Certification Practice Statement
Version 2.0
© 2006 Continovation Services Inc. All rights reserved.
Trademark Notices
ITRANS, ITRANS logo and eQualifID are trade-marks of Continovation Services Inc. Other trade-marks and service marks in this document are the property of their respective owners.
Without limiting the rights reserved above, and except as licensed below, no part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without prior written permission of Continovation Services Inc.
Notwithstanding the above, permission is granted to reproduce and distribute this CSI Certification Practice Statement on a nonexclusive, royalty-free basis,
provided that: (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy; and (ii) this document is accurately reproduced in full, complete with attribution of the document to Continovation Services Inc.
TABLE OF CONTENTS
1. Introduction
1.1 Acronyms and Definitions
1.2 Private Hierarchy
1.3 Certification Authority
1.4 Registration Authorities
1.5 Subscribers and Certificate Application
1.5 Contact Details
2. General Provisions
2.1 Obligations
2.2 Liability
2.4 Access to Repository
2.5 Confidentiality and Privacy
2.6 Release to Law Enforcement Officials
2.7 Property Rights in Certificates and Revocation Information
3. Identification and Authentication
3.1 Initial Registration
3.2 Authentication of CSI Identity as a CA
3.3 CSI Authentication Process
3.5 Rekey after Revocation
3.6 Revocation Request
4. Operational Requirements
4.1 Certificate Applications
5. Enrollment Details
5.1 Issuance of Certificates
5.2 Certificate Acceptance
6. Certificate Suspension and Revocation
6.1 Circumstances for Revocation
6.2 CRL Issuance Frequency
6.3 Certificate Revocation List Checking Requirements
7. Security Audit Procedures
7.1 Types of Events Recorded
7.2 Frequency of Processing Log
7.3 Retention Period for Audit Log
7.4 Protection of Audit Log
7.5 Audit Log Backup Procedures
7.6 Audit Collection System
7.7 Records Archival
7.8 Disaster Recovery and Key Compromise
8.4 Subscriber Private Keys
8.5 Method of Deactivating Private Key
8.6 Usage Periods for the Public and Private Keys
8.7 Activation Data
8.8 Specific Computer Security Technical Requirements
9. Certificate and CRL Profile
9.1 Certificate Profile
9.2 Certificate Profile Basic Fields
1. Introduction
This document is the Continovation Services Inc. (“CSI”) Certification Practice Statement (“CPS”). It states the practices that CSI uses in providing certification services, and governs the use of Certificates by all individuals and entities who subscribe for a Certificate issued by CSI (“Subscribers”). Please note that the capitalized terms in this CPS are defined terms with specific meanings. Please see Section 1.1 for a list of definitions and acronyms.
CSI issues Certificates to Subscribers in a private hierarchy, which means that CSI digitally signs each Certificate. The root key pair used to create the CSI Certificate Authority (CA) certificate was generated by the Root CSI CA and signed by that same CA. CSI operates one or more Issuing CAs whose certificates are issued and signed by the Root CSI CA. The Issuing CAs publish CRLs, and sign and publish Subscriber Certificates.
This CPS describes, among other things:
(i) Obligations of CSI as the CA, Registration Authorities, Subscribers, and Relying Parties within the CSI Private Hierarchy;
(ii) Summary of legal matters covered in Subscriber Agreements and Relying Party Agreements within the CSI Private Hierarchy;
(iii) Methods used by CSI to confirm the identity of Certificate Applicants;
(iv) Operational procedures for Certificate lifecycle services;
(v) Physical and security practices of CSI; and
(vi) Certificate and Certificate Revocation List content.
1.1 Acronyms and Definitions
Acronyms
CA Certificate Authority
CPS Certificate Practice Statement
CRL Certificate Revocation List
CSR Certificate Signing Request
PKI Public Key Infrastructure
RA Registration Authority
Definitions
“Certificate” shall mean a message that, at least, states a name or identifies the CA, identifies the Subscriber, contains the Subscriber’s public key, identifies the Certificate’s Operational Period, contains a Certificate serial number, and is digitally signed by the CA.
“Certificate Applicant” shall mean an individual or organization that requests the issuance of a Certificate by a Certification Authority.
“Certificate Application” shall mean a request from a Certificate Applicant (or authorized agent of the Certificate Applicant) to a CA for the issuance of a Certificate.
“Certificate Chain” shall mean an ordered list of Certificates containing an end-user Subscriber Certificate and CA Certificates, which terminates in a root Certificate.
“Certificate Revocation List” shall mean a periodically (or exigently) issued list, digitally signed by a CA, of identified Certificates that have been revoked prior to their expiration dates. The list generally indicates the CRL issuer’s name, the date of issue, the date of the next scheduled CRL issue, the revoked Certificates’ serial numbers, and the specific times and reasons for revocation.
“Certification Authority” shall mean an entity authorized to issue, manage, revoke, and renew Certificates.
“Certification Practice Statement” shall mean the practices that CSI employs in approving or rejecting Certificate Applications and issuing, managing, and revoking Certificates, and requires its Subscribers and Relying Parties to employ. The CPS may be amended from time to time and may be accessed at
https://www.continovation.com/csicerts/docs/legal_cps.html.
“Nonverified Subscriber Information” means any information submitted by a Certificate Applicant to a CA or RA, and included within a Certificate, that has not been confirmed by the CA or RA and for which the applicable CA and RA provide no assurances other than the information was submitted by the Certificate Applicant.
“Operational Period” shall mean the period starting with the date and time a Certificate is issued (or on a later date and time if stated in the Certificate) and ending with the date and time on which the Certificate expires or is earlier revoked.
“Registration Authority” shall mean an entity approved by a CA to assist Certificate Applicants in applying for Certificates, and to approve or reject Certificate Applications, revoke Certificates, or renew Certificates.
“Relying Party Agreement” shall mean an agreement used by a CA setting forth the terms and conditions under which an individual or organization acts as a Relying Party. In the context of this Relying Party Agreement, “Relying Party Agreement” means this document.
“Repository” shall mean a database of Certificates and other relevant information accessible online.
“Subject” means the holder of a private key corresponding to a public key. The term “Subject” can, in the case of organizational Certificate, refer to the equipment or device that holds a private key. A Subject is assigned a name which is bound to the public key contained in the Subject’s Certificate.
“Subscriber” shall mean in the case of an individual Certificate, a person who is the Subject of and has been issued, a Certificate. In the case of an organizational Certificate, an organization that owns the equipment or device that is the Subject of, and that has been issued, a Certificate. A Subscriber is capable of using, and is authorized to use, the private key that corresponds to the public key listed in the Certificate.
“Subscriber Agreement” shall mean an agreement used by a CA or RA setting forth the terms and conditions under which an individual or organization acts as a Subscriber.
1.2 Private Hierarchy
The community governed by this CPS is the CSI Private Hierarchy. The CSI Private Hierarchy Participants include: members of the healthcare community (including licensed provider members of the professions represented by: Canadian Dental Association, Opticians Association of Canada, and the Canadian Physiotherapists Association); non-licensed healthcare related service providers; the organizations or business entities within which these providers work; and, healthcare industry allied personnel and organizations. These participants are principally in Canada, but over time will include international participants.
1.3 Certification Authority
In the CSI Private Hierarchy, the Root CSI CA is responsible for issuing its own certificate and for signing and issuing Certificates for subordinate Issuing CA(s). The Issuing CA(s) are responsible for signing all Subscriber Certificates and perform other CA functions in accordance with this CPS.
The Distinguished Name of the Root CSI CA is: CN = ROOT CSI CA
The Distinguished Name of the CSI CA (main Issuing CA) is:
1.4 Registration Authorities
RAs within the CSI Private Hierarchy, the professional associations and professional regulatory authorities, have the ability to provide CSI with member data, manually and/or electronically, which CSI uses to populate and maintain the Subscriber database, and manage the certificate lifecycle. The RAs do not have direct access to the Issuing CA(s).
1.5 Subscribers and Certificate Application
Subscribers for Certificates will be individuals or healthcare related service providing entities (clinics, vendors, insurers, etc.). CSI is also a Subscriber as it uses CSI issued Certificates to authenticate its transaction and processes servers.
Use of a CSI Certificate allows the Subscriber to create digital signatures for authentication and web based access control in the CSI domain, for services offered by CSI and other Relying Parties.
1.5 Contact Details
Address inquiries about the CSI CPS to:
Continovation Services Inc.
800 Industrial Avenue, Suite 11
Ottawa, Ontario K1G 4B8
Telephone: 613-523-4938
Fax: 613-523-5869
ITRANS & eQualifID Help Desk
1-866-788-1212
2. General Provisions
2.1 Obligations
CA Obligations
Subscriber Obligations
Subscriber obligations within the CSI Private Hierarchy are set out in the CSI Subscriber Agreement. The CSI Subscriber Agreement is displayed whenever the user requests a certificate, for example at:
https://www.continovation.com/csicerts/_ie_enca/certificate_cda_form.aspx?type=1
The CSI Subscriber Agreement requires that Certificate Applicants provide complete and accurate information on their Certificate Applications and accept the terms and conditions of the Subscriber Agreement as a condition of obtaining a Certificate.
Subscribers are required to protect their private keys in accordance with the provisions of this CPS. A Subscriber must notify CSI promptly if the Subscriber discovers, or has reason to believe, that the Subscriber's private key or the activation data protecting the private key has been compromised, or if the information within the Certificate is incorrect or has changed. Subscribers must cease using their private keys at the end of the specified key usage period.
Registration Authority Obligations
Professional associations and regulatory bodies, acting as an RA, have the obligation to provide and verify the professional member information. This information is provided on a regular basis to a CSI RA.
The CSI RA is responsible for checking the Subscriber supplied information with Professional associations and/or regulatory authorities and/or third parties to confirm the accuracy and authenticity of the information supplied.
The CSI RA is responsible for inputting the information received and providing certificate lifecycle management, managing the operation of the overall account and providing support to the end user community.
Relying Party Obligations
The CSI Relying Party Agreement can be accessed at:
http://www.continovation.com/csicerts/docs/legal_rely.html
The CSI Relying Party Agreement states that the Relying Party must perform certain checks and make certain independent assessments before relying on a Certificate. Under the terms of the Relying Party Agreement, relying parties must, among other things:
• assess for themselves whether or not the Certificate will be used for an appropriate purpose;
• check the status of the Certificate they wish to rely on; and
• read and agree to the terms and conditions of the Relying Party Agreement.
A Relying Party is not entitled to rely on a Certificate unless all of the above checks are successful and reliance upon the Certificate is reasonable under the circumstances. If the circumstances indicate a need for additional assurances, the Relying Party must obtain such assurances for such reliance to be deemed reasonable.
Repository Obligations
CSI maintains and is responsible for the CSI Repository as part of its CA obligations. CSI publishes the certificates it issues as well as the revocation list in the CSI Repository.
2.2 Liability
CA Disclaimer of warranty and limitation of liability
To the extent permitted by applicable law, the CSI Subscriber Agreement and the Relying Party Agreement disclaim possible warranties, including any warranty of merchantability or fitness for a particular purpose and they limit CSI’s liability.
Limitations of liability include an exclusion of indirect, special, incidental, and consequential damages.
Subscriber Liability
The CSI Subscriber Agreement requires Subscribers to warrant, among other things, that:
• Each digital signature created using the Subscriber’s private key is the digital signature of the Subscriber and the Certificate has been accepted and is operational (not expired or revoked) at the time the digital signature is created;
• No unauthorized person has ever had access to the Subscriber's private key;
• All information supplied by the Subscriber and contained in the Certificate is accurate and true;
• The Certificate is being used exclusively for authorized and legal purposes, consistent with the Subscriber Agreement; and
• The Subscriber is an end-user Subscriber and not a CA, and is not using the Certificate for purposes of digitally signing any Certificate (or any other format of certified public key) or CRL, as a CA or otherwise.
Relying Party Liability
deciding whether or not to rely on such information, and that they are solely liable for the consequences if they fail to perform their obligations. Subscribers often act as Relying Parties as well. Note, therefore, that the terms applicable to Relying Parties are also incorporated by reference in the CSI Subscriber Agreement, which means that Subscribers accept the Relying Party terms when they accept the CSI Subscriber Agreement.
2.3 Indemnification by Subscribers and Relying Parties
Indemnification by Subscribers
The CSI Subscriber Agreement requires Subscribers to indemnify CSI, and other identified entities, against, among other things:
• Falsehood or misrepresentation of fact by the Subscriber on the Subscriber's Certificate Application;
• The Subscriber’s failure to disclose a material fact on the Certificate Application, if the misrepresentation or omission was made negligently or with intent to deceive any party;
• The Subscriber's failure to protect the Subscriber's private key, to use a Trustworthy System, or to otherwise take the precautions necessary to prevent the compromise, loss, disclosure, modification, or unauthorized use of the Subscriber's private key; or
• Infringement of the Intellectual Property Rights of a third party.
Indemnification by Relying Parties
The CSI Relying Party Agreement requires Relying Parties to indemnify CSI and other identified entities against:
• The Relying Party's failure to perform the obligations of a Relying Party;
• The Relying Party's reliance on a Certificate that is not reasonable under the circumstances; or
• The Relying Party's failure to check the status of such Certificate to determine if the Certificate is expired or revoked.
2.4 Access to Repository
2.5 Confidentiality and Privacy
The CSI privacy policy governing CSI’s confidentiality and privacy obligations can be accessed at http://www.continovation.com/itrans_legal/itrans_privacy_policy.htm
2.6 Release to Law Enforcement Officials
CSI will disclose Confidential Information if, in good faith, CSI believes disclosure is necessary in response to subpoenas, search warrants or other court or governmental orders. This section is subject to applicable privacy laws.
2.7 Property Rights in Certificates and Revocation Information
CSI retains all Intellectual Property Rights in and to the Certificates and revocation information that it issues.
3. Identification and Authentication
3.1 Initial Registration
Types of Names
Distinguished Name Attributes in CSI Certificates
CSI Certificates contain an X.501 distinguished name in the Subject name field, and consist of the components specified in the Table below.
Attribute | Value
CA issuer | Name of the Issuing CA (eg. CSI CA)
Email Address | Current email address (eg. *@*.com)
Common Name (CN) | Name (first and last name) or Business Name
ID OID | Health Care profession namespace and unique identifier
ID Type OID | Type of professional occupation
Site ID OID | Optional Site location namespace and unique identifier
The common name value included in the Subject distinguished name of individual Certificates represents the individual's generally accepted personal name, or the entity's or device’s business name.
Method to Prove Possession of Private Key
3.2 Authentication of CSI Identity as a CA
The CSI CA Certificate is issued by the Root CSI CA. The Root CSI CA Certificate is self issued.
3.3 CSI Authentication Process
Before issuing a Certificate, CSI confirms that:
• the Certificate Applicant is the person identified in the Certificate Application;
• the Certificate Applicant rightfully holds the private key corresponding to the public key to be listed in the Certificate; and
• the information to be included in the Certificate is accurate.
In addition, CSI performs the more detailed procedures described below:
• The certificate enrollment request from the end user is validated against a CSI database;
• the information included in the application is consistent with the information provided by the licensing body or Registration Authority;
• a confirmation of the email address; and
• confirmation that applicant is a member of the healthcare community (i.e. doctor, dentist, chiropractor, clinic, service supplier).
The following table classifies the required fields for enrollment, their source, and whether the field will be shown on the Certificate. The end-user is required to fill in certain fields on the enrollment form, which is either a Web based form or CSI supplied enrollment application.
Enrollment Fields
Field | Source | Fields used for Authentication
O = Organization | Continovation Services Inc. | No
CN = Individual/Business Name | Pre-populated from the DB | No
Provider ID - ID OID (This will be a combination of ID Issuer OID and ID Number) - ID Type OID – 1.2.43.127.4116.10.2047.1 | Gathered during the enrollment process. (e.g. license number) | Yes. Authenticated against the CSI database
Location ID - ID Site OID (This is a combination of ID Site Issuer OID and Site ID) | Optional. Namespace identifier and Unique ID gathered during the enrollment. | Yes. Authenticated against the CSI database
Password | Gathered during the enrollment process. | Yes. database
Email address | Gathered during the enrollment process. | Yes. Authenticated against the CSI database
3.4 Routine Rekey and Renewal
Subscribers must renew their Certificates, by generating a new key pair, before the expiry date to ensure continued usage of the Certificate. CSI Certificates, which have not been revoked, may not be replaced. A new certificate must be requested and authenticated as if it was an original Certificate Application. For renewal, a non-revoked certificate may be used to authenticate the subscriber to allow the enrollment form to gather required information without requiring entry on the part of the user.
3.5 Rekey after Revocation
CSI will not rekey after revocation if:
(i) revocation occurred because the Certificate was issued to a person other than the one named as the Subject of the Certificate;
(ii) the Certificate was issued without the authorization of the person named as the Subject of such Certificate; or
(iii) CSI discovers or has reason to believe that a material fact in the Certificate Application is false.
3.6 Revocation Request
Prior to the revocation of a Certificate, CSI verifies that the revocation has been requested by the Certificate's Subscriber and/or by the RA. Acceptable procedures for authenticating Subscriber revocation requests include:
Receiving a message purporting to be from the Subscriber that requests revocation and contains a digital signature verifiable with reference to the Certificate to be revoked; and
Communication with the Subscriber providing reasonable assurances that the person or organization requesting revocation is, in fact the Subscriber. Depending on the circumstances, such communication may include one or more of the following: telephone, facsimile, e-mail, postal mail, or courier service.
4. Operational Requirements
4.1 Certificate Applications
All Certificate Applicants are required to do the following:
• complete a Certificate Application and provide the required information;
• generate, or arrange to have generated, a key pair;
• deliver his, her, or its public key, to CSI;
• demonstrate to CSI that the Certificate Applicant has possession of the private key corresponding to the public key delivered to CSI; and
• manifest assent to the Subscriber Agreement.
5. Enrollment Details
End-users are required to provide either:
• current email address,
• current member password, and
• their license number,
• site field ID (optional).
Or
• a currently valid CSI issued certificate.
Upon successful validation of the credentials submitted, the end user information is harvested from the database and submitted as part of the CSR (certificate signing request). The correct information is inserted into the Certificate constructed by the CA to prevent CSR tampering.
5.1 Issuance of Certificates
CSI will create and issue a Certificate to the Certificate Applicant provided the authentication procedures have been successfully carried out. CSI creates and issues to a Certificate Applicant a Certificate based on the information in a Certificate Application following approval of such Certificate Application. These procedures also apply to requests for replacement Certificates.
5.2 Certificate Acceptance
Downloading a Certificate constitutes the Subscriber's acceptance of the Certificate. Upon Certificate generation and installation, CSI notifies the Subscriber, via email to the email address on file, that a Certificate has been generated and issued to them so that the Subscriber may contact CSI to revoke the Certificate if this was not an intended action of the Subscriber.
6. Certificate Suspension and Revocation
6.1 Circumstances for Revocation
CSI will revoke a Certificate under the following circumstances:
• CSI or a Subscriber has reason to believe or strongly suspects that there has been a Compromise of a Subscriber's private key;
• CSI has reason to believe that the Subscriber has materially breached a material obligation, representation, or warranty under the CSI Subscriber Agreement;
• The Subscriber Agreement with the Subscriber has been terminated;
• CSI has reason to believe that the Certificate was issued to a person other than the one named as the Subject of the Certificate, or the Certificate was issued without the authorization of the person named as the Subject of such Certificate;
• CSI has reason to believe that a material fact in the Certificate Application is false;
• CSI determines that a material prerequisite to Certificate Issuance was neither satisfied nor waived;
• The information within the Certificate is incorrect or has changed (excluding the email address); or
• The Subscriber or professional association RA requests revocation of the Certificate.
6.2 CRL Issuance Frequency
CSI publishes a CRL that shows the revocation of CSI Certificates. Full CRLs are generated every 7 days and delta CRLs are generated daily. The serial number for each revoked certificate is kept in the CA’s database and published as part of the CRL until the certificate expires. Typically, a revoked and expired certificate remains in the CRL for one additional CRL publication interval.
6.3 Certificate Revocation List Checking Requirements
Relying Parties must check the status of Certificates on which they wish to rely. Relying Parties may check the status of CSI Certificates by consulting the CRL publication site specified in the certificate, generally at http://www.continovation.com/CSI_
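The status check that sections 6.2 and 6.3 leave to the Relying Party's software, as an added example (not CSI's code): it combines the weekly full CRL with the daily delta CRL and reports no status when either list is out of date. The `Crl` model, the serial numbers and the dates are constructed; CRL signatures are assumed to have been verified already, and treating a missing or stale delta CRL as "unknown" is a policy assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    EXPIRED = "expired"
    UNKNOWN = "unknown"  # no current revocation data: do not rely


@dataclass(frozen=True)
class Crl:
    """Fields of a CRL whose signature was already verified (modelled, not DER-parsed)."""
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime]            # serial number -> revocation date
    base_crl_number: Optional[int] = None   # set only on a delta CRL
    removed: FrozenSet[int] = frozenset()   # delta entries with reason removeFromCRL


def is_current(crl: Crl, now: datetime) -> bool:
    """A CRL may be used only between its issue date and its Next Update."""
    return crl.this_update <= now <= crl.next_update


def delta_applies(full: Crl, delta: Crl) -> bool:
    """CRL-number conditions of RFC 3280 section 5.2.4 for combining the two lists."""
    return (delta.base_crl_number is not None
            and delta.base_crl_number <= full.crl_number < delta.crl_number)


def merged_revocations(full: Crl, delta: Crl) -> Dict[int, datetime]:
    """Full CRL entries, minus the delta's removals, plus the delta's additions."""
    merged = dict(full.revoked)
    for serial in delta.removed:
        merged.pop(serial, None)
    merged.update(delta.revoked)
    return merged


def check_status(serial: int, not_after: datetime, full: Optional[Crl],
                 delta: Optional[Crl], now: datetime) -> Status:
    """Status of one certificate serial number at time `now`."""
    if now > not_after:
        return Status.EXPIRED
    # A full CRL past its Next Update says nothing about the last few days.
    if full is None or not is_current(full, now):
        return Status.UNKNOWN
    # The full CRL can be up to 7 days old, so a usable daily delta is required.
    if delta is None or not is_current(delta, now) or not delta_applies(full, delta):
        return Status.UNKNOWN
    return Status.REVOKED if serial in merged_revocations(full, delta) else Status.GOOD


def mar(day: int, hour: int = 0) -> datetime:
    """Constructed timestamps: a day in March 2006, UTC."""
    return datetime(2006, 3, day, hour, tzinfo=timezone.utc)


# Constructed sample data: a weekly full CRL and one daily delta issued against it.
FULL = Crl(crl_number=40, this_update=mar(1), next_update=mar(8),
           revoked={0x1A2B: datetime(2006, 2, 20, tzinfo=timezone.utc),
                    0x5E6F: datetime(2006, 2, 25, tzinfo=timezone.utc)})
DELTA = Crl(crl_number=43, this_update=mar(4), next_update=mar(5),
            revoked={0x3C4D: mar(3, 15)},   # revoked after the full CRL was issued
            base_crl_number=40,
            removed=frozenset({0x5E6F}))    # dropped once the certificate expired
NOW = mar(4, 12)

if __name__ == "__main__":
    samples = [(0x1A2B, mar(30)), (0x3C4D, mar(30)), (0x5E6F, mar(3)), (0x9999, mar(30))]
    for serial, not_after in samples:
        print(hex(serial), check_status(serial, not_after, FULL, DELTA, NOW).value)
```

Serial 0x3C4D appears only in the delta CRL, so a client that fetches just the weekly full CRL would keep accepting it until the next full issue.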
7. Security Audit Procedures
7.1 Types of Events Recorded
CSI manually or automatically logs the following significant events:
Subscriber certificate life cycle management events, including:
i. Certificate Applications, renewal, rekey, and revocation;
ii. Successful or unsuccessful processing of requests; and
iii. Generation and issuance of Certificates and CRLs.
Log entries include the following elements:
i. Date and time of the entry;
ii. Serial or sequence number of entry, for automatic journal entries;
iii. Identity of the entity making the journal entry; and
iv. Kind of entry.
CSI logs Certificate Application information including:
i. Kind of identification presented by the Certificate Applicant;
ii. Record of unique identification data, numbers, or a combination thereof;
iii. Storage location of copies of applications and identification documents; and
iv. Method used to validate identification documents.
7.2 Frequency of Processing Log
Audit logs are examined periodically for significant security and operational events. Audit log processing consists of a review of the audit logs and documentation for all significant events in an audit log summary. Audit log reviews include a verification that the log has not been tampered with, a brief inspection of all log entries, and a more thorough investigation of any alerts or irregularities in the logs. Actions taken based on audit log reviews are also documented.
7.3 Retention Period for Audit Log
Audit logs are retained at least two (2) months after processing.
7.4 Protection of Audit Log
Electronic and manual audit log files are protected from unauthorized viewing,
7.5 Audit Log Backup Procedures
Full backups of audit logs are performed daily.
7.6 Audit Collection System
Automated audit data is generated and recorded at the application, network and operating system level.
7.7 Records Archival
Types of Events Recorded
In addition to the audit logs specified above, CSI maintains records that include documentation of actions and information that are material to each Certificate Application and to the creation, issuance, use, revocation, expiration, and rekey or renewal of all Certificates it issues.
CSI’s records of Certificate life cycle events include:
(i) the identity of the Subscriber named in each Certificate;
(ii) the identity of persons requesting Certificates;
(iii) other facts represented in the Certificate; and
(iv) time stamps.
Records may be maintained electronically or in hard copy, provided that such records are accurately and completely indexed, stored, preserved, and reproduced.
Retention Period for Archive
Records associated with a Certificate are retained for at least five (5) years following the date the Certificate expires or is revoked. If necessary, CSI may implement longer retention periods in order to comply with applicable laws.
7.8 Disaster Recovery and Key Compromise
CSI has implemented a combination of physical, logical and procedural controls to minimize the risk and potential impact of a key compromise or disaster.
Site Location and Disaster Recovery
8. Technical Security Controls
8.1 Key Pair Generation and Installation
CSI CA key pairs were generated using a FIPS 140-1 level 1 certified cryptographic module as provided in the Microsoft Windows Certificate Service.
Generation of end-user Subscriber key pairs is generally performed by the Subscriber, typically using a FIPS 140-1 level 1 certified cryptographic module provided with their browser software for key generation.
8.2 Public Key Delivery to CSI
Subscribers submit their public key to CSI for certification electronically through the use of a PKCS#10 Certificate Signing Request (CSR) or other digitally signed package in a session secured by Secure Sockets Layer (SSL).
8.3 Method of Activating Private Key
All CSI Private Hierarchy Participants are required to protect the activation data for their private keys against loss, theft, modification, unauthorized disclosure, or unauthorized use.
8.4 Subscriber Private Keys
Subscribers are required to protect the activation data for their private keys as set out below:
• Use a password or security of equivalent strength to authenticate the Subscriber before the activation of the private key; and
• Take commercially reasonable measures to prevent use of the Subscriber’s workstation and its associated private key without the Subscriber's authorization.
In addition, CSI encourages Subscribers to enable mechanisms which deny export of certificates containing private keys.
8.5 Method of Deactivating Private Key
Subscriber private keys may be deactivated after each operation, upon logging off their system, or upon removal of a smart card from the smart card reader depending upon the authentication mechanism employed by the user. When deactivated, private keys should be kept in encrypted form only.
The Operational Period of a Certificate ends upon its expiration or revocation. The Operational Period for key pairs is the same as the Operational Period for the associated Certificates, except that private keys may continue to be used for decryption and public keys may continue to be used for signature verification.
8.7 Activation Data
Activation Data Generation and Installation
CSI recommends that Subscribers store their private keys in encrypted format and optionally use hardware and / or select strong passwords to protect their private keys. CSI suggests that passwords:
• be generated by the user;
• have at least eight characters;
• have at least one alphabetic and one numeric character;
• have at least one lower-case letter;
• not contain many occurrences of the same character;
• not be the same as the operator's profile name; and
• not contain a long substring of the user's profile name.
8.8 Specific Computer Security Technical Requirements
CSI ensures that the systems maintaining RA and CA software and data files are Trustworthy Systems secure from unauthorized access. In addition, access to production servers is limited to those individuals with a valid business reason for such access.
9. Certificate and CRL Profile
9.1 Certificate Profile
Certificates conform to: (a) ITU-T Recommendation X.509 (1997): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997; and (b) RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002 ("RFC 3280").
At a minimum, X.509 Certificates contain the basic X.509 Version 1 fields and the prescribed values or value constraints indicated below:
Field | Value or Value constraint
Version | X.509, Version 3.0
Serial Number | Unique value per Issuer DN
Signature Algorithm |
Issuer DN | O = Continovation Services Inc., and CN = CSI CA
Valid From | Universal Coordinate Time base. Synchronized to Master Clock of U.S. Naval Observatory. Encoded in accordance with RFC 3280.
Valid To | Universal Coordinate Time base. Synchronized to Master Clock of U.S. Naval Observatory. Encoded in accordance with RFC 3280. The validity period will be 1 year.
Subject DN | See section 3.1
Subject Public Key | Encoded in accordance with RFC 3280 using shaWithRSAEncryption (OID 1.2.840.113549.1.1.5) or md5WithRSAEncryption (OID: 1.2.840.113549.1.1.4) algorithm and key lengths of 1024.
Signature | Generated and encoded in accordance with RFC 3280.
9.2 Certificate Profile Basic Fields
Key Usage
The CSI CA KeyUsage criticality field extension has been set to FALSE.
Basic Constraints
CSI X.509, Version 3.0 CA Certificates have a BasicConstraints extension with the Subject Type set to CA. End-user Subscriber Certificates are also populated with a BasicConstraints extension with the Subject Type equal to End Entity. The criticality of the BasicConstraints extension is generally set to FALSE for End-Entity Certificates and TRUE for CA Certificates.
Algorithm Object Identifiers
The CSI X.509 Certificates are signed with shaWithRSAEncryption (OID 1.2.840.113549.1.1.5) or md5WithRSAEncryption (OID: 1.2.840.113549.1.1.4) in accordance with RFC 3280.
9.3 Profile
CSI issues the CSI CRL that conforms to RFC 3280. At a minimum, these CRLs contain the basic fields and contents specified below:
Field | Value or Value constraint
Version | X.509 Version 1 or 2 CRLs.
Signature Algorithm | Algorithm used to sign the CRL. CRLs are signed using sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5) or
Effective Date | Issue date of the CRL. CSI CRLs are effective upon issuance.
Next Update | Date by which the next CRL will be issued.
Revoked Certificates | Listing of revoked certificates, including the Serial Number of the revoked Certificate and the Revocation Date.