KISTI Grid Certificate Authority CP And CPS

Modifications are highlighted as red color.

Korea Institute of Science and Technology Information (KISTI)
Certificate Policy and Certification Practice Statement

Version 2.0 ( Mar. 7, 2007 )

Korea Institute of Science and Technology Information (KISTI), Korea

Contents

1. INTRODUCTION

1.1. Overview

1.2. Document Name and Identification

1.3. PKI participants

1.4. Certificate usage

1.5. Policy administration

1.6. Definitions and acronyms

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1. Repositories

2.2. Publication of certification information

2.3. Time or frequency of publication

2.4. Access controls on repositories

3. IDENTIFICATION AND AUTHENTICATION

3.1. Naming

3.2. Initial identity validation

3.3. Identification and authentication for re-key requests

3.4. Identification and authentication for revocation request

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1. Certificate Application

4.2. Certificate application processing

4.3. Certificate issuance

4.4. Certificate acceptance

4.5. Key pair and certificate usage

4.6. Certificate renewal

4.7. Certificate re-key

4.8. Certificate modification

4.9. Certificate revocation and suspension

4.10. Certificate status services

4.11. End of subscription

4.12. Key escrow and recovery

5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.1. Physical controls

5.2. Procedural controls

5.3. Personnel controls

5.4. Audit logging procedures

5.5. Records archival

5.6. Key changeover

5.7. Compromise and disaster recovery

5.8. CA or RA termination

6. TECHNICAL SECURITY CONTROLS

6.1. Key pair generation and installation

6.2. Private Key Protection and Cryptographic Module Engineering Controls

6.3. Other aspects of key pair management

6.4. Activation data

6.5. Computer security controls

6.6. Life cycle technical controls

6.7. Network security controls

6.8. Time-stamping

7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1. Certificate profile

7.2. CRL profile

7.3. OCSP profile

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS

8.1. Frequency or circumstances of assessment

8.2. Identity/qualifications of assessor

8.3. Assessor's relationship to assessed entity

8.4. Topics covered by assessment

8.5. Actions taken as a result of deficiency

8.6. Communication of results

9. OTHER BUSINESS AND LEGAL MATTERS

9.1. Fees

9.2. Financial responsibility

9.3. Confidentiality of business information

9.4. Privacy of personal information

9.5. Intellectual property rights

9.6. Representations and Warranties

9.7. Disclaimers of warranties

9.8. Limitations of liability

9.9. Indemnities

9.10. Term and termination

9.11. Individual notices and communications with participants

9.12. Amendments

9.13. Dispute resolution provisions

9.14. Governing law

9.15. Compliance with applicable law

9.16. Miscellaneous provisions

9.17. Other provisions

1. Introduction [Content] [RFC3647]

1.1. Overview [Content]

This document is structured according to the RFC3647 (RFC3647 obsolete RFC2527).
Not all sections of RFC3647 are used. Sections that are not included have a default value of "No stipulation."
This document describes the set of rules and procedures established by the Korea Institute of Science and Technology Information Certificate Authority (KISTI GRID CA) Policy Management Authority for the operations of the KISTI GRID PKI service.
This document will include both the Certificate Policy and the Certificate Practice Statement for the KISTI GRID PKI which is a traditional X.509 Public Key Certificate Authority that complies with the IGTF Profile for a traditional X.509 Public Key Certificate Authorities with secure infrastructure.
It is intent of the KISTI GRID CA PKI is to issue identity and service certificates for use in grid.

~~The purpose of KISTI GRID CA is to issue identity and service certificates for use in Grids for its community of users and/or class of applications with common security requirements.~~

1.2. Document Name and Identification [Content]

Document title:
KISTI GRID CA Certificate Policy and Certification Practice Statement
Document version: 2.0
Document date: Mar. 7, 2007

OID:
The following ASN.1 Object Identifier (OID) has been assigned to this document: 1.3.6.1.4.1.14305.1.1.1.2.0
This OID is constructed as shown in the table below:

IANA	1.3.6.1.4.1
KISTI(Korea Institute of Science and Technology Information)	.14305
KISTI Supercomputing Center	.1
KISTI GRID CA	.1
CP/CPS	.1
Major Version	.2
Minor Version	.0

1.3. PKI Participants [Content]

1.3.1. Certification Authority

The KISTI GRID CA does not issue certificates to subordinate Certification Authorities.

1.3.2. Registration Authorities

The KISTI GRID CA delegates the authentication of individual identity to Registration Authorities (RA). RAs must sign an agreement with the KISTI GRID CA, stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS. Every organization, whether a real or virtual organization, has only one RA who is a representative of the organization. The following is the KISTI GRID RA registration procedure:

RA candidate must accept the CP/CPS and agree to all RA responsibilities.
RA candidate must be an employee of the institution or organization and provide work ID or proof of work.
Complete the RA application form and fax it to KISTI GRID CA.
Send a verification e-mail to KISTI GRID CA.
KISTI GRID CA will then arrange face-to-face or web-conference meeting with RA candidate.
After completing the request, KISTI GRID CA will publish the RA contact information on KISTI GRID CA website.

1.3.3. Subscribers(End Entities)

The KISTI GRID PKI issues person, host and service certificates to members of KISTI and other individuals working on

Grid projects in collaboration with KISTI
Programs involved in KISTI supercomputing research
LCG/EGEE-related projects/programs in Korea

The person requesting and responsible for a certificate's private key is the subscriber. The term end entity is used to refer to the holder of the private key. For a person certificate it will be the subscriber, but for a host or service certificate the end entity may be some process running on a machine.

1.3.4. Applicability

Certificates issued by the KISTI GRID CA are to be used for grid security, generally with the various globus certificate related security tools, and PKI object signing and authentication. Certificates issued by the KISTI GRID CA is only valid in the context of Grid research activities of KISTI and other research and development activities listed in 1.3.3. Any other usage including financial transaction is strictly forbidden.

1.4. Certificate Usage [Content]

1.5. Policy Administration [Content]

1.5.1. Organization administering the document

1.5.2. Contact person

For inquiries regarding this document or the KISTI GRID PKI service in general, please contact:

Sangwan Kim
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0568
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or sangwan@kisti.re.kr

Soonwook Hwang
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0647
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or hwang@kisti.re.kr

1.5.3. Person determining CPS suitability for the policy

1.5.4. CPS approval procedures

Major changes must be approved by the KISTI GRID PMA.

1.6. Definitions and Acronyms [Content]

Certification authority (CA)
An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. The CA is responsible for the public key certificates during their whole lifetime, not just for issuing them.

CA certificate
A certificate for one CA's public key issued by another CA.

Certificate policy (CP)
A named set of rules that indicates the applicability of a certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

Certification path
An ordered sequence of certificates that, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.

Certification practice statement (CPS)
A statement of the practices that a certification authority employs in issuing certificates.

Certificate revocation list (CRL)
A time stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

Issuing certification authority (issuing CA)
The CA that issues the certificate (see also Subject certification authority).

Public key certificate (PKC)
A data structure containing the public key of an end entity and some other information, which is digitally signed with the private key of the CA that issued it.

Public Key Infrastructure (PKI)
The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public key cryptography.

Registration authority (RA)
An entity that is responsible for identification and authentication of certificate subjects but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA). The term Local Registration Authority (LRA) is used elsewhere for the same concept.

Relying party
A recipient of a certificate who acts in reliance on that certificate or on digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably. Subject certification authority (subject CA)
In the context of a particular CA-certificate, the subject CA is the CA whose public key is certified in the certificate.

2. Publication and Repository Responsibilities [Content]

2.1. Repositories [Content]

2.1.1. Publication of CA information

KISTI GRID CA publishes the following information through its online repository.

KISTI GRID CA's certificate
Certificates issued by the KISTI GRID CA
A CRL issued by KISTI GRID CA
KISTI GRID CA's signing policy
A copy of this Policy
Other information relevant to the KISTI GRID PKI

2.1.2. Frequency of Publication

Certificates must be published as soon as issued.
CRLs will be published as soon as issued or refreshed on scheduled update
All KISTI GRID PKI documents will be published to the online repository as they are updated.

2.1.3. Access controls

The online repository is available on a substantially 24/7 basis, subject to reasonable scheduled maintenance.
The KISTI GRID CA does not impose any access control on the information described in section 2.6.1.

2.1.4. Repositories

The KISTI GRID CA online repository is available at http://ca.gridcenter.or.kr/

2.2. Publication of certification information [Content]

Changes to this CP/CPS will be announced on the KISTI GRID PKI repository.

2.3. Time or frequency of publication [Content]

No stipulation yet.

2.4. Access controls on repositories [Content]

3. Identification and Authentication [Content]

3.1. Naming [Content]

3.1.1. Types of Names

Identification of certificates will be according to X.500 distinguished name. (RFC2459)

3.1.2. Name Meanings

The following table shows attribute values for name.
Both the Organization Name 3 and Common Name are decided based on the data provided by subscribers when requesting certificates.

attributes	meaning	value
countryName	Country name	KR
organizationName	Organization Name 1	KISTI
organizationName	Organization Name 2	GRID
organizationName	Organization Name 3	Based on application information
commonName	User name(client certificate)
commonName	Host name(server certificate)

3.1.3. Rules of interpreting various name forms

Identification will be according to the rule in the previous section[3.1.2].

3.1.4. Uniqueness of Names

The Distinguished Name(DN) must be assigned unique among certificates issued by the KISTI GRID CA.
If a subscriber request a certificate, the X.509 Distinguished Name(DN) of which collide with an existing certificates, the subscriber's certificate request must be rejected.

3.1.5. Name claim dispute resolution procedure

No Stipulation

3.1.6. Recognition, authentication and role trademarks

No Stipulation

3.1.7. Method to prove possession of private key

KISTI Grid CA confirms the possession of a private key by verification of the CSR signature.

3.1.8. Authentication of organization identity

If the name of an organization is requested to be part of subject name, the KISTI Grid CA may take steps to ascertain that the organization consent to such use.

3.2. Initial Identity Validation [Content]

User:

A person who requests a user certificate will be identified by in person interview with the RA. A work ID card with a photo image on it must be presented at the interview.

Host or Service certificate:

Requests must be signed with a valid KISTI GRID CA user certificate.

3.3. Identification and Authentication for Re-key Requests [Content]

Rekey before expiration of a certificate can be accomplished by sending a rekey request based on a new public key.
A rekey request for an existing certificate can be done by the subscriber through the online certificate request web site, which authenticate the subscriber's identity with the same method as during certificate application described section 4.1.
The old certificate after issueing a rekeyed certificate must be revoked within a week by the CA operator .

3.4. Identification and Authentication for Revocation Requests [Content]

Contact personally the KISTI GRID CA or an authorized RA in order to verify his/her identity and the validity of the request.

4. Certificate Life-Cycle Operational Requirements [Content] [RFC3647]

4.1. Certificate Application [Content] [RFC3647]

A user who requests a user certificate must have a face to face meeting with the RA and present a user application form to the RA.
The RA examines the request according to section 3.1.9.
Once the user is identified, the RA will give a PIN (Personal Identification Number) to him/her, having him/her write down the PIN on the application form, and finally put his/her signature on the user application form. The PIN is to be used later on as a key for the user to have access to the KISTI online certificate request web site through which the user is able to make an online certificate request.
The user will fax the application form to the CA.
Upon receipt of the application form, the KISTI GRID CA will have a contact with the RA who signed the application form, making sure that the RA has really signed it.
The CA can contact to the RA using telephone or signed email.
If the application form is approved, the KISTI GRID CA will inform the user of the fact that the application form has been approved by sending him a web-access client certificate (WACC) which gives him/her an authority to access the online certificate request web site.
Using the PIN given by the RA as a key, the user will be able to import the WACC in his/her web browser.
Once the WACC properly imported into his/her web browser, the user is able to access the online certificate request web site to make certificate request by an online procedure.
For the online procedure, the user should do the following:
- Visit the KISTI online certificate request web site.
- Upload a CSR (certificate signing request) which contains the public key that is to be generated by the user.
- Send the CA an e-mail to let the CA know that he/she has uploaded a CSR
- Wait for the certificate issuance
Subscribers can generate a CSR for user certificate using following means:
- Using OpenSSL or equivalent software
- Using CSR generation service provided by KISTI CA in the certificate request web site

4.2. Certificate Application Processing [Content] [RFC3647]

The KISTI GRID CA issues the certificate if, and only if, the authentication of the subject is successful.

4.3. Certificate Issuance [Content] [RFC3647]

Upon the receipt of CSR, KISTI CA operator will store the CSR in a memory stick and take it to the KISTI signing machine which is kept off-line as described in section 6.7,
The CA operator generates(issues) user certificate containing user public key with CA signature and hand-carrying it to the KISTI online CSR server.
A notification message is sent to the e-mail address of the subject with the instructions on how to download it from the KISTI online CSR server.
The user will be able to download his/her user certificate. For this secure HTTP connection is required.
If the authentication is unsuccessful, the certificate is not issued and an e-mail with the reason is sent to the subject.

4.4. Certificate Acceptance [Content] [RFC3647]

If the issued certificate has any problem, the subscriber should notify the CA that he can not accept the issued certificate with a proper reason within 7 days from issuance of the certificate.
Unaccepted certificate should be revoked and the certificate should be re-issued.

4.5. Key Pair and Certificate Usage [Content] [RFC3647]

KISTI GRID certificates may be used for any software for grid computing.
They could be used in other capacities, but the KISTI GRID CA does not recommend or warrant any other use of the certificates it signs.
The KISTI GRID CA root private key will only be used to sign CRLs and end entity certificates.

4.6. Certificate Renewal [Content] [RFC3647]

KISTI GRID CA does not support certificate renewal.

4.7. Certificate Re-key [Content] [RFC3647]

See section 3.3.

4.8. Certificate Modification [Content] [RFC3647]

No stipulation

4.9. Certificate Revocation and Suspension [Content] [RFC3647]

4.9.1. Circumstances for Revocation

A certificate must be revoked when information it contains is suspected to be incorrect or compromised. This includes situations where:

The subscriber's private key is compromised or is suspected to have been compromised.
The subscriber's information in the certificate is suspected to be inaccurate.
The subscriber is known to have violated his obligations.
The subscriber leaves his/her organization.
In case of host/service certificates, the corresponding host/service is retired.

4.4.2. Who Can Request Revocation

KISTI GRID CA will accept a revocation request made by

The certificate subscriber
KISTI GRID CA/RA
Any other entity presenting evidence of circumstances as described in section 4.4.1

4.9.3. Procedure for Revocation Req

Entities requesting revocation of a certificate must authenticate themselves in one of the following ways:

Sending an email, maybe signed by a valid and trusted certificate, to ca@gridcenter.or.kr, RA will contact the subscriber for confirmation.
In the other cases, authentication is performed with the same procedure used to authenticate the identity of person.

In both case above, the requesting entity must specify the reason for the revocation request and provide evidence of circumstances as described in section 4.4.1.

4.9.4. Revocation request grace period

CA will process revocation as soon as it receives the revocation request and the request is approved.
The revocation information will be published to the online repository.
During the revocation, a revocation notification is sent to the subscriber through the subscriber's email.

4.9.5. Circumstances for Suspension

KISTI GRID CA does not support Certificate Suspension.

4.9.6. CRL Issuance Frequency

The lifetime of the CRL is 30 days.
A new CRL is issued immediately after a revocation or at least 7 days before expiration.

4.10. Certificate Status Services [Content] [RFC3647]

No stipulation.

4.11. End of Subscription [Content] [RFC3647]

No stipulation.

4.12. Key Escrow and Recovery [Content] [RFC3647]

No stipulation.

5. Management, Operational, and Physical Controls [Content] [RFC3647]

5.1. Physical Security Controls [Content] [RFC3647]

The CA operates in a controlled environment, where access is restricted to authorized people.

5.1.1. Site Location

KISTI GRID PKI is located at Grid Technology Research Team, KISTI Supercomputing Center, Daejeon, Korea.

5.1.2. Physical Access

Physical access to the KISTI GRID CA machine is restricted to authorized personnel.
The KISTI Grid CA machines are:

running on dedicated machines.
located in a secure environment where access is controlled.
professionally managed.

5.1.3. Power and Air Conditioning

The CA signing machine and the CA web server are both protected by uninterruptible power supplies. Environment temperature in rooms containing CA related equipment is maintained at appropriate levels by suitable air conditioning systems.

5.1.4 Water exposures

No stipulation

5.1.5 Fire Prevention and Protectionr

The building housing the KISTI GRID CA facilities has a fire alarm system.

5.1.6 Media storage

The KISTI GRID CA key and backup copies of CA related information is securely kept in several removable storage media.

5.1.7 Waste Disposal

Wastes carrying potential confidential information such as old floppy disks are physically destroyed before being trashed.

5.1.8 Off-Site Backup

No off-site backups are currently performed.

5.2. Procedural Controls [Content] [RFC3647]

5.3. Personnel Security Controls [Content] [RFC3647]

All access to the servers and applications that comprise the KISTI GRID PKI is limited to KISTI GRID PKI security staffs.

5.3.1 Background Checks and Clearance Procedures for CA Personnel

CA personnel are recruited from the KISTI Supercomputing Center.

5.3.2 Background Checks and Security Procedures for Other Personnel

No other personnel is authorized to access KISTI GRID CA facilities without the physical presence of CA personnel.

5.3.3 Training Requirements and Procedures

Internal training is given to CA operators.

5.3.4 Training Period and Retraining Procedures

No Stipulation

5.3.5 Frequency and Sequence of Job Rotation

No stipulation.

5.3.6 Sanctions Against Personnel

No Stipulation.

5.3.7 Controls on Contracting Personnel

No Stipulation

5.3.8 Documentation Supplied to Personnel

- Copies of this document
- KISTI GRID CA Operations Manual

5.4. Audit Logging Procedures [Content] [RFC3647]

The KISTI Grid CA will retain records as much as possible so that the KISTI Grid CA could trace anything if something illegal would happen. Such audit information is not publicly available. Auditors are allowed to access the information as part of auditing and such information must be kept confidential.

5.4.1. Types of Events Recorded

Certification requests
Revocation requests
Issued certificates
Issued CRLs
shutdown/boot/reboot/login/logout/sudo logs of the CA machine and on-line request web server.
other logs archived by UNIX operating of the CA machine and RA server

5.4.2. Frequency of processing logs

No Stipulation.

5.4.3. Retention Period for Audit Logs

Logs will be kept for a minimum of 3 years.

5.5. Records Archival [Content] [RFC3647]

5.5.1. Types of Event Recorded

CA's records archival
- CA records all the types of events listed in section 4.5.1 in archived.
- In addition to that, email sent to/from ca@gridcenter.or.kr messages will be archived as well.
RA's records archival
- RA records all the types of events regarding user registration, certificate/revocation request including:
  - date of meeting with a subscriber
  - evidence of identity of a subscriber
  - email messages sent to/from the RA's email address.

5.5.2. Retention Period for Archive

The minimum retention period is 3 years.

5.5.3. Protection of Archive

System logs and email archives are protected by the authorization mechanism provided by Unix operating system. Only the owners of the system logs are able to modify the logs. System logs and email archives are periodically back-up to the offline media which is stored in a safe place.

5.5.4. Requirements for Time-Stamping of Records

All archived logs and documents are time stamped.

5.6. Key Changeover [Content] [RFC3647]

5.6.1. User Certificate Validity Date

A user certificates including host/service certificate will require renewal within its validity period, which will not exceed one year.

5.6.2. CA Certificate Validity Date

The CA will stop signing new user certificates by its private key before it is shorter than end-entity certificate.
CA certificate validity is 10 years.

5.7. Compromise and Disaster Recovery [Content] [RFC3647]

If it is detected that hardware, software or data are corrupted or damaged
- Recover the system by using backup hardware, software, or data as quickly as possible.
If a CA's private key is compromised or suspected to be compromised, the KISTI GRID CA will:
- Notify subscribers, RAs and relying parties.
- Terminate the certificates and CRLs distribution service for certificates/CRLs issued using the compromised private key.
- Create a new pair of key and re-build the CA system.

5.8. CA or RA Termination [Content] [RFC3647]

Before KISTI GRID CA terminates its services it will:

Make publicly available information of its termination.
Stop issuing certificates and CRLs.
Destroy its private key's and all copies.

6. Technical Security Controls [Content] [RFC3647]

6.1. Key Pair Generation and Installation [Content] [RFC3647]

6.1.1. Key Pair Generation

A CA key pair is generated by CA staff on a issueing machine which is not connected to any kind of network.
End entities' cryptographic keys are locally generated by their application during the requesting process.
KISTI GRID PKI does not generate private keys for subjects.

6.1.2. Private Key Delivery to Entity

The KISTI GRID CA does not generate end entities' private keys hence does not deliver private keys. User's private key could be generated by browser application in personal computer.

6.1.3. Public Key Delivery to Certificate Issuer

End entity will send its public key included in CSR at time of certificate request.

6.1.4. CA Public Key Delivery to Users

CA certificate will be published on the KISTI Grid PKI repository.

6.1.5. Key Sizes

The minimum key length for user or host/service certificate is 1024 bits.
The CA key length is 2048 bits.

6.1.6. Public Key Parameters Generation

No stipulation

6.1.7. Parameter Quality Checking

No stipulation

6.1.8. Hardware/Software Key Generation

It is defined in this document [6.1.1 key pair generation].

6.1.9. Key Usage Purposes

KISTI GRID CA private key is the only key used for signing CRLs and Certificates for persons, servers and services.

The Certificate key Usage field must be used in accordance with the ``Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 2459].

6.2. Private Key Protection and Cryptographic Module Engineering [Content] [RFC3647]

6.2.1. Private Key (n out of m) Multi person control

The CA's private key is not under (n out of m) multi-person control. But the KISTI GRID CA implements multi-person control for the access to the CA server as described in this document [5.1.2 Physical Access]. Backup copy of CA's private key is under (2 out of 3) multi-person control.

6.2.2. Private Key Escrow

Not supported.

6.2.3. Private Key Backup

The KISTI GRID private key backup is performed by CA operator and the two copies of backup key is kept encrypted in a CDROM and Memory stick respectively in a safe place where access is controlled.

6.2.4. Private Key Archival

The CA private key will not be archived.

6.3. Other Aspects of Key Pair Management [Content] [RFC3647]

The lifetime of KISTI GRID CA certificate is ten years.
The lifetime of user certificate is one year.
The lifetime of host certificate is one year.
The lifetime of service certificate is one year.

6.4. Activation Data [Content] [RFC3647]

The KISTI GRID CA's private key is protected by a pass phrase over 15 characters.
This pass phrase is only known by CA operators.
The pass phrase is in a sealed envelop kept in a safe place where access is controlled.
But the sealed envelop is kept separated from the backed private key.

6.5. Computer Security Controls [Content] [RFC3647]

6.5.1. Specific Security Technical Requirements

CA operating systems are maintained at a high level of security by applying all the relevant patches.
Monitoring is performed to detect unauthorized software changes.
CA systems configuration is reduced to the base minimum.
Both CA signing machine and web server machine are used for dedicated purpose respectively.

6.5.2. Computer Security Rating

No stipulation.

6.6. Life Cycle Security Controls [Content] [RFC3647]

No stipulation.

6.7. Network Security Controls [Content] [RFC3647]

The CA signing machine is kept off-line.
The CA web server machine is protected by a firewall.
The CA web server machine is a dedicated machine and no network service other than CA web server does not run on the server.
Appropriate software upgrade/patch of the CA web server is performed every 6 month or immediately if it is required.

6.8. Time-stamping [Content] [RFC3647]

No stipulation.

7. Certificate and CRL Profiles [Content] [RFC3647]

7.1. Certificate Profile [Content] [RFC3647]

7.1.1. Version Number

X.509 v3.

7.1.2. Certificate Extensions

CA Certificates:

X509v3 Basic Constraints: critical, CA:TRUE
X509v3 Key Usage: critical, Certificate Sign (keyCertSign), CRL Sign (cRLSign)
X509v3 Subject Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
~~X509v3 CRL Distribution Points: URI://ca.gridcenter.or.kr/CRL/~~
~~Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0~~

User Certificates:

X509v3 Basic Constraints: critical, CA:FALSE
X509v3 Key Usage: critical, Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, TLS Web Client Authentication(clientAuth)
X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
X509v3 CRL Distribution Points: URI://ca.gridcenter.or.kr/CRL/
Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0

Host Certificates:

X509v3 Basic Constraints: critical, CA:FALSE
X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Data Encipherment, Server Authentication, Client Authentication
X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
X509v3 CRL Distribution Points: URI://ca.gridcenter.or.kr/CRL/
Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0

7.1.3. Algorithm Object Identifiers

No stipulation

7.1.4. Name Forms

Issuer:
C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
User DN:
C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[the name of applicant]
Host DN:
C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[FQDN of the hostname]

7.1.5. Name Constraints

No Stipulation.

7.1.6 Certificate Policy Object Identifier

See section 1.2.

7.1.7 Usage of Policy Constraints Extensions

No Stipulation.

7.1.8 Policy Qualifier Syntax and Semantics

No Stipulation.

7.2. CRL Profile [Content] [RFC3647]

CRLs are signed by the KISTI GRID CA private key and are published in a web page.

7.2.1. Version number(s)

X.509 v2.

7.2.2. CRL and CRL Entry Extensions

No stipulation.

7.3. OCSP Profile [Content] [RFC3647]

No stipulation.

8. Compliance Audit and Other Assessment [Content] [RFC3647]

8.1. Frequency of Entity Compliance Audit [Content] [RFC3647]

The KISTI GRID CA will accept at least one external Compliance Audit per year. In addition, the KISTI GRID CA performs operational self-assessment of CA/RA staff at least once per year.

8.2. Identity/Qualifications of Auditor [Content]

The CA will be audited by the other cross-certifying CAs.

8.3. Assessor's relationship to assessed entity [Content]

It is desirable that the auditor is a third-party to this PKI system

8.4. Topics Covered by Audit [Content]

Audit items will be selected based on the WebTrust criteria and minimum CA requirements enacted by the APGridPMA. The Audit must cover both compliance audit and operational audit.

8.5. Actions Taken as a Result of Deficiency [Content]

The KISTI GRID CA has the responsibility for the action to be taken as a result of deficiency. When the KSITI GRID CA receives an audit report from the auditor, it will send a report on actions to the auditor within two weeks. The report must describe actions taken as a result of deficiency and their timetable.

8.6. Communications of Results Frequency of Entity Compliance [Content]

The result of the audit will be made available to members of any policy management authorities in which the KISTI GRID CA participates. It may make the results of the audit publicly available. The decision will be made by the KISTI GRID CA in case-by-case basis.

9. Other Business and Legal Matters [Content] [RFC3647]

9.1. Fees [Content] [RFC3647]

No fees are charged for any service provided by the KISTI GRID CA.

9.2. Financial Responsibility [Content] [RFC3647]

Accept no liability at all.

9.3. Confidentiality of Business Information [Content] [RFC3647]

KISTI GRID CA collects subscriber's full names and email addresses. Some of this information is used to construct unique, meaningful subject names in the issued certificates.
Information included in issued certificates and CRLs is not considered confidential.
KISTI GRID PKI does not collect any kind of confidential information.
KISTI GRID PKI does not have access to or generate the private keys of a digital signature key pair, such as those used in KISTI GRID identity certificates. These key pairs are generated and managed by the subscribers and are the sole responsibility of the subscribers.

9.4. Privacy of Personal Information [Content] [RFC3647]

No stipulation yet.

9.5. Intellectual Property Rights [Content] [RFC3647]

All certificate related data issued by KISTI GRID CA is not under any copyright or intellectual property protection.

9.6. Representations and Warranties [Content] [RFC3647]

No stipulation.

9.7. Disclaimers of Warranties [Content] [RFC3647]

No stipulation.

9.8. Limitations of Liability [Content] [RFC3647]

No stipulation.

9.9. Indemnities [Content] [RFC3647]

No stipulation.

9.10. Term and Termination [Content] [RFC3647]

No stipulation.

9.11. Individual notices and communications with participants [Content] [RFC3647]

No stipulation.

9.12. Amendments [Content] [RFC3647]

Users will not be warned in advance of changes to the KISTI GRID CA's policy and CPS.
Any revision of specification is made by KISTI Grid CA and it is approved by the APGridPMA.
Minor editorial changes to this document can be made without approval by the APGridPMA.
New OID will not be assigned to the revised document when minor changes would be made.
Major changes such as changes in policy or technical security controls need to be approved by the APGrid PMA. New OID will be assigned to the revised document for such major changes would be made.

9.13. Dispute Resolution Procedures [Content] [RFC3647]

No stipulation.

9.14. Governing Law [Content] [RFC3647]

KISTI GRID CA is subject to Korean law.

9.15. Compliance with Applicable Law [Content] [RFC3647]

No stipulation.

9.16. Miscellaneous Provisions [Content] [RFC3647]

No stipulation.

9.17. Other Provisions [Content] [RFC3647]

No stipulation.

2.1.1. CA Obligations

CA will:

Accept certification signing requests from entitled entities described in section 1.3.3.
Authenticate entities making the certification request in accordance with the procedures described in this document.
Issue certificates based on the requests from authenticated entities.
Notify the subscriber of the issuing of the certificate
Publish the issued certificates.
Accept revocation requests according to the procedures outlined in this document.
Authenticate entities requesting the revocation of a certificate.
Issue a Certificate Revocation List (CRL) according to the rule described in this document.
Publish the issued CRLs.
Create and manage the CA's private key in a secure environment.
Authorize RAs according to the procedures described in this document
Maintain an archive of all requests and confirmation in an auditable form

2.1.2. RA Obligations

RA will:

Authenticate the entity making certification and revocation request according to the procedures outlined in this document.
Maintain a record of authentication of entities for certification and revocation requests
~~Reconfirm the entities' identity and current employment status for a certificate renewal request when informed by CA.~~

2.1.3. Subscriber Obligations

In all cases, subscribers will be required to:

Read and adhere to the procedures published in this document.
Generate a key pair using a trustworthy method.
Take reasonable precautions to prevent any loss, disclosure or unauthorized use of the private key associated with the certificate, including:
- For person certificates
  - Selecting a pass phrase of at minimum 12 characters
  - Protecting the pass phrase from others
  - Always using the pass phrase to encrypt the stored private key
  - Never sharing the private key with other users
- For host/service certificates
  - Storing them encrypted whenever possible
  - Provide correct personal information and authorize the publication of the certificate.
  - Use the certificates for the permitted uses only.
Subscribers must request revocation of its certificate as soon as possible, but within one working day after detection of
- he/she lost or compromised the private key pertaining to the certificate,
- the data in the certificate are no longer valid.

2.1.4. Relying Party Obligations

Relying parties must:

Read and accept the policies and procedures published in this document.
Use the certificates for only the purposes that they are issued for.
Verify the certificates by double checking whether or not
- To have not been falsified
- To be within validity dates
- To have been revoked To be signed by a trusted CA

2.1.5. Repository Obligations

KISTI GRID CA will provide access to KISTI GRID CA information on its web site
The information includes CA certificate, signing policy, CRL, tools for generating certificate signing request and CP/CPS document.

2.2. Liability [Content]

KISTI GRID PKI issues person certificates according to the practices described in this document.
KISTI GRID PKI makes no guarantee about the security or suitability of a service that is identified by a KISTI GRID certificate.
The certification service is run with a reasonable level of security, but it is provided on a best effort only basis.
It does not warrant its procedures and it will take no responsibility for problems arising from its operation, or for the use made of the certificates it provides.
KISTI GRID PKI denies any financial or any other kind of responsibility for damages or impairments resulting from its operation.

2.3. Financial Responsibility [Content]

3.3. Rekey After Revocation [Content] [RFC3647]

Rekey after expiration or revocation of a certificate follows the same authentication procedures as for a new certificate.