Cover Page

X.509 Certification Practice Statement for the VT Root Certification Authority
March 28, 2006
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.3.1.1
Release 1.0, Version 0.0

X.509 Certification Practice Statement for the VT Root Certification Authority
March 28, 2006
Amended ?, 2009
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.3.1.1
Release 1.0, Version 2.0


RECORD OF CHANGES


Add all changes for Migration Project here!


1.1.1 Certificate Policy (CP)

The RCA has digitally signed a copy of the VTCA CP, using SHA-1 with RSA encryption and its primary PKC signing key. The digitally signed copy of the RCA CPS is available online at http://www.pki.vt.edu/rootca/cps.

The RCA has a copy of the VTCA CP and CPS which has been digitally signed by the chairman of the VTPKI-PMA who has the primary responsibility for approving policies/standards of the Virginia Tech Public Key Infrastructure (PKI) and the related Certificate Authorities operating within it.


1.4 CONTACT DETAILS


Questions about interpretation of this CPS are directed in writing to Information Resource Management. Concerns about possible abuse of this CPS are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA).
Information Resource Management, 1700 Pratt Dr., Blacksburg, VA 24060

Questions about interpretation of this CPS are directed in writing to Identity Management Services. Concerns about possible abuse of this CPS are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA).
Identity Management Services, 1700 Pratt Dr., Blacksburg, VA 24060


2.1.3 Subscriber Obligations

• notifies Information Resource Management immediately upon either suspected or known compromise of the private key associated with a PKC issued by the RCA 

• notifies Identity Management Services immediately upon either suspected or known compromise of the private key associated with a PKC issued by the RCA 

2.4 INTERPRETATION AND ENFORCEMENT

Interpretation of this CPS is the responsibility of the PMA and Information Resource Management.

Interpretation of this CPS is the responsibility of the PMA and Identity Management Services.


4.5.4 Protection of Security Audit Data

Access to audit logs is controlled by IRM, and access is restricted to authorized employees only.

Access to audit logs is controlled by IMS, and access is restricted to authorized employees only.

4.5.5 Security Audit Data Backup Procedures

The audit log is backed up immediately after subordinate CA key generation ceremonies using a backup utility (vtBackup) which was developed at Virginia Tech. Backup audit logs of the RCA are protected against unauthorized viewing, modification, or deletion by encrypting the backup and using offsite storage in a separate secure location from the RCA host.

The audit log is backed up on the same schedule as the rest of the data on VTCA servers, using the VT Information Systems and Computing network backup service, which provides:

  • Scheduled daily backup of server files and directories
  • Offsite storage in compliance with computing standards
  • Restoration of files as needed


4.6.3 Protection of Archive

Archived records are protected against unauthorized viewing, modification, and deletion by using cryptographic protection and offsite storage in a physically secure and trustworthy location. The cryptographic protection is implemented using a 512 bit DES3 symmetric key that is unique to each backup instance. The DES3 symmetric key is then encrypted using 4096 bit RSA public key encryption.

Archived records are protected against unauthorized viewing, modification, and deletion by using offsite storage in a physically secure and trustworthy location. The offsite backup location provides the following key features:

  • Storage in a secure, fire-resistant Vault Room.
  • A stable, secure storage environment: the room is maintained at a constant 70 degrees and 35% - 55% humidity. It is secured with intrusion alarms and motion detectors.
  • Controlled access: the interior door to the building remains locked at all times. After admittance to the building, access to the Vault Room can only be obtained with a valid VT ID card entered into the cipher lock.
  • Enhanced fire protection: constructed with a concrete floor and walls, the Vault Room is rated to withstand a minimum of three hours of fire. Additionally, the entire building has an automated fire suppression system and a fire alarm wired into the campus police office.


4.6.7 Procedures to Obtain and Verify Archive Information

On request by the auditors, the VT Root CA Administrator will retrieve media containing archived information from the offsite storage location. The VT Root CA Administrator maintains the record of where backups are stored as part of the VTCA Resource Inventory document. To view the CA archive, it must be decrypted. The private key needed to decrypt the symmetric key used to encrypt the backups is stored on a Zip disk labeled "Backup Encryption RSA Key Pair" at the offsite storage location. A duplicate copy of the private key is stored on a BIO drive kept in a locked file cabinet in the eProvisioning office area.

The office that provides maintenance and support for the Certification Authority application is responsible for restoration of files from backup archives as needed.
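The envelope scheme of the 2006 text of sections 4.6.3 and 4.6.7 (a symmetric key unique to each backup instance, that key alone wrapped with the RSA public key, and the matching private key used at restore time), written out as an added example in Go; it is not code from the CPS or from the vtBackup utility. It assumes RSA-OAEP for the key wrap and CTR mode for the bulk encryption, neither of which the CPS specifies, uses the 24-byte key that Triple DES actually takes rather than the 512 bits the text cites, and leaves the RSA key size (4096 bits in the CPS) to the caller.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Backup is one archived instance: the 3DES-encrypted archive, its IV, and
// the per-instance 3DES key wrapped under the long-term archive RSA key.
type Backup struct{ WrappedKey, IV, Ciphertext []byte }

// EncryptArchive follows section 4.6.3: a symmetric key unique to this instance
// encrypts the archive; only that key is wrapped (RSA-OAEP, assumed) under the RSA public key.
func EncryptArchive(pub *rsa.PublicKey, archive []byte) (*Backup, error) {
	kiv := make([]byte, 24+des.BlockSize) // 24 key bytes (3DES keying option 1) + 8-byte IV
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	key, iv := kiv[:24], kiv[24:]
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(archive))
	cipher.NewCTR(blk, iv).XORKeyStream(ct, archive) // CTR mode is an assumption too
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptArchive is the restore path of section 4.6.7: the RSA private key
// unwraps the instance key, which then decrypts the archive.
func DecryptArchive(priv *rsa.PrivateKey, b *Backup) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCTR(blk, b.IV).XORKeyStream(pt, b.Ciphertext)
	return pt, nil
}
```

Neither the scheme as described nor this example authenticates the archive, so the "protection against modification" claimed in 4.6.3 rests on the offsite physical controls rather than on the cryptography; a MAC or an AEAD mode would be needed to detect tampering with the ciphertext.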


5.1.5 Media Storage

The encrypted backup media of the RCA are stored in an offsite physically secure and trustworthy location.

The backup media of the RCA are stored in an offsite physically secure and trustworthy location.


5.1.7 Offsite Backup

In the event of a system failure there are sufficient backups that can be used to restore the RCA system. These backups are made immediately after every subordinate CA key signing ceremony or other modifications to the RCA using the vtBackup utility. The three most recent full backups are stored at a secure offsite location which can only be accessed by authorized personnel.

In the event of a system failure there are sufficient backups that can be used to restore the RCA system. Full monthly, weekly differential, and daily incremental backups are created during normal daily scheduled backups by the Information Systems and Computing network backup service. The backup media of the RCA are stored in an offsite physically secure and trustworthy location.

5.2.1.1 Certification Authority Administrator

The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President for Information Technology. The CAA's responsibilities are:
• certificate generation and revocation
• CRL generation
• certificate profile, certificate template, and audit parameter configuration
• administration of the RCA Hardware Security Module

The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President for Information Technology. Primarily, a CAA's responsibilities are:
• Configuration of certificate profiles, certificate templates, and audit parameters
• Development of VTCA key generation and backup procedures
• Assignment of VTCA security privileges and user access controls
• Installation and configuration of new CA software releases
• Startup and shutdown of the VTCA


7.1 CERTIFICATE PROFILE

The certificate profiles for the RCA and the subordinate CA certificates issued by the RCA are published at http://www.pki.vt.edu/vtroot/cps/.

The certificate profiles for the RCA and the subordinate CA certificates issued by the RCA are published at http://www.pki.vt.edu/rootca/cps/.


4 Comments

  1. Frank Galligan

    Section 4.5.5 Security Audit Data Backup Procedures. There is no longer a need for offline backups for the RCA using the Storix backup facility. The RCA EJBCA application software resides on a server which is backed up by the online CC network backup facility. When there is a need to start up the RCA server, the host which it resides on is brought offline.

  2. Mary Dunker

    These suggested changes look good to me.

  3. Mary Dunker

    Section 5.2.1.1: Include a space between, "for" and "Information".

  4. William Dougherty II

    Section 5.1.7. There is no such entity as "Information Systems and Computing." If you're referring to the group that performs backups for the main IT systems, that would be the "Storage Management Team of the Systems Support Dept."