1.3.1. Certification Authority

The KISTI GRID CA does not issue certificates to subordinate certification authorities.

1.3.2. Registration Authorities

The KISTI GRID CA delegates the authentication of individual identity to Registration Authorities (RA). RAs must sign an agreement with the KISTI GRID CA, stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS. The following is the KISTI GRID RA registration procedure:

• RA candidate must accept the CP/CPS and agree to all RA responsibilities.
• RA candidate must be an employee of the institution or organization and provide work ID or proof of work.
• Complete the RA application form and fax it to KISTI GRID CA.
• Send a verification e-mail to KISTI GRID CA.
• KISTI GRID CA will then arrange face-to-face or web-conference meeting with the RA candidate.
• After completing the request, KISTI GRID CA will publish the RA contact information on KISTI GRID CA website.

1.3.3. Subscribers (End Entities)

The KISTI GRID PKI issues person, host and service certificates to members of KISTI and other individuals working on

• Grid projects in collaboration with KISTI
• Programs involved in KISTI supercomputing research
• LCG/EGEE-related projects/programs in Korea
• International or domestic collaboration in Grid computing area

The person requesting and responsible for a certificate's private key is the subscriber. The term end entity is used to refer to the holder of the private key. For a person certificate it will be the subscriber, but for a host or service certificate the end entity may be some process running on a machine.

1.3.4 Relying parties

KISTI GRID CA's relying parties includes the following:
- Employees of KISTI or research institutes in Korea
- Employees of international research institutes which collaborate with KISTI in Grid computing area.
- Resource-sharing organizations with KISTI Supercomputing Center

Relying parties' obligations are as follows:
- Must read the procedures published by the KISTI GRID CA.
- Must use the certificates for the permitted uses only.
- Must notify KISTI GRID CA of any security incidents. (Notification shall occur within the first 12 hours of initial knowledge of incident.)
- May verify that the certificate is not on the CRL before validating a certificate.

1.3.5 Other participants

No stipulation.

1.4.1. Appropriate certificate uses

• Information publication
• Application work-flow
• Grid middleware

1.4.2. Prohibited certificate uses

• Electronic commerce.
• Any application requiring fail-safe performance, including those associated with, but not limited to:
  • The operation of nuclear facilities;
  • Air traffic control systems;
  • Aircraft navigation systems;
  • Hospital life support systems;
  • Municipal water treatment plants;
  • Weapons control systems; or
  • Any other system whose failure could lead to injury, death, damage to property or environmental damage.
• Transactions where applicable law prohibits the use of digital signatures for such transactions or where otherwise prohibited by law; or
• Unless supported by other appropriate security mechanisms and procedural safeguards, the protection of:
  • Information that, if compromised, could cause extremely grave injury outside the national interest; or
  • Classified information.

1.5.1. Organization administering the document

KISTI GRID CA is managed by Grid Technology Research Team, KISTI.

1.5.2. Contact person

For inquiries regarding this document or the KISTI GRID PKI service in general, please contact:

Sangwan Kim
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0568
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or sangwan@kisti.re.kr

Soonwook Hwang
Grid Technology Research Team, KISTI
305-806 Eoeun-dong 52, Yusung-gu, Daejeon, Korea
Phone: +82-42-869-0647
Fax: +82-42-869-0599
Email: ca@gridcenter.or.kr or hwang@kisti.re.kr

1.5.3. Person determining CPS suitability for the policy

See Section 1.5.2.

1.5.4. CPS approval procedures

The KISTI GRID CA is responsible for the CP and CPS.
For the global grid collaboration, KISTI GRID CA is a member of APGrid PMA and IGTF.
Major changes must be approved by the APGrid PMA community.
Minor changes can be done by KISTI GRID CA staff, and should be notified through the APGrid PMA mailing list.

3.1.1. Types of names

Identification of certificates will be according to X.500 distinguished name. (RFC2459)
The DN must be in the form of a X.501 printable string and must not be blank.

The following table shows attribute values for name.
Both the Organization Name 3 and Common Name are decided based on the data provided by subscribers when requesting certificates.

3.1.2. Need for names to be meaningful

The Subject Name in a certificate MUST have a reasonable association with the End Entity.

3.1.3. Anonymity or pseudonymity of subscribers

The subscribers can not be anonymous or pseudonymous.

3.1.4. Rules for interpreting various name forms

See Section 3.1.1.

3.1.5. Uniqueness of names

• The Distinguished Name(DN) must be assigned unique among certificates issued by the KISTI GRID CA.
• If a subscriber request a certificate, the X.509 Distinguished Name(DN) of which collide with an existing certificates, the subscriber's certificate request must be rejected.
• The CA reserves the right to make decisions regarding Entity names in all assigned certificates. A party requesting a certificate may be required to demonstrate its right to use a particular name.
• Where there is a dispute about a name in a repository not under its control, the CA shall ensure in its agreement with that repository that the repository has a name claim dispute resolution procedure.

3.1.6. Recognition, authentication, and role of trademarks

No Stipulation

3.1.6. Recognition, authentication and role trademarks

No Stipulation

3.2.1. Method to prove possession of private key

KISTI Grid CA confirms the possession of a private key by verification of the CSR signature.

3.2.2. Authentication of organization identity

The KISTI GRID CA verifies the identity of organizations by checking that the organization is known to the grid computing communities.

3.2.3. Authentication of individual identity

• User: A person who requests a user certificate will be identified by in person interview with the RA. A work ID card with a photo image on it must be presented at the interview.
• Host or Service certificate: Requests must be authorized as a legal subscriber of the CA.

3.2.4. Non-verified subscriber information

No Stipulation

3.2.5. Validation of authority

No Stipulation

3.2.6. Criteria for interoperation

No Stipulation

3.3.1. Identification and authentication for routine re-key

Rekey after revocation follows the same rules as an initial registration.

KISTI GRID CA does not support routine re-key or key change over.

3.3.2. Identification and authentication for re-key after revocation

Rekey after revocation follows the same rules as an initial registration.

4.2.1. Performing identification and authentication functions

KISTI GRID CA ensures that the followins in the enrollment process and certificate application process:
In the enrollment process, the CA checks if
- the application form is correct; and
- the PIN number in the application form is correspond with the RA's generated number in the previous section; and
- the RA examined the subscriber in a face-to-face meeting or an equivalent inspection process, if required.

In the certificate application process, the CA checks if
- the certificate request is done in accordance with the process in this document especially in the section 4.1.
- the certificate request subject name has correct format; and
- the key length of the certificate request meets the requirement.

4.2.2. Approval or rejection of certificate applications

- The issuance of a certificate by the CA indicates a complete and final approval of the certificate application by the CA.
- If any condition specified in section 4.2.1 is not be satisfied, the certificate application is rejected and the CA notifies to the subscriber with the reson of the rejection.

4.2.3. Time to process certificate applications

- The CA should process the certificate application within 1 working day from the recognition of the certificate request.

4.7.1. Circumstance for certificate re-key

Generally, certificate re-key can or must take place in cases such as:
(case 1) after a certificate is revoked for reasons of key compromise; or
(case 2) after a certificate has expired and the usage period of the key pair has also expired

4.7.2. Who may request certification of a new public key

In KISTI GRID CA, if a certificate is revoked for reasons of key compromise (case 1 in section 4.7.1), the certificate must be revoked and the subscriber of the certificate should follow the enrollment process (of section 4.1) to get a new certificate.
If a certificate has expired and the usage period of the key pair has also expired (case 2 in section 4.7.1), the certificate must be revoked and the subscriber of the certificate should follow the certificate application process (of section 4.1) to get a new certificate.

4.7.3. Processing certificate re-keying requests

The process of re-key request processing is basically the same as the initial certificate application of section 4.1.

The re-key request processing includes the following:
- notification of new certificate issuance
- acceptance of a re-keyed certificate by the subscriber
- publication of the re-keyed certificate by the CA
- notification of certificate issuance by the CA to other entities

4.7.4. Notification of new certificate issuance to subscriber

Covered in section 4.7.3.

4.7.5. Conduct constituting acceptance of a re-keyed certificate

Covered in section 4.7.3.

4.7.6. Publication of the re-keyed certificate by the CA

Covered in section 4.7.3.

4.7.7. Notification of certificate issuance by the CA to other entities

Covered in section 4.7.3.

4.9.1. Circumstances for revocation

A certificate must be revoked when information it contains is suspected to be incorrect or compromised. This includes situations where:

• The subscriber's private key is compromised or is suspected to have been compromised.
• The subscriber's information in the certificate is suspected to be inaccurate.
• The subscriber is known to have violated his obligations.
• The subscriber leaves his/her organization.
• In case of host/service certificates, the corresponding host/service is retired.

4.9.2. Who Can Request Revocation

KISTI GRID CA will accept a revocation request made by

• The certificate subscriber
• KISTI GRID CA/RA
• Any other entity presenting evidence of circumstances as described in section 4.4.1

4.9.3. Procedure for Revocation Request

Entities requesting revocation of a certificate must authenticate themselves in one of the following ways:

• Sending an email, maybe signed by a valid and trusted certificate, to ca@gridcenter.or.kr, RA will contact the subscriber for confirmation.
• In the other cases, authentication is performed with the same procedure used to authenticate the identity of person.

In both case above, the requesting entity must specify the reason for the revocation request and provide evidence of circumstances as described in section 4.4.1.

4.9.4. Revocation request grace period

• CA will process revocation as soon as it receives the revocation request and the request is approved.
• The revocation information will be published to the online repository.
• During the revocation, a revocation notification is sent to the subscriber through the subscriber's email.

4.9.5. Time within which CA must process the revocation request

The CA should process the certificate revocation request within 1 working day from the recognition of the request.

4.9.6. Revocation checking requirement for relying parties

No stipulation.

4.9.7. CRL Issuance Frequency (if applicable)

• The lifetime of the CRL is 30 days.
  
• A new CRL is issued immediately after a revocation or at least 7 days before expiration.

4.9.8. Maximum latency for CRLs (if applicable)

- CRLs must be published in the repository after generation as soon as possible.
- In KISTI GRID CA, the maximum latency between the generation of CRLs and posting of the CRLs to the repository is 1 hour.

4.9.9. On-line revocation/status checking availability

KISTI GRID PKI system does not provides any online status checking facility.

4.9.10. On-line revocation checking requirements

KISTI GRID PKI system does not provides any online status checking facility.

4.9.11. Other forms of revocation advertisements available

No stipulation.

4.9.12. Special requirements re key compromise

No stipulation.

4.9.13. Circumstances for suspension

KISTI GRID CA does not support Certificate Suspension.

4.9.14. Who can request suspension

KISTI GRID CA does not support Certificate Suspension.

4.9.15. Procedure for suspension request

KISTI GRID CA does not support Certificate Suspension.

4.9.16. Limits on suspension period

KISTI GRID CA does not support Certificate Suspension.

5.1.1. Site location and construction

KISTI GRID PKI is located at Grid Technology Research Team, KISTI at Daejeon, Korea.

5.1.2. Physical access

Physical access to the KISTI GRID CA machine is restricted to authorized personnel.
The KISTI Grid CA machines (both the issueing machine and the public web server) are:

• running on dedicated machines.
• located in a secure environment where access is controlled.
• professionally managed.

5.1.3. Power and air conditioning

The CA signing machine and the CA web server are both protected by uninterruptible power supplies. Environment temperature in rooms containing CA related equipment is maintained at appropriate levels by suitable air conditioning systems.

5.1.4. Water exposures

The CA shall ensure that the CA system is adequately protected from water exposures.

5.1.5. Fire prevention and protectionr

The building housing the KISTI GRID CA facilities has a fire alarm system.
The CA shall ensure that the CA system is adequately protected from fire by a fire suppression system.

5.1.6. Media storage

The KISTI GRID CA key and backup copies of CA related information is securely kept in several removable storage media.

5.1.7. Waste disposal

The CA shall ensure that all media containing sensitive information is sanitized, to remove information such that data recovery is not possible, or destroyed before release for disposal. CA personnel shall account for the destruction of sensitive information.

5.1.8. Off-site backup

In KISTI GRID CA, No off-site backups are currently performed.

5.2.1. Trusted roles

• SYSTEM ADMINISTRATOR has full control over the CA server and software.
  
• CERTIFICATE AUTHORITY OPERATOR can manage all certificates, requests and cryptographic data including CA private key. CAO is contact point for subscribers about CA operation.
  
• REGISTRATION AUTHORITY OPERATOR examines subscriber's information and checks the trust of the subscriber in belalf of certificate authority.
  
• SYSTEM AUDITOR have read-only access to all components of the PKI system to verify the operation complies with the rules and regulations of this CP/CPS.
  

5.2.2. Number of persons required per task

For operation of KISTI GRID PKI, the number of persons required for the roles is:

• SYSTEM ADMINISTRATOR: 1 person or more.
  
• CERTIFICATE AUTHORITY OPERATOR: 2 persons or more for back-up each other.
  
• REGISTRATION AUTHORITY OPERATOR: 1 person or more for each RA site.
  
• SYSTEM AUDITOR: 1 person or more.
  

5.2.3. Identification and authentication for each role

In KISTI GRID PKI, on-line and/or off-line system will identify and authenticate the operator when the staff operates the system.

5.2.4. Roles requiring separation of duties

- SYSTEM AUDITOR may not be a SYSTEM ADMINISTRATOR, or CERTIFICATE AUTHORITY OPERATOR.

5.3.1. Qualifications, experience, and clearance requirements

The CA shall ensure that all staff performing CA and RA functions possess the necessary knowledge, experience and qualifications to perform their duties.

5.3.2. Background check procedures

CA personnel must be a formal member of KISTI.

5.3.3. Training requirements

The CA shall ensure that all personnel receive appropriate training. Such training shall address relevant topics such as security requirements, operational responsibilities and associated procedures.

5.3.4. Retraining frequency and requirements

The CA shall review and update its training program at least once a year to accommodate changes in the CA system.

5.3.5. Job rotation frequency and sequence

No stipulation.

5.3.6. Sanctions for unauthorized actions

In the event of actual or suspected unauthorized actions by a person performing duties with respect to the operation of the CA or an RA, the CA shall suspend his or her access to the CA system.

5.3.7. Independent contractor requirements

The CA shall ensure that contract personnel satisfy the same personnel security requirements with respect to appointment, training and background checks as those applicable to CA employees.

5.3.8. Documentation supplied to personnel

The CA shall provide these Certificate Policies, relevant provisions of the CPS, as well as any specific statutes, policies or contracts relevant to their positions to CA personnel, RAs and Client Responsible Individuals.

5.4.1. Types of events recorded

• Certification requests
  
• Revocation requests
  
• Issued certificates
  
• Issued CRLs
  
• shutdown/boot/reboot/login/logout/sudo logs of the CA machine and on-line request web server.
• other logs archived by UNIX operating of the CA machine and RA server

5.4.2. Frequency of processing log

The CA shall ensure that all significant events are explained in an audit log summary and that CA personnel review audit logs at least once every month. Such reviews involve verifying that the log has not been tampered with, and then inspecting all log entries. CA personnel shall conduct a more thorough investigation of any "alerts" or irregularities in the logs. The CA shall indicate who has responsibility for audit log review and audit log summary preparation in the CPS.

5.4.3. Retention period for audit log

The CA shall retain its audit logs on site for at least two(2) months and subsequently retain audit logs in the manner described in Section 5.5.

5.4.4. Protection of audit log

The CA shall protect the electronic audit log system and audit information captured electronically or manually from unauthorized viewing, modification, deletion or destruction.

5.4.5. Audit log backup procedures

The CA shall back up or copy all audit logs and audit summaries.

5.4.6. Audit collection system (internal vs. external)

No stipulation.

5.4.7. Notification to event-causing subject

No stipulation.

5.4.8. Vulnerability assessments

No stipulation.

5.5.1. Types of records archived

5.5.2. Retention period for archive

Certificates and CRLs generated by the CA, must be retained for at least 2 years after their expiration, and;
The minimum retention period is 3 years.

5.5.3. Protection of archive

System logs and email archives are protected by the authorization mechanism provided by Unix operating system. Only the owners of the system logs are able to modify the logs. System logs and email archives are periodically back-up to the offline media which is stored in a safe place.

5.5.4. Archive backup procedures

A second copy of all material retained or backed up must be stored in readonly media like CD-ROM.
The second copy must be protected either by physical security alone, or a combination of physical and cryptographic protection.

5.5.5. Requirements for time-stamping of records

All archived logs and documents are time stamped.

5.5.6. Archive collection system (internal or external)

No stipulation.

5.5.7. Procedures to obtain and verify archive information

No stipulation.

6.1.1. Key pair generation

• A CA key pair is generated by CA staff on a signing machine which is not connected to any kind of network.
• End entities' cryptographic keys are locally generated by their application during the requesting process.
• KISTI GRID PKI does not generate private keys for subjects.

6.1.2. Private key delivery to subscriber

The KISTI GRID CA does not generate end entities' private keys hence does not deliver private keys. User's private key could be generated by browser application in personal computer.

6.1.3. Public key delivery to certificate issuer

End entity will send its public key included in CSR at time of certificate request.

6.1.4. CA public key delivery to relying parties

CA certificate will be published on the KISTI Grid PKI repository.

6.1.5. Key sizes

• The minimum key length for user or host/service certificate is 1024 bits.
  
• The CA key length is 2048 bits.
  

6.1.6. Public key parameters generation and quality checking

No stipulation

6.1.7. Key usage purposes(as per X.509 v3 key usage field)

KISTI GRID CA private key is the only key used for signing CRLs and Certificates for persons, servers and services.

The Certificate key Usage field must be used in accordance with the ``Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 2459].

6.2.1. Cryptographic module standards and controls

KISTI GRID CA do not use any hardware security module.

6.2.2. Private key (n out of m) multi person control

In KISTI GRID CA system, (n out of m) multi-person control is not supported.
The CA's private key is shared between 2 CA staffs.

6.2.3. Private key escrow

Not supported.

6.2.4. Private key backup

The KISTI GRID private key backup is performed by CA operator and the two copies of backup key is kept encrypted in a CDROM and Memory stick respectively in a safe place where access is controlled.

6.2.5. Private key archival

6.2.6. Private key transfer into or from a cryptographic module

No stipulation.

6.2.7. Private key storage on cryptographic module

No stipulation.

6.2.8. Method of activating private key

6.2.9. Method of deactivating private key

No stipulation.

6.2.10. Method of destroying private key

No stipulation.

6.2.11. Cryptographic Module Rating

No stipulation.

6.3.1. Public key archival

The CA shall retain all public key certificates it generates.

6.3.2. Certificate operational periods and key pair usage periods

• The lifetime of KISTI GRID CA certificate is ten years.
• The lifetime of user certificate is one year.
• The lifetime of host certificate is one year.

6.5.1. Specific computer security technical requirements

• CA operating systems are maintained at a high level of security by applying all the relevant patches.
  
• Monitoring is performed to detect unauthorized software changes.
  
• CA systems configuration is reduced to the base minimum.
  
• Both CA signing machine and web server machine are used for dedicated purpose respectively.

6.5.2. Computer security rating

No stipulation.

7.1.1. Version number(s)

X.509 v3.

7.1.2. Certificate extensions

CA Certificates:

• X509v3 Basic Constraints: critical, CA:TRUE
• X509v3 Key Usage: critical, Certificate Sign (keyCertSign), CRL Sign (cRLSign)
• X509v3 Subject Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
• X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/

User Certificates:

• X509v3 Basic Constraints: critical, CA:FALSE
• X509v3 Key Usage: critical, Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, TLS Web Client Authentication(clientAuth)
• X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
• X509v3 CRL Distribution Points: URI://ca.gridcenter.or.kr/CRL/
• Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0

Host Certificates:

• X509v3 Basic Constraints: critical, CA:FALSE
• X509v3 Key Usage: critical, Digital Signature, Key Encipherment, Data Encipherment, Server Authentication, Client Authentication
• X509v3 Issuer Alternative Name: email:ca@gridcenter.or.kr, URI:http://ca.gridcenter.or.kr/
• X509v3 CRL Distribution Points: URI://ca.gridcenter.or.kr/CRL/
• Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0

7.1.3. Algorithm object identifiers

No stipulation

7.1.4. Name forms

• Issuer:
  C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
  
• User DN:
  C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[the name of applicant]
  
• Host DN:
  C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[FQDN of the hostname]
  

7.1.5. Name constraints

No Stipulation.

7.1.6 Certificate policy object identifier

7.1.7 Usage of policy constraints extensions

No Stipulation.

7.1.8 Policy qualifier syntax and eemantics

No Stipulation.

7.1.9. Processing semantics for the critical Certificate Policies extension

No Stipulation.

7.2.1. Version number(s)

X.509 v2.

7.2.2. CRL and CRL entry extensions

No stipulation.

7.3.1. Version number(s)

No stipulation.

7.3.2. OCSP extensions

No stipulation.

9.10.1. Term

This CP/CPS is valid and enforceable from the time of accreditation by APGrid PMA.

9.10.2. Termination

This CP/CPS terminates in the following cases:
- CA certificate expires
- CA terminates its service
- A new version of CP/CPS is accreditated.

9.10.3. Effect of termination and survival

No stipulation.