Treasury X.509 Certificate Policy [TREASURYCP].” It Only Addresses Where an OLT PKI’S Requirements Differ from the Requirements for Basic Assurance in [TREASURYCP]

UNCLASSIFIED

UNITED STATES DEPARTMENT OF THE TREASURY

DEPARTMENT OF THE TREASURY
PUBLIC KEY INFRASTRUCTURE (PKI) X.509 CERTIFICATE POLICY
VERSION 3.4, April 27, 2021

Digitally signed by Daniel W. Wood
Date: 2021.04.27 10:48:30 -04'00'

DANIEL W. WOOD, PKI Policy Management Authority (PMA)        DATE

DOCUMENT VERSION CONTROL

Version | Date | Author(s) | Description | Reason For Change
--- | --- | --- | --- | ---
2.0 | January 2008 | James Schminky | Department of the Treasury PKI Policy in RFC 3647 format. | Bring the Treasury PKI Policy into compliance with FPKIPA change proposal requiring all cross certified PKI Policies to be in RFC 3647 format.
2.1 | March 17, 2009 | James Schminky | Errata changes to sections 2.2.1, 4.8, 4.912, 5.5, and 7.1.3. | As a result of mapping the Treasury PKI Policy to Federal Policy, a number of minor changes and omissions were identified and corrected.
2.2 | March 11, 2010 | James Schminky | Errata changes to sections 5.6 and 6.3.2. Change proposal changes to 2.4, 4.2.2, 5.1, 5.1.1, 5.1.2.1, 5.4.4, 5.4.5, 6.1.6, 6.5.1, and 6.7. | As a result of the PMA annual review a number of minor corrections, Federal Bridge Certification Authority (FBCA) Policy Change Proposal Number: 2009-02 and 2010-01, and Treasury Change Proposal.
2.3 | April 15, 2010 | James Schminky | Change proposal changes to 8.1 and 8.4. | As a result of FBCA Policy Change Proposal Number: 2010-02.
2.4 | March 22, 2011 | James Schminky | Change proposal changes to 1.3.1.8, 3.1.1 & .2, 3.1.5, 3.2.3.1, 4.7, 6.1.5, 8.1, and 9.4.3. | As a result of FBCA Policy Change Proposal Numbers 2010-3 thru 8 and CPCA Policy Change Proposal Number: 2011-1.
2.5 | September 11, 2012 | Daniel Wood | Change proposal changes to 3.2.3.2 and 4.9.7. | Made changes to align the Treasury CP with the Common Policy Framework (CPF); removed all reference to the acronym "DoT" and replaced it with the name "Treasury".
2.6 | October 15, 2012 | Daniel Wood | Change proposal changes to 1.2, 3.2.3.2, 6.1.5, 6.2.3, 6.2.4.2, and 6.2.8. | Made changes to align the Treasury CP with the CPF.
2.7 | August 22, 2013 | Fred Asomani-Atinkah | Changes to 1.3, 1.3.1, 1.3.1.1, 1.3.1.2, 1.3.1.3, 1.3.1.4, 1.3.1.5, 1.5.2, and 3.2.3.2. | Made changes to align the Treasury CP with the CPF.
2.8 | March 26, 2015 | Daniel Wood, Terry McBride | Clarified Treasury's dual role as Federal Legacy and SSP; added PIV-I, role-based, and group certificates. | Provide capabilities to customers and baseline update as requested by FPKIPA.
2.9 | March 25, 2017 | Daniel Wood | Adds PIV-I and Internal PKI OIDs, changed criteria for suspension, defined the PKI Program Team, added the internal PKI addendum, changes to Common/Federal CPs and editorial updates. | Changes to Treasury PKI based on user needs.
2.91 | November 20, 2018 | Daniel Wood | Update based on TOCA Compliance Audit and introduction of the Fed Key Recovery Policy and other Common and Federal Bridge policy changes. | Correct minor errors and maintain compliance with Fed PKI (through 2018-06).
3 | February 28, 2019 | Daniel Wood | Updated based on comments from BFS. | Maintain conformance with FBCA CP.
3.1 | October 30, 2019 | Daniel Wood | Updated Section 5.8 with new language to cover CA terminations. | Maintain conformance with Federal/Common CPs.
3.2 | December 15, 2020 | Daniel Wood | Updates in sections 1, 1.1.1, 1.2, 1.4.1, 2.2.1, 4.4.2, 5.2.1, 5.2.1.1, 5.2.1.2, 5.3.1, 5.3.2, 5.3.7, 5.4.2, 5.5.1, and 6.1.5. | Responses to audit findings, annual review findings, change proposals, and for separation of Key Recovery roles from clearance requirements on CA roles.
3.3 | March 29, 2021 | Daniel Wood | Removed the "offline" requirement on OLT Root CAs in section 1.3.1.2 of Addendum 1. Added Addendum 2 – Implementation of PKI Certificates on Treasury Systems. | To allow for remote administration on an OLT Root CA, and to define implementation policies on SSL/TLS certificates for HTTPS.

Table of Contents

1. INTRODUCTION .... 11
  1.1 OVERVIEW .... 12
    1.1.1 Certificate Policy .... 12
    1.1.2 Relationships between Treasury PKI CP & Treasury PKI CA CPSs .... 12
    1.1.3 Scope .... 12
    1.1.4 Relationships between Treasury PKI CP, the FBCA and Other Entity CPs .... 13
    1.1.5 Interaction with PKIs External to the Federal Government .... 14
  1.2 DOCUMENT IDENTIFICATION .... 14
  1.3 PKI ENTITIES .... 15
    1.3.1 Treasury PKI Program Team .... 15
    1.3.2 Registration Authority .... 18
    1.3.3 Subscribers .... 19
    1.3.4 Relying Parties .... 19
    1.3.5 Other Participants .... 20
  1.4 CERTIFICATE USAGE .... 20
    1.4.1 Appropriate Certificate Uses .... 20
    1.4.2 Prohibited Certificate Uses .... 22
  1.5 POLICY ADMINISTRATION .... 22
    1.5.1 Organization Administering the Document .... 22
    1.5.2 Contact Person .... 22
    1.5.3 Person Determining CPS Suitability for the Policy .... 23
    1.5.4 CPS Approval Procedures .... 23
  1.6 DEFINITIONS AND ACRONYMS .... 23
2. PUBLICATION & REPOSITORY RESPONSIBILITIES .... 24
  2.1 REPOSITORIES .... 24
  2.2 PUBLICATION OF CERTIFICATION INFORMATION .... 24
    2.2.1 Publication of Certificates and Certificate Status .... 24
    2.2.2 Publication of CA Information .... 25
    2.2.3 Interoperability .... 25
  2.3 FREQUENCY OF PUBLICATION .... 25
  2.4 ACCESS CONTROLS ON REPOSITORIES .... 25
3. IDENTIFICATION & AUTHENTICATION .... 26
  3.1 NAMING .... 26
    3.1.1 Types of Names .... 26
    3.1.2 Need for Names to Be Meaningful .... 30
    3.1.3 Anonymity or Pseudonymity of Subscribers .... 30
    3.1.4 Rules for Interpreting Various Name Forms .... 31
    3.1.5 Uniqueness of Names .... 31
    3.1.6 Recognition, Authentication, & Role of Trademarks .... 31
  3.2 INITIAL IDENTITY VALIDATION .... 31
    3.2.1 Method to Prove Possession of Private Key .... 32
    3.2.2 Authentication of Organization Identity .... 32
    3.2.3 Authentication of Individual Identity .... 33
    3.2.4 Non-verified Subscriber Information .... 37
    3.2.5 Validation of Authority .... 38
    3.2.6 Criteria for Interoperation .... 38
  3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS .... 38
    3.3.1 Identification and Authentication for Routine Re-key .... 38
    3.3.2 Identification and Authentication for Re-key after Revocation .... 40
  3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST .... 40
4. CERTIFICATE LIFE-CYCLE .... 41
  4.1 APPLICATION .... 41
    4.1.1 Submission of Certificate Application .... 41
    4.1.2 Enrollment Process and Responsibilities .... 41
  4.2 CERTIFICATE APPLICATION PROCESSING .... 41
    4.2.1 Performing Identification and Authentication Functions .... 41
    4.2.2 Approval or Rejection of Certificate Applications .... 42
    4.2.3 Time to Process Certificate Applications .... 42
  4.3 ISSUANCE .... 43
    4.3.1 CA Actions during Certificate Issuance .... 43
    4.3.2 Notification to Subscriber of Certificate Issuance .... 43
  4.4 ACCEPTANCE .... 43
    4.4.1 Conduct Constituting Certificate Acceptance .... 43
    4.4.2 Publication of the Certificate by the CA .... 43
    4.4.3 Notification of Certificate Issuance by the CA to Other Entities .... 43
  4.5 KEY PAIR AND CERTIFICATE USAGE .... 44
    4.5.1 Subscriber Private Key and Certificate Usage .... 44
    4.5.2 Relying Party Public Key and Certificate Usage .... 44
  4.6 CERTIFICATE RENEWAL .... 44
    4.6.1 Circumstance for Certificate Renewal .... 44
    4.6.2 Who May Request Renewal .... 45
    4.6.3 Processing Certificate Renewal Requests .... 45
    4.6.4 Notification of New Certificate Issuance to Subscriber .... 45
    4.6.5 Conduct Constituting Acceptance of a Renewal Certificate .... 45
    4.6.6 Publication of the Renewal Certificate by the CA .... 45
    4.6.7 Notification of Certificate Issuance by the CA to Other Entities .... 45
  4.7 CERTIFICATE RE-KEY .... 45
    4.7.1 Circumstance for Certificate Re-key .... 46
    4.7.2 Who May Request Certification of a New Public Key .... 46
    4.7.3 Processing Certificate Re-keying Requests .... 46
    4.7.4 Notification of New Certificate Issuance to Subscriber .... 46
    4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate .... 46
    4.7.6 Publication of the Re-keyed Certificate by the CA .... 46
    4.7.7 Notification of Certificate Issuance by the CA to Other Entities .... 46
  4.8 MODIFICATION .... 47
    4.8.1 Circumstance for Certificate Modification .... 47
    4.8.2 Who May Request Certificate Modification .... 47
    4.8.3 Processing Certificate Modification Requests .... 47
    4.8.4 Notification of New Certificate Issuance to Subscriber .... 48
    4.8.5 Conduct Constituting Acceptance of Modified Certificate .... 48
    4.8.6 Publication of the Modified Certificate by the CA .... 48
    4.8.7 Notification of Certificate Issuance by the CA to Other Entities .... 48
