Cover Page |
---|
X.509 Certification Practice Statement |
X.509 Certification Practice Statement |
Acronyms |
---|
add RCA Root Certification Authority |
1. INTRODUCTION |
---|
Current: This Certification Practice Statement (CPS) defines the operational implementation of the terms and conditions, described in the Virginia Polytechnic Institute and State University (hereinafter Virginia Tech) Certificate Authority (VTCA) Certificate Policy identified by the object identifier 1.3.6.1.4.1.6760.5.2.1.1.1, for the VT Root Certificate Authority, (RCA), a VTCA. |
Revised: This Certification Practice Statement (CPS) defines the operational implementation of the terms and conditions, described in the Virginia Polytechnic Institute and State University (hereinafter Virginia Tech) Certification Authority (VTCA) Certificate Policy identified by the object identifier 1.3.6.1.4.1.6760.5.2.1.1.1, for the VT Self Signed Root and Global Root Certification Authorities. |
1.1 OVERVIEW |
---|
Current: This CPS defines the operational implementation of the requirements set forth by the VTCA CP. |
Revised: This CPS defines the operational implementation of the requirements set forth by the VTCA CP for the Virginia Tech Self Signed Root and Global Root CAs. The term RCA (Root Certification Authority) is used throughout this document as a reference to both the Virginia Tech Self Signed Root and Global Root Certification Authorities. |
1.1.1 Certificate Policy (CP) |
---|
Current: The C1SCA has a copy of the VTCA CP and CPS which has been digitally signed by the VTPKI-PMA chairman and one other member of the VTPKI-PMA. The VTPKI-PMA has the primary responsibility for approving policies/standards of the Virginia Tech Public Key Infrastructure (PKI) and the related Certificate Authorities operating within it. The web administrator of the VTCA PKI website publishes CP and CPS document updates to the website at the request of the VTPKI-PMA chairman and notifies the VTPKI-PMA membership whenever these updates occur. |
Revised: A RCA has a copy of the VTCA CP and CPS which has been digitally signed by the VTPKI-PMA chairman and one other member of the VTPKI-PMA. The VTPKI-PMA has the primary responsibility for approving policies/standards of the Virginia Tech Public Key Infrastructure (PKI) and the related Certificate Authorities operating within it. The web administrator of the VTCA PKI website publishes CP and CPS document updates to the website at the request of the VTPKI-PMA chairman and notifies the VTPKI-PMA membership whenever these updates occur. |
1.3.4 Applicability |
Current: A PKC certificate issued by the RCA is ...... . |
Revised: A PKC issued by the RCA is ......
3.1.3 Rules for Interpreting Various Name Forms |
---|
Current: The Subject names of a PKC must be in the following format: |
Revised: The Subject names of a PKC must be in the following format for certificates issued by the VT Self Signed Root CA: |
10. GLOSSARY |
---|
Current: VTPKI: Virginia Tech Public Key Infrastructure refers to the Virginia Tech Root CA and all of the Subordinate CAs within the PKI hierarchy. |
Revised: VTPKI: Virginia Tech Public Key Infrastructure refers collectively to the Self Signed Root and Global Virginia Tech Root CAs and all of the Subordinate CAs within each PKI hierarchy. |
5 Comments
Frank Galligan
Feb 11, 2011
This WIKI page has been created to identify the revisions needed to update the VTCA CPS (Certification Practices Statement) in order to extend the current CPS policies to include the new Virginia Tech Global Root CA. The format for each update includes: 1) The affected section of the CP, 2) The current content of the affected text highlighted in red font, 3) The revised version of the content after updates have been applied.
Frank Galligan
Feb 11, 2011
The production deployment date for issuing globally trusted SSL certificates is March 16, 2011.
Mary Dunker
Feb 15, 2011
In section 3.1.3, does the following statement mean there will be separate User and SoftPDC CAs?
OU=Global < Server | User | SoftPDC > CA,
If not, I suggest:
OU=Global < Server | User > CA,
Ismael Medaghri Alaoui
Mar 02, 2011
I too think we should maintain a separate CA for Soft PDCs. If hard and soft user certificates were to be issued from the same VT User CA, then there's a higher responsibility/burden on application developers or web server admins to check the appropriate level of assurance of a certificate before accepting it.
As an example, if an application server is secured by client authentication and requires the highest level of assurance for access, it's usually a matter of simple configuration to trust all certificates from a specific CA. However, if that CA was issuing certificates under multiple levels of assurance, then additional code would be needed to weed out less secure credentials.
Frank Galligan
Mar 04, 2011
Unfortunately, there is no way of checking our certificate LOA extensions when using third-party PKI-enabled vendor products like Adobe, MS Word, Excel, etc. However, most of these products do allow the user to configure CA trust lists to specify what certificates should be trusted. In this case, having a separate CA for Soft PDCs is a benefit.
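
The trade-off raised in the last two comments, as an added example that is not part of the original thread or of any Virginia Tech code: when one CA issues both hard-token and soft certificates, chain validation alone accepts both, and only an extra per-certificate check tells them apart. It assumes the level of assurance is carried as a policy OID in the certificatePolicies extension; the OIDs (in the 2.999 example arc), the subject names and the helpers `must`, `issue` and `demo` are all hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed sample cert asserting policy pol; nil parent = self-signed CA.
func issue(cn string, pol asn1.ObjectIdentifier, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ext := must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{pol}})) // certificatePolicies value
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}}}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// demo: two certs from ONE CA; caOnly = chains to that CA, withLOA = also asserts "hard".
func demo() (caOnly, withLOA [2]bool) {
	hard, soft := asn1.ObjectIdentifier{2, 999, 1}, asn1.ObjectIdentifier{2, 999, 2} // placeholder LOA OIDs (assumed)
	ca, caKey := issue("Sample User CA", asn1.ObjectIdentifier{2, 5, 29, 32, 0}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for i, pol := range []asn1.ObjectIdentifier{hard, soft} {
		leaf, _ := issue("sample user", pol, ca, caKey)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
		caOnly[i] = err == nil // trust-list style decision: issuer only
		withLOA[i] = caOnly[i] && slices.ContainsFunc(leaf.PolicyIdentifiers, hard.Equal)
	}
	return
}
func main() { fmt.Println(demo()) }
```

With a dedicated CA per assurance level, the issuer-only decision in `caOnly` is sufficient, which is the only control available in products that expose a CA trust list but no policy check.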