Treasury X.509 Certificate Policy [TREASURYCP]. It only addresses where an OLT PKI's requirements differ from the requirements for Basic Assurance in [TREASURYCP]
Total pages: 16; file type: PDF, size: 1020 KB
UNCLASSIFIED

UNITED STATES DEPARTMENT OF THE TREASURY

DEPARTMENT OF THE TREASURY PUBLIC KEY INFRASTRUCTURE (PKI) X.509 CERTIFICATE POLICY

VERSION 3.4
April 27, 2021

PKI Policy Management Authority (PMA)
DATE
DANIEL W. WOOD

DOCUMENT VERSION CONTROL

Columns: Version | Date | Author(s) | Description | Reason for Change

Version 2.0 | January 2008 | James Schminky
  Description: Department of the Treasury PKI Policy in RFC 3647 format.
  Reason for change: Bring the Treasury PKI Policy into compliance with FPKIPA change proposal requiring all cross certified PKI Policies to be in RFC 3647 format.

Version 2.1 | March 17, 2009 | James Schminky
  Description: Errata changes to sections 2.2.1, 4.8, 4.912, 5.5, and 7.1.3.
  Reason for change: As a result of mapping the Treasury PKI Policy to Federal Policy, a number of minor changes and omissions were identified and corrected.

Version 2.2 | March 11, 2010 | James Schminky
  Description: Errata changes to sections 5.6 and 6.3.2. Change proposal changes to 2.4, 4.2.2, 5.1, 5.1.1, 5.1.2.1, 5.4.4, 5.4.5, 6.1.6, 6.5.1, and 6.7.
  Reason for change: As a result of the PMA annual review, a number of minor corrections, Federal Bridge Certification Authority (FBCA) Policy Change Proposal Numbers 2009-02 and 2010-01, and Treasury Change Proposal.

Version 2.3 | April 15, 2010 | James Schminky
  Description: Change proposal changes to 8.1 and 8.4.
  Reason for change: As a result of FBCA Policy Change Proposal Number 2010-02.

Version 2.4 | March 22, 2011 | James Schminky
  Description: Change proposal changes to 1.3.1.8, 3.1.1 & 3.1.2, 3.1.5, 3.2.3.1, 4.7, 6.1.5, 8.1, and 9.4.3.
  Reason for change: As a result of FBCA Policy Change Proposal Numbers 2010-3 thru 8 and CPCA Policy Change Proposal Number 2011-1.

Version 2.5 | September 11, 2012 | Daniel Wood
  Description: Change proposal changes to 3.2.3.2 and 4.9.7.
  Reason for change: Made changes to align the Treasury CP with the Common Policy Framework (CPF); removed all reference to the acronym "DoT" and replaced it with the name "Treasury".

Version 2.6 | October 15, 2012 | Daniel Wood
  Description: Change proposal changes to 1.2, 3.2.3.2, 6.1.5, 6.2.3, 6.2.4.2, and 6.2.8.
  Reason for change: Made changes to align the Treasury CP with the CPF.

Version 2.7 | August 22, 2013 | Fred Asomani-Atinkah
  Description: Changes to 1.3, 1.3.1, 1.3.1.1, 1.3.1.2, 1.3.1.3, 1.3.1.4, 1.3.1.5, 1.5.2, and 3.2.3.2.
  Reason for change: Made changes to align the Treasury CP with the CPF.

Version 2.8 | March 26, 2015 | Daniel Wood, Terry McBride
  Description: Clarified Treasury's dual role as Federal Legacy and SSP; added PIV-I, role-based, and group certificates.
  Reason for change: Provide capabilities to customers and baseline update as requested by FPKIPA.

Version 2.9 | March 25, 2017 | Daniel Wood
  Description: Adds PIV-I and Internal PKI OIDs, changed criteria for suspension, defined the PKI Program Team, added the internal PKI addendum, changes to Common/Federal CPs and editorial updates.
  Reason for change: Changes to Treasury PKI based on user needs.

Version 2.91 | November 20, 2018 | Daniel Wood
  Description: Update based on TOCA Compliance Audit and introduction of the Fed Key Recovery Policy and other Common and Federal Bridge policy changes.
  Reason for change: Correct minor errors and maintain compliance with Fed PKI (through 2018-06).

Version 3 | February 28, 2019 | Daniel Wood
  Description: Updated based on comments from BFS.
  Reason for change: Maintain conformance with FBCA CP.

Version 3.1 | October 30, 2019 | Daniel Wood
  Description: Updated Section 5.8 with new language to cover CA terminations.
  Reason for change: Maintain conformance with Federal/Common CPs.

Version 3.2 | December 15, 2020 | Daniel Wood
  Description: Updates in sections 1, 1.1.1, 1.2, 1.4.1, 2.2.1, 4.4.2, 5.2.1, 5.2.1.1, 5.2.1.2, 5.3.1, 5.3.2, 5.3.7, 5.4.2, 5.5.1, and 6.1.5.
  Reason for change: Responses to audit findings, annual review findings, change proposals, and for separation of Key Recovery roles from clearance requirements on CA roles.

Version 3.3 | March 29, 2021 | Daniel Wood
  Description: Removed the "offline" requirement on OLT Root CAs in section 1.3.1.2 of Addendum 1. Added Addendum 2 (Implementation of PKI Certificates on Treasury Systems).
  Reason for change: To allow for remote administration on an OLT Root CA, and to define implementation policies on SSL/TLS certificates for HTTPS.

Table of Contents

1. INTRODUCTION .... 11
1.1 OVERVIEW .... 12
1.1.1 Certificate Policy .... 12
1.1.2 Relationships between Treasury PKI CP & Treasury PKI CA CPSs .... 12
1.1.3 Scope .... 12
1.1.4 Relationships between Treasury PKI CP, the FBCA and Other Entity CPs .... 13
1.1.5 Interaction with PKIs External to the Federal Government .... 14
1.2 DOCUMENT IDENTIFICATION .... 14
1.3 PKI ENTITIES .... 15
1.3.1 Treasury PKI Program Team .... 15
1.3.2 Registration Authority .... 18
1.3.3 Subscribers .... 19
1.3.4 Relying Parties .... 19
1.3.5 Other Participants .... 20
1.4 CERTIFICATE USAGE .... 20
1.4.1 Appropriate Certificate Uses .... 20
1.4.2 Prohibited Certificate Uses .... 22
1.5 POLICY ADMINISTRATION .... 22
1.5.1 Organization Administering the Document .... 22
1.5.2 Contact Person .... 22
1.5.3 Person Determining CPS Suitability for the Policy .... 23
1.5.4 CPS Approval Procedures .... 23
1.6 DEFINITIONS AND ACRONYMS .... 23
2. PUBLICATION & REPOSITORY RESPONSIBILITIES .... 24
2.1 REPOSITORIES .... 24
2.2 PUBLICATION OF CERTIFICATION INFORMATION .... 24
2.2.1 Publication of Certificates and Certificate Status .... 24
2.2.2 Publication of CA Information .... 25
2.2.3 Interoperability .... 25
2.3 FREQUENCY OF PUBLICATION .... 25
2.4 ACCESS CONTROLS ON REPOSITORIES ....