COMPANY PROPRIETARY AND CONFIDENTIAL WidePoint PIV SSP CPS Version 4.2.4 WIDEPOINT PERSONAL IDENTITY VERIFICATION SHARED SERVICE PROVIDER (WIDEPOINT PIV SSP) CERTIFICATE PRACTICE STATEMENT (CPS) Version 4.2.4 24 July 2020 WidePoint Cybersecurity Solutions Corporation 11250 Waples Mill Road South Tower, Suite 210 Fairfax, VA 22030 Copyright 2020, WidePoint Cybersecurity Solutions Corporation All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. COMPANY PROPRIETARY AND CONFIDENTIAL WidePoint PIV SSP CPS Version 4.2.4 Notice: Operational Research Consultants, Inc. (ORC), a wholly-owned subsidiary of WidePoint Corporation, has changed its legal name to WidePoint Cybersecurity Solutions Corporation, hereafter referred to simply as WidePoint. This is a legal name change only for branding purposes with no change to ownership, corporation type or other status. Any and all references to "WidePoint" within this document refers specifically and only to WidePoint Cybersecurity Solutions Corporation, the wholly- owned subsidiary of WidePoint Corporation, and not to WidePoint Corporation as a whole. Any reference or citing of personnel within this document, such as "WidePoint CEO", refers to the CEO of WidePoint Cybersecurity Solutions Corporation and not the CEO of WidePoint Corporation. i Copyright 2020, WidePoint Cybersecurity Solutions Corporation All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. COMPANY PROPRIETARY AND CONFIDENTIAL WidePoint PIV SSP CPS Version 4.2.4 TABLE OF CONTENTS 1 INTRODUCTION ............................................................................................................................... 1 1.1 OVERVIEW ...................................................................................................................................... 2 1.1.1 CERTIFICATE POLICY .................................................................................................................... 2 1.1.2 RELATIONSHIP BETWEEN THE CP AND THE CPS ............................................................................. 2 1.1.3 SCOPE ......................................................................................................................................... 3 1.1.4 INTEROPERATION BETWEEN THE WIDEPOINT PIV SSP AND CAS ISSUING UNDER DIFFERENT POLICIES ................................................................................................................................................... 3 1.2 DOCUMENT NAME AND IDENTIFICATION ............................................................................................ 3 1.3 PKI PARTICIPANTS .......................................................................................................................... 4 1.3.1 PKI AUTHORITIES ......................................................................................................................... 4 1.3.1.1 FEDERAL CHIEF INFORMATION OFFICERS COUNCIL ...................................................................... 4 1.3.1.2 FEDERAL PKI POLICY AUTHORITY (FPKIPA) ............................................................................... 5 1.3.1.3 FPKI MANAGEMENT AUTHORITY (FPKIMA) ................................................................................ 5 1.3.1.4 FPKI MANAGEMENT AUTHORITY PROGRAM MANAGER ................................................................. 5 1.3.1.5 POLICY MANAGEMENT AUTHORITY .............................................................................................. 5 1.3.1.6 AUTHORIZED WIDEPOINT PIV SSP CAS ..................................................................................... 6 1.3.1.7 CERTIFICATE STATUS SERVERS .................................................................................................. 7 1.3.1.8 KEY ESCROW DATABASE (WIDEPOINT KED) ............................................................................... 7 1.3.2 REGISTRATION AUTHORITIES ......................................................................................................... 7 1.3.3 KEY RECOVERY AGENT (KRA) ...................................................................................................... 8 1.3.4 KEY RECOVERY REQUESTORS ...................................................................................................... 8 1.3.4.1 SUBSCRIBER .............................................................................................................................. 8 1.3.4.2 INTERNAL THIRD-PARTY REQUESTOR .......................................................................................... 8 1.3.4.3 EXTERNAL THIRD-PARTY REQUESTOR ........................................................................................ 9 1.3.5 TRUSTED AGENTS ......................................................................................................................... 9 1.3.6 SUBSCRIBERS ............................................................................................................................... 9 1.3.6.1 PKI SPONSOR .......................................................................................................................... 10 1.3.7 RELYING PARTIES ....................................................................................................................... 10 1.3.8 OTHER PARTICIPANTS ................................................................................................................. 10 1.3.8.1 CERTIFICATE MANAGEMENT AUTHORITY(S) (CMA) .................................................................... 10 1.3.8.2 LOCAL REGISTRATION AUTHORITIES (LRAS) ............................................................................. 11 1.3.8.3 SERVICE PROVIDERS ................................................................................................................ 11 1.3.9 RELATIONSHIP TO PKI AUTHORITIES FROM CP ............................................................................. 11 1.4 CERTIFICATE USAGE ..................................................................................................................... 12 1.4.1 APPROPRIATE CERTIFICATE USES ............................................................................................... 12 1.4.2 PROHIBITED CERTIFICATE USES .................................................................................................. 12 1.5 POLICY ADMINISTRATION ............................................................................................................... 13 1.5.1 ORGANIZATION ADMINISTERING THE DOCUMENT .......................................................................... 13 ii Copyright 2020, WidePoint Cybersecurity Solutions Corporation All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. COMPANY PROPRIETARY AND CONFIDENTIAL WidePoint PIV SSP CPS Version 4.2.4 1.5.2 CONTACT PERSON ...................................................................................................................... 13 1.5.3 PERSON DETERMINING WIDEPOINT PIV SSP CPS SUITABILITY FOR THE FPCPF ......................... 13 1.5.4 CPS APPROVAL PROCEDURES .................................................................................................... 14 1.6 DEFINITIONS AND ACRONYMS ........................................................................................................ 14 2 PUBLICATION AND REPOSITORY RESPONSIBILITIES ........................................................... 15 2.1 REPOSITORIES .............................................................................................................................. 15 2.2 PUBLICATION OF CERTIFICATION INFORMATION .............................................................................. 16 2.2.1 PUBLICATION OF CERTIFICATES AND CERTIFICATE STATUS ........................................................... 16 2.2.2 PUBLICATION OF CA INFORMATION .............................................................................................. 16 2.2.3 INTEROPERABILITY ...................................................................................................................... 17 2.2.4 TIME OR FREQUENCY OF PUBLICATION......................................................................................... 17 2.3 ACCESS CONTROLS ON REPOSITORIES .......................................................................................... 17 3 IDENTIFICATION AND AUTHENTICATION ................................................................................. 18 3.1 NAMING ........................................................................................................................................ 18 3.1.1 TYPES OF NAMES ....................................................................................................................... 18 3.1.2 NEED FOR NAMES TO BE MEANINGFUL ......................................................................................... 23 3.1.3 ANONYMITY OR PSEUDONYMITY OF SUBSCRIBERS ........................................................................ 24 3.1.4 RULES FOR INTERPRETING VARIOUS NAME FORMS ...................................................................... 24 3.1.5 UNIQUENESS OF NAMES .............................................................................................................