Cover Page

X.509 Certificate Policy
For The
Virginia Polytechnic Institute and State University
Certification Authorities
May 13, 2004
Amended July 7, 2009
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.1.1.1
Release 1.0 Version 2.0

X.509 Certificate Policy
For The
Virginia Polytechnic Institute and State University
Certification Authorities
May 13, 2004
Amended March 16, 2011
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.1.1.1
Release 1.0 Version 3.0

1. INTRODUCTION

The VTCAs that comprise the VTPKI are part of a Public Key Infrastructure (PKI) hierarchy consisting of a Root CA and one or more Subordinate CA(s). This CP applies to the Virginia Tech Root CA and all of the Subordinate CAs within the VTPKI hierarchy. Any VTCA for which the Virginia Tech Root CA signs an authority certificate MUST adopt this CP or one that is consistent with all of the requirements of this CP as determined by the Policy Management Authority for the VTPKI.

The VTCAs that comprise the VTPKI are defined by independent Self Signed Root and Global Root CA hierarchies. Each Root CA hierarchy consists of one or more Subordinate CA(s). This CP applies to both Virginia Tech Root CA hierarchies and all of the Subordinate CAs within each hierarchy. Any VTCA for which the Virginia Tech Self Signed Root or Global Root CA signs an authority certificate MUST adopt this CP or one that is consistent with all of the requirements of this CP as determined by the Policy Management Authority for the VTPKI.

1.3.1 PKI Authorities

The Virginia Tech Root CA MAY issue a PKC with certificate issuance rights (“authority PKC”) to another VTCA and in that case the Authorized Subordinate VTCA assumes the role of a CA under this CP. For all purposes under this CP, the Authorized Subordinate CA SHALL conform to, and operate under, this CP.

A Virginia Tech Root CA MAY issue a PKC with certificate issuance rights (“authority PKC”) to another VTCA and in that case the Authorized Subordinate VTCA assumes the role of a CA under this CP. For all purposes under this CP, the Authorized Subordinate CA SHALL conform to, and operate under, this CP.

3.1.2 Need for Names to be Meaningful

In the case where the Virginia Tech Root CA certifies another Authorized Subordinate CA within its policy domain, the Virginia Tech Root Authorizing CA MUST impose restrictions on the name space that MAY be used by the Authorized Subordinate CA that are at least as restrictive as its own name constraints.

In the case where a Virginia Tech Root CA certifies another Authorized Subordinate CA within its policy domain, the Virginia Tech Root Authorizing CA MUST impose restrictions on the name space that MAY be used by the Authorized Subordinate CA that are at least as restrictive as its own name constraints.

3.1.4 Uniqueness of Names

The Virginia Tech Root CA and Authorized Subordinate CAs SHALL document in their respective CPSs:
• What name forms will be used.
• How the Virginia Tech Root CA and Authorized Subordinate CAs will interact to ensure this is accomplished.
• How the Virginia Tech Root CA and Authorized Subordinate CAs will allocate names within the Community to guarantee name uniqueness among current and past Subscribers (e.g., if "Joe Smith" leaves a Community, and a new, different "Joe Smith" enters the Community, how these two people will be provided unique Subject names).

A Virginia Tech Root CA and Authorized Subordinate CAs SHALL document in their respective CPSs:
• What name forms will be used.
• How a Virginia Tech Root CA and Authorized Subordinate CAs will interact to ensure this is accomplished.
• How a Virginia Tech Root CA and Authorized Subordinate CAs will allocate names within the Community to guarantee name uniqueness among current and past Subscribers (e.g., if "Joe Smith" leaves a Community, and a new, different "Joe Smith" enters the Community, how these two people will be provided unique Subject names).

3.2.3 Certificate Update

When the Virginia Tech Root CA updates its private signature key and thus generates a new public key, the Virginia Tech Root CA SHALL notify all Authorized Subordinate or cross certified CAs, and SHOULD make a best effort to notify any Subscribers that rely on the VTCA's PKC, that it has been changed. For self signed ("root") PKCs, such PKCs SHALL be made available online along with separately retrievable verification information to enable a relying party to verify that it has received a valid copy of the new “root” PKC.

When a Virginia Tech Root CA updates its private signature key and thus generates a new public key, the Virginia Tech Root CA SHALL notify all Authorized Subordinate or cross certified CAs, and SHOULD make a best effort to notify any Subscribers that rely on the VTCA's PKC, that it has been changed. For self signed or globally trusted ("root") PKCs, such PKCs SHALL be made available online along with separately retrievable verification information to enable a relying party to verify that it has received a valid copy of the new “root” PKC.

4.8.1.1 Compromise Recovery

If the VTCA is the Virginia Tech Root CA, the trusted self signed certificate MUST be removed from each Relying Party application, and a new one distributed via secure out of band mechanisms. The Virginia Tech Root CA SHALL describe its approach to reacting to a Root CA key compromise in their CPSs.

If the VTCA is a Virginia Tech Root CA, the trusted self signed certificate MUST be removed from each Relying Party application, and a new one distributed via secure out of band mechanisms. A Virginia Tech Root CA SHALL describe its approach to reacting to a Root CA key compromise in their CPSs.

6.2.2 CA Private Key Multi Person Control

The Virginia Tech Root CA of the VTPKI SHALL implement M of N authentication (M number of persons from N total number of persons).

A Virginia Tech Root CA of the VTPKI SHALL implement M of N authentication (M number of persons from N total number of persons).

6.7 NETWORK SECURITY CONTROLS

The Virginia Tech Root CA equipment SHALL be implemented using a stand-alone (offline) configuration.

The equipment of a Virginia Tech Root CA SHALL be implemented using a stand-alone (offline) configuration.

10. GLOSSARY

VTPKI: Virginia Tech Public Key Infrastructure refers to the Virginia Tech Root CA and all of the Subordinate CAs within the PKI hierarchy.

VTPKI: Virginia Tech Public Key Infrastructure refers collectively to the Self Signed Root and Global Virginia Tech Root CAs and all of the Subordinate CAs within each PKI hierarchy.

3 Comments

  1. Frank Galligan

    This WIKI page has been created to identify the revisions needed to update the VTCA CP (Certificate Policy) in order to extend the current CP policies to include the new Virginia Tech Global Root CA. The format for each update includes: 1) The affected section of the CP, 2) The current content with the affected text highlighted in red font, 3) The revised version of the content after updates have been applied.

  2. Mary Dunker

    In section 4.8.1.1, does there need to be a change to the following wording, or is "self-signed" still appropriate?

    ... the trusted self signed certificate MUST be removed from each ...

  3. Frank Galligan

    The reference to “self-signed” is still appropriate here since there are CAs that will continue to operate under the VT self-signed root. It might be good to also mention that compromise and disaster recovery policy for the GlobalSign “self-signed” root are documented by GlobalSign in their respective CPS document at http://www.globalsign.com/repository/