NanoGrid Certification Authority
Certificate Policy and
Certification Practice Statement
Version: 1.0
Date: January 20, 2011
OID: 1.3.6.1.4.1.22139.2.1.0
This Certificate Policy and Certification Practice Statement (CP/CPS) is structured
according to RFC 2527. It describes the set of rules used by the
NanoGrid Certification Authority (NanoGrid CA), operated by the Grid team of the
Russian Research Centre "Kurchatov Institute" (RRC KI).
This document may be referred to as the
NanoGrid Certification Authority Certificate Policy
and Certification Practice Statement version 1.0, or by its OID 1.3.6.1.4.1.22139.2.1.0.
Document name: NanoGrid Certification Authority Certificate Policy and
Certification Practice Statement.
Version: 1.0.
Date: January 20, 2011.
OID: 1.3.6.1.4.1.22139.2.1.0.
NanoGrid Certification Authority is the root certification authority for the NanoGrid
project.
The current list of registration authorities for NanoGrid CA may be obtained
from the following URL:
http://ca.nanogrid.kiae.ru/requests/ra-list.html.
NanoGrid CA may issue certificates for people, hosts and host applications
(services) involved in the Russian Data Intensive Grid consortium.
- Person certificates may be used for user authentication and data
integrity checking in various applications: Globus, LCG, gLite and similar Grid
middleware, electronic mail, Web server access, etc.
- Host certificates may be used for server authentication and
communication encryption.
- Host application certificates may be used for server application
authentication and communication encryption.
Certificates issued by NanoGrid CA must not be used in financial transactions
of any sort.
The NanoGrid CA is operated by:
Eygene Ryabinkin, RRC KI,
Russia, 123182, Moscow, Kurchatov square, 1.
phone: +7 499 196-95-19.
e-mail: rea@grid.kiae.ru.
Generic contact for the NanoGrid CA:
e-mail: nng-ca-support@grid.kiae.ru.
The contact person for this CP/CPS is:
Eygene Ryabinkin, RRC KI,
Russia, 123182, Moscow, Kurchatov square, 1.
phone: +7 499 196-95-19.
e-mail: rea@grid.kiae.ru.
General URL:
http://ca.nanogrid.kiae.ru/.
Policy documents:
http://ca.nanogrid.kiae.ru/policy/.
Certificate repository:
http://ca.nanogrid.kiae.ru/certificates/.
Certificate revocation list:
http://ice.grid.kiae.ru/ca/NNG/cacrl.pem.
CA root certificate:
http://ca.nanogrid.kiae.ru/cacrt.pem.
The NanoGrid CA:
- accepts all requests validated by the registration authorities,
- creates and delivers certificates to registration authorities,
- publishes the issued certificates to publicly-accessible on-line stores,
- accepts all revocations from the registration authorities,
- issues and publishes a CRL,
- revokes any issued certificate if NanoGrid CA possesses proof of
certificate compromise or of certificate usage that violates the NanoGrid CA CP/CPS.
The NanoGrid CA Registration Authorities:
- authenticate the person requesting a person certificate,
- (for a user certificate)
determine whether the person has the right to hold a NanoGrid CA certificate,
- send validated person certificate requests to the NanoGrid CA,
- (for a host or host application certificate)
determine whether the host has the right to hold a NanoGrid CA certificate,
- send validated host and host application certificate requests to
the NanoGrid CA,
- deliver certificates to the subscribers if this was not done by the
NanoGrid CA itself,
- create and send revocation requests to the CA,
- communicate with the NanoGrid CA using signed electronic mail or via
voice conversations with known persons.
It is up to the Registration Authority to decide whether a user or host has the
right to hold a NanoGrid CA certificate. In the process of making such a
decision, the Registration Authority may contact the requester's superior
to verify the requester's participation in the NanoGrid project.
Subscribers:
- must be involved in the NanoGrid project,
- must provide accurate information in their certificate requests,
- (for a user certificate) must protect their private key with a
strong passphrase of at least fifteen characters,
- (for a user certificate) must not keep their private key in
unencrypted form and must not store the passphrase together with
the key itself,
- must immediately notify the NanoGrid CA Registration Authority in the case
of actual or suspected key loss, disclosure or other compromise,
- must be familiar with the NanoGrid CA CP/CPS document and follow the rules
of certificate usage specified in it,
- should ask for certificate revocation if the certificate is no longer
needed or the certified entity no longer takes part in the NanoGrid
project,
- should ask for certificate revocation if the data contained in the
certificate is no longer valid.
Relying parties:
- must be familiar with this CP/CPS before making any decision on the
trustworthiness of a certificate issued by NanoGrid CA,
- must use the certificate only for purposes permitted by this
CP/CPS,
- must check the authenticity of the NanoGrid CA root certificate before using it,
- must check the current CRL before validating a certificate,
- should update their local CRL copy at least once per day.
NanoGrid CA uploads all issued certificates to a publicly-accessible
on-line repository. NanoGrid CA maintains a Certificate Revocation List (CRL).
NanoGrid CA may publish information about pending certificate requests.
The certification service is run with a reasonable level of security but is
provided on a best-effort basis. NanoGrid CA takes no responsibility for problems
arising from its operation or from the use of the certificates it provides.
NanoGrid CA denies any financial or other kind of responsibility for damages or
losses resulting from its operation.
No financial responsibility is accepted.
This document is governed by the current law of the Russian
Federation. Legal disputes arising from the operation of the
NanoGrid CA will be resolved in accordance with Russian Federation law.
No fees are charged.
NanoGrid CA operates a public web site http://ca.nanogrid.kiae.ru/ that contains:
- the certificate for CA signing key,
- current Certificate Revocation List (CRL) signed by NanoGrid CA,
- all certificates issued by NanoGrid CA,
- past and current versions of NanoGrid CA CP/CPS document,
- various information about NanoGrid CA and certificates, that can be helpful
to users of NanoGrid CA.
User, host and host application certificates are published as soon as they
are issued. A new Certificate Revocation List (CRL) is issued after each
revocation and at least 7 days before the previous CRL expires.
The CRL validity period is 30 days.
No access controls to these publications are performed.
No stipulation.
NanoGrid CA collects the subscriber's full name, organization and unit names and
electronic mail address. The subscriber's organization, unit name and full name
are included in the user certificate. None of the collected information is
confidential. NanoGrid CA does not publish the subscriber's electronic mail
address in the list of issued certificates on the NanoGrid CA web site.
NanoGrid CA has no need for, and never requests, access to a user's, host's or
host application's private key.
The private key is generated only by the user or by the host/service administrator
and must not be disclosed to anyone else. NanoGrid CA never asks users
to send their private keys along with their certificate requests.
NanoGrid CA does not claim any intellectual property rights on issued
certificates and Certificate Revocation Lists.
3.1 Initial Registration
3.1.1 Types of names
NanoGrid CA uses the following types of names for different types of certificates:
- distinguished names for a person certificate:
/C=RU/O=NanoGrid/OU=users/OU=Organisation/CN=Name,
- distinguished name for a host certificate:
/C=RU/O=NanoGrid/OU=hosts/OU=Organisation/CN=FQDN,
- distinguished name for a host application certificate:
/C=RU/O=NanoGrid/OU=services/OU=Organisation/CN=service name/FQDN.
The CN component of the distinguished name of a person certificate must contain the
person's first and last names.
An optional OU attribute may be inserted between the OU=Organisation
component and the CN component when the organisation name alone
is not enough to clearly identify the administrative domain
of the certificate holder, for example in an organisation
with a rich administrative structure and loose administrative coupling
between its units.
All distinguished names are unique. When a user's
first and last names coincide with those in an existing certificate,
a middle name or initial may be inserted into the CN field of the
distinguished name.
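The three templates above, as an added shell check that is not part of this CP/CPS and not the NanoGrid CA's or RA's own tooling: it classifies an OpenSSL one-line subject DN as a user, host or service name, or rejects it. The policy does not say which characters an RDN value may contain or how a CN is tokenised, so the script assumes that RDN values contain neither "/" nor "=", that a person CN is two or three capitalised words (first name, optional middle name or initial, last name), that a host CN is a lowercase FQDN with at least one dot, and that the optional unit OU appears at most once. The organisation "RRC KI" and the sample DNs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the NanoGrid CA CP/CPS: classify an OpenSSL
# one-line subject DN against the three name templates of section 3.1.1.
# Prints user, host or service and returns 0 on a match; prints invalid and
# returns 1 otherwise.  Assumptions the policy does not state: RDN values
# contain neither '/' nor '=', a person CN is two or three capitalised words,
# a host CN is a lowercase FQDN with at least one dot, and the optional extra
# OU of 3.1.1 appears at most once.
nanogrid_dn_type() {
    dn=$1
    val='[^/=]+'                             # one RDN value
    ou="/OU=$val(/OU=$val)?"                 # OU=Organisation plus optional unit OU
    word="[A-Z][A-Za-z'.-]*"                 # one capitalised name token
    person="$word( $word)? $word"            # first [middle] last
    label='[a-z0-9]([a-z0-9-]*[a-z0-9])?'    # one DNS label
    fqdn="$label(\\.$label)+"                # at least two labels
    prefix='^/C=RU/O=NanoGrid/OU='
    if   printf '%s\n' "$dn" | grep -Eq "${prefix}users$ou/CN=$person\$"; then
        echo user
    elif printf '%s\n' "$dn" | grep -Eq "${prefix}hosts$ou/CN=$fqdn\$"; then
        echo host
    elif printf '%s\n' "$dn" | grep -Eq "${prefix}services$ou/CN=[A-Za-z0-9_-]+/$fqdn\$"; then
        echo service
    else
        echo invalid; return 1
    fi
}

# Constructed sample DNs: four that match a template, two that do not
# (missing OU=Organisation, and a person name in a host certificate).
for dn in '/C=RU/O=NanoGrid/OU=users/OU=RRC KI/CN=Ivan Petrov' \
          '/C=RU/O=NanoGrid/OU=users/OU=RRC KI/OU=Grid team/CN=Ivan I. Petrov' \
          '/C=RU/O=NanoGrid/OU=hosts/OU=RRC KI/CN=ce.grid.kiae.ru' \
          '/C=RU/O=NanoGrid/OU=services/OU=RRC KI/CN=ldap/ce.grid.kiae.ru' \
          '/C=RU/O=NanoGrid/OU=users/CN=Ivan Petrov' \
          '/C=RU/O=NanoGrid/OU=hosts/OU=RRC KI/CN=Ivan Petrov'; do
    printf '%-70s ' "$dn"
    nanogrid_dn_type "$dn" || true
done
```

The check is deliberately a whole-string match: a DN with an extra trailing component, or with the organisation OU missing, is rejected rather than matched on its prefix, which is what an RA needs before forwarding a request and what a relying party needs for the name-space check of section 4.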
3.1.2 Method to prove possession of private key
Each request must be signed with the private key corresponding to the
public key contained in the certificate request.
NanoGrid CA neither generates nor stores private keys for subscribers.
The NanoGrid CA Registration Authority verifies the organisation's identity by checking:
- that the organisation is known to participate in the NanoGrid project,
- and that the organisation is located in Russia or another ex-USSR country, by checking
the organisation's contact information.
3.1.4 Authentication of individual identity
The NanoGrid CA Registration Authority verifies the person's identity and their
affiliation with the claimed organisation in a face-to-face meeting
with the person who requests the certificate.
Routine re-keying is allowed for current subscribers of NanoGrid CA and must take
place before the subscriber's current certificate expires. The re-key request
consists of a certificate request for the new key pair and must be
signed with the private key of the subscriber's current certificate. Re-signing an
existing public key is not allowed.
NanoGrid CA will not recertify a revoked key. The holder of a revoked certificate must
obtain a new one following the initial registration procedure described in
section 3.1.
3.4 Revocation request
A revocation request must be authenticated, unless NanoGrid CA can independently
verify that a key compromise has happened. The preferred method of
authentication is an electronic mail message digitally signed with a non-expired
and previously non-revoked certificate issued by NanoGrid CA.
If this is not possible, the subscriber
must contact the NanoGrid CA Registration Authority, which verifies the user's
identity using procedures similar to those described in section
3.1.2.
Applicants must generate their own key pair themselves; NanoGrid CA will
never generate a key pair for an applicant. NanoGrid CA does not accept
private key escrow responsibilities and rejects any certificate request
containing a private key.
The minimum key length for all applications is 1024 bits. The maximum validity
period of a certificate is one year and 31 days.
The generated certificate request must be sent by electronic mail to the
corresponding NanoGrid CA Registration Authority. The mail message must be sent from
an electronic mail address that exists and can receive mail.
NanoGrid CA rejects all illegitimate certification requests; in the case
of rejection the applicant is notified by electronic mail, except for obviously
nonsensical requests, which are rejected silently.
Upon receipt of a certificate request that qualifies as valid according
to this CP/CPS, the NanoGrid CA Registration Authority verifies the request
and authenticates the applicant as described in section 3.1. After
successful verification and authentication, the NanoGrid CA Registration Authority
digitally signs the request and transfers it to the NanoGrid CA, where the certificate
is issued. The applicant is notified of issuance by electronic mail,
or by another means of communication if the subscriber requests it. If
communication fails permanently, the certificate is revoked without
further notice.
A certification request is normally handled within one week; however,
during vacation or national holiday periods the response time can increase
to three weeks.
A certificate issued by the NanoGrid CA is valid only if it passes all of the following checks:
- The certificate must not be expired.
- The distinguished name must be in the NanoGrid CA name space, i.e. it must match
one of the name templates described in section 3.1.1.
- The certificate must carry a valid NanoGrid CA signature, verifiable with the
NanoGrid CA certificate available at http://ca.nanogrid.kiae.ru/cacrt.pem.
- The certificate must not be listed in the Certificate Revocation List (CRL)
issued by NanoGrid CA, available at http://ice.grid.kiae.ru/ca/NNG/cacrl.pem.
- The CRL must have a valid NanoGrid CA signature and must not be expired.
- For the highest level of assurance, a fresh CRL should be fetched immediately
before validating the certificate.
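The checklist above and the CRL rules of section 4.4, as an added end-to-end shell example that is not part of this CP/CPS and does not use the real NanoGrid CA key: it builds a throwaway CA whose issuer name mimics the policy, issues a host certificate under it for 396 days (the one year plus 31 days maximum of this section), issues a 30-day CRL, runs the relying-party checks, then revokes the certificate, issues the follow-up CRL and shows the same checks now fail. Everything not quoted from the policy is constructed here: the temporary directory and file names, the organisation "RRC KI", the FQDN, the minimal end-entity extension set, and the choice of 2048-bit keys (the policy's 1024-bit minimum is far below current practice). The CRL location embedded in the certificate is the one the policy publishes, but nothing is fetched from it.

```shell
#!/bin/sh
# Added example, not from the NanoGrid CA CP/CPS or its operators. Throwaway
# CA mimicking the policy's issuer name, a 396-day host certificate, a 30-day
# CRL, and the section 4 relying-party checklist before and after revocation.
# All keys, paths, the organisation "RRC KI" and the FQDN are constructed.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

setup_ca() {
    cat > "$W/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = nng
[ nng ]
dir              = $W
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = nng_policy
[ nng_policy ]
countryName            = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
EOF
    openssl req -config "$W/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 5475 \
        -subj '/C=RU/O=NanoGrid/CN=NanoGrid CA' \
        -keyout "$W/ca.key" -out "$W/ca.pem" >/dev/null 2>&1
    : > "$W/index.txt"; echo 01 > "$W/serial"; echo 01 > "$W/crlnumber"
}

# Subscriber side: own key pair and CSR (section 6.1). CA side: sign for
# 396 days with a minimal end-entity extension set pointing at the CRL.
issue_host_cert() {   # $1 = FQDN
    openssl req -config "$W/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=RU/O=NanoGrid/OU=hosts/OU=RRC KI/CN=$1" \
        -keyout "$W/host.key" -out "$W/host.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'crlDistributionPoints=URI:http://ice.grid.kiae.ru/ca/NNG/cacrl.pem' > "$W/host.ext"
    openssl ca -config "$W/ca.cnf" -batch -notext -days 396 -extfile "$W/host.ext" \
        -in "$W/host.csr" -out "$W/host.pem" >/dev/null 2>&1
}
issue_crl()   { openssl ca -config "$W/ca.cnf" -gencrl -out "$W/crl.pem" >/dev/null 2>&1; }
revoke_cert() { openssl ca -config "$W/ca.cnf" -revoke "$1" >/dev/null 2>&1; }

# Relying-party checklist of section 4: name space first, then expiry, CA
# signature, CRL signature, CRL expiry and revocation status, which a single
# 'openssl verify -crl_check' call covers together.
validate_cert() {   # $1 = certificate  $2 = CA certificate  $3 = CRL
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//')
    case $subj in
        /C=RU/O=NanoGrid/OU=users/*|/C=RU/O=NanoGrid/OU=hosts/*|/C=RU/O=NanoGrid/OU=services/*) ;;
        *) echo "subject outside the NanoGrid CA name space: $subj"; return 1 ;;
    esac
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

demo() {
    setup_ca
    issue_host_cert ce.grid.kiae.ru
    issue_crl
    validate_cert "$W/host.pem" "$W/ca.pem" "$W/crl.pem" || { echo "fresh certificate rejected"; return 1; }
    echo "fresh certificate accepted"
    revoke_cert "$W/host.pem"
    issue_crl           # a new CRL follows every revocation (section 4.4)
    if validate_cert "$W/host.pem" "$W/ca.pem" "$W/crl.pem"; then
        echo "revoked certificate still accepted"; return 1
    fi
    echo "revoked certificate rejected"
}
demo
```

Two points worth noting for a relying party. First, `-crl_check` does not just look the serial up in the CRL: it also rejects a CRL whose signature does not verify against the CA certificate or whose nextUpdate has passed, so the "CRL must be signed and unexpired" items are not optional extras but part of the same call. Second, the name-space check has to be done separately, since a chain that verifies cryptographically can still carry a subject outside the templates of section 3.1.1; the prefix test here is the minimal form of that check.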
A certificate will be revoked when
- the information it contains is no longer correct or is proved
to be incorrect, or
- the private key is lost or suspected to be compromised, or
- the certified entity no longer participates in the NanoGrid
project, or
- NanoGrid CA has proof that the certificate is used in violation of the
NanoGrid CA CP/CPS rules.
The certificate holder, or any other entity presenting proof of a private key
compromise or of a change in the subscriber's data, can request a
certificate revocation.
NanoGrid CA handles any revocation request, authenticated or unauthenticated.
If NanoGrid CA can independently verify that a certificate has been compromised
or misused, it revokes the certificate. In all other cases the
revocation request is authenticated as described in section
3.4.
A revocation request must be passed to the NanoGrid CA Registration Authority
that signed the certificate request for the certificate to be revoked.
The rules for passing a revocation request to the NanoGrid CA
Registration Authority are described in section 3.4.
A revocation request may be cancelled within 24 hours of its receipt at the
NanoGrid CA; in the case of a proven compromise, however, the certificate is revoked
immediately.
To cancel a revocation request the certificate holder
must contact the same RA as for the revocation request.
The rules for passing a cancellation request to the NanoGrid CA
Registration Authority are the same as in section 3.4.
4.4.5 Circumstances for suspension
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
Certificate suspension is not currently supported.
The Certificate Revocation List (CRL) is issued after each revocation and
at least every 7 days. The lifetime of a CRL is 30 days. The CRL is made
available for download as soon as it is published.
- The CRL must have a valid NanoGrid CA signature and must not be expired.
- For the highest level of assurance, a fresh CRL should be downloaded
immediately before validating a certificate.
All valid certificates issued by NanoGrid CA are available online at the following
URL:
http://ca.nanogrid.kiae.ru/certificates/.
Not applicable.
The certificate holder is notified if another person requests revocation of
his or her certificate.
Not applicable.
When a certificate revocation is the result of a private key compromise, all
NanoGrid CA Registration Authorities and the holder of the private key
are notified by e-mail immediately after the new CRL is issued.
The following events are recorded:
- certificate requests (by persons),
- certificate acceptances (by Registration Authorities),
- revocation requests (by Registration Authorities),
- certificate issuance,
- certificate re-key and renewal requests.
Not defined.
Audit logs will be kept for at least 3 years.
Audit logs may be consulted only by:
Audit logs are copied to an offline medium. Online audit logs are protected
by file system access controls.
Audit logs are copied to an offline medium.
The audit logs archive is internal to the NanoGrid CA.
No stipulation.
Operational audit is performed twice per year and includes auditing of all
NanoGrid CA staff including Registration Authorities.
The following types of events are recorded:
- certificate requests (by persons),
- certificate acceptances (by Registration Authorities),
- revocation requests (by Registration Authorities),
- certificate issuance,
- CRL issuance,
- e-mail messages sent and received by NanoGrid CA.
Records will be kept for at least 3 years.
Records may be consulted only by:
All records are copied to an offline medium. Online records are protected
by file system access controls.
No stipulation.
No stipulation.
The records archive is internal to the NanoGrid CA.
No stipulation.
Public keys are distributed by electronic mail or using online system at
the following URL:
http://ca.nanogrid.kiae.ru/certificates/.
In case the NanoGrid CA private key is compromised the NanoGrid CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the issuance and distribution of the certificates and CRLs.
- Notify relevant security contacts.
- Notify as widely as possible about service termination.
In case the NanoGrid CA Registration Authority private key is compromised
the NanoGrid CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the operation of the compromised Registration Authority.
- Revoke all certificates validated by the compromised Registration
Authority.
- Notify as widely as possible about Registration Authority compromise.
Upon termination NanoGrid CA will:
- Notify all subscribers and cross-certifying Certification Authorities.
- Notify Registration Authorities.
- Terminate the issuance of certificates and CRLs.
- Notify relevant security contacts.
- Notify as widely as possible about service termination.
The NanoGrid CA is located at the Russian Research Centre "Kurchatov Institute"
in Moscow, Russia, and is hosted in a professional colocation area.
Physical access to the NanoGrid CA hosts is restricted to authorized personnel.
The NanoGrid CA signing machine and the NanoGrid CA web server are both protected
by uninterruptible power supplies. The temperature in the room
containing NanoGrid CA equipment is kept at an appropriate level
by an air conditioning system.
Due to the location of the NanoGrid CA facilities, floods are not expected.
Buildings containing NanoGrid CA facilities comply with Russian law on
fire prevention and building protection.
The NanoGrid CA key is kept on several removable storage media. Backup copies of
NanoGrid CA related information are kept on CD-ROM and flash disks.
Waste carrying potentially confidential information, such as old storage media, is
physically destroyed before disposal.
No off-site backups are currently performed.
No stipulation.
NanoGrid CA personnel are recruited from the "Kurchatov Institute" Grid team.
Registration Authority personnel are recruited from the staff of the corresponding
institutions.
No other personnel are authorized to access NanoGrid CA facilities without the
physical presence of NanoGrid CA personnel.
Internal training is given to NanoGrid CA operators and Registration
Authority operators.
Training is repeated on every change of this document or of the software used.
Job rotation is not performed.
No stipulation.
No stipulation.
All personnel are supplied with copies of this document and of the NanoGrid CA Operation
Manual.
Each subscriber must generate its own key pair. NanoGrid CA does not generate
private keys for subscribers.
Private key delivery is not supported.
Public keys are delivered by electronic mail. They are also accessible
from the public web page at http://ca.nanogrid.kiae.ru/certificates/.
NanoGrid CA public key is accessible from public web page at
http://ca.nanogrid.kiae.ru/cacrt.pem.
The minimum key length for user, host or host application certificate is 1024
bits. The NanoGrid CA key length is 2048 bits.
No stipulation.
No stipulation.
Keys are generated using software algorithms.
Keys must be used according to the value of X.509v3 keyUsage field.
No stipulation.
No stipulation.
The NanoGrid CA private key is kept encrypted, in multiple copies, on CD-ROM
and flash disks in safe places. One copy of the encrypted key together with its passphrase
is sealed in an envelope and kept in a safe.
The NanoGrid CA private key validity period is 15 years.
Each copy of the NanoGrid CA private key is protected by its own passphrase, which
is at least 15 characters long.
The NanoGrid CA operating systems are maintained at a high level of security by
applying all relevant patches. Monitoring is performed to detect unauthorized
software changes.
Not tested.
No stipulation.
The NanoGrid CA public-interface machine is protected by a firewall.
The server access is restricted to a few stations.
No stipulation.
X.509 v3.
The following extensions may be included in certificates issued by NanoGrid CA:
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid:always,issuer:always
- basicConstraints (CRITICAL): CA:false
- keyUsage (CRITICAL): digitalSignature, nonRepudiation,
keyEncipherment, dataEncipherment, keyAgreement
- certificatePolicies: OID 1.3.6.1.4.1.22139.2.1.0
- issuerAlternativeName: e-mail address of NanoGrid CA
- subjectAlternativeName: subscriber's e-mail address
- cRLDistributionPoints: URI
- nsCaPolicy: URL
- nsComments: an issuer description
- nsCertType: (for user certificates) client, email, objsign
- nsCertType: (for host certificates) client, server, objsign
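The extension list above, expressed as OpenSSL x509v3 extension sections. This is an added example and not the NanoGrid CA's own configuration: the CA's real config is not published in this document. The extension names and values are the ones listed in this profile, written in the syntax `openssl ca -extensions <section>` accepts; `nsCaPolicyUrl` is OpenSSL's name for the profile's "nsCaPolicy: URL" entry. Three things are assumptions: the issuer e-mail is the generic CA contact address from section 1, the subject e-mail is copied from the `emailAddress` attribute of the certificate request, and the `nsComment` wording is made up here.

```ini
# Added example, not the NanoGrid CA's own configuration.  Two OpenSSL
# extension sections that produce the section 7.1 profile; the only
# difference between them is nsCertType.  Assumed: issuer e-mail (generic
# CA contact from section 1), subjectAltName copied from the request's
# emailAddress, and the nsComment text.

[ nng_user_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:FALSE
# keyUsage bits exactly as listed in the profile, keyAgreement included
keyUsage               = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
certificatePolicies    = 1.3.6.1.4.1.22139.2.1.0
issuerAltName          = email:nng-ca-support@grid.kiae.ru
subjectAltName         = email:copy
crlDistributionPoints  = URI:http://ice.grid.kiae.ru/ca/NNG/cacrl.pem
nsCaPolicyUrl          = http://ca.nanogrid.kiae.ru/policy/
nsComment              = "Issued by NanoGrid CA under CP/CPS OID 1.3.6.1.4.1.22139.2.1.0"
nsCertType             = client,email,objsign

[ nng_host_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
certificatePolicies    = 1.3.6.1.4.1.22139.2.1.0
issuerAltName          = email:nng-ca-support@grid.kiae.ru
subjectAltName         = email:copy
crlDistributionPoints  = URI:http://ice.grid.kiae.ru/ca/NNG/cacrl.pem
nsCaPolicyUrl          = http://ca.nanogrid.kiae.ru/policy/
nsComment              = "Issued by NanoGrid CA under CP/CPS OID 1.3.6.1.4.1.22139.2.1.0"
nsCertType             = client,server,objsign
```

`email:copy` takes the address from the subject being certified, so for it to work while keeping the DN in the section 3.1.1 form, the `openssl ca` configuration needs `email_in_dn = no` in its CA section and `emailAddress = optional` in its policy section: the address is then available to the extension but removed from the final subject, which matches the profile's statement that the e-mail goes into subjectAlternativeName and not into the DN. The sections contain no OU or CN constraints; those are enforced by the RA, not by the issuing configuration.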
No stipulation
Issuer: C=RU,O=NanoGrid,CN=NanoGrid CA.
For Subject field name forms see section 3.1.1.
Subject attribute constraints:
- countryName: must be "RU"
- organizationName: must be "NanoGrid"
- organizationalUnitName: the first OU component
must be "users", "hosts" or "services", as determined by the
certificate type, see section 3.1.1.
- commonName: determined according to section 3.1.1.
This policy is identified by OID 1.3.6.1.4.1.22139.2.1.0.
No stipulation.
No stipulation.
X.509 v1.
None.
No stipulation.
The latest version of this document is available at the following URL:
http://ca.nanogrid.kiae.ru/policy/.
No stipulation.