Karolinska Institutet CA CPS 2003-05-28 Version 1.0
Certificate Practice Statement (CPS) for Karolinska Institutet CA
Revision history:
Version Date Comment
1.0 2003-05-28 Initial release
1 Introduction
This is the Certificate Practice Statement (CPS) for Karolinska Institutet CA. It states the practices the CA
employs in issuing and managing certificates. The CPS outlines the technical, procedural and personnel
policies and practices of Karolinska Institutet CA. The numbering of chapters and sections is the same as in
the SwUPKI CP, see below. Only the sections where practices are added are present in the CPS.
1.2 Identification
This is the CPS of the Karolinska Institutet CA, a member of SwUPKI (Swedish Universities' and University
Colleges' Public Key Infrastructure). The CPS has been approved by the PMA of SwUPKI on 2003-05-28.
The CPS is published at URL: http://ca.ki.se/CPS
As a member of SwUPKI, the Karolinska Institutet CA is operating in compliance with the CP of SwUPKI:
Certificate Policy Name: SwUPKISoftSignCert-1
Object Identifier: {iso(1) member-body(2) se(752) stockholms universitet(43) swupki(2) policies(1)
swupkisoftsigncert(1) swupkisoftsigncert-1(1)}
This policy is published at URL: http://www.swupki.su.se/CP
1.3.4 Repositories
See 2.6.
1.3.5 Sponsors
Karolinska Institutet is the Sponsor of certificates issued by Karolinska Institutet CA.
1.4 Contact Details
Questions regarding this CPS should be addressed to:
Karolinska Institutet
Karolinska Institutet CA/IT Center
von Eulers väg 4
SE 171 77 Stockholm
Sverige
or ca@ki.se
Further information can be found at URL: http://ca.ki.se/.
2 General Provisions
2.1.4 Subscriber Obligations
The Subscriber Agreement is included as an Appendix and can be found at the CA web site http://ca.ki.se.
2.6 Publication and Repository
The Karolinska Institutet CA web site is: http://ca.ki.se
The CRL repository contains X.509 version two (2) CRLs in accordance with the PKIX “Internet X.509
Public Key Infrastructure Certificate and CRL Profile” [RFC2459] in {DER,PEM} format on
http://ca.ki.se/CRL/
3 Identification and Authentication
3.1.2 Need for Names to Be Meaningful
The commonName component is included in the DN and shall be the official name of the organisation in
English.
The name of the CA certificate shall be:
C=SE, O=Karolinska Institutet, CN=Karolinska Institutet CA
For other certificates the name structure shall be:
C=SE, O=Karolinska Institutet, CN=official certificate name.
If the certificate is a server certificate the CN is the DNS name for the server.
If the certificate is a personal certificate the CN is the unique uid of the person in the central
personnel/student uid at Karolinska Institutet.
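The naming rules above can be checked mechanically when auditing issued subjects. The following is an added example, not part of the CPS or of the CA's own tooling; it assumes the subject is available as a comma-separated string in the form shown above, that attribute order matters, that a DNS name is a fully qualified host name, and that a uid is a single token without whitespace. The function names and sample subjects are constructed for illustration.

```python
import re

# Fixed leading attributes that section 3.1.2 gives for every certificate.
REQUIRED_PREFIX = [("C", "SE"), ("O", "Karolinska Institutet")]
CA_CN = "Karolinska Institutet CA"
# Assumption: "DNS name" means a fully qualified host name made of LDH labels.
DNS_NAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_dn(dn):
    """Split 'C=SE, O=..., CN=...' into (type, value) pairs; '\\,' is a literal comma."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        # A part without '=' yields its whole text as the type and is rejected below.
        key, _, value = part.strip().partition("=")
        rdns.append((key.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def check_subject(dn, kind):
    """Return the list of 3.1.2 violations for a subject DN (empty list: conforms)."""
    if kind not in ("ca", "server", "personal"):
        raise ValueError(f"unknown certificate kind: {kind!r}")
    rdns = parse_dn(dn)
    types = [t for t, _ in rdns]
    # Assumption: exactly these three attributes, in the order the CPS writes them.
    if types != ["C", "O", "CN"]:
        return [f"expected C, O, CN in that order, got {types}"]
    problems = []
    if rdns[:2] != REQUIRED_PREFIX:
        problems.append("C and O must be C=SE, O=Karolinska Institutet")
    cn = rdns[2][1]
    if kind == "ca" and cn != CA_CN:
        problems.append(f"CA certificate CN must be {CA_CN!r}")
    elif kind == "server" and not DNS_NAME.match(cn):
        problems.append(f"server CN {cn!r} is not a DNS name")
    elif kind == "personal" and not re.fullmatch(r"\S+", cn):
        problems.append(f"personal CN {cn!r} is not a single uid token")
    return problems

# Constructed sample subjects (not taken from real certificates).
SAMPLES = [
    ("C=SE, O=Karolinska Institutet, CN=Karolinska Institutet CA", "ca"),
    ("C=SE, O=Karolinska Institutet, CN=server1.example.ki.se", "server"),
    ("C=SE, O=Karolinska Institutet, CN=Web Server 1", "server"),
]
if __name__ == "__main__":
    for dn, kind in SAMPLES:
        print(kind, "|", dn, "|", check_subject(dn, kind) or "OK")
```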
3.1.7 Method to Prove Possession of Private Key
The generation of the private key for CA certificates is done or supervised by the Karolinska Institutet CA
representatives; other certificates require a PKCS #10 request to prove the possession of the private key.
3.2 Authentication for Routine Renewal of Certificates
An online renewal request shall be signed by the Subscriber's valid private key. It is then received and reviewed
by the Karolinska Institutet CA. The renewal request is signed by the Karolinska Institutet CA and published
on the web site. If the renewal request isn't made online, the routines for signing the renewal request are the
same as for subscribing for a certificate.
3.4 Authentication of Revocation Request
The revocation of certificates may be conducted after communication with the Karolinska Institutet CA, the
Subscriber, CAO or CASO. The revocation request shall be either:
• Written request (paper).
• Trusted electronic request (PKCS #7).
• Other trusted communications.
A CAO must authenticate a request for revocation of a certificate. When receiving a non-signed revocation
request (e.g. a telephone call), steps to ensure the identity of the person requesting the revocation must be taken.
Revocation can be requested by the owner of the certificate or by the head of the department (prefekt or
equivalent).
4 Operational Requirements
4.1 Application for a Certificate
Information about what is required to join the Karolinska Institutet CA, which is based on the SwUPKI PKIX,
can be found at:
http://ca.ki.se/
A certificate application form including a subscriber agreement will be published on the Karolinska Institutet
CA web site.
This form, together with a PKCS #10 certificate request on removable media, shall be delivered to the CAO.
The CAO shall print the electronic request and after verification of consistency on the printed request note all
requirements as specified in CP 4.1.
For a server, the subscriber must have a written authorization from the head of the department (prefekt or
equivalent).
The identity of the sponsor and subscriber must be verified using an approved and valid photo-id.
The subscriber agreement shall include:
• Agreement to publish certificate.
• Consent to gather information.
4.4.4 Revocation Request Grace Period
The revocation shall be done within 2 (two) workdays. Any other action taken as a result of a request for
revocation of a certificate must be initiated within the same time limit.
4.4.7 CSS Publishing Frequency
If a certificate is revoked, the on-line CRL shall be updated during the same work day.
4.5.1 Types of Event Recorded
The Karolinska Institutet CA personnel shall log the following in a manual log:
• Access to the CA machine: Who, why and what.
In addition to this, standard machine logs (syslog, messages) shall be kept.
4.5.2 Frequency of Processing Audit Log
The CASA shall periodically review the audit logs and note significant events in an audit log summary.
4.5.6 Audit Collection System
See 4.5.1
4.6 Records archival
The second backup mentioned in CP 4.6 is kept on removable media in a separate location. They are put in a
safe, whose key is kept by CAO #1, #3 and #5.
4.8.2 Entity Public Certificate Is Revoked
In the event of Karolinska Institutet CA private key compromise, or suspected compromise, the Karolinska
Institutet CA operators must try to contact the PCA and subscribers with any possible means until contact is
reached.
In the case of revocation of the Karolinska Institutet CA certificate, the following steps must be taken:
1. Inform the PCA and ensure that the CA certificate is included in the PCA CRL.
2. Inform all Karolinska Institutet CA subscribers using individual and group emails.
3. Publish information about the revocation on http://ca.ki.se
4. Contact subscribers via phone/voicemail if necessary.
5 Physical, Procedural and Personnel Security
5.1.1 & 5.1.2 Site Location, Construction and Physical Access
The CA system consists of removable media and uses openssl to manage the certificates and the private
key.
The Karolinska Institutet CA private key will be stored on removable media.
The Karolinska Institutet CA system is placed in a safe and the Karolinska Institutet CA private key is placed
in a different safe in the Karolinska Institutet's IT Center office. Access to this office is restricted to selected
staff members of IT Center at KI. Furthermore, access to both safes is restricted to only a few selected staff
members.
When not in use the private key will be kept in its safe. Access to this safe is restricted only to CAO #1, CAO
#3 and CAO #5. Access to the key is logged by them. The key to this safe is kept by CAO #1, CAO #3 and
CAO #5.
Access to the safe containing the KI CA system is restricted only to CAO #2, CAO #4 or CAO #6. Access to
the CA system is logged by them. The key to this safe is kept by CAO #2, CAO #4 and CAO #6.
The password to the Karolinska Institutet CA private key is divided into two parts. The first part is kept safely
by CAO #1, #3 and #5. The second part is kept safely by CAO #2, #4 and #6.
The Karolinska Institutet CA web site is placed in a machine connected to the network and located in
Karolinska Institutet computer hall. It will be monitored for intrusion attempts and misuse by staff and
programs. The Karolinska Institutet CA web site is placed on a computer running a web server. The server
running the web site is secured by Karolinska Institutet CASA and only accessed by authorized personnel.
5.2.2 Number of Persons Required per Task
CASO: 1
CAO: 6
The CAOs will be numbered #1, #2, #3, #4, #5 and #6.
The password to the Karolinska Institutet CA private key is divided in two parts. CAO #1, CAO #3
and CAO #5 are in possession of the first part and CAO #2, CAO #4 and CAO #6 are in possession of the
second part.
CASA: 2
5.3.1 Background, Qualifications, Experience, and Clearance Requirements
The person administrating and operating the Karolinska Institutet CA site must be an employee of Karolinska
Institutet. The person must also have earned the trust of, and be loyal to, Karolinska Institutet.
6 Technical Security Controls
6.2.2 CA Private Signing Key
The Karolinska Institutet CA private key will be stored on removable media and kept in a locked safe while
not in use. Access to the Karolinska Institutet CA private key must be logged.
See section 5.1.1 and 5.1.2.
6.5.1 Specific Computer Security Technical Requirements
See section 6.2.1.
The removable media containing the CA system has restricted access and one has to be one of the
Karolinska Institutet CAOs to be able to access the system. The signing private key is stored elsewhere in a
safe and can only be accessed by Karolinska Institutet CAOs. The access to the keys is logged in a logbook.
Two persons, one of CAO #1, CAO #3 or CAO #5 and one of CAO #2, CAO #4 or CAO #6, must be present and
participate in using the private key and log the event in an audit log.
6.7 Network Security Controls
The Karolinska Institutet CA system is not connected to the network.
6.9 Life-Cycle Security Assurance
The installed software on the Karolinska Institutet Certificate Management System and the configuration files
are verified on every login.
Appendix: CA Personnel
CASO: Hans Nordlöf
CAO: #1 Hans Nordlöf
#2 Johanna Hellman
#3 Tobias Persson
#4 Jonas Vreintaal
#5 Martin Pousette
#6 Tobias Person
CASA: #1 Thore Olausson
#2 Lena Fors
Appendix: Subscriber Agreement
The Subscriber is notified of the importance of the Karolinska Institutet CA by being informed about the
obligations and responsibilities of the Subscriber and the Relying Party. The Subscriber confirms having
understood these obligations and responsibilities and agrees to them.
The Subscriber shall be informed that a certificate is issued to an individual, even if the Subject is an institute
or a role, and the private key is personal.
The Subscriber shall be informed about the information that must be presented with a request and give its
consent to the gathering of the information about the Subscriber needed to comply with the policy. The Subscriber
shall also be informed that this information may be transferred across borders.
The Subscriber is informed about the means to communicate with the CA and the RA using the defined email
address, which is stated in the CPS or can be accessed through the Karolinska Institutet CA web site:
http://ca.ki.se.
The Subscriber is also notified of other means of communication, which are stated on the Karolinska Institutet CA
web site together with information about contact personnel.
The Subscriber agrees to:
• All information provided by the Subscriber and the representations the Subscriber will make in
applying for a certificate are true.
• Have understood the importance of the Karolinska Institutet Certificate Authority.
• Have understood the responsibility and obligation of a Subscriber.
• Have not and will not allow anyone access to the private key that will be associated with the
certificate requested.
• Have stored the private key in removable media kept secure elsewhere than in the system using the
private key. The private key is also protected with a password.
• If any information provided by the Subscriber is changed the Subscriber must contact the CA
Administrator about the changes.
• In the event of compromise, or suspected compromise, of the security of the private key, the CA
Administrator will be informed. The certificate and private key will then be removed within 24 hours
of being informed that it has been revoked.
The person administrating a web server will agree to:
• Having authority to, and accepting responsibility for, ensuring that anyone who performs administration
functions on the web server for which a Karolinska Institutet CA certificate is issued is fully
informed of the requirements for use of the certificate and that they agree to use the certificate
exclusively for authorized and legal purposes consistent with this policy.