Cover Page |
|---|
X.509 Certificate Policy |
X.509 Certificate Policy |
1. INTRODUCTION |
|---|
The VTCAs that comprise the VTPKI are part of a Public Key Infrastructure (PKI) hierarchy consisting of a Root CA and one or more Subordinate CA(s). This CP applies to the Virginia Tech Root CA and all of the Subordinate CAs within the VTPKI hierarchy. Any VTCA for which the Virginia Tech Root CA signs an authority certificate MUST adopt this CP or one that is consistent with all of the requirements of this CP as determined by the Policy Management Authority for the VTPKI. |
The VTCAs that comprise the VTPKI are defined by independant Self Signed Root and Global Root CA hierarchies. Each Root CA hierarchy consists of one or more Subordinate CA(s). This CP applies to both Virginia Tech Root CA hierachies and all of the Subordinate CAs within each hierarchy. Any VTCA for which the Virginia Tech Self Signed Root or Global Root CA signs an authority certificate MUST adopt this CP or one that is consistent with all of the requirements of this CP as determined by the Policy Management Authority for the VTPKI. |
1.3.1 PKI Authorities |
|---|
The Virginia Tech Root CA MAY issue a PKC with certificate issuance rights (“authority PKC”) to another VTCA and in that case the Authorized Subordinate VTCA assumes the role of a CA under this CP. For all purposes under this CP, the Authorized Subordinate CA SHALL conform to, and operate under, this CP. |
A Virginia Tech Root CA MAY issue a PKC with certificate issuance rights (“authority PKC”) to another VTCA and in that case the Authorized Subordinate VTCA assumes the role of a CA under this CP. For all purposes under this CP, the Authorized Subordinate CA SHALL conform to, and operate under, this CP. |
3.1.2 Need for Names to be Meaningful |
|---|
In the case where the Virginia Tech Root CA certifies another Authorized Subordinate CA within its policy domain, the Virginia Tech Root Authorizing CA MUST impose restrictions on the name space that MAY be used by the Authorized Subordinate CA that are at least as restrictive as its own name constraints. |
In the case where a Virginia Tech Root CA certifies another Authorized Subordinate CA within its policy domain, the Virginia Tech Root Authorizing CA MUST impose restrictions on the name space that MAY be used by the Authorized Subordinate CA that are at least as restrictive as its own name constraints. |
3.1.4 Uniqueness of Names |
|---|
The Virginia Tech Root CA and Authorized Subordinate CAs SHALL document in their respective CPSs: |
A Virginia Tech Root CA and Authorized Subordinate CAs SHALL document in their respective CPSs: |
3.2.3 Certificate Update |
|---|
When the Virginia Tech Root CA updates its private signature key and thus generates a new public key, the Virginia Tech Root CA SHALL notify all Authorized Subordinate or cross certified CAs, and SHOULD make a best effort to notify any Subscribers that rely on the VTCA's PKC, that it has been changed. For self signed ("root") PKCs, such PKCs SHALL be made available online along with separately retrievable verification information to enable a relying party to verify that it has received a valid copy of the new “root” PKC. |
When a Virginia Tech Root CA updates its private signature key and thus generates a new public key, the Virginia Tech Root CA SHALL notify all Authorized Subordinate or cross certified CAs, and SHOULD make a best effort to notify any Subscribers that rely on the VTCA's PKC, that it has been changed. For self signed or globally trusted ("root") PKCs, such PKCs SHALL be made available online along with separately retrievable verification information to enable a relying party to verify that it has received a valid copy of the new “root” PKC. |
4.8.1.1 Compromise Recovery |
|---|
If the VTCA is the Virginia Tech Root CA, the trusted self signed certificate MUST be removed from each Relying Party application, and a new one distributed via secure out of band mechanisms. The Virginia Tech Root CA SHALL describe its approach to reacting to a Root CA key compromise in their CPSs. |
If the VTCA is a Virginia Tech Root CA, the trusted self signed certificate MUST be removed from each Relying Party application, and a new one distributed via secure out of band mechanisms. A Virginia Tech Root CA SHALL describe its approach to reacting to a Root CA key compromise in their CPSs. |
6.2.2 CA Private Key Multi Person Control |
|---|
The Virginia Tech Root CA of the VTPKI SHALL implement M of N authentication.( M number of persons from N total number of persons). |
A Virginia Tech Root CA of the VTPKI SHALL implement M of N authentication.( M number of persons from N total number of persons). |
6.7 NETWORK SECURITY CONTROLS |
|---|
The Virginia Tech Root CA equipment SHALL be implemented using a stand-alone (offline) configuration. |
The equipment of a Virginia Tech Root CA SHALL be implemented using a stand-alone (offline) configuration. |
10. GLOSSARY |
|---|
VTPKI: Virginia Tech Public Key Infrastructure refers to the Virginia Tech Root CA and all of the Subordinate CAs within the PKI hierarchy. |
VTPKI: Virginia Tech Public Key Infrastructure refers collectively to the Self Signed Root and Global Virginia Tech Root CAs and all of the Subordinate CAs within each PKI hierarchy. |