Domain 6 A2 Requirements Testing Procedures
6D-4 The loading of keys or key components must incorporate a validation mechanism such that the authenticity of the keys is ensured and it can be ascertained that they have not been tampered with, substituted, or compromised.
6D-4.6 Key pairs generated external to the device that uses the key pair must be securely transferred and loaded into the device and must provide for key protection in accordance with this document. That is, the secrecy of the private key and the integrity of the public key must be ensured. The process must ensure that once keys are injected they are no longer
available for injection into other POI devices—i.e., key pairs are unique per POI device.
6D-4.6 If key pairs are generated external to the device that uses the key pair, perform the following:
Examine documented procedures to verify that controls are defined to ensure the secrecy of private keys and the integrity of public keys during key transfer and loading.
Observe key transfer and loading operations to verify that the secrecy of private keys and the integrity of the public keys are ensured.
Verify the process ensures that key pairs are unique per POI device.
6E-3 Cryptographic keys must be used only for their sole intended purpose and must never be shared between production and test systems.
6E-3.5 If a business rationale exists, a production platform (HSM and server/standalone computer) may be temporarily used for test purposes. However, all keying material must be deleted from the HSM(s) and the server/computer platforms prior to testing. Subsequent to completion of testing, all keying materials must be deleted, the server/computer platforms must be wiped and rebuilt from read-only media, and the relevant production keying material restored using the principles of dual control and split knowledge as stated in these requirements.
At all times, the HSMs and servers/computers must be physically and logically secured in accordance with these requirements.
6E-3.5 Interview personnel to determine whether production platforms are ever temporarily used for testing.
If they are, verify that documented procedures require that:
All keying material is deleted from the HSM(s) and the server /computer platforms prior to testing.
Subsequent to completion of testing, all keying materials must be deleted and the server/computer platforms must be wiped and rebuilt from read-only media.
Prior to reuse for production purposes the HSM is returned to factory state.
The relevant production keying material is restored using the principles of dual control and split knowledge as stated in these requirements.
6E-3.6 Key pairs must not be reused for certificate renewal or replacement—i.e., new key pairs must be generated.
Each key pair must result in only one certificate.
6E-3.6.a Examine documented procedures for requesting certificate issue, renewal, and replacement to verify procedures include generation of a unique key pair for each:
New certificate issue request
Certificate replacement request
Each key pair generated results in only one certificate
6E-3.6.b Interview responsible personnel and observe certificate issuing and replacement processes to verify that:
Only one certificate is requested for each key pair generated.
Certificates are replaced by generating a new key pair and requesting a new certificate.
Each key pair generated results in only one certificate.
6E-3.9.1 CA certificate signature keys, certificate (entity) status checking (e.g., Certificate Revocation Lists) signature keys, or signature keys for updating valid/authorized host lists in encryption devices must not be used for any purpose other than subordinate entity certificate requests, certificate status checking, and self-signed root certificates.
Note: The keys used for certificate signing and certificate (entity) status checking (and if applicable, self-signed roots) may be for combined usage or may exist as separate keys dedicated to either certificate-signing or certificate (entity) status checking.
6E-3.9.1.a Examine certificate policy and documented procedures to verify that:
Certificate signature keys,
Certificate status checking (e.g., Certificate Revocation Lists) signature keys, or
Signature keys for updating valid/authorized host lists in POIs Must not be used for any purpose other than:
Subordinate entity certificate requests,
Certificate status checking, and/or
Self-signed root certificates.
6E-3.9.1.b Interview responsible personnel and observe demonstration to verify that:
Certificate signature keys,
Status checking (e.g., Certificate Revocation Lists) signature keys, or
Signature keys for updating valid/authorized host lists in POIs Are not used for any purpose other than:
Subordinate entity certificate requests,
Certificate status checking, and/or
Self-signed root certificates.
6E-3.9.2 CAs that issue certificates to other CAs must not be used to issue certificates to POIs.
6E-3.9.2 If a CA issues certificates to other CAs, examine the CA certificate policy and documented procedures to verify that the CA does not also issue certificates to POI devices.
6E-3.10 Public-key-based implementations must provide mechanisms for restricting and controlling the use of public and private keys. For example, this can be accomplished through the use of X.509 compliant certificate extensions.
6E-3.10 Examine documented procedures to verify that mechanisms are defined for restricting and controlling the use of public and private keys such that they can only be used for their intended purpose.
6E-3.11 CA private keys must not be shared between devices except for load balancing and disaster recovery.
6E-3.11 Examine CA’s documented processes to verify that CA private keys are not permitted to be shared between devices, except for load balancing and disaster recovery.
6E-3.12 The PKI used for remote key distribution must not be used for any other purpose, e.g., cannot be used for firmware or application authentication.
6E-3.12.a Interview responsible personnel to verify that the PKI is operated solely for the purposes of remote key distribution:
6E-3.12.b Examine the documented certificate policy to verify that the CA is operated solely for the purposes of remote key distribution.