1. INTRODUCTION

This document is written according to the structure suggested by the IETF RFC 3647 and superceedes the earlier version written according to the structure suggested by the RFC 2527. The Public Key Infrastructure (PKI) used for the implementation of the policy described by this CP/CPS document is derived from the requirements and recommendations of RFC 3289 (obsoleting RFC 2459) and is designed to be in accordance with IGTF Classic X.509 CAs with secured infrastructure profile.

1.1 Overview

SiGNET CA functions as part of the Experimental Particle Physics Department (F9-IJS) of the "Jozef Stefan" Institute in Ljubljana, Slovenia (IJS), the leading Slovenian non-profit research organization.

SiGNET CA is the top level Certification Authority for Slovenia. SiGNET CA provides public key infrastructure (PKI) to Slovenian research and educational organisations and users, and Slovenian participants in grid projects and EGEE collaboration.

This document describes the set of rules, operational procedures and obligations for the issuance and management of certificates used by the Slovenian Grid Network Certification Authority (SiGNET CA).

1.2 Document Name and Identification

Document title

Slovenian Grid Network Certification Authority Certificate Policy and Certification Policy Statement

Short title

SiGNET CA CP/CPS

Document version

Document version 1.1

Document date

12 May 2008

Document validity

Valid until further notice.

ASN.1 Object Identifier for Document (OID)

1.3.6.1.4.1.15312.3.1.1.1

OID structure:

IANA

1.3.6.1.4.1

IJS

.15312

SiGNET CA

.3

CP/CPS

.1

Major Version

.1

Minor Version

.1

1.3 PKI participants

1.3.1 Certification Authorities

SiGNET certificates are signed by SiGNET CA. SiGNET CA does not issue certificates to subordinate certification authorities.

SiGNET CA certificate is signed by itself.

1.3.2 Registration Authorities

SiGNET CA manages the functions of its Registration Authority.

Additional registration authorities may be created by SiGNET CA as required. Such trusted intermediaries are formally assigned by SiGNET CA and their identities and contact details are published in an on-line accessible repository at the following URL: http://signet-ca.ijs.si/signet-ralist.txt.

RAs must sign an agreement with SiGNET CA, stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS.

1.3.3 Subscribers (End Entities)

SiGNET CA will issue certificates to entities formally based or having offices in Slovenia, or participating in projects based in Slovenia, and are intended for cross-organisational sharing of resources in the fields of research and/or education.

Certificates can be issued to persons and computer entities (services or hosts). Organisations employing the person or owning the computer entity are not the end entities themselves.

1.3.4 Relying Parties

Relying parties may be:

1.3.5 Other Participants

No stipulation.

1.4 Certificate Usage

1.4.1 Appropriate Certificate Uses

Certificates issued are of the following types:

(a) personal certificates:

authorised for document-signing, personal authentication, and encryption of communications

(b) host certificates:

authorised for object-signing, host authentication, and encryption of communications

(c) service certificates:

authorised for object-signing, service authentication, and encryption of communications

1.4.1 Prohibited Certificate Uses

The certificates issued by SiGNET CA may not be used for financial transactions or for any commercial usage, including gifts.

1.5 Policy Administration

1.5.1 Organisation Administering the Document

SiGNET CA is responsible for the registration, maintenance, and interpretation of this CP/CPS. SiGNET CA is managed by the F9 - Experimental Particle Physics Department of the "Jozef Stefan" Institute in Ljubljana, Slovenia.

F9 IJS general web address is: http://www-f9.ijs.si/.

SiGNET CA general web address is: http://signet-ca.ijs.si/.

SiGNET CA policy documents are at: http://signet-ca.ijs.si/policy/.

SiGNET CA Certificate Repository is at: http://signet-ca.ijs.si/cert/.

SiGNET CA CRL Repository is at: http://signet-ca.ijs.si/crl/.

SiGNET CA address for operational issues is:

 SiGNET CA
 F9 Experimental Particle Physics Department
 "Jozef Stefan" Institute
 Jamova 39
 P.O. BOX 3000
 SI-1001 Ljubljana
 Slovenia
 email: signet-ca@ijs.si
 phone: +386 1 477 3742
 fax:   +386 1 425 7074

1.5.2 Contact Person

The contact person for questions related with this document is:

 Jan Jona Javorsek
 F9 Experimental Particle Physics Department
 "Jozef Stefan" Institute
 Jamova 39
 P.O. BOX 3000
 SI-1001 Ljubljana
 Slovenia
 email: jona.javorsek@ijs.si
 phone: +386 1 477 3742
 fax:   +386 1 425 7074

The contact persons for questions related with SiGNET CA operations are the previous defined contact person and:

 Borut Kersevan
 F9 Experimental Particle Physics Department
 "Jozef Stefan" Institute
 Jamova 39
 P.O. BOX 3000
 SI-1001 Ljubljana
 Slovenia
 email: borut.kersevan@ijs.si
 phone: +386 1 477 3454
 fax:   +386 1 425 7074

1.5.3 Person Determining CPS Suitability for the Policy

The second person named under section 1.5.2.

1.5.4 CPS Approval Procedures

SiGNET CA CP/CPS changes are prepared and revised by SiGNET CA management. The approved document is to be submitted to EUGridPMA for revision of compliance with IGTF Classic X.509 CAs with secured infrastructure profile and acceptance in European e-Science projects.

1.6 Definitions and Acronyms

The following definitions and associated abbreviations are used in this document.

Activation data

Data values, other than keys, that are required to operate cryptographic modules and that need to be protected (e.g., a PIN, a passphrase, or a manually-held key share).

CERN

Organisation Européene pour la recherce nuclèaire, the European Organisation for Nuclear Research, an intergovernmental organisation having its seat in Geneva, Switzerland.

Certificate

Synonymous with Public Key Certificate.

Certification Authority (CA)

An entity trusted by one or more users to create and assign public key certificates and be responsible for them during their whole lifetime.

Certificate Policy (CP)

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.

Certification Authority Request Gateway (CA-GATE)

A computer configured with appropriate software to support the procedures described in this CPS.

Certification Practice Statement (CPS)

A statement of the practices which a certification authority employs in issuing certificates.

Certificate Revocation List (CRL)

A time stamped list identifying revoked certificates which is signed by a CA and made freely available in a public repository.

F9-IJS

Experimental Particle Physics Department of the "Jozef Stefan" Institute in Ljubljana, Slovenia. F9-IJS is leading SiGNET and actively participating in grid infrastructure deployment in Slovenia. (More info on F9-IJS: http://www-f9.ijs.si/.)

Fully Qualified Domain Name (FQDN)

A fully qualified domain name consists of a host name and all domain names up to and including the top-level domain. FQDN is sufficient for unique identification of a host (multihomed IP non withstanding) or service.

IJS, "Jozef Stefan" Institute in Ljubljana

"Jozef Stefan" Institute in Ljubljana, Slovenia (IJS), is the leading Slovenian research organisation. This non-profit organisation is responsible for a broad spectrum of basic and applied research in the fields of natural sciences and technology. (More info on IJS: http://www.ijs.si/.)

Issuing Certification Authority (Issuing CA)

In the context of a particular certificate, the issuing CA is the CA that issued the certificate.

Public Key Certificate

A data structure containing the public key of an end entity and some other information, which is digitally signed with the private key of the CA which issued it.

Public Key Infrastructure (PKI)

Organisations, policies and computing facilities required for operating a public key security, encryption and authentication scheme.

Policy Qualifier

Policy-dependent information that accompanies a certificate policy identifier in an X.509 certificate.

Registration Authority (RA)

An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA).

Relying party

A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably.

Repository

A storage area, usually online, which contains published materials, such as lists of issued certificates, CRLs, policy documents, etc.

Set of Provisions

A collection of practice and/or policy statements, spanning a range of standard topics, for use in expressing a certificate policy definition or CPS employing the approach described in this framework.

Slovenian Grid Network (SiGNET)

Slovenian Grid Network is the root organisation providing grid and computational network services to Slovenian scientific, educational and research communities.

Slovenian Grid Network Certification Authority (SiGNET CA)

SiGNET CA is the top level Certification Authority for Slovenia. SiGNET CA provides public key infrastructure (PKI) to Slovenian research and educational organisations and users, and Slovenian participants in grid projects and EGEE collaboration. (More info on SiGNET CA: http://signet-ca.ijs.si/.)

Subject certification authority (subject CA)

In the context of a particular CA-certificate, the subject CA is the CA whose public key is certified in the certificate (see also Issuing certification authority).

Within this document the words must, must not, required, shall, shall not, should, should not, recommended, may, optional are to be interpreted as in RFC 2119.

Any other terms are to be understood as defined in RFC 3647.

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories

SiGNET CA will manage an online repository with unlimited access on its public web server at the following URL: http://signet-ca.ijs.si/.

The repository is operated at a best-effort basis, where the intended availability is continuous.

2.2 Publication of Certification Information

SiGNET CA will publish the following information with no access restrictions:

  1. SiGNET CA's root certificate and public key and all previous SiGNET CA root certificates and keys needed to check still valid certificates;

  2. A Certificate Revocation List of SiGNET CA issued certificates signed by SiGNET CA;

  3. All past and current versions of this document;

  4. Other relevant information, including any relevant subscriber and relying party documentation as per SiGNET CA management discretion.

Information that can be published is limited by provisions in section 9.4.

2.3 Time or Frequency of Publication

SiGNET CA will publish all up-to-date documents on best effort basis.

CRLs will be issued and published after every certificate revocation or at least 7 days before the current CRL expires. The usual validity of a CRL is 30 days.

New versions of CP-CPS will be published as soon as they have been approved.

2.4 Access Controls on Repositories

SiGNET CA imposes no access control on its Policy, its Certificate and CRLs.

SiGNET Grid CA may at any time impose a more restricted access control policy to the repository at its discretion.

SiGNET CA public web site, online repository and certificate request submission web interface are operated at a best-effort basis, where the intended availability is continuous.

3. IDENTIFICATION AND AUTHENTICATION

3.1 Naming

3.1.1 Types of Names

The names used in certificate Subject Name and issuer name shall be in the form of full X.501 distinguished names (DN).

Name forms are further defined in section 7.1.5.

Any name under this CP/CPS starts with C=SI, O=SiGNET. If the subject is part of an organisation, an O=organisation. An optional OU=organisational_unit must be appended if the organisation consists of multiple administrative divisions. (Changes in division name that do not change the organisational layout of an organisation do not constitute a reason to invalidate the current unit name.) The last part is the CN, which takes one of the following forms:

For a Person:

CN is the full name of the subject.The name must include at least one given name in full and the full surname. Only ASCII alphanumeric letters, space and dash may be used.

Example of a full subject name for a person from IJS:

 C=SI, O=SiGNET, O=IJS, OU=F9 CN=Janez Kranjski

A change in the name of the person does not invalidate the certificate and does not necessitate immediate change of the distinguished name.

For a Host:

CN is the host fully qualified domain name DNS name (FQDN). In case the host entity is not an internetwork entity or no such FQDN is assigned for other reasons, the entity is not eligible for certification under this policy.

FQDN domains may be different from organisation and organisational_unit fields since assigned FQDN does not always follow the structural layout of an organisation or network.

Example of a full subject name for a server:

 C=SI, O=SiGNET, O=IJS, OU=F9, CN=host.ijs.si
For a Service:

CN is constructed in the same way and under the same conditions as for hosts, but with a service identifier related to the service appended to the front.

Example of a full subject name for a service:

 C=SI, O=SiGNET, O=IJS, OU=F9, CN=ldap/host.ijs.si

### If technical reasons prohibit the above form of name for a service in a certificates bound to network entities, a FQDN shall be included as a dnsName in the SubjectAlternativeName certificate extension.

3.1.2 Need for Names to Be Meaningful

The subject name in a certificate must have a reasonable association with the authenticated name of the subscriber.

The common name CN in the certificate subject name must be obtainable from the real subject name. For persons it must be obtainable from a name of the person. For host certificates, the CN must be formed from the registered fully qualified domain name (DNS FQDN). For a service certificate, the CN must be related to the type of service the certificate is identifying.

The Organisation Name in the certificate subject name must be one of the organisations involved in SiGNET activities. Current list of values available for Organisation Names in the in the certificate subject name can be obtained from the URL mentioned in section 1.3.2.

3.1.3 Anonymity or Pseudonymity of Subscribers

No personal certificates shall be issued to roles or functions, only to named and identified persons.

3.1.4 Rules for Interpreting Various Name Forms

See section 3.1.1.

3.1.5 Uniqueness of Names

The distinguished name for each certificate must be unique. In case of real subject name duplication, additional numbers and/or letters will be appended to the distinguished name to guarantee uniqueness.

Certificates must apply to unique individuals or resources. Users must not share certificates.

Name claim disputes are resolved by discretion of the first person named under section 1.5.2.

3.1.6 Recognition, Authentication and Role of Trademarks

No stipulation.

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

The possession of the private key by the requestor is considered proven when the signature of the certifucate signing request (CSR) is verified using the public key present in the request.

3.2.2 Authentication of Organisation Identity

No certificates are issued directly to organisations. Certificate requests for entities such as hosts and services must be made by a secure online submission to SiGNET CA Public Server, signed with a valid personal SiGNET certificate. Alternatively, an e-mail message signed with a valid personal personal SiGNET certificate may be used.

3.2.3 Authentication of Individual Identity

A user requesting a certificate must meet in person with the RA and show a legaly valid Slovenian photo ID or acceptable foreign photo ID recognised in Slovenia, such as a passport.

If the identification document is valid and the photo image corresponds to the bearer, the RA shall consider that the user is correctly identified.

The RA must forward a photocopy of the document for safekeeping by the CA.

Additionally, the RA may consider that the user is correctly identified if the RA has previously identified the user using the procedure described above and the user can prove possession of his/her secret key of an existing certificate issued by SiGNET CA. In this case the RA must check by telephone or personal conversation that the request originated at the known user.

If authentication is not completed within fifteen days of receipt of the certificate request by the RA, the request will be deemed to have expired. The process of submitting a certificate request and complying with the authentication procedure as per sections 3.2.2 and 3.2.3 shall have to be repeated.

3.2.4 Non-Verified Subscriber Information.

No stipulation.

3.2.5 Validation of Authority

SiGNET CA may take steps to ascertain that the user is indeed entitled to represent the organisation or entity which has the rights over the host or service on behalf of which the certificate request has been made.

If the name of an organisation is requested to be part of a subject name, SiGNET CA may take steps to ascertain that the organisation consents to such use.

In the certificate request, the generic e-mail for the host or service must be specified in the Certificate data part and the e-mail of the user requesting the certificate in the User data.

3.2.6 Criteria for Interoperability

No stipulation.

3.3 Indentification and Authentication for Re-Key Requests

3.3.1 Indentification and Authentication for Routine Re-Key

Rekeying of certificates will follow the same procedure as an initial registration.

Additionally, rekeying of certificates of persons before certificate expiration can be requested by submitting a rekey request to the SiGNET CA Public Server, signed by the subscriber's current personal SiGNET CA certificate with the old key.

3.3.2 Identification and Authentication for Re-Key After Revocation

A public key whose certificate has been revoked shall not be re-certified.

Rekey of certificates after revocation follows the same rules as an initial registration.

3.4 Identification and Authentication for Revocation Request

Unless SiGNET CA can independently verify that a key compromise has occurred, a revocation request must be authenticated before being accepted. Anyone can make certificate revocation requests by sending email to the CA. However, the CA will not revoke a certificate unless the request is authenticated, or it can be verified independently that there is reason to revoke the certificate. See section 4.9.

Authenticated certificate revocation requests may be made by

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1 Certificate Application

4.1.1 Who Can Submit a Certificate Applicaton

SiGNET CA issues certificates only to users who are members or associates of eligible projects or organizations or can demonstrate their connection with eligible projects or organisations.

Eligible are exclusively Slovenian scientific, educational and research organizations and projects.

Additionally, the user has to be either a Slovenian resident, possibly temporary, or Slovenian citizen, with the exception of users connected with eligible organizations or projects who have no accepted grid or scientific CA in thier country of origin and residence.

SiGNET CA issues host and service sertificates only for hosts and services administered by an eligible user, project or organization.

4.1.2 Enrollment Process and Responsibilities

Any certificate application request to SiGNET must follow the following provisions:

Maximal lifetime of a certificate is one year. The default validity period is one year.

Certificate requests are made via SiGNET CA's public web interface at http://signet-ca.ijs.si/. Alternatively, if the web interface can not be used, certificate requests can be made via e-mail with the attached public key in PEM-format at signet-ca.user@ijs.si.

Certificate requests are submitted also through any additional approved RA's as per section 1.3.2.

4.2 Certificate Application Processing

Each SiGNET RA must sign an agreement to adhere to the procedures described in this document.

4.2.1 Performing Identification and Authentication Functions

Each SiGNET RA shall authenticate entities requesting a certificate according to the procedures outlined in section 3.2.

4.2.2 Approval or Rejection of Certificate Applications

Each SiGNET RA shall:

  1. Approve certificate requests according to the procedures outlined in this document;

  2. Validate the connection between a public key and the requester identity including a suitable proof of possession method;

  3. Confirm such validation to the CA;

  4. Send the approved certificate requests to SiGNET CA;

  5. Check that the subscriber knows and agrees to subscriber obligations concerning safeguarding their private key - for a personal key, this means that the key is protected by a pass-phrase of length of at least 15 characters in length; for a server key it means that the key is at least readable only by root or a restricted user account;

  6. Check that the information provided in the certificate request is correct and check that the email address provided by the subscriber is correct;

  7. Approve revocation requests according to the procedures outlined in this document;

  8. Send the approved revocation requests to SiGNET CA;

  9. Sign each request before sending it to SiGNET CA;

  10. Request revocation of a certificate in the event that it becomes aware of circumstances justifying such revocation;

  11. inform the CA and request the revocation of the RA's certificate if the RA's private key is destroyed, lost, compromised or suspected to be compromised;

  12. Log all transactions and requests;

  13. Follow the policies and procedures described in this document.

4.4.3 Time to Process Certificate Applications

Each SiGNET RA should respond to a certification request in three working days.

Additional time constraints are as specified in section 3.2.3.

4.3 Certificate Issuance

The first step in the issuance process is the approval of the request by an RA (including SiGNET CA's own RA). The following requirements must be fulfilled:

If all the above requirements are fulfilled, then RA approves the request and passes on the request to the CA for issuance of a certificate.

The subject will be notified by e-mail. If the subject is a person, the e-mail will be sent to the address accompanying the request. Otherwise the e-mail will be sent to the address specified in the request. In the case of rejection, the e-mail will state the reason.

If the e-mail fails to be delivered in a period of 5 days, the certificate is revoked without further notice.

Once a certificate request has been approved by the RA, the certificate is normally issued by the CA within seven working days.

SiGNET CA is solely responsible for the issuance and management of certificates referencing this document.

As the issuer of SiGNET CA certificates, SiGNET CA accepts a number of obligations. SiGNET CA shall:

  1. Ensure that all services, operations and infrastructure conform to this CP/CPS at all times;

  2. Handle certificate requests and issue new certificates:

  3. Handle certificate revocation requests and certificate revocation:

4.4 Certificate Acceptance

No stipulation.

4.4.1 Conduct Constituting Certificate Acceptance

### Upon receiveing the certificate notification e-mail, visiting SiGNET CA online repository and retreiving the certificate, the subscriber has 5 working days to establish certificate usability. Unless the subscriber rejects the certificate in 5 working days, said certificate is considered accepted by the subscriber.

4.4.2 Publication of the Certificate by the CA

### SiGNET CA will make the issued certificate available in its online repository.

4.4.3 Notification of Certificate Issuance by the CA to Other Entities.

### SiGNET CA will notify the subscriber when a new certifcte is issued.

4.5 Key Pair and Certificate Usage

4.5.1 Subscriber Private Key and Certificate Usage

### Certificates issued by SiGNET CA and their associated private keys must be used exclusively in accordance with permissions and prohibitions stated in section 1.4.

Revoked and expired certificates and their key must not be used.

4.5.2 Relying Party Public Key and Certificate Usage

### The relying party must, upon being presented with a certificate issued by SiGNET CA:

4.9 Certificate Revocation and Suspension

4.9.1 Circumstances for Revocation

A certificate will be revoked when the information it contains is suspected to be incorrect or compromised. This includes situations where:

  1. The subscriber's private key is lost, destroyed or suspected to be compromised;

  2. The information in the subscriber's certificate is suspected or confirmed to be inaccurate;

  3. The subscriber no longer needs the certificate to access Relying Parties' resources;

  4. The subscriber no longer fulfills the conditions for participation in SiGNET;

  5. The subscriber violated his/her obligations;

  6. The system or service to which the certificate has been issued has been retired.

In addition, the CA will revoke all certificates in the event that its key has been compromised (as per section 5.7.3) or in the event that the CA has been terminated (as per section 5.8).

4.9.2 Who Can Request Revocation

A certificate revocation can be requested by the holder of the certificate to be revoked or by any other entity presenting proof of knowledge of circumstances for revocation, as described in section 4.9.1.

4.9.3 Procedure for Revocation Request

The entity requesting the revocation must send the revocation request with an authenticated deposition via the public web interface at SiGNET or by a signed e-mail to SiGNET CA or a SiGNET RA. If this is not possible the CA/RA must be contacted directly. Authentication can be performed as per section 3.2.3.

In both cases above, the requesting entity must specify the reason for the revocation request and provide evidence of circumstances as described in section 4.9.1.

4.9.4 Revocation Request Grace Period

There will be no grace period associated with certificate revocation.

4.9.5 Time Within which CA Must Process the Revocation Request

SiGNET CA handles revocation requests with priority and a certificate will be revoked as soon as possible after circumstances for revocation, as described in section 4.9.1, are established.

4.9.6 Revocation Checking Requirement for Relying Parties

Before use of a certificate, a relying party must validate it against the most recently issued CRL.

4.9.7 CRL Issuance Frequency

CRLs will be issued and published after every certificate revocation or at least 7 days before the current CRL expires. The usual validity of a CRL is 30 days, as stated in 2.3 Time or Frequency of Publication.

4.9.8 Maximum Latency for CRLs

No stipulation.

3.9.9 On-Line Revocation/Status Checking Availability

### SiGNET CA may provide additional mechanisms for revocation/status checking, such as an OCSP server or a web service.

3.9.10 On-Line Revocation Checking Requirements

### If an on-line revocation/status mechanism is provided, relying parties may use it instead or in addition to the published CRL, where the newest information has precedence.

3.9.11 Other Forms of Revocation Advetisments Available

No stipulation.

3.9.12 Special Requrementes Re-Key Compromise

No stipulation.

4.9.13 Circumstances for Suspension

There is no provision for certificate suspension.

4.9.14 Who can Request Suspension

No stipulation.

4.9.15 Procedure for Suspension Request

No stipulation.

4.9.16 Limits on Suspension Period

No stipulation.

### do something with this sections:

4.10 Certificate Status Services

### SiGNET CA provides a CRL for certificate validity checking.

4.10.1 Operational Characteristics

### SiGNET CA certificate validity checking service and its usage is further described in section 4.9.

4.10.2 Service Availability

### SiGNET CA certificate validity services are provided on best effort basis only, with the intention of providing continous service.

4.10.3 Optional Features

SiGNET CA my provide an OCSP responder service in addition to CRL service.

4.12 Key Escrow and Recovery

No stipulation. See 6.2.3 Private Key Escrow.

4.12.1 Key Escrow and Recovery Poliy and Practices

No stipulation.

4.12.2 Session Key Encapsulation and Recovery Policy and Practices

No stipulation.

5. FACILITY, MANAGEMEND AND OPERATIONAL CONTROLS

5.1 Physical Controls

5.1.1 Site Location and Construction

SiGNET CA operates in the computer centre of the F9 department at IJS, building C. The access to the building and the computer centre room is controlled.

5.1.2 Physical Access

The private keys of the SiGNET CA are only available in encrypted format on media in a secure location. Physical access to the hardware is restricted to personnel authorised to operate SiGNET CA.

5.1.3 Power and Air Conditioning

The computer centre room is environmentally controlled, has suitable air conditioning system and the repository machines are connected to an UPS system and any available building backup power.

5.1.4 Water Exposures

No stipulation.

5.1.5 Fire Prevention and Protection

No stipulation.

5.1.6 Media Storage

SiGNET CA key and back-up copies of SiGNET CA related data are kept on several removable storage media in a secure location. Backups are kept in an off-site secure location.

5.1.7 Waste Disposal

Waste carrying potential confidential information, such as old media and storage devices, are physically destroyed before being trashed.

5.1.8 Off-Site Backup

Off-site backup is stored at a dislocated room with physically restricted access.

5.2 Procedural Controls

5.2.1 Trusted Roles

No stipulation.

5.2.2 Number of Persons Required per Task

No stipulation.

5.2.3 Identification and Authentication for Each Role

No stipulation.

5.2.4 Roles Requiring Separation of Duties

No stipulation.

5.3 Personnel Controls

5.3.1 Qualifications, Experience, and Clearance Requirements

SiGNET CA personnel must be staff members of the F9 IJS, Experimental Particle Physics Department of the "Jozef Stefan" Institute in Ljubljana, Slovenia.

SiGNET CA personnel must pass F9 IJS computer room clearance.

SiGNET CA personnel must be appointed by the manager of F9 IJS who can revoke the appointment at his/hers discretion any time without any notice.

SiGNET CA should perform operational audits of the CA/RA staff at least once per year.

A list of SiGNET CA and all RA personnel should be maintained and verified at least once per year.

5.3.2 Background Check Procedures

No stipulation.

5.3.3 Training Requirements

No stipulation.

5.3.4 Retraining Frequency and Requirements

No stipulation.

5.3.5 Job Rotation Frequency and Sequence

No stipulation.

5.3.6 Sanctions for Unauthorised Actions

No stipulation.

5.3.7 Independent Contractor Requirements

No stipulation.

5.3.8 Documentation supplied to personnel

No stipulation.

5.4 Audit Logging Procedures

5.4.1 Types of Events Recorded

The following events are recorded and audited:

5.4.2 Frequency of Processing Log

Audit logs will be analysed at least once per month.

5.4.3 Retention Period for Audit Log

Logs will be kept for a minimum of 3 years.

5.4.4 Protection of Audit Log

Only authorised CA personnel and authorised external auditors are allowed to view and process audit logs. Audit logs are copied to an off-line non-magnetic medium.

5.4.5 Audit Log Backup Procedures

Audit logs backups are copied to an off-line medium, which is stored at a dislocated room with physically restricted access.

5.4.6 Audit Collection System (Internal vs. External)

The audit log collection system is internal to SiGNET CA.

5.4.7 Notification to Event-Causing Subject

No stipulation.

5.4.8 Vulnerability Assessments

No stipulation.

5.5 Records Archival

5.5.1 Types of Records Archived

The following events are recorded and archived:

  1. Certification requests;

  2. Approved Certification requests;

  3. Issued certificates;

  4. Requests for revocation;

  5. Issued CRLs;

  6. System logs for startups and shutdowns of the CA equipment;

  7. System logs for interactive system logins at the CA equipment.

  8. All e-mail messages received by SiGNET CA;

  9. All e-mail messages sent by SiGNET CA.

5.5.2 Retention Period for Archive

Logs will be kept for a minimum of 3 years.

5.5.3 Protection of Archive

Only authorised CA personnel and authorised external auditors are allowed to view and process audit logs. Audit logs are copied to an off-line medium.

5.5.4 Archive Backup Procedures

Audit log backups are copied to an off-line medium, which is stored at a dislocated room with physically restricted access.

5.5.5 Requirements for Time-Stamping of Records

No stipulation.

5.5.6 Archive Collection System (Internal or External)

The archive collection system is internal to SiGNET CA.

5.5.7 Procedures to Obtain and Verify Archive Information

No stipulation.

5.6 Key Changeover

The private signing key for SiGNET CA is changed periodically. To avoid interruption of validity of subordinate keys the new SiGNET CA private key should be generated one year before the expiration of the old key. From that point on new certificates are signed by the newly generated signing key. The new SiGNET CA public key is posted in the on-line repository.

5.7 Compromise and Disaster Recovery

5.7.1 Incident and Comprimise Handling Procedures

No stipulation.

5.7.2 Computing Resources, Software, and/or Data are Corrupted

If the CA equipment is damaged or rendered inoperative, but the CA private key is not destroyed, CA operation will be reestablished as quickly as possible. If the private key is destroyed the case will be treated as in section 5.7.3.

5.7.3 Entity Private Key Compromise Procedures

If the CA's private key is destroyed, lost, compromised or suspected to be compromised, or if the entities key is revoked, the CA will:

In the case of such a CA key compromise, new certificates will be issued only in accordance with the entity identification procedures defined for initial registration in section 3.

If an RA's private key is compromised or suspected to be compromised, the RA will inform the CA and request the revocation of the RA's certificate.

If an entity private key is compromised or suspected to be compromised, the entity or its administrator must request a revocation of the certificate and make all reasonable efforts to inform any known relying parties.

5.7.4 Buisiness Continuity Capabilities after a Disaster

In the case of a disaster whereby the CA installation is physically damaged and all copies of the CA signature key are destroyed as a result, SiGNET CA will take whatever action it deems appropriate.

5.8 CA or RA Termination

Before SiGNET CA terminates its services, SiGNET CA shall:

6. TECHNICAL SECURITY CONTROLS

6.1 Key Pair Generation and Installation

6.1.1 Key Pair Generation

Each subscriber must generate his/her own key pair. SiGNET CA does not generate private keys for subjects. The private key should not be known by other than the authorised user of the key pair.

Applicants are recommended to use tools available from SiGNET CA public web server to create their key pair as part of the request generation process. If key pairs are generated by some other means the applicant must ensure that key lengths conform to those given in section 6.1.5.

Key pairs for the SiGNET CA are generated exclusively by SiGNET CA staff members on a dedicated, disconnected system, using a recent, trustworthy version of required operating system software and software package.

6.1.2 Private Key Delivery to Subscriber

Each applicant must generate their own key pair.

6.1.3 Public Key Delivery to Certificate Issuer

Applicants public keys are delivered to the issuing CA by the HTTP protocol via the CA's public web interface.

Alternatively, applicants public keys are delivered to the RA or directly to SiGNET CA in in PEM-format in an email containing the certificate request. The RA must send the public key to SiGNET CA in an email signed by the RA.

6.1.4 CA Public Key Delivery to Relaying Parties

SiGNET CA certificate and public key can be downloaded from SiGNET CA public repository at the following URL: http://signet.ijs.si/pub/.

6.1.5 Key Sizes

6.1.6 Public Key Parameters Generation

No stipulation.

6.1.7 Key Usage Purposes (as per X.509 v3 key usage field)

Keys may be used for authentication, data enchipherment, message integrity and session key establishment. The SiGNET CA private key is the only key that can be used for signing SiGNET certificates and CRLs.

For the certificates issued by SiGNET CA under this policy, keyUsage field must be used in accordance with RFC 2459. The keyUsage extension is defined in subsection 7.1.2.

6.2 Private Key Protection and Cryptographic Mudule Engineering

6.2.1 Cryptographic Module Standards and Controls

No stipulation. ### should expand?

6.2.2 Private Key (n out of m) Multi-Person Control

No stipulation.

6.2.3 Private Key Escrow

SiGNET CA keys are not given in escrow. SiGNET CA is not available for accepting escrow copies of keys of other parties.

6.2.4 Private Key Backup

SiGNET CA private key is kept encrypted in multiple copies on removable devices media in safe places, including off-site storage. The passphrase is in a sealed envelope kept in a safe.

Subscribers are responsible for the backup of their encrypted private keys.

6.2.5 Private Key Archival

See section 6.2.4.

6.2.6 Private Key Transfer into or from a Cryptographic Module

No stipulation.

6.2.7 Private Key Storage on Cryptographic Module

No stipulation.

6.2.8 Method of Activating Private key

The activation of the CA private key is done by providing the passphrase.

6.2.9 Method of Deactivating Private Key

No stipulation.

6.2.10 Method of Destroying Private Key

After termination of the CA and after the archival period for archives has expired, all media that contain the private key of the CA (including those specified in section 6.2.4) will be securely and permanently destroyed, according to then best current practice.

6.2.11 Cryptographic Module Rating

No stipulation.

6.3 Other Aspects of Key Pair Management

6.3.1 Public key archival

The public key is archived as part of the certificate archival.

6.3.2 Certificate Operational Periods and Key Usage Periods

SiGNET CA root certificates have a validity of five years. For other entity certificates, the maximum validity period for a certificate is one year.

There is no stipulation as to the validity of the generated key pair.

6.4 Activation Data

6.4.1 Activation Data Generation and Installation

SiGNET CA private key is protected by a passphrase with a minimum length of 15 characters. All passphrases used by the SiGENT CA have a length of at least 15 characters, consist of both letters, numbers and signs and does not contain consecutive or repetitive keystrokes.

6.4.2 Activation Data Protection

A copy of the passphrase is kept in a safe. The passphrase is known to current staff members of SiGNET CA on a need to know basis. Change of staff will imply a change in the passphrases.

6.4.3 Other Aspects of Activation Data

No stipulation.

6.5 Computer Security Controls

6.5.1 Specific Computer Security Technical Requirements

6.5.2 Computer Security Rating

No stipulation.

6.6 Life Cycle Technical Controls

6.6.1 System Development Controls

No stipulation.

6.6.2 Security Management Controls

No stipulation.

6.6.3 Life Cycle Security Ratings

No stipulation.

6.7 Network Security Controls

6.8 Time stamping

No stipulation.

7. CERTIFICATE, CRL AND OCSP PROFILES

7.1 Certificate Profile

All certificates issued by SiGNET CA conform to the Internet PKI profille (PKIX) for X.509 certificates as defined by RFC 3280.

7.1.1 Version Number(s)

X.509 v3 (0x2).

All certificates that reference this CPS will include a reference to the AIN.1 O.I.D. of this document as per section 1.2 within the appropriate field.

7.1.2 Certificate Extensions

The following extensions are set in user certificates:

The following extensions are set in host certificates:

The following extensions are set in the SiGNET CA self-signed certificate:

The following extensions are set in SiGNET CA's OCSP certificates (if used):

7.1.3 Algorithm Object Identifiers

No stipulation.

7.1.4 Name forms

See section 3.1.1.

7.1.5 Name Constraints

countryName

must be SI.

organisationName

must be SiGNET.

organisationName(2)

If set, must be the Slovenian scientific or educational organisation involved in SiGNET activities. Current list of values available for organisationalUnitName can be obtained at the location specified in section 1.3.2.

commonName

must be name and surname or FQDN of the subject.

See also sections 3.1.2, 3.1.4 and 3.1.5.

7.1.6 Certificate Policy Object Identifier

SiGNET Grid CA identifies this policy with the object identifier (OID) as specified in section 1.2.

7.1.7 Usage of Policy Constraints extension

No stipulation.

7.1.8 Policy Qualifiers Syntax and Semantics

No stipulation.

7.1.9 Processing Semantics for the Critical Certificate Policy extension

No stipulation.

7.2 CRL profile

7.2.1 Version Number(s)

X.509 v2 (0x1).

7.2.2 CRL and CRL Entry Extensions

No stipulation.

7.3 OCSP Profile

Note that OCSP service in SiGNET CA is optional.

7.3.1 Version Number(s)

OCSP profile v1 (0x0).

7.3.2 OCSP Extensions

No stipulation.

8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS

8.1 Frequency and Circumstances of Assessment

No external audit will be required, only a self-assessment by the SiGNET CA that its operation is according to this document.

SiGNET CA will perform the self-assessment at least once a year.

Requests for external audit from other trusted CA may be considered at the discretion of IJS with the consideration that all costs and accommodations associated with such an audit will be borne by the requesting party.

8.2 Identity/Qualifications of Assessor

No stipulation.

8.3 Assessor's Relationship to Assessed Party

No stipulation.

8.4 Topics Covered by Assessment

No stipulation.

8.5 Actions Taken as a Result of Deficiency

SiGNET CA will take immediate action if the assessment shows conflicts between the provisions of this CP/CPS document and the actual practice.

If any discovered conflicts show consequences on the reliability of cetrification process, any certificates issued under the influance of the problem shall be revoked imediatelly.

8.6 Communication of Results

SiGNET CA will report assessment results to EU Grid PMA members and relying parties.

9 OTHER BUISINESS AND LEGAL MATTERS

9.1 Fees

No fees are charged for any service provided by SiGNET CA.

9.1.1 Certificate Issuance or Renewal Fees

See section 9.1.

9.1.2 Certificate Access Fees

See section 9.1.

9.1.3 Revocation or Status Information Access Fees

See section 9.1.

9.1.4 Fees for Other Services

See section 9.1.

9.1.5 Refund Policy

See section 9.1.

9.2 Financial Responsibility

No financial responsibility is accepted.

9.2.1 Insurance Coverage

No stipulation.

9.2.2 Other Assets

No stipulation.

9.2.3 Insurance or Warranty Coverage for End-Entities

No stipulation.

9.3 Confidentiality of Business Information

9.3.1 Scope of Confidential Information

No stipulation.

9.3.2 Information not within the Scope of Confidential Information

No stipulation.

9.4 Privacy of Personal Information

9.4.1 Privacy Plan

SiGNET CA collects personal information about the subscribers (e.g. full name, organisation, organisation unit, e-mail address, phone number public key, certificate request file).

These data will be protected according to law of Republic of Slovenia.

By making an application for a certificate a subscriber is deemed to have consented to their personal data being stored and processed, subject to the Personal Data Protection Act of the Republic of Slovenia (ZVOP, 210-01/89-3/20, 1999 art. 3).

The full name is included in the certificate. Any info on organisation and organisational unit is included in the certificate. E-mail address and phone number are not included in the certificate.

9.4.2 Information Treated as Private

Any information about subscriber that is not present in the certificate and CRL is considered private and confidential and will not be released outside of SiGNET CA.

Record of the e-mail messages sent and received by SiGNET CA is considered private and confidential.

Under no circumstances will SiGNET CA have access to the private keys of the subscribers to whom it issues a certificate.

9.4.3 Information not Deemed Private

Data contained in the CRLs and the subscriber certificate shall not be considered private and confidential and will be published in a publicly accessible location.

9.4.4 Responsibility to Protect Private Information

SiGNET CA and its accreddited RA are responsible to protect private information.

Subscribers allow SiGNET CA and its accredited RAs to process and store their private information according to this document with the act of applying for a certificate, in accordance with the Personal Data Protection Act of the Republic of Slovenia (ZVOP, 210-01/89-3/20, 1999 art. 3).

No other use of private information is allowed without specific consent for such specific use from the subscriber. Such consent is not needed for regular operation of the CA and no subscribers can be forced to give such consent to SiGNET CA.

9.4.6 Disclosure Persuant to Judicial or Administrative Process

SiGNET CA will not disclose certificate or any certificate-related information to any third party, aside from information publicly available, except when so required by a legal authority of competent jurisdiction.

9.4.7 Other Information Disclosure Circumstances

In the case of certificate revocation/suspension, SiGNET CA will notify and inform the following entities:

  1. The subject of the personal certificate;

  2. The requester of the host or service certificate;

  3. The IJS Networking Center security officer in case of security compromise.

No information about the reason for a revocation is published.

9.5 Intellectual Property Rights

This document is based on the following sources:

This text may be used by others without prior approval; acknowledgments are welcomed but not required.

Unmodified copies may be published without permission.

SiGNET CA claims no intellectual property rights on issued certificates, certificate revocation lists, practice/policy specifications, names or keys.

9.6 Representations and Warranties

9.6.1 CA Representations and Warranties

  1. SiGNET CA only guarantees to control the identity of the subjects requesting a certificate according to the practices described in this document;

  2. SiGNET CA will not give any guarantees about the security or suitability of the service;

  3. SiGNET CA aims to achieve a reasonable level of security, but its certification services are provided on a best-effort basis only;

9.6.2 RA Representations and Warranties

Section 9.6.1 applies mutatis mutandis to the representatons and warranties of the RA.

It is the RA's responsibility to authenticate the identity of subscribers requesting certificates, according to the practices described in this document. It is the RA's responsibility to request revocation of a certificate if the RA is aware that circumstances for revocation are satisfied.

9.6.3 Subscriber Representations and Warranties

In addition, applicants for SiGNET CA certificates must:

  1. Accept conditions and adhere to the procedures described in this document;

  2. Represent correct information on the certificate application and only such information as he/she is entitled to submit for the purposes of this document.

  3. Authorise the treatment and conservation of personal data;

  4. Generate a key pair using a trustworthy method;

  5. Take reasonable precautions to prevent any loss, disclosure or unauthorised use of the private key associated with the certificate, including

  6. Use the certificate exclusively for authorised and legal purposes, consistent with this document;

  7. Notify SiGNET CA when the certificate is no longer required;

  8. Notify SiGNET CA when the information in the certificate becomes wrong or inaccurate;

  9. Notify SiGNET CA immediately if the private key associated with the certificate is destroyed, lost, compromised or suspected to be compromised;

  10. Notify SiGNET CA when they no longer fulfill the conditions for use of a SiGNET CA certificate, and cease usage immediately;

  11. By using the authentication procedures described in this document subscribers accept the restrictions to liability described in section 9.8.

9.6.4 Relying Party Representations and Warranties

In using a certificate issued by SiGNET CA relying parties agree to:

  1. Accept conditions and adhere to the policies and procedures described in this document;

  2. Verify the certificate revocation information before validating a certificate; #already in 4.9.6

  3. Use the certificate exclusively for authorised and legal purposes, consistent with this document;

9.6.5 Representations and Warranties of other Participants

No stipulation.

9.7 Disclaimers of Warranties

SiGNET CA and its RAs provide no warranties, express or implied, including in respect of security and confidentiality, and of fitness for a particular purpose, for their procedures, repositories, databases and certificates, and will take no responsibility for problems arising from their operation, or for the use made of the certificates they provide.

9.8 Limitations of Liability

IJS, F9 IJS, SiGNET CA and its RAs accept no liability for or in connection with the certification services and the parties using or relying on them shall hold IJS, F9 department and SiGNET CA free and harmless from liability resulting from such use or reliance;

9.9 Indemnities

IJS, F9 IJS, SiGNET CA and its RAs deny any financial or any other kind of responsibilities for damages or impairments resulting from SiGNET CA's operation.

9.10 Term and Termination

9.10.2 Term

No stipulation.

9.10.2 Termination

IJS shall be entitled to terminate the certification services at any time.

9.10.3 Effect of Termination and Survival

SiGNET CA will make all reasonable efforts to notify all its subscribers, all cross-certifying CAs, and any relying parties known to SiGNET CA to be currently and actively relying on certificates issued by SiGNET CA on such termination.

All certificates issued by SiGNET CA that reference this document will be revoked no later than the time of termination.

9.11 Individual Notices and Communications with Participants

All e-mail communications between the CA and its accredited RAs must be signed with a certified key.

All e-mail communications between the CA or an RA and a subscriber must be signed with a certified key in order to have the value of a proof. All requests for any action must be signed.

9.12 Amendments

9.12.1 Procedure for Amendment

Users will not be advised in advance of changes to SiGNET CA's CP and CPS. Changes are made available as defined in section 2.

9.12.2 Notification Mechanism and Period

This document and any older versions are available from the on-line repository given in section 2.1.

9.12.3 Circumstances Under Which OID Must be Changed

Any change to this document that changes actual policy and practice of SiGNET CA requires a change of document OID.

9.13 Dispute Resolution Provisions

SiGNET CA will resolve naming disputes according to best current practice.

9.14 Governing law

This document is subject to all applicable laws of the Republic of Slovenia.

9.15 Compliance with Applicable Law

This document is subject to all applicable laws of the Republic of Slovenia.

9.16 Miscellaneous Provisions

9.16.1 Entire Agreement

This CP/CPS document superseeds any prior agreements, written or oral, between the parties covered by this present document.

9.16.2 Assignment

No stipulation.

RFC 2527: N/A

9.16.3 Severability

Should a clause of the present CP/CPS document become void because of a conflict with the governing law as per section 9.14 or because it has been declared invalid or unenforceable by a law-enforcing entity, this clause shall become void but the remainder of this document shall remain in force.

SiGNET CA is free to either replace the voided clause as per section 9.12 or to terminate the CA as per section 9.10.2 per its dicretion.

9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)

No stipulation.

9.16.5 Force Majeure

No stipulation.

9.17 Other Provisions

No stipulation.

Appendix A.

Registration Authority Agreement

 This forms part of the operating procedures of the SiGNET Certification
 Authority (CA).
 
 1. In acting as a Registration Authority (RA) for SiGNET CA I have
 read and understood and accepted the responsibilities and tasks
 assigned to an RA laid out in SiGNET CA Certification Policy and
 Practice Statement (CP/CPS) document available on SiGNET CA web site -
 http://signet-ca.ijs.si/.
 
 2. I understand that SiGNET CA will notify me by email of changes to
 CP/CPS and I will immediately notify SiGNET CA if I am no longer willing
 to act as an RA under any new CP/CPS.
 
 3. I understand that failure to fulfill my responsibilities and tasks
 under this agreement may result in the termination of my appointment
 as an RA.
 
 4. In the event of resignation, I will inform the SiGNET CA at least 
 90 days prior to my resignation.
  
  
 Signed by  ........................................ on ..............
 
 
 
 Email:     ........................................
  
 
 
 Signature:                                     ......................
 
 

Appendix B.

Bibliography

Appendix C.

Changelog

1.1 (updates for RFCs 3647 and 3289, updates for IGTF-AP-classic profile version 4.1) - 22-May-2008
1.0 (public draft implementing dg-eur-ca list comments) - 25-Sept-2004
0.3 (public draft implementing dg-eur-ca list comments) - 18-Sept-2004
0.2 (first public draft) - 30-April-2004

Name changes and internal revisions.

A number of changes based on the IUCC Certification Authority CA/CPS document and others.

0.1 (internal draft)- April-2004

Initial revision.