRID CA private key and are published on a web page.
7.2.1. Version Number(s)
X.509 v1.
7.2.2. CRL and CRL Entry Extensions
No stipulation.
8. Specification Administration
8.1. Specification Change Procedures
Users will not be warned in advance of changes to the KISTI GRID CA's CP and CPS. Revisions are made and approved by the APGridPMA. Minor editorial changes to this document can be made without approval by the APGridPMA, and no new OID is assigned to the revised document for such minor changes. Major changes, such as changes in policy or in technical security controls, must be approved by the KISTI GRID PMA, and a new OID is assigned to the revised document for such major changes.
8.2. Publication and Notification Policies
Changes to this CP/CPS will be announced in the KISTI GRID PKI repository.
8.3. CPS Approval Procedures
Major changes must be approved by the KISTI GRID PMA.
Glossary
Certification authority (CA)
An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. The CA is responsible for the public key certificates during their whole lifetime, not just for issuing them.
CA certificate
A certificate for one CA's public key issued by another CA.
Certificate policy (CP)
A named set of rules that indicates the applicability of a certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.
Certification path
An ordered sequence of certificates that, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.
Certification practice statement (CPS)
A statement of the practices that a certification authority employs in issuing certificates.
Certificate revocation list (CRL)
A time-stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.
Issuing certification authority (issuing CA)
The CA that issues the certificate (see also Subject certification authority).
Public key certificate (PKC)
A data structure containing the public key of an end entity and some other information, which is digitally signed with the private key of the CA that issued it.
Public Key Infrastructure (PKI)
The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public key cryptography.
Registration authority (RA)
An entity that is responsible for identification and authentication of certificate subjects but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA). The term Local Registration Authority (LRA) is used elsewhere for the same concept.
Relying party
A recipient of a certificate who acts in reliance on that certificate or on digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably.
Subject certification authority (subject CA)
In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the certificate.