UCPKI Policy and Practices Statement (DRAFT)

The purpose of this document is to establish minimum standards for campus CAs to issue UCCerts. A campus my choose to subscribe to this document or submit a document for approval by UCOP. If the campus choses to submit a document, it must cover substantially the topics covered in this document.

It owes much to the University of Colorado UMS Public Key Infrastructure Policy and Procedure Statement.

UCPKI Policy and Practices Statement (DRAFT)

1. Purpose

UCCerts are X.509v3 digital certificates which bind a particular public/private key pair to a particular individual or resource in order to certify that the owner of the key pair is who or what the certificate says they are. UCCerts are intended solely for use in identifying the individual or entity (or the class of the individual in the case of anonymous certs). In particular, their use for encryption of documents or email is not supported and usage for digital signatures is experimental.

This addresses:

architecture of the CA hierarchy
content of UCCerts
procedures for issuing UCCerts
procedures for revoking UCCerts
procedures for maintaining the CA
liability issues
maintainence procedures for this policy
termination of operation
definitions
a sample certificate

2. Architecture

The will be a hierarchy of CA's. A root CA will be maintained by UCOP. It's sole function will be to issue certificates to certificate authorities on the campuses. (It might in turn be certified by some outside authority; that remains a desireable but perhaps unachieveable feature.)

Each campus will maintian a single certificate authority for personal certificates. The campus CA will issue certificates to individuals and web servers for the campus. They might possibly also issue certificates to subsidiary certificate severs, subject to suitable policy contraints.

3. Contents of UCCerts

3.1 Types of Certificates

The NetID field, if present, is the NetID associated with the given individual. It can be used to look up authorization data on the individual (for example in the UDir).

The CampusID, if present, is the CampusID associated with the given individual. It has a meaning which is particular to the campus, but presumably can be used to look up authoriization data on the individual in some local DB.

The period of validity of the certificate shall be not more than 1 year.

4. Procedures for Issuing UCCerts

4.2 Subscriber Agreement

Subscribers are notified of the importance of the UCCert by being presented with a notice substantially like this when applying:

"I understand that the UCCert is an important form of identification. All the information I will provide and all the representations I will make in applying for a certificate are true. I have not allowed and will not allow anyone to have access to the private key that will be associated with the certificate I am requesting. I have stored that private key in a password protected file. I will inform the Certificate Authority Administrator immediately should any of the information I have provided change or should I believe the security of my private key has been compromised. I will remove the UCCert and the associated private key from the web server or my browser within 24 hours of being informed that it has been revoked."

4.2.1 Subscribers who are web server administrators enter into the following additional agreement:

"I have authority to and accept responsibility for ensuring that anyone who performs administration functions on the web server for which a UCCert is issued is fully informed of the requirements for use of the certificate and that they agree to use the certificate exclusively for authorized and legal purposes, consistent with this policy and procedure document."

4.3 Key Pair Generation

Subscribers generate their own key pairs to minimize the exposure of the private key.

4.4 Verification of Identity

The identity of the individuals requesting certificates is verified by various means as indicated by the STRENGTH field on the certificate.

Strength = 7. Means that the subject presented a picture ID (drivers license, passport, etc.) to a duly authorized officer of the university before the certificate was issued. (Possibly, the subject was then issued a password for subsequent issuing of the certificate.)
Strength = 3. Means that the subject was verified by means of some automated system, without presenting an ID to a duly authorized officer. Examples include:
- The subject was challenged for information the should only be known by them:
  - a password which was mailed to an account that the person controls
  - mother's maiden name, social security number, date of birth, etc.
- The subject was in a kerberos or other database which the university believes is reasonably administered and knew the password.

5. Procedures for Revoking UCCerts

5.1 Reasons for Revocation

A UCCert will be revoked when the private key associated with the certificate is compromised or suspected to be compromised. In general, this will become known because the subscriber notifies the CAA. (It will not normally be revoked should the subscriber status change. This includes the case where there has been some violation of acceptable use of UC computing resources. It is intended that this be handled by suitable modification to the authorization DB.)

5.2 Revocation Procedure

When a certificate is revoked, it will be added to the Certificate Revocation List (CRL) in the certificate repository and a status of revoked will be added as an attribute to the certificate in the certificate repository. The CA Administrator (CAA) will notify the subscriber that the certificate has been revoked and instruct them to remove the certificate and the associated private key from the web server or web browser.

?For revoked web server certificates, the CAA will attempt to access the server using SSL 24 hours later to verify that the certificate has been removed. This is necessary because there is no way for a browser to check a CRL and thus, no way to determine whether or not a certificate that is in use on a web server has been revoked.

6. Procedures for Maintaining the CA

6.1 Physical Controls

6.1.1 The CA workstation is located in the secure computer room where it has fire protection and climate control;

6.2 Technical Controls

6.2.1 Network access to the CA and its repository passes through a firewall that limits the type and source of access;

6.2.2 The Operator shall take all standard precautions to limit access to the system and prevent system breakins. It uses CA and certificate repository software acquired and managed so as to assure there are no unauthorized modifications.

6.3 Procedural Controls

6.3.1 Three distinct administrative roles have been established to ensure a single individual cannot act alone to create unauthorized certificates and remove evidence of that action. The roles are as follows:

a. Certification Authority Administrator (CAA)

The CAA role includes:

Verification of application information;
Certificate generation;
Administrative functions associated with maintaining the CA database and assisting in compromise investigations.
Responding to questions about the certificates issued and the UCPKI.

b. System Administrator (SA)

The SA role includes:

Performing initial configuration of the CA system including secure boot start-up and shut down of the workstation;
Initial setup of all new accounts;
Setting the initial network configuration;
Creating emergency system restart media to recover from catastrophic system loss;
Performing system backups, software upgrades and recovery
Changing of the host name and/or network address.

c. Information System Security Officer (ISSO)

The ISSO role includes:

Assigning security privileges and access controls for administrators of the CA.
Assigning passwords to all new accounts.

The ISSO, who is not directly involved in issuing certificates, performs an oversight function in examining system records or audit logs to ensure that other people are acting within the realms of their responsibilities and within the stated security policy.

6.3.2 Backup copies of the CA and repository software, CA queue contents, and the repository database contents are maintained, including appropriate offsite backup.

7. Warranties

The University of California makes no representations or warranties, express or implied, with respect to the services described above, including any warranties of title, noninfringement of copyright or patent rights of others, merchantability, or fitness or suitability for any purpose.

8. Policy and Procedure Maintenance

This policy will be amended from time to time to accommodate changes in the function of the UCPKI or changes in our understanding of required policies and procedures. If you wish to be notified of changes, you may subscribe to an email list by sending email to XXX@ucop.edu. You will be notified by email at least 10 days in advance of any change. Comments or objections to proposed changes may be sent to XXX@ucop.edu and will be given serious consideration.

9. Termination of Operation

In the event UC decides to cease operating a PKI, it will provide at least three months notice to subscribers to give them time to obtain a certificate from a commercial CA if desired. All certificates will be revoked on the termination date.

Definitions

CA - Certificate Authority. Code for granting and terminating public key certificates.

CAA - The Certificate Authority Administrator.

Certificate subject - The entity whose public key is certified in the certificate.

Certificate Revocation List (CRL) - A list of certificates that have been revoked prior to their expiration date.

Operator - The organization/people responsible for operation of the CA.

Subscriber - In the case of certificates issued to resources (such as web servers), the person responsible for the certificate for that resource. For certificates issued to individuals, same as certificate subject.

UCCert - a certificate issued by the UCPKI.

UCPKI - The UC Public Key Infrastructure - The hardware, software, policies, procedures, and personnel for creating, using, and terminating public key certificates.

Final Definition of UC Personal Certificate Payload

December 16, 1998

Sal Gurnani

Frank Whittemore

Note - final definition of the UC Anonymous Certificate Payload and WEB Server payload are under development.

To provide for UC wide interoperability, the contents of the following certificate payload fields have been specified for UC Personal Certificates:

Issuer

The Issuer field must contain the distinguished name of your certificate authority, which must conform to the following format:

C=US, O=University of California, OU=University of California [Campus], CN=Root Certificate Authority [N]

where [Campus] should be replaced with a Campus name, ie. San Diego, Los Angeles, etc., and [N] should be replaced with an integer which is unique to a given campus root certificate authority server. A given campus will most likely require multiple Root CA servers, and it is suggested the first be identified by 1, the second by 2, and so on.

Subject

The issuing campus authority is free to specify the Subject line as desired.

x509v3 Extensions

The following x509 v3 certificate extension fields have been defined for use within the UC PKI. These fields are the used to encode UC specific information within x509 certificate payloads. The issuing campus authority may add additional fields, but the required fields must be included and the OID’s for all specified fields may not be reused or redefined.




 Name: UC Netid
 OID: 2 16 840 1 113916 1 1
    Value: UCOP/UDIR assigned UC Netid for Individual
    Opt./Req.: Required
    Note: The UC NETID must be specified in order for the certificate to be 
    a personal identity certificate.  If the UC Netid extension is not 
    specified or missing, the certificate becomes an attribute certificate (see 
    CPS).

 Name: UC Strength Value
    OID: 2 16 840 1 113916 1 2
    Value: Certificate Issuance Identity Check Method/Strength for Individual
    Opt./Req.: Required
    Note: The UC Strength Value must be specified in order for the certificate 
    to be a personal identity certificate.  If the UC Netid extension is not 
    specified or missing, the certificate becomes an attribute certificate (see 
    CPS).

 Name: UC Campus Affiliation
    OID: 2 16 840 1 113916 1 3
    Value: String value from set {OP, BK, DV, IR, LA, RV, SB, SC, SD, SF}
    Opt./Req.: Required

 Name: UC Authorization Pointer Type
    OID: 2 16 840 1 113916 1 4
    Value: String
    Opt./Req.: Optional

 Name: UC Authorization Pointer Value
    OID: 2 16 840 1 113916 1 5
    Value: String
    Opt./Req.: Optional

 Name: Netscape Certificate Renewal URL
    OID: 2 16 840 1 113730 1 75
    Value: URL string
    Opt./Req.: Optional

 Netscape CA Revocation URL
    OID: 2 16 840 1 113730 1 74
    Value: URL string
    Opt./Req.: Required

 Netscape CA CRL URL
    OID: 2 16 840 1 113730 1 6
    Value: URL string
    Opt./Req.: Required

 Netscape CA Policy URL
    OID: 2 16 840 1 113730 1 76
    Value: URL string
    Opt./Req.: Required

10) Netscape Comment
    OID: 2 16 840 1 113730 1 78
    Value: Campus specified string
    Opt./Req.: Required


The following is an example text dump of the payload for a UC personal certificate:

Certificate:
    Data:
        Version: 2 (0x2)

        Serial Number: 1 (0x1)

        Signature Algorithm: md5withRSAEncryption

        Issuer: C=US, O=University of California, OU=University of California 
                Campus, CN=Root Certificate Authority 1

        Validity
            Not Before: May 13 21:43:51 1998 GMT
            Not After : Nov  9 21:43:51 1998 GMT

        Subject: C=US, O=University of California, OU=University of California
                 Campus, CN=Joe Student, UID=jstudent


        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Modulus:
                    00:9a:ce:44:04:e7:44:0c:80:e9:87:25:0a:f5:32:
                    d4:07:5e:34:9a:13:17:da:5b:80:d7:18:65:89:84:
                    ab:a7:a9:b1:01:05:0d:1b:0b:78:c7:d9:fb:63:71:
                    2c:94:f5:96:1a:5b:86:68:26:d2:f0:22:2a:8e:a6:
                    cb:5d:61:c9:2d
                Exponent: 65537 (0x10001)

        X509v3 extensions:
            UC Netid (2 16 840 1 113916 1 1): 
                0000000000

            UC Strength Value (2 16 840 1 113916 1 2): 
                3

            UC Campus Affiliation (2 16 840 1 113916 1 3): 
                XX

            UC Authorization Pointer Type (2 16 840 1 113916 1 4): 
                NULL

            UC Authorization Pointer Value (2 16 840 1 113916 1 5): 
                NULL

            Netscape Certificate Renewal URL (2 16 840 1 113730 1 75): 
                https://rootca1.ucxx.edu/cert-request-form.html

    Netscape CA Revocation URL (2 16 840 1 113730 1 74): 
        https://rootca1.ucxx.edu/cms?op=checkRevocation&serialNumber=1
            Netscape CA CRL URL (2 16 840 1 113730 1 6): 
                https://rootca1.ucxx.edu/cms?op=getCRL

            Netscape CA Policy URL (2 16 840 1 113730 1 76): 
                https://rootca1.ucxx.edu/client-policy.html


            Netscape Comment (2 16 840 1 113730 1 78): 
                This certificate was issued to Joe Student by UC Campus
                Root Certificate Authority 1 (https://rootca1.ucxx.edu).

    Signature Algorithm: md5withRSAEncryption
        1c:3f:10:68:0b:c4:5f:d6:1e:9b:07:a4:e7:de:73:7e:0f:8c:
        80:45:ba:fd:9b:9d:58:2a:36:52:14:72:c3:34:58:92:65:43:
        6d:c7:94:2a:2f:13:c2:16:f8:16:6e:3f:a3:cf:43:7b:ea:a9:
        77:88:58:70:8b:18:c7:77:e8:35:b8:c2:80:31:17:11:b7:32:
        2e:f0:45:95:44:4b:8f:99:4b:cb:fa:84:4d:63:32:30:f8:e2:
        67:87:2f:99:01:98:4a:e7:b8:e3:9f:6c:c2:23:ad:e7:c5:7b:
        9e:14:88:0f:c5:1b:36:33:f2:84:d2:2c:fd:b4:76:d0:3b:39:
        92:ec