
A trusted role is one whose incumbent performs functions that can introduce security problems if not carried out properly, whether accidentally or maliciously. The people selected to fill these roles in the RAPIDPIV-I PKI must be extraordinarily responsible, or the integrity of the CA or CMS is weakened. The functions performed in these roles form the basis of trust for all uses of the CA and CMS. Two approaches are taken to increase the likelihood that these roles can be successfully carried out. The first ensures that the person filling the role is trustworthy and properly trained. The second distributes the functions among more than one person, so that any malicious activity would require collusion.

All Eid Passport employees serving in a trusted position qualify and periodically re-qualify (every two years) for trusted status. Eid Passport maintains lists, including names, organizations and contact information, of those who act in trusted roles, and makes them available during compliance audits.

Each main system in the Eid Passport PKI has four roles:

a. Administrator – authorized to install, configure, and maintain the CA, establish and maintain user accounts, configure profiles and audit parameters, and generate component keys;

b. Officer – authorized to request or to approve certificates or certificate revocations;

c. Audit Administrator – authorized to view and maintain audit logs; and

d. Operator – authorized to perform system backup and recovery.

The following sections define these and other trusted roles.

5.2.1.1 CA System Administrator

The CA System Administrators are responsible for the following:

a. Installation, configuration, and maintenance of the CA;

b. Establishing and maintaining CA system accounts;

c. Configuring certificate profiles or templates and audit parameters; and

d. Generating and backing up CA keys.

System Administrators do not issue certificates to Subscribers.

5.2.1.2 Officer

The Officers are responsible for the following:

a. Registering new Subscribers and requesting the issuance of certificates;

b. Verifying the accuracy of information included in certificates;

c. Approving and executing the issuance of certificates;

d. Requesting, approving and executing the revocation of certificates;

e. Configuring certificate profiles or templates and audit parameters for the CA software; and

f. Generating and backing up CA keys.

5.2.1.3 Audit Administrator

Audit Administrators are responsible for the following:

a. Reviewing, maintaining, and archiving audit logs; and

b. Performing or overseeing internal compliance audits to ensure that the CA is operating in accordance with this CPS.

5.2.1.4 Operator

Operators are responsible for the routine operation of the CA equipment and operations such as system backups and recovery or changing recording media.

5.2.1.5 Registration Authority

Registration Authorities are responsible for the following:

a. Registering new Subscribers and requesting certificate issuance utilizing secure communications as per sections 6.1.2 and 6.1.3;

b. Verifying the identity of Subscribers in accordance with section 3.2;

c. Approving and executing certificate issuance;

d. Receiving and distributing Subscriber certificates; and

e. Requesting, approving, and executing certificate revocation.

{Redacted}

5.2.1.6 CSA Roles

The RAPIDPIV-I CSA has the following roles:

a. CSA Administrators who are responsible for the following:

i. Installation, configuration, and maintenance of the CSA;

ii. Establishing and maintaining CSA system accounts;

iii. Configuring CSA application and audit parameters; and

iv. Generating and backing up CSA keys.

b. CSA Audit Administrators who are responsible for the following:

i. Reviewing, maintaining, and archiving audit logs; and

ii. Performing or overseeing internal compliance audits to ensure that the CSA is operating in accordance with this CPS.

c. CSA Operators who are responsible for the following:

i. Routine operation of the CSA equipment; and

ii. Operations such as system backups and recovery or changing recording media.

5.2.1.7 CMS Roles

The RAPIDPIV-I CMS has the following roles:

a. CMS Administrators who are responsible for the following:

i. Installation, configuration, and maintenance of the CMS;

ii. Establishing and maintaining CMS system accounts;

iii. Configuring CMS application and audit parameters; and

iv. Generating and backing up CMS keys.

b. CMS Audit Administrators who are responsible for the following:

i. Reviewing, maintaining, and archiving audit logs; and

ii. Performing or overseeing internal compliance audits to ensure that the CMS is operating in accordance with this CPS.

c. CMS Operators who are responsible for the following:

i. Routine operation of the CMS equipment; and

ii. Operations such as system backups and recovery or changing recording media.

5.2.1.8 PKI Sponsor

A PKI Sponsor is a Subscriber for devices in the RAPIDPIV-I network. Alternatively, a PKI Sponsor may be an authorized official in an affiliated organization who may conduct pre-enrollment activities for authorized Subscribers. The PKI Sponsor follows procedures detailed in this CPS and the RAPIDPIV-I handbooks and SOPs to pre-enroll Subscribers, or to register components (routers, web servers, firewalls, etc.) in accordance with section 3.2.4, and is responsible for meeting the obligations of Subscribers as defined throughout this document.

A PKI Sponsor is not a trusted role, but is issued a credential at an Assurance Level that is equal to or higher than that of the credential that they are sponsoring.

5.2.1.9 Trusted Agent

A Trusted Agent is a Trusted Role authorized to act as a representative of the RA in providing Subscriber identity verification during the registration process. Trusted Agents do not have automated interfaces with the CA. All persons filling the role of Trusted Agent are US citizens.

A Trusted Agent (TA) who performs identification and authentication functions as described in the RAPIDPIV-I RPS complies with the stipulations in this CPS and the CP. A TA who is found to have acted in a manner inconsistent with these obligations is subject to revocation of TA responsibilities. A TA operating under this CPS conforms to the stipulations of this document, including:

• Performing in-person identity verification of certificate applicants in accordance with Section 3.2.3.1

• Including only valid and appropriate information in certificate requests, and maintaining evidence that due diligence was exercised in validating the information contained in the certificate

5.2.2 Number of Persons Required Per Task

Two or more persons are required to perform the following tasks:

a. CA, CSA and eidPIV-I-contentSigning key generation;

b. CA, CSA and eidPIV-I-contentSigning key activation; and

c. CA, CSA and eidPIV-I-contentSigning key backup.

Where multiparty control is required, at least one of the participants is an Administrator. All participants serve in a trusted role as defined in section 5.2.1.

Audit Administrators do not take part in multiparty control operations.

5.2.3 Identification and Authentication for Each Role

{Redacted}

5.2.4 Roles Requiring Separation of Duties

Role separation, when required as set forth below, is enforced either by the CA equipment, or procedurally, or by both means.

Individual RAPIDPIV-I PKI personnel are specifically designated to the four roles defined in section 5.2.1 above.

Individuals may assume more than one role, except as follows:

a. Individuals who assume a Registration Authority or Security Officer role do not assume a System Administrator role;

b. Individuals who assume an Audit Administrator role do not assume any other role on the RAPIDPIV-I PKI component; and

c. Under no circumstances does any of the four roles perform its own compliance auditor function.

No individual fulfilling any of the roles outlined in section 5.2.1 is assigned more than one identity.
