Cover Page |
|---|
X.509 Certification Practice Statement for the VT Root Certification Authority |
X.509 Certification Practice Statement for the VT Root Certification Authority |
RECORD OF CHANGES |
|---|
|
Add all changes for Migration Project here! |
1.1.1 Certificate Policy (CP) |
|---|
The RCA has digitally signed a copy of the VTCA CP, using SHA-1 with RSA encryption and its |
The RCA has a copy of the VTCA CP and CPS which has been digitally signed by the chairman of the VTPKI-PMA who has the primary responsibility for approving policies/standards of the Virginia Tech Public Key Infrastructure (PKI) and the related Certificate Authorities operating within it.
|
1.4 CONTACT DETAILS |
|
|
|
|
|---|---|---|---|---|
Questions about interpretation of this CPS are directed in writing to Information Resource Management. Concerns about possible abuse of this CPS, are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA). |
||||
Questions about interpretation of this CPS are directed in writing to Identity Management Services. Concerns about possible abuse of this CPS, are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA). |
||||
|
||||
• notifies Information Resource Management immediately upon either suspected or known compromise of the private key associated with a PKC issued by the RCA |
||||
• notifies Identity Management Services immediately upon either suspected or known compromise of the private key associated with a PKC issued by the RCA |
||||
2.4 INTERPRETATION AND ENFORCEMENT |
||||
Interpretation of this CPS is the responsibility of the PMA and Information Resource Management. |
||||
Interpretation of this CPS is the responsibility of the PMA and Identity Management Services. |
4.5.4 Protection of Security Audit Data |
|---|
Access to audit logs is controlled by IRM, and access is restricted to authorized employees only. |
Access to audit logs is controlled by IMS, and access is restricted to authorized employees only. |
4.5.5 Security Audit Data Backup Procedures |
The audit log is backed up immediately after subordinate CA key generation ceremonies using a backup utility (vtBackup) which was developed at Virginia Tech. Backup audit logs of the RCA are protected against unauthorized viewing, modification, or deletion by encrypting the backup and using offsite storage in a separate secure location from the RCA host. |
The audit log is backed up on the same schedule as the rest of the data on VTCA servers using VT Information Systems and Computing network backup service providing:
|
4.6.3 Protection of Archive |
|---|
Archived records are protected against unauthorized viewing, modification, and deletion by using cryptographic protection and offsite storage in a physically secure and trustworthy location. The cryptographic protection is implemented using a 512 bit DES3 symmetric key that is unique to each backup instance. The DES3 symmetric key is then encrypted using 4096 bit RSA public key encryption. |
Archived records are protected against unauthorized viewing, modification, and deletion by using offsite storage in a physically secure and trustworthy location. The offsite backup location provides the following key features:
|
|
On request by the auditors, the VT Root CA Administrator will retrieve media containing archived information from the offsite storage location. The VT Root CA Administrator maintains the record of where backups are stored as part of the VTCA Resource Inventory document. To view the CA archive, it must be decrypted. The private key needed to decrypt the symmetric key used to encrypt the backups is stored on zip disk labeled "Backup Encryption RSA Key Pair" at the offsite storage location. A duplicate copy of the private key is stored on a BIO drive kept in a locked file cabinet in the eProvisioning office area. |
The office that provides maintenance and support for the Certification Authority application is responsible for restoration of files from backup archives as needed. |
5.1.5 Media Storage |
|---|
The encrypted backup media of the RCA are stored in an offsite physically secure and trustworthy location. |
The backup media of the RCA are stored in an offsite physically secure and trustworthy location. |
5.1.7 Offsite Backup |
|---|
In the event of a system failure there are sufficient backups that can be used to restore the RCA system. These backups are made immediately after every subordinate CA key signing ceremony or other modifications to the RCA using the vtBackup utility. The three most recent full backups are stored at a secure offsite location which can only be accessed by authorized personnel. |
In the event of a system failure there are sufficient backups that can be used to restore the RCA system. Full monthly, weekly differential, and daily incremental backups are created durinng normal daily scheduled backups by the Information Systems and Computing network backup service. The backup media of the RCA are stored in an offsite physically secure and trustworthy location. |
5.2.1.1 Certification Authority Administrator |
|---|
The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President forInformation Technology. The CAA's responsibilities are: |
The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President forInformation Technology. Primarily, a CAA's responsibilities are: |
7.1 CERTIFICATE PROFILE |
|---|
The certificate profiles for the RCA and the subordinate CA certificates issued by the RCA are published at http://www.pki.vt.edu/vtroot/cps/ . |
The certificate profiles for the RCA and the subordinate CA certificates issued by the RCA are published at http://www.pki.vt.edu/rootca/cps/ . |