Digicert Gatekeeper Certification Practices Statement
Total Page:16
File Type:pdf, Size:1020Kb
DigiCert Gatekeeper Certification Practices Statement Version 3.3 11 June 2020 Within the framework described in section 1.1 (diagram), the role of the CA is performed by DigiCert Australia Pty Ltd a wholly owned subsidiary of DigiCert, Inc. Registered Office: Level 3, 437 St Kilda Road Melbourne, Australia Legal representative: DLA Piper Australian Business Number: 88 088 021 603 Telephone (switchboard): (03) 9674 5500 ISO Object Identifier (OID): 1.2.36.88021603.333.30.1 Corporate web site (information): http://www.DigiCert.com Certification service web site: https://my.gatekeeper.digicert.com/ E-mail address (information and enquiries): [email protected] DigiCert Gatekeeper CPS - i - DigiCert Gatekeeper Certification Practice Statement © 2020 DigiCert Australia Pty Ltd. All rights reserved. Printed in Australia. Published date: June 12, 2020 Trademark Notices DigiCert and the DigiCert logo are the registered trademarks of DigiCert, Inc or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Without limiting the rights reserved above, and except as licensed below, no part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without prior written permission of DigiCert, Inc. Notwithstanding the above, permission is granted to reproduce and distribute this DigiCert Gatekeeper Certification Practice Statement on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete with attribution of the document to DigiCert, Inc. Requests for any other permission to reproduce this DigiCert Gatekeeper Certification Practice Statement (as well as requests for copies from DigiCert) must be addressed to DigiCert Australia Pty. Ltd. as set forth in section 1.5 of this document. DigiCert Gatekeeper CPS - ii - Change Date Released Doc Version Change By Description 1 4 Dec 2017 2.3 L Hansen DigiCert rebranding 2 1 Jul 2019 3.0 L Hansen Updated with Digicert Gen 4 information 3 25 Sep 2019 3.1 M Sullivan Updated with Current GateKeeper standards 4 4 Feb 2020 3.2 M Sullivan Updated with new Certificate Profiles. 5 11 Jun 2020 3.3 M Sullivan Updated with EKU and validity. DigiCert Gatekeeper CPS - iii - TABLE OF CONTENTS 1. INTRODUCTION ................................................................... 1 5.2.4 Roles Requiring Separation of Duties .................... 13 1.1 Overview ......................................................................... 1 5.3 Personnel Controls........................................................ 13 1.2 Document Name and Identification ................................. 2 5.3.1 Qualifications, Experience and Clearance 1.3 PKI Participants ............................................................... 2 Requirements ................................................................. 13 1.3.1 Certification Authorities ............................................ 2 5.3.2 Background Check Procedures ............................. 13 1.3.2 Registration Authorities ............................................ 3 5.3.3 Training Requirements .......................................... 14 1.3.3 End Entities .............................................................. 3 5.3.4 Retraining Frequency and Requirements .............. 14 1.3.4 Other Participants .................................................... 4 5.3.5 Job Rotation Frequency and Sequence ................. 14 1.4 Certificate Usage ............................................................ 5 5.3.6 Sanctions for Unauthorised Actions ....................... 14 1.4.1 Appropriate Certificate Uses .................................... 5 5.3.7 Independent Contractor Requirements .................. 15 A Business or Individual Certificate is suitable for 5.3.8 Documentation Supplied to Personnel ................... 15 supporting the transmission of information dependant on 5.4 Audit Logging Procedures ............................................. 15 the Level of Assurance it has been Validated to this would 5.4.1 Types of Events Recorded..................................... 15 include: ............................................................................. 5 5.4.2 Frequency of Processing Log ................................ 15 1.4.2 Prohibited Certificate Uses ...................................... 6 5.4.3 Retention Period for Audit Log ............................... 15 1.5 Policy Administration ....................................................... 6 5.4.4 Protection of Audit Log .......................................... 16 1.5.1 Organisation Administering the Document ............... 6 5.4.5 Audit Log Backup Procedures ............................... 16 1.5.2 Contact Person ........................................................ 6 5.4.6 Audit Collection System (Internal vs. External) ...... 16 1.5.3 Person Determining CPS Suitability for the Policy ... 6 5.4.7 Notification to Event-Causing Subject .................... 16 1.5.4 CPS Approval Procedures (Gatekeeper 5.4.8 Vulnerability Assessments ..................................... 16 Accreditation) .................................................................... 6 5.5 Records Archival ........................................................... 16 1.6 Definitions and Acronyms................................................ 7 5.5.1 Types of Records Archived .................................... 16 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES .... 8 5.5.2 Retention Period for Archive .................................. 16 2.1 Publication of Certification Information ............................ 8 5.5.3 Protection of Archive .............................................. 17 2.2 Time or Frequency of Publication .................................... 8 5.5.4 Archive Backup Procedures................................... 17 2.3 Access Controls on Repositories .................................... 8 5.5.5 Requirements for Time-Stamping of Records ........ 17 3. IDENTIFICATION AND AUTHENTICATION ......................... 9 5.5.6 Archive Collection System (Internal vs. External) .. 17 4. CERTIFICATE LIFE-CYCLE OPERATIONAL 5.5.7 Procedures to Obtain and Verify Archive Information REQUIREMENTS ...................................................................... 9 ........................................................................................ 17 4.1 Certificate Application ..................................................... 9 5.6 Key Changeover ........................................................... 17 4.2 Certificate Application Processing ................................... 9 5.7 Compromise and Disaster Recovery............................. 17 4.3 Certificate Issuance ......................................................... 9 5.7.1 Incident and Compromise Handling Procedures.... 18 4.4 Certificate Acceptance .................................................... 9 5.7.2 Computing Resources, Software and/or Data are 4.5 Key Pair and Certificate Usage ....................................... 9 Corrupted ........................................................................ 18 4.6 Certificate Renewal ......................................................... 9 5.7.3 Entity Private Key Compromise Procedures .......... 18 4.7 Certificate Re-Key ........................................................... 9 5.7.4 Business Continuity Capabilities After a Disaster .. 18 4.8 Certificate Modification .................................................... 9 5.8 CA or RA Termination ................................................... 18 4.9 Certificate Revocation and Suspension ........................ 10 6. TECHNICAL SECURITY CONTROLS ............................... 20 4.10 Certificate Status Services .......................................... 10 6.1 Key Pair Generation and Installation ............................. 20 4.10.1 Operational Characteristics .................................. 10 6.1.1 Key Pair Generation .............................................. 20 4.10.2 Service Availability ............................................... 10 6.1.2 Private Key Delivery to Subscriber ........................ 20 4.10.3 Optional Features ................................................ 10 6.1.3 Public Key Delivery to Certificate issuer ................ 20 4.11 End of Subscription ..................................................... 10 6.1.4 CA Public Key Delivery to Relying Parties ............. 20 4.12 Key Escrow and Recovery .......................................... 10 6.1.5 Key Sizes ............................................................... 21 4.12.1 Key Escrow and Recovery Policy and Practices .. 10 6.1.6 Public Key Parameters Generation and Quality 4.12.2 Session Key Encapsulation and Recovery Policy Checking ......................................................................... 21 and Practices .................................................................. 10 6.1.7 Key Usage Purposes (as per x509v3 field) ............ 21 5. FACILITY, MANAGEMENT AND OPERATIONAL 6.2 Private Key Protection & Cryptographic Module CONTROLS............................................................................. 11 Engineering Controls........................................................... 21 5.1 Physical Controls .........................................................