Secure Inter-Domain Routing (sidr) Kent, S.InternetDraft Kong,Engineering Task Force (IETF) S. Kent Request for Comments: 7382 D.Expires: October 2014 Seo,Kong BCP: 173 K.Intended Status: BCPSeo Category: Best Current Practice BBN Technologies ISSN: 2070-1721 April20142015 Template for a Certification Practice Statement (CPS) for the Resource PKI (RPKI)draft-ietf-sidr-cps-04.txtAbstract This document contains a template to be used for creating a Certification Practice Statement (CPS) for anOrganizationorganization that is part of the Resource Public Key Infrastructure (RPKI), e.g., a resource allocation registry or an ISP. Status ofthisThis Memo ThisInternet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are workingmemo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force(IETF), its areas,(IETF). It represents the consensus of the IETF community. It has received public review andits working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents validhas been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. Ithttp://www.rfc-editor.org/info/rfc7382. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document isinappropriatesubject touse Internet-DraftsBCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, asreference material orthey describe your rights and restrictions with respect tocite them other thanthis document. Code Components extracted from this document must include Simplified BSD License text asworkdescribed inprogress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The listSection 4.e ofInternet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on October 31,2014.the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents Preface..........................................................7............................................................8 1. Introduction..................................................8....................................................9 1.1. Overview.................................................8..................................................10 1.2. Document Name and Identification.........................9..........................10 1.3. PKI Participants.........................................9..........................................11 1.3.1. Certification Authorities...........................9..........................11 1.3.2. Registration Authorities...........................10...........................11 1.3.3. Subscribers........................................10........................................11 1.3.4. Relying Parties....................................10....................................11 1.3.5. Other Participants.................................10.................................12 1.4. Certificate Usage.......................................10.........................................12 1.4.1. Appropriate Certificate Uses.......................10.......................12 1.4.2. Prohibited Certificate Uses........................11........................12 1.5. Policy Administration...................................11.....................................12 1.5.1. OrganizationadministeringAdministering thedocument ............11Document ............12 1.5.2. Contact Person.....................................11.....................................12 1.5.3. Person Determining CPS Suitability for the Policy..11..12 1.5.4. CPS Approval Procedures............................11............................13 1.6. Definitions and Acronyms................................11..................................13 2. Publication and Repository Responsibilities..................14....................14 2.1. Repositories............................................14..............................................14 2.2. Publication of Certification Information................14..................14 2.3. Time or Frequency of Publication........................14..........................14 2.4. Access Controls on Repositories.........................14...........................15 3. IdentificationAndand Authentication............................15..............................15 3.1. Naming..................................................15....................................................15 3.1.1. Types of Names .....................................15 3.1.2. Need for Names tobeBe Meaningful ....................15 3.1.3. Anonymity or Pseudonymity of Subscribers ...........15 3.1.4. Rules for Interpreting Various Name Forms ..........15 3.1.5. Uniqueness of Names................................15................................16 3.1.6. Recognition, Authentication, and Role ofRrademarks.16Trademarks .........................................16 3.2. Initial Identity Validation.............................16...............................16 3.2.1. Method to Prove Possession of Private Key ..........16 3.2.2. Authentication of Organization Identity ............16 3.2.3. Authentication of Individual Identity..............16..............17 3.2.4. Non-verified Subscriber Information ................17 3.2.5. Validation of Authority ............................17 3.2.6. Criteria for Interoperation ........................17 3.3. Identification and Authentication for Re-key Requests...17.....18 3.3.1. Identification and Authentication for RoutineRe-key17Re-key .....................................18 3.3.2. Identification and Authentication for Re-key after Revocation................................................18............................18 3.4. Identification and Authentication for RevocationRequest.18Request ..18 4. CertificateLife-CycleLife Cycle Operational Requirements..............19................18 4.1. Certificate Application.................................19...................................18 4.1.1. Who Can Submit a Certificate Application...........19...........18 4.1.2. Enrollment Process and Responsibilities ............19 4.2. Certificate Application Processing......................19........................19 4.2.1. Performing Identification and AuthenticationFunctions19Functions ...........................19 4.2.2. Approval or Rejection of Certificate Applications ..19 4.2.3. Time to Process Certificate Applications...........20...........19 4.3. Certificate Issuance....................................20......................................19 4.3.1. CA ActionsDuringduring Certificate Issuance.............20.............19 4.3.2. Notification to Subscriber by the CA of Issuance of Certificate...............................................20............................20 4.3.3. Notification of Certificate Issuance by the CA to Other Entities..................................................20...............................20 4.4. Certificate Acceptance..................................20....................................20 4.4.1. Conduct Constituting Certificate Acceptance ........20 4.4.2. Publication of the Certificate by the CA ...........20 4.4.3. Notification of Certificate Issuance by the CA to Other Entities..................................................21...............................20 4.5. Key Pair and Certificate Usage..........................21............................20 4.5.1. Subscriber Private Key and Certificate Usage.......21.......20 4.5.2. Relying Party Public Key and Certificate Usage .....21 4.6. Certificate Renewal.....................................21.......................................21 4.6.1. Circumstance for Certificate Renewal ...............21 4.6.2. Who May Request Renewal............................22............................21 4.6.3. Processing Certificate Renewal Requests ............22 4.6.4. Notification of New Certificate Issuance toSubscriber22Subscriber .........................................22 4.6.5. Conduct Constituting Acceptance of a Renewal Certificate..........................................................22................................22 4.6.6. Publication of the Renewal Certificate by the CA ...22 4.6.7. Notification of Certificate Issuance by the CA to Other Entities..................................................22...............................22 4.7. Certificate Re-key......................................23........................................22 4.7.1. Circumstance for Certificate Re-key................23................22 4.7.2. Who May Request Certification of a New Public Key ..23 4.7.3. Processing Certificate Re-keying Requests ..........23 4.7.4. Notification of New Certificate Issuance toSubscriber23Subscriber .........................................23 4.7.5. Conduct Constituting Acceptance of a Re-keyed Certificate...............................................23...............................23 4.7.6. Publication of the Re-keyed Certificate by the CA..24..23 4.7.7. Notification of Certificate Issuance by the CA to Other Entities..................................................24...............................23 4.8. Certificate Modification................................24..................................23 4.8.1. Circumstance for Certificate Modification..........24..........23 4.8.2. Who May Request CertificatemodificationModification ...........24 4.8.3. Processing Certificate Modification Requests .......24 4.8.4. Notification of Modified Certificate Issuance to Subscriber................................................25.............................24 4.8.5. Conduct Constituting Acceptance of Modified Certificate..........................................................25........................................24 4.8.6. Publication of the Modified Certificate by the CA..25..24 4.8.7. Notification of Certificate Issuance by the CA to Other Entities..................................................25...............................24 4.9. Certificate Revocation and Suspension...................25.....................25 4.9.1. Circumstances for Revocation .......................25 4.9.2. Who Can Request Revocation .........................25 4.9.3. Procedure for Revocation Request...................26...................25 4.9.4. Revocation Request Grace Period....................26....................25 4.9.5. TimeWithinwithin Which CA Must Process the Revocation Request..........................................................26.................................25 4.9.6. Revocation Checking Requirement for RelyingParties.26Parties ............................................25 4.9.7. CRL Issuance Frequency .............................26 4.9.8. Maximum Latency for CRLs ...........................26 4.10. Certificate Status Services............................26..............................26 5. Facility, Management, and Operational Controls...............27.................26 5.1. Physical Controls.......................................27.........................................26 5.1.1. SitelocationLocation andconstruction .....................27Construction .....................26 5.1.2. Physicalaccess ....................................27Access ....................................26 5.1.3. Power andair conditioning .........................27Air Conditioning .........................26 5.1.4. Waterexposures ....................................27Exposures ....................................26 5.1.5. FirepreventionPrevention andprotection .....................27Protection .....................26 5.1.6. Mediastorage ......................................27Storage ......................................26 5.1.7. Wastedisposal .....................................27Disposal .....................................26 5.1.8.Off-site backup ....................................27Off-Site Backup ....................................26 5.2. Procedural Controls.....................................27.......................................27 5.2.1. TrustedrolesRoles ......................................27 5.2.2. Number ofpersons requiredPersons Required pertaskTask ................27 5.2.3. Identification andauthenticationAuthentication foreach roleEach Role ....27 5.2.4. Rolesrequiring separationRequiring Separation ofdutiesDuties ...............27 5.3. Personnel Controls......................................27........................................27 5.3.1. Qualifications,experience,Experience, andclearance requirements28Clearance Requirements .......................................27 5.3.2. Backgroundcheck procedures ........................28Check Procedures ........................27 5.3.3. Trainingrequirements ..............................28Requirements ..............................27 5.3.4. RetrainingfrequencyFrequency andrequirements ..............28Requirements ..............27 5.3.5. Jobrotation frequencyRotation Frequency andsequence ................28Sequence ................27 5.3.6. Sanctions forunauthorized actions .................28Unauthorized Actions .................27 5.3.7. Independentcontractor requirements ................28Contractor Requirements ................27 5.3.8. DocumentationsuppliedSupplied topersonnel ................28Personnel ................27 5.4. Audit Logging Procedures................................28..................................28 5.4.1. Types of Events Recorded ...........................28 5.4.2. Frequency of Processing Log........................29........................28 5.4.3. Retention Period for Audit Log.....................29.....................28 5.4.4. Protection of Audit Log............................29............................28 5.4.5. Audit Log Backup Procedures........................29........................28 5.4.6. Audit Collection System (Internal vs. External) [OMITTED].................................................29................................29 5.4.7. Notification toEvent-causingEvent-Causing Subject [OMITTED] ....29 5.4.8. Vulnerability Assessments ..........................29 5.5. Records Archival [OMITTED]..............................29................................29 5.6. Key Changeover..........................................29............................................29 5.7. Compromise and Disaster Recovery........................29..........................29 5.8. CA or RA Termination....................................30......................................29 6. Technical Security Controls..................................31....................................29 6.1. Key Pair Generation and Installation....................31......................29 6.1.1. Key Pair Generation................................31................................29 6.1.2. Private Key Delivery to Subscriber.................31.................30 6.1.3. Public Key Delivery to Certificate Issuer..........31..........30 6.1.4. CA Public Key Delivery to Relying Parties..........31..........30 6.1.5. Key Sizes..........................................31..........................................30 6.1.6. Public KeyParametersParameter Generation and QualityChecking32Checking ...........................................30 6.1.7. Key Usage Purposes (as per X.509 v3 Key UsageField)32Field) .......................................30 6.2. Private Key Protection and Cryptographic Module Engineering Controls.....................................................32......................................31 6.2.1. Cryptographicmodule standardsModule Standards andcontrols ........32Controls ........31 6.2.2. Private Key (n out of m) Multi-Person Control......32......31 6.2.3. Private Key Escrow.................................32.................................31 6.2.4. Private Key Backup.................................32.................................31 6.2.5. Private Key Archival...............................33...............................31 6.2.6. Private Key Transfer into or from a Cryptographic Module..........................................................33...............................31 6.2.7. Private Key Storage on Cryptographic Module........33........31 6.2.8. Method of Activating Private Key...................33...................32 6.2.9. Method of Deactivating Private Key.................33.................32 6.2.10. Method of Destroying Private Key..................33..................32 6.2.11. Cryptographic Module Rating.......................33.......................32 6.3. OtheraspectsAspects of Key Pair Management....................33......................32 6.3.1. Public Key Archival................................33................................32 6.3.2. Certificate Operational Periods and Key Pair Usage Periods...................................................34.................................32 6.4. Activationdata .........................................34Data ...........................................32 6.4.1. Activation Data Generation and Installation........34........32 6.4.2. Activationdata protection .........................34Data Protection .........................32 6.4.3. Other Aspects of Activation Data...................34...................33 6.5. Computer Security Controls..............................34................................33 6.6. LifecycleCycle Technical Controls...........................34.............................33 6.6.1. System Development Controls........................34........................33 6.6.2. Security Management Controls.......................34.......................33 6.6.3. Life Cycle Security Controls.......................35.......................33 6.7. Network Security Controls...............................35.................................33 6.8.Time-stamping ...........................................35Time-Stamping .............................................33 7. Certificate and CRL Profiles.................................36...................................33 8. Compliance Audit and Other Assessments.......................37.........................34 9. Other BusinessAndand Legal Matters.............................38...............................34 9.1. Fees....................................................38......................................................34 9.1.1. CertificateissuanceIssuance orrenewal fees ...............38Renewal Fees ...............34 9.1.2. Certificate Access Fees [OMITTED] ..................34 9.1.3. Revocation or Status Information Access Fees [OMITTED] .....................................34 9.1.4. Fees forother servicesOther Services (ifapplicable) ............38 9.1.3.Applicable) ............34 9.1.5. Refundpolicy ......................................38Policy ......................................34 9.2. Financialresponsibility ................................38Responsibility ..................................34 9.2.1. Insurancecoverage .................................38Coverage .................................34 9.2.2. Otherassets .......................................38Assets .......................................34 9.2.3. Insurance orwarranty coverageWarranty Coverage forend-entities ....38End-Entities ....34 9.3. Confidentiality ofbusiness information .................38Business Information ...................34 9.3.1. Scope ofconfidential information ..................38Confidential Information ..................34 9.3.2. InformationnotNot within thescopeScope ofconfidential information ...............................................38Confidential Information ...........................34 9.3.3. Responsibility toprotect confidential information..38Protect Confidential Information ........................................34 9.4. Privacy ofpersonal information .........................39Personal Information ...........................34 9.4.1. Privacyplan .......................................39Plan .......................................34 9.4.2. InformationtreatedTreated asprivate .....................39Private .....................35 9.4.3. Informationnot deemed private .....................39Not Deemed Private .....................35 9.4.4. Responsibility toprotect private information ......39Protect Private Information ......35 9.4.5. Notice andconsentConsent touse private information ......39Use Private Information ......35 9.4.6. DisclosurepursuantPursuant tojudicialJudicial oradministrative process ...................................................39Administrative Process .............................35 9.4.7. Otherinformation disclosure circumstances .........39Information Disclosure Circumstances .........35 9.5. Intellectualproperty rightsProperty Rights (ifapplicable) ............39Applicable) ..............35 9.6. Representations andwarranties ..........................39Warranties ............................35 9.6.1. CArepresentationsRepresentations andwarranties ..................39Warranties ..................35 9.6.2. SubscriberrepresentationsRepresentations andwarranties ..........39Warranties ..........35 9.6.3. Relyingparty representationsParty Representations andwarranties .......39Warranties .......35 9.7. Disclaimers ofwarranties ...............................39Warranties .................................35 9.8. Limitations ofliability ................................39Liability ..................................35 9.9. Indemnities.............................................39...............................................35 9.10. Term andtermination ...................................39Termination .....................................35 9.10.1. Term..............................................39..............................................35 9.10.2. Termination.......................................39.......................................35 9.10.3. Effect ofterminationTermination andsurvival ................39Survival ................35 9.11. IndividualnoticesNotices andcommunicationsCommunications withparticipants.39Participants ..35 9.12. Amendments.............................................39...............................................35 9.12.1. Procedure foramendment ...........................39Amendment ...........................35 9.12.2. NotificationmechanismMechanism andperiod .................39Period .................35 9.13. Disputeresolution provisions ..........................40Resolution Provisions ............................35 9.14. Governinglaw ..........................................40Law ............................................35 9.15. Compliance withapplicable law .........................40Applicable Law ...........................36 9.16. Miscellaneousprovisions ...............................40Provisions .................................36 9.16.1. Entireagreement ..................................40Agreement ..................................36 9.16.2. Assignment........................................40........................................36 9.16.3. Severability......................................40......................................36 9.16.4. Enforcement(attorneys' fees(Attorneys' Fees andwaiverWaiver ofrights).40Rights) ...........................................36 9.16.5. Force Majeure.....................................40.....................................36 10. Security Considerations.....................................41.......................................36 11.IANA Considerations .........................................41 12. Acknowledgments .............................................41 13.References..................................................42 13.1.....................................................37 11.1. Normative References...................................42 13.2......................................37 11.2. Informative References.................................42 Author's...................................37 Acknowledgments ...................................................38 Authors' Addresses..............................................43 Copyright Statement .............................................43................................................38 Preface This RFC contains text intended for use as a template as designated below by the markers <BEGIN TEMPLATE TEXT> and <END TEMPLATE TEXT>. Such Template Text is subject to the provisions of Section 9(b) of the Trust Legal Provisions. This document contains a template to be used for creating a Certification Practice Statement (CPS) for anOrganizationorganization that is part of the Resource Public Key Infrastructure (RPKI). (Throughout thisdocumentdocument, the term "organization" is used broadly, e.g., the entity in question might be a business unit of a larger organization.)The user of this document should: 1. substitute a title page for page 1 saying, e.g., "<Name of Organization> Certification Practice Statement for the Resource Public Key Infrastructure (RPKI)" with date, author, etc.There is no expectation that a CPS will be published as an RFC.2. leave the table of contents intact 3. delete this Preface, headers and footers (but keep page numbers) 4. fill inAn organization will publish theinformation indicated below by <textCPS inangle brackets> 5. delete sections 10, 11, Acknowledgments, Author's Addresses, and Copyright Statement; leavingareference section (omitting RFC 2119) 6. updatemanner appropriate for access by thetableusers ofcontentsthe RPKI, e.g., on the organization's web site. As a best current practice, organizations are expected to use this template instead of creating one from scratch. This template contains both text that SHOULD appear in all Certification Practice Statements and places for text specific toreflectthechanges requiredorganization in question (indicated bysteps 4 and 5 above .<text in angle brackets>). The user of this document should: 1. Extract the text between the <BEGIN TEMPLATE TEXT> and <END TEMPLATE TEXT> delimiters. 2. Replace the instructions between the angle brackets with the required information. This document has been generated to complement the Certificate Policy (CP) for the RPKI [RFC6484]. LiketheRFC 6484, it is based on the template specified in RFC 3647 [RFC3647]. A number of sections contained in the template were omitted from this CPS because they did not apply to this PKI. However, we have retained the section numbering scheme employed inthethat RFC to facilitate comparison with the section numbering scheme employed in that RFC and intheRFC 6484. ConventionsusedUsed inthis documentThis Document: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. <BEGIN TEMPLATE TEXT> <Create a title page saying, e.g., "<Name of organization> Certification Practice Statement for the Resource Public Key Infrastructure (RPKI)" with date, author, etc.> <Create a table of contents.> 1. Introduction This document is the Certification Practice Statement (CPS) of<Name<name ofOrganization>.organization>. It describes the practices employed by the<Name<name ofOrganization>organization> Certification Authority (CA) in the Resource Public Key Infrastructure (RPKI). These practices are defined in accordance with the requirements of the Certificate Policy(CP, [RFC6484])(CP) [RFC6484] for the RPKI. The RPKI is designed to support validation of claims by current holders of Internet Number Resources(INRs, see definition in Section(INRs) (Section 1.6) in accordance with the records of the organizations that act as CAs in this PKI. The ability to verify such claims is essential to ensuring the unique, unambiguous distribution of theseresourcesresources. This PKI parallels the existing INR distribution hierarchy. These resources are distributed by the Internet Assigned Numbers Authority (IANA) to the Regional InternetRegistries.Registries (RIRs). In some regions, National Internet Registries (NIRs) form a tier of the hierarchy below the RIRs forinternet number resource (INR)INR distribution. Internet Service Providers (ISPs) and network subscribers form additional tiers below registries. Conventions Used in This Document: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.1. Overview This CPS describes:.o Participants.o Publication of the certificates andCRLs .Certificate Revocation Lists (CRLs) o How certificates are issued, managed,rekeyed, renewedre-keyed, renewed, and revoked.o Facility management (physical security, personnel, audit, etc.).o Key management.o Audit procedures.o Business and legal issues This PKI encompasses several types of certificates (see [RFC6480] for more details):.o CA certificates for each organization distributing INRs and for each subscriber INRholder) . End entityholder. o End-entity (EE) certificates for organizations to use to validate digital signatures on RPKI-signed objects (see definition in Section 1.6)..o In the future, the PKI also may includeend entityend-entity certificates in support of access control for the repository system as described in Section 2.4. 1.2. Document Name and Identification The name of this document is "<Name ofOrganization>'sorganization> Certification Practice Statement for the Resource Public Key Infrastructure(RPKI) ".(RPKI)". <If this document is available via the Internet, the CA can provide the URI for the CPS here. It SHOULD be the same URI as the URI thatwhichappears as a policy qualifier in the CA certificate for the CA, if the CA elects to make use of that feature.> 1.3. PKI Participants Note that in aPKI,PKI the term "subscriber" refers to an individual or organization that is a subject of a certificate issued by a CA. The term is used in this fashion throughout this document, without qualification, and should not be confused with the networking use of the term to refer to an individual or organization that receives service from an ISP. In suchcasescases, the term "network subscriber" will be used. Also note that, for brevity, this document always refers to PKI participants as organizations or entities, even though some of them are individuals. 1.3.1. Certification Authorities <Describe the CAs that you will operate for the RPKI. One approach is to operate two CAs: one designated "offline" and the other designated"production.""production". The offline CA is thetop leveltop-level CA for the<Name<name ofOrganization>organization> portion of the RPKI. It provides a secure revocation and recovery capability in case the production CA is compromised or becomes unavailable.ThusThus, the offline CA issues certificates only to instances of the productionCA;CA, and the CRLs it issues are used to revoke only certificates issued to the production CA. The production CA is used to issue RPKI certificates to<Name<name ofOrganization>organization> members, to whom INRs have been distributed.> 1.3.2. Registration Authorities <Describe how theregistration authorityRegistration Authority (RA) function is handled for the CA(s) that you operate. The RPKI does not require establishment or use of a separateregistration authority (RA)Registration Authority inconjunction withaddition to the CA function. The RA function MUST be provided by the same entity operating as a CA, e.g., entities listed in Section 1.3.1. An entity acting as a CA in this PKI already has a formal relationship with each organization to which it distributes INRs. These organizations already perform the RA functionimplicitlyimplicitly, since they already assume responsibility for distributing INRs.> 1.3.3. Subscribers Organizations receiving INR allocations from this CA are subscribers in the RPKI. 1.3.4. Relying Parties Entities or individuals that act in reliance on certificates orRPKI- signedRPKI-signed objects issued under this PKI are relying parties. Relying parties may or may not be subscribers within this PKI. (See Section 1.6 for the definition of an RPKI-signed object.) 1.3.5. Other Participants <Specify one or more entities thatoperatesoperate a repository holding certificates, CRLs, and other RPKI-signed objects issued by thisOrganization,organization, and provide a URL for the repository.> 1.4. Certificate Usage 1.4.1. Appropriate Certificate Uses The certificates issued under this hierarchy are for authorization in support of validation of claims of current holdings of INRs. Additional uses of the certificates, consistent with the basic goal cited above, are also permitted under RFC 6484. Some of the certificates that may be issued under this PKI could be used to support operation of this infrastructure, e.g., access control for the repository system as described in Section 2.4. Such uses also are permitted under the RPKI certificate policy. 1.4.2. Prohibited Certificate Uses Any uses other than those described in Section 1.4.1 are prohibited. 1.5. Policy Administration 1.5.1. OrganizationadministeringAdministering thedocumentDocument This CPS is administered by<Name<name ofOrganization>.organization>. <Include the mailing address,e-mail addressemail address, and similar contact info here.> 1.5.2. Contact Person <InsertOrganizationorganization contact infohere>here.> 1.5.3. Person Determining CPS Suitability for the Policy Not applicable. Each organization issuing a certificate in this PKI is attesting to the distribution of INRs to the holder of the private key corresponding to the public key in the certificate. The issuing organizations are the same organizations as the ones that perform thedistribution hencedistribution; hence, they are authoritative with respect to the accuracy of this binding. 1.5.4. CPS Approval Procedures Not applicable. Each organization issuing a certificate in this PKI is attesting to the distribution of INRs to the holder of the private key corresponding to the public key in the certificate. The issuing organizations are the same organizations as the ones that perform thedistribution, hencedistribution; hence, they are authoritative with respect to the accuracy of this binding. 1.6. Definitions and Acronyms BPKI BusinessPKI:PKI. A BPKI is an optional additional PKI used by anOrganizationorganization to identify members to whom RPKI certificates can be issued. If a BPKI is employed by a CA, it may have its own CP, separate from the RPKI CP. CP Certificate Policy. A CP is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of applications with common security requirements. The CP for the RPKI is [RFC6484]. CPS Certification Practice Statement. A CPS is a document that specifies the practices that a Certification Authority employs in issuing certificates. Distribution of INRs A process of distribution of the INRs along the respective number hierarchy. IANA distributes blocks of IP addresses and Autonomous System Numbers (ASNs) to the five Regional Internet Registries (RIRs). RIRs distribute smaller address blocks and Autonomous System Numbers to organizations within their service regions, who in turn distribute IP addresses to their customers. IANA Internet Assigned Numbers Authority. IANA is responsible for global coordination of the Internet Protocol addressing systems andAutonomous System (AS) numbersASNs used for routinginternetInternet traffic. IANA distributes INRs toRegional Internet Registries (RIRs).RIRs. INRs Internet Number Resources. INRs are number values for three protocol parameter sets, namely:.o IPVersionversion 4 addresses,.o IP version 6 addresses, and.o Identifiers used in Internet inter-domain routing, currently Border Gateway Protocol-4Autonomous System numbers.ASNs. ISP Internet Service Provider. An ISP is an organization managing and selling Internet services to other organizations. NIR National Internet Registry. An NIR is an organization that manages the distribution of INRs for a portion of the geopolitical area covered by a Regional Internet Registry. NIRs form an optional second tier in the tree scheme used to manage INR distribution. RIR Regional Internet Registry. An RIR is an organization that manages the distribution of INRs for a geopolitical area. RPKI-signed object AnRPKI signedRPKI-signed object is a digitally signed data object (other than a certificate or CRL) declared to be such an object by astandards track RFC, and thatStandards Track RFC. An RPKI-signed object can be validated using certificates issued under this PKI. The content and format of these data constructs depend on the context in which validation of claims of current holdings of INRs takes place. Examples of these objects are repository manifests [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482]. 2. Publication and Repository Responsibilities 2.1. Repositories As per the CP, certificates,CRLsCRLs, and RPKI-signed objects MUST be made available for downloading by all relying parties, to enable them to validate this data. The<Name<name ofOrganization>organization> RPKI CA will publish certificates, CRLs, and RPKI-signed objects via a repository that is accessible via<Insert<insert IETF-designated protocol name here> at <insert URL here>. This repository will conform to the structure described in [RFC6481]. 2.2. Publication of Certification Information <Name ofOrganization>organization> will publish certificates,CRLsCRLs, andRPKI- signedRPKI-signed objects issued by it to a repository that operates as part of a worldwide distributed system of RPKI repositories. 2.3. Time or Frequency of Publication <Describe here your procedures for publication (to the global repository system) of the certificates,CRLsCRLs, and RPKI-signed objects that you issue. If you choose to outsource publication of PKI data, you still need to provide this information for relying parties. This MUST include the period of time within which a certificate will be published after the CA issues the certificate, and the period of time within which a CA will publish a CRL with an entry for a revoked certificate, after the CA revokes that certificate.> The<Name<name ofOrganization>organization> CA will publish its CRL prior to the nextUpdate value in the scheduled CRL previously issued by the CA. 2.4. Access Controls on Repositories <Describe the access controls used by theOrganizationorganization to ensure that only authorized parties can modify repository data, and any controls used to mitigatedenial of servicedenial-of-service attacks against the repository. If theOrganizationorganization offers repository services to its subscribers, then describe here the protocol(s) that it supports for publishing signed objects from subscribers.> 3. IdentificationAndand Authentication 3.1. Naming 3.1.1. Types of Names The subject of each certificate issued by thisOrganizationorganization is identified by an X.500 Distinguished Name (DN). The distinguished name will consist of a single Common Name (CN) attribute with a value generated by<Name<name ofOrganization>.organization>. Optionally, the serialNumber attribute may be included along with the common name (to form a terminal relative distinguished name set), to distinguish among successive instances of certificates associated with the same entity. 3.1.2. Need for Names tobeBe Meaningful The Subject name in each certificate SHOULD NOT be"meaningful,""meaningful", in the conventional, human-readable sense. The rationale here is that these certificates are used for authorization in support of applications that make use of attestations of INR holdings. They are not used to identify subjects. 3.1.3. Anonymity or Pseudonymity of Subscribers Although Subject names in certificates issued by thisOrganizationorganization SHOULD NOT bemeaningful,meaningful and may appear"random,""random", anonymity is not a function of this PKI;thusthus, no explicit support for this feature is provided. 3.1.4. Rules for Interpreting Various Name Forms None 3.1.5. Uniqueness of Names <Name ofOrganization>organization> certifiessubjectSubject names that are unique among the certificates that it issues. Although it is desirable that thesesubjectSubject names be unique throughout the PKI, to facilitate certificate path discovery, such uniqueness isneither mandatednot required, nor is it enforced through technical means. <Name ofOrganization>organization> generatessubjectSubject names to minimize the chances that two entities in the RPKI will be assigned the same name. Specifically, <insertsubjectSubject name generation description here, or cite RFC6487.>6487>. 3.1.6. Recognition, Authentication, and Role of Trademarks Because the Subject names are not intended to be meaningful,<Name<name ofOrganization>organization> makes no provisiontoeither to recognize or to authenticate trademarks, service marks, etc. 3.2. Initial Identity Validation 3.2.1. Method to Prove Possession of Private Key <Describe the method whereby each subscriber will be required to demonstrate proof-of-possession (PoP) of the private key corresponding to the public key in the certificate, prior to certificate issuance.> 3.2.2. Authentication of Organization Identity Certificates issued under this PKI do not attest to the organizational identity of subscribers. However, certificates are issued to subscribers in a fashion that preserves the accuracy of distributions of INRs as represented in<Name<name ofOrganization's>organization> records. <Describe the procedures that will be used to ensure that each RPKI certificate that isissued,issued accurately reflects your records with regard to the organization to which you have distributed (orsub- distributed)sub-distributed) the INRs identified in the certificate. For example, a BPKI certificate could be used to authenticate a certificate request that serves as a link to the<Name<name ofOrganization's>organization> subscriber database that maintains the INR distribution records. The certificate request could be matched against the database record for the subscriber in question, and an RPKI certificate would be issued only if the INRs requested were a subset of those held by the subscriber. The specific procedures employed for this purpose should be commensurate with any you already employ in the maintenance of INR distribution.> 3.2.3. Authentication of Individual Identity Certificates issued under this PKI do not attest to the individual identity of a subscriber. However,<Name<name ofOrganization>organization> maintains contact information for each subscriber in support of certificate renewal, re-key, and revocation. <Describe the procedures that are used to identify at least one individual as a representative of each subscriber. This is done in support of issuance, renewal, and revocation of the certificate issued to the organization. For example, one might say "The<Name<name ofOrganization>organization> BPKI (see Section 3.2.6) issues certificates that MUST be used to identify individuals who represent<Name<name ofOrganization>organization> subscribers." The procedures should be commensurate with those you already employ in authenticating individuals as representatives for INR holders. Note that this authentication is solely for use by you in dealing with the organizations to which you distribute (orsub- distribute) INRs,sub-distribute) INRs and thus MUST NOT be relied upon outside of this CA/subscriber relationship.> 3.2.4. Non-verified Subscriber Information No non-verified subscriber data is included in certificates issued under this certificate policy except for Subject Information Access (SIA) extensions [RFC6487]. 3.2.5. Validation of Authority <Describe the procedures used to verify that an individual claiming to represent asubscriber,subscriber is authorized to represent that subscriber in this context. For example, one couldsay,say "Only an individual to whom a BPKI certificate (see Section 3.2.6) has been issued may request issuance of an RPKI certificate. Each certificate issuance request is verified using the BPKI." The procedures should be commensurate with those you already employ in authenticating individuals as representatives of subscribers.> 3.2.6. Criteria for Interoperation The RPKI is neither intended nor designed to interoperate with any other PKI. <If you operate a separate, additional PKI for business purposes, e.g., a BPKI, then describe (or reference) how the BPKI is used to authenticate subscribers and to enable them to manage their resource distributions.> 3.3. Identification and Authentication for Re-key Requests 3.3.1. Identification and Authentication for Routine Re-key <Describe the conditions under which routine re-key is required and the manner by which it is requested. Describe the procedures that are used to ensure that a subscriber requesting routine re-key is the legitimate holder of the certificate to be re-keyed. State the approach for establishing PoP of the private key corresponding to the new public key. If you operate a BPKI, describe how that BPKI is used to authenticate routine re-key requests.> 3.3.2. Identification and Authentication for Re-key after Revocation <Describe the procedures used to ensure that an organization requesting a re-key after revocation is the legitimate holder of the INRs in the certificate being re-keyed. This MUST also include the method employed for verifying PoP of the private key corresponding to the new public key. If you operate a BPKI, describe how that BPKI is used to authenticate re-key requests. With respect to authentication of the subscriber, the procedures should be commensurate with those you already employ in the maintenance of INR distribution records.> 3.4. Identification and Authentication for Revocation Request <Describe the procedures used by an RPKI subscriber to make a revocation request. Describe the manner by which it is ensured that the subscriber requesting revocation is the subject of the certificate (or an authorized representative thereof) to be revoked. Note that there may be different procedures for the case where the legitimate subject still possesses the original private key as opposed to the case when it no longer has access to that key. These procedures should be commensurate with those you already employ in the maintenance of subscriber records.> 4. CertificateLife-CycleLife Cycle Operational Requirements 4.1. Certificate Application 4.1.1. Who Can Submit a Certificate Application Any subscriber in good standing who holds INRs distributed by<Name<name ofOrganization>organization> may submit a certificate application to this CA. (The exact meaning of "in good standing" is in accordance with the policy of <name of organization>.) 4.1.2. Enrollment Process and Responsibilities <Describe your enrollment process for issuing certificates both for initial deployment of the PKI and as an ongoing process. Note that most of the certificates in this PKI are issued as part of your normal business practices, as an adjunct to INR distribution, and thus a separate application to request a certificate may not be necessary. If so, reference should be made to where these practices are documented.> 4.2. Certificate Application Processing <Describe the certificate request/response processing that you will employ. You should make use of existing standards for certificate application processing (see [RFC6487]).> 4.2.1. Performing Identification and Authentication Functions <Describe your practices for identification and authentication of certificate applicants. Often, existing practices employed by you to identify and authenticate organizations can be used as the basis for issuance of certificates to these subscribers. Reference can be made to documentation of such existing practices.> 4.2.2. Approval or Rejection of Certificate Applications <Describe your practices for approval or rejection ofapplicationsapplications, and refer to documentation of existing business practices relevant to this process. Note that according to the CP, certificate applications will be approved based on the normal business practices of the entity operating the CA, based on the CA's records of subscribers. The CP also says that each CA will follow theproceduresprocedure specified in Section 3.2.1 to verify that the requester holds the private key corresponding to the public key that will be bound to the certificate the CA issues to the requester.> 4.2.3. Time to Process Certificate Applications <Specify here your expected time frame for processing certificate applications.> 4.3. Certificate Issuance 4.3.1. CA ActionsDuringduring Certificate Issuance <Describe your procedures for issuance and publication of a certificate.> 4.3.2. Notification to Subscriber by the CA of Issuance of Certificate <Name ofOrganization>organization> will notify the subscriber when the certificate is published. <Describe here your procedures for notifying a subscriber when a certificate has been published.> 4.3.3. Notification of Certificate Issuance by the CA to Other Entities <Describe here any other entities that will be notified when a certificate is published.> 4.4. Certificate Acceptance 4.4.1. Conduct Constituting Certificate Acceptance When a certificate is issued, the <name ofOrganization>organization> CA will publish it to the repository and notify the subscriber. <This may be done without subscriber review and acceptance. State your policy with respect to subscriber certificate acceptance here.> 4.4.2. Publication of the Certificate by the CA Certificates will be published at <insert repository URL here> once issued, following the conduct described in Section 4.4.1. This will be done within <specify thetimeframetime frame within which the certificate will be placed in the repository and the subscriber will be notified>. <Describe any additional procedures with respect to publication of the certificate here.> 4.4.3. Notification of Certificate Issuance by the CA to Other Entities <Describe here any other entities that will be notified when a certificate is published.> 4.5. Key Pair and Certificate Usage A summary of the use model for the RPKI is provided below. 4.5.1. Subscriber Private Key and Certificate Usage The certificates issued by<Name<name ofOrganization>organization> to subordinate INR holders are CA certificates. The private key associated with each of these certificates is used to sign subordinate (CA or EE) certificates and CRLs. 4.5.2. Relying Party Public Key and Certificate Usage The primary relying parties in this PKI are organizations that use RPKI EE certificates to verify RPKI-signed objects. Relying parties are referred to Section 4.5.2 of [RFC6484] for additional guidance with respect to acts of reliance on RPKI certificates. 4.6. Certificate Renewal 4.6.1. Circumstance for Certificate Renewal As per RFC 6484, a certificate will be processed for renewal based on its expiration date or a renewal request from the certificatesubject.Subject. The request may be implicit, a side effect of renewing a resource holding agreement, ormay beexplicit. If<Name<name ofOrganization>organization> initiates the renewal process based on the certificate expiration date, then<Name<name ofOrganization>organization> will notify the subscriber <insert the period of advance warning, e.g., "2 weeks in advance of the expiration date", or the general policy, e.g., "in conjunction with notification of serviceexpiration".>expiration">. The validity interval of the new (renewed) certificate will overlap that of the previous certificate by <insert length of overlap period, e.g., 1 week>, to ensure uninterrupted coverage. Certificate renewal will incorporate the same public key as the previous certificate, unless the private key has been reported as compromised (see Section4.9.3).4.9.1). If a new key pair is being used, the stipulations of Section 4.7 will apply. 4.6.2. Who May Request Renewal The subscriber or<Name<name ofOrganization>organization> may initiate the renewal process. <For the case of the subscriber, describe the procedures that will be used to ensure that the requester is the legitimate holder of the INRs in the certificate being renewed. This MUST also include the method employed for verifying PoP of the private key corresponding to the public key in the certificate being renewed or the new public key if the public key is being changed. With respect to authentication of the subscriber, the procedures should be commensurate with those you already employ in the maintenance of INR distribution records. If you operate a BPKI for this, describe how that business-based PKI is used to authenticate renewalrequestsrequests, and refer to Section 3.2.6.> 4.6.3. Processing Certificate Renewal Requests <Describe your procedures for handling certificate renewal requests. Describe how you verify that the requester is the subscriber or is authorized by the subscriber, and that the certificate in question has not been revoked.> 4.6.4. Notification of New Certificate Issuance to Subscriber <Name ofOrganization>organization> will notify the subscriber when the certificate is published. <Describe your procedure for notification of new certificate issuance to the subscriber. This should be consistent with Section 4.3.2.> 4.6.5. Conduct Constituting Acceptance of a Renewal Certificate See Section4.4.14.4.1. <If you employ a different policy from that specified in Section 4.4.1, describe it here.> 4.6.6. Publication of the Renewal Certificate by the CA See Section 4.4.2. 4.6.7. Notification of Certificate Issuance by the CA to Other Entities See Section 4.4.3. 4.7. Certificate Re-key 4.7.1. Circumstance for Certificate Re-key As per RFC 6484, re-key of a certificate will be performed only when required, based on: 1. knowledge or suspicion of compromise or loss of the associated private key, or 2. the expiration of the cryptographic lifetime of the associated key pair If a certificate is revoked to replace the RFC 3779 extensions, the replacement certificate will incorporate the same public key, not a new key. If the re-key is based on a suspected compromise, then the previous certificate will be revoked. 4.7.2. Who May Request Certification of a New Public Key Only the holder of a certificate may request a re-key. In addition,<Name<name ofOrganization>organization> may initiate a re-key based on a verified compromise report. <If the subscriber (certificate Subject) requests therekey,re-key, describe how authentication is effected, e.g., using the<Name<name ofRegistry>registry> BPKI. Describe how a compromise report received from other than a subscriber is verified.> 4.7.3. Processing Certificate Re-keying Requests <Describe your process for handling re-keying requests. As per the RPKI CP, this should be consistent with the process described in Section4.3. So4.3, so reference can be made to that section.> 4.7.4. Notification of New Certificate Issuance to Subscriber <Describe your policyregardingfor notifying the subscriberre:regarding availability of the new re-keyed certificate. This should be consistent with the notification process for any new certificate issuance (see Section 4.3.2).> 4.7.5. Conduct Constituting Acceptance of a Re-keyed Certificate When a re-keyed certificate is issued, the CA will publish it in the repository and notify the subscriber. See Section 4.4.1. 4.7.6. Publication of the Re-keyed Certificate by the CA <Describe your policy regarding publication of the new certificate. This should be consistent with the publication process for any new certificate (see Section 4.4.2).> 4.7.7. Notification of Certificate Issuance by the CA to Other Entities See Section 4.4.3. 4.8. Certificate Modification 4.8.1. Circumstance for Certificate Modification As per RFC 6484, modification of a certificate occurs to implement changes to the RFC 3779 extension values or the SIA extension in a certificate. A subscriber can request a certificate modification when this information in a currently valid certificate has changed, as a result of changes in the INR holdings of thesubscribersubscriber, or as a result of change of the repository publication point data. If a subscriber is to receive a distribution of INRs in addition to a current distribution, and if the subscriber does not request that a new certificate be issued containing only these additional INRs, then this is accomplished through a certificate modification. When a certificate modification is approved, a new certificate is issued. The new certificate will contain the same public key and the same expiration date as the original certificate, but with the incidental information corrected and/or the INR distribution expanded. When previously distributed INRs are to be removed from a certificate, then the old certificate will be revoked and a new certificate (reflecting the new distribution) issued. 4.8.2. Who May Request CertificatemodificationModification The subscriber or<Name<name ofOrganization>organization> may initiate the certificate modification process. <For the case of the subscriber, state here what steps will be taken to verify the identity and authorization of the entity requesting the modification.> 4.8.3. Processing Certificate Modification Requests <Describe your procedures for verification of the modification request and procedures for the issuance of a new certificate. These should be consistent with the processes described in Sections 4.2 and 4.3.1.> 4.8.4. Notification of Modified Certificate Issuance to Subscriber <Describe your procedure for notifying the subscriber about the issuance of a modified certificate. This should be consistent with the notification process for any new certificate (see Section 4.3.2).> 4.8.5. Conduct Constituting Acceptance of Modified Certificate When a modified certificate is issued,<Name<name ofOrganization>organization> will publish it to the repository and notify the subscriber. See Section 4.4.1. 4.8.6. Publication of the Modified Certificate by the CA <Describe your procedure for publication of a modified certificate. This should be consistent with the publication process for any new certificate (see Section 4.4.2).> 4.8.7. Notification of Certificate Issuance by the CA to Other Entities See Section 4.4.3. 4.9. Certificate Revocation and Suspension 4.9.1. Circumstances for Revocation As per RFC 6484, certificates can be revoked for several reasons. Either<Name<name ofOrganization>organization> or the subject may choose to end the relationship expressed in the certificate, thus creating cause to revoke the certificate. If one or more of the INRs bound to the public key in the certificate are no longer associated with the subject, that too constitutes a basis for revocation. A certificate also may be revoked due to loss or compromise of the private key corresponding to the public key in the certificate. Finally, a certificate may be revoked in order to invalidate data signed by the private key associated with that certificate. 4.9.2. Who Can Request Revocation The subscriber or<Name<name ofOrganization>organization> may request a revocation. <For the case of the subscriber, describe what steps will be taken to verify the identity and authorization of the entity requesting the revocation.> 4.9.3. Procedure for Revocation Request <Describe your process for handling a certificate revocation request. This should include: o Procedure to be used by the subscriber to request arevocationrevocation. o Procedure for notification of the subscriber when the revocation is initiated by<Name<name ofOrganization>.>organization>.> 4.9.4. Revocation Request Grace Period A subscriber is required to request revocation as soon as possible after the need for revocation has been identified. 4.9.5. TimeWithinwithin Which CA Must Process the Revocation Request <Describe your policy on the time period within which you will process a revocation request.> 4.9.6. Revocation Checking Requirement for Relying Parties As per RFC 6484, a relying party is responsible for acquiring and checking the most recent, scheduled CRL from the issuer of the certificate, whenever the relying party validates a certificate. 4.9.7. CRL Issuance Frequency <State the CRL issuance frequency for the CRLs that you publish.> Each CRL contains a nextUpdatevaluevalue, and a new CRL will be published at or before that time. <Name ofOrganization>organization> will set the nextUpdate value when it issues a CRL, to signal when the next scheduled CRL will be issued. 4.9.8. Maximum Latency for CRLs A CRL will be published to the repository system within <state the maximum latency> after generation. 4.10. Certificate Status Services <Name ofOrganization>organization> does not supportOCSPthe Online Certificate Status Protocol (OCSP) orSCVP.the Server-Based Certificate Validation Protocol (SCVP). <Name ofOrganization>organization> issues CRLs. 5. Facility, Management, and Operational Controls 5.1. Physical Controls <As per RFC 6484, describe the physical controls that you employ for certificate management. These should be commensuratetowith those used in the management of INR distribution.> 5.1.1. SitelocationLocation andconstructionConstruction 5.1.2. PhysicalaccessAccess 5.1.3. Power andair conditioningAir Conditioning 5.1.4. WaterexposuresExposures 5.1.5. FirepreventionPrevention andprotectionProtection 5.1.6. MediastorageStorage 5.1.7. WastedisposalDisposal 5.1.8.Off-site backupOff-Site Backup 5.2. Procedural Controls <As per RFC 6484, describe the procedural security controls that you employ for certificate management. These should be commensuratetowith those used in the management of INR distribution.> 5.2.1. TrustedrolesRoles 5.2.2. Number ofpersons requiredPersons Required pertaskTask 5.2.3. Identification andauthenticationAuthentication foreach roleEach Role 5.2.4. Rolesrequiring separationRequiring Separation ofdutiesDuties 5.3. Personnel Controls <As per RFC 6484, describe the personnel security controls that you employ for individuals associated with certificate management. These should be commensuratetowith those used in the management of INR distribution.> 5.3.1. Qualifications,experience,Experience, andclearance requirementsClearance Requirements 5.3.2. Backgroundcheck proceduresCheck Procedures 5.3.3. TrainingrequirementsRequirements 5.3.4. RetrainingfrequencyFrequency andrequirementsRequirements 5.3.5. Jobrotation frequencyRotation Frequency andsequenceSequence 5.3.6. Sanctions forunauthorized actionsUnauthorized Actions 5.3.7. Independentcontractor requirementsContractor Requirements 5.3.8. DocumentationsuppliedSupplied topersonnelPersonnel 5.4. Audit Logging Procedures <As per the CP, describe in the following sections the details of how you implement audit logging.> 5.4.1. Types of Events Recorded Audit records will be generated for the basic operations of thecertification authorityCertification Authority computing equipment. Audit records will include the date, time, responsible user or process, and summary content data relating to the event. Auditable events include:.o Access to CA computing equipment (e.g., logon, logout).o Messages received requesting CA actions (e.g., certificate requests, certificate revocation requests, compromise notifications).o Certificate creation, modification, revocation, or renewal actions.o Posting of any material to a repository.o Any attempts to change or delete audit data.o Key generation.o Software and/or configuration updates to the CA.o Clock adjustments <List here any additional types of events that will be audited.> 5.4.2. Frequency of Processing Log <Describe your procedures for review of audit logs.> 5.4.3. Retention Period for Audit Log <Describe your policies for retention of audit logs.> 5.4.4. Protection of Audit Log <Describe your policies for protection of the audit logs.> 5.4.5. Audit Log Backup Procedures <Describe your policies for backup of the audit logs.> 5.4.6. Audit Collection System (Internal vs. External) [OMITTED] 5.4.7. Notification toEvent-causingEvent-Causing Subject [OMITTED] 5.4.8. Vulnerability Assessments <Describe any vulnerability assessments that you will apply (or have already applied) to the PKI subsystems. This should include whether such assessments have taken place and any procedures or plans to perform or repeat/reassess vulnerabilities in the future.> 5.5. Records Archival [OMITTED] 5.6. Key Changeover The<Name<name ofOrganization>organization> CA certificate will contain a validity period that is at least as long as that of any certificate being issued under that certificate. When<Name<name ofOrganization>organization> CA changeskeyskeys, it will follow the procedures described in [RFC6489]. 5.7. Compromise and Disaster Recovery <Describe your plans for dealing with CA key compromise and how you plan to continue/restore operation of your RPKI CA in the event of a disaster.> 5.8. CA or RA Termination <Describe your policy for management of your CA's INR distributions in case of its own termination.> 6. Technical Security Controls This section describes the security controls used by<Name<name ofOrganization>.organization>. 6.1. Key Pair Generation and Installation 6.1.1. Key Pair Generation <Describe the procedures used to generate the CA keypair,pair and, if applicable, key pairs for subscribers. In most instances, public-key pairs will be generated by the subscriber, i.e., the organization receiving the distribution of INRs. However, your procedures may include one for generating key pairs on behalf of your subscribers if they so request.> 6.1.2. Private Key Delivery to Subscriber <If the procedures in Section 6.1.1 include providing key pair generation services for subscribers, describe the means by which private keys are delivered to subscribers in a secure fashion.OtherwiseOtherwise, say this is not applicable.> 6.1.3. Public Key Delivery to Certificate Issuer <Describe the procedures that will be used to deliver a subscriber's public keys to the<Name<name ofOrganization>organization> RPKI CA. These procedures MUST ensure that the public key has not been altered during transit and that the subscriber possesses the private key corresponding to the transferred public key.> See RFC 6487 for details. 6.1.4. CA Public Key Delivery to Relying Parties CA public keys for all entities (other than trust anchors) are contained in certificates issued by other CAs and will be published to the RPKI repository system. Relying parties will download these certificates from this system. Public key values and associated data for (putative) trust anchors will be distributed out of band and accepted by relying parties on the basis oflocally-definedlocally defined criteria, e.g., embedded in path validation software that will be made available to the Internet community. 6.1.5. Key Sizes The key sizes used in this PKI are as specified in [RFC6485]. 6.1.6. Public KeyParametersParameter Generation and Quality Checking The public key algorithms and parameters used in this PKI are as specified in [RFC6485]. <If the procedures in Section 6.1.1 include subscriber key pair generation, EITHER insert here text specifying that the subscriber is responsible for performing checks on the quality of its key pair and saying that<Name<name ofOrganization>organization> is not responsible for performing such checks for subscribers OR describe the procedures used by the CA for checking the quality of these subscriber key pairs.> 6.1.7. Key Usage Purposes (as per X.509 v3 Key Usage Field) TheKey usageKeyUsage extension bit values employed in RPKI certificates are specified in [RFC6487]. 6.2. Private Key Protection and Cryptographic Module Engineering Controls 6.2.1. Cryptographicmodule standardsModule Standards andcontrolsControls <Describe the standards and controls employed for the CA cryptographic module, e.g., it was evaluated under FIPS 140-2/3, at level 2 or 3. See [FIPS] fordetails.>.details.> 6.2.2. Private Key (n out of m) Multi-Person Control <If you choose to use multi-person controls to constrain access to your CA's private keys, then insert the following text. "There will be private key <insert here n> out of <insert here m> multi-person control."> 6.2.3. Private Key Escrow <No private key escrow procedures are required for the RPKI, but if the CA chooses to employ escrow, state so here.> 6.2.4. Private Key Backup <Describe the procedures used for backing up your CA's private key. The following aspects should be included. (1) The copying should be done under the same multi-party control as is used for controlling the original private key. (2) At least one copy should be kept at an off-site location for disaster recovery purposes.> 6.2.5. Private Key Archival SeesectionsSections 6.2.3 and6.2.46.2.4. 6.2.6. Private Key Transfer into or from a Cryptographic Module The private key for<Namethe <name ofOrganization>'sorganization> production CA <if appropriate, change "production CA" to "production and offline CAs"> will be generated by the cryptographic module specified in Section 6.2.1. The private keys will never leave the module except in encrypted form for backup and/or transfer to a new module. 6.2.7. Private Key Storage on Cryptographic Module The private key for<Namethe <name ofOrganization>'sorganization> production CA <if appropriate, change "production CA" to "production and offline CAs"> will be stored in the cryptographic module. It will be protected from unauthorized use <say how here>. 6.2.8. Method of Activating Private Key <Describe the mechanisms and data used to activate your CA's private key.> 6.2.9. Method of Deactivating Private Key <Describe the process and procedure for private key deactivation here.> 6.2.10. Method of Destroying Private Key <Describe the method used for destroying your CA's private key, e.g., when it is superseded. This will depend on the particular module.> 6.2.11. Cryptographic Module Rating <Describe the rating of the cryptographic module used by the CA, if applicable.> 6.3. OtheraspectsAspects of Key Pair Management 6.3.1. Public Key Archival <Because this PKI does not support non-repudiation, there is no need to archive public keys. If keys are not archived, say so. If they are, describe the archive processes and procedures.> 6.3.2. Certificate Operational Periods and Key Pair Usage Periods The<Name<name ofOrganization>organization> CA's key pair will have a validity interval of <insert number of years>. <These key pairs and certificates should have reasonably long validity intervals, e.g., 10 years, to minimize the disruption caused by key changeover. Note that the CA's key lifetime is under the control of its issuer, so the CPS MUST reflect the key lifetime imposed by the issuer.> 6.4. ActivationdataData 6.4.1. Activation Data Generation and Installation <Describe how activation data for your CA will be generated.> 6.4.2. Activationdata protectionData Protection Activation data for the CA private key will be protected by<Describe<describe your procedures here>. 6.4.3. Other Aspects of Activation Data <Add here any details you wish to provide with regard to the activation data for your CA. If there are none, say"None.">"None".> 6.5. Computer Security Controls <Describe your security requirements for the computers used to support this PKI, e.g., requirements for authenticated logins, audit capabilities, etc. These requirements should be commensurate with those used for the computers used for managing distribution of INRs.> 6.6. LifecycleCycle Technical Controls 6.6.1. System Development Controls <Describe any system development controls that apply to the PKI systems, e.g., use of Trusted System Development Methodology (TSDM).> 6.6.2. Security Management Controls <Describe the security management controls that will be used for the RPKI software and equipment employed by the CA. These security measures should be commensurate with those used for the systems used by the CAs for managing and distributing INRs.> 6.6.3. Life Cycle Security Controls <Describe how the equipment (hardware and software) used for RPKI functions will be procured, installed, maintained, and updated. This should be done in a fashion commensurate with the way in which equipment for the management and distribution of INRs is handled.> 6.7. Network Security Controls <Describe the network security controls that will be used for CA operation. These should be commensurate with the network security controls employed for the computers used for managing distribution of INRs.> 6.8.Time-stampingTime-Stamping The RPKI does not make use oftime stamping.time-stamping. 7. Certificate and CRL Profiles See [RFC6487]. 8. Compliance Audit and Other Assessments <List here any audit and other assessments used to ensure the security of the administration of INRs. These are sufficient for the RPKIsystems.>systems. However, additional forms of security assessments are a good idea and should be listed if performed.> 9. Other BusinessAndand Legal Matters <The sections below are optional. Fill them in as appropriate for your organization. The CP says that CAs should cover Sections 9.1 to 9.11 and 9.13 to9.169.16, although not every CA will choose to do so. Note that the manner in which you manage your business and legal matters for this PKI should be commensurate with the way in which you manage business and legal matters for the distribution of INRs.> 9.1. Fees 9.1.1. CertificateissuanceIssuance orrenewal feesRenewal Fees 9.1.2. Certificateaccess feesAccess Fees [OMITTED] 9.1.3. Revocation orstatus information access feesStatus Information Access Fees [OMITTED] 9.1.4. Fees forother servicesOther Services (ifapplicable)Applicable) 9.1.5. RefundpolicyPolicy 9.2. FinancialresponsibilityResponsibility 9.2.1. InsurancecoverageCoverage 9.2.2. OtherassetsAssets 9.2.3. Insurance orwarranty coverageWarranty Coverage forend-entitiesEnd-Entities 9.3. Confidentiality ofbusiness informationBusiness Information 9.3.1. Scope ofconfidential informationConfidential Information 9.3.2. InformationnotNot within thescopeScope ofconfidential informationConfidential Information 9.3.3. Responsibility toprotect confidential informationProtect Confidential Information 9.4. Privacy ofpersonal informationPersonal Information 9.4.1. PrivacyplanPlan 9.4.2. InformationtreatedTreated asprivatePrivate 9.4.3. Informationnot deemed privateNot Deemed Private 9.4.4. Responsibility toprotect private informationProtect Private Information 9.4.5. Notice andconsentConsent touse private informationUse Private Information 9.4.6. DisclosurepursuantPursuant tojudicialJudicial oradministrative processAdministrative Process 9.4.7. Otherinformation disclosure circumstancesInformation Disclosure Circumstances 9.5. Intellectualproperty rightsProperty Rights (ifapplicable)Applicable) 9.6. Representations andwarrantiesWarranties 9.6.1. CArepresentationsRepresentations andwarrantiesWarranties 9.6.2. SubscriberrepresentationsRepresentations andwarrantiesWarranties 9.6.3. Relyingparty representationsParty Representations andwarrantiesWarranties 9.7. Disclaimers ofwarrantiesWarranties 9.8. Limitations ofliabilityLiability 9.9. Indemnities 9.10. Term andterminationTermination 9.10.1. Term 9.10.2. Termination 9.10.3. Effect ofterminationTermination andsurvivalSurvival 9.11. IndividualnoticesNotices andcommunicationsCommunications withparticipantsParticipants 9.12. Amendments 9.12.1. Procedure foramendmentAmendment 9.12.2. NotificationmechanismMechanism andperiodPeriod 9.13. Disputeresolution provisionsResolution Provisions 9.14. GoverninglawLaw 9.15. Compliance withapplicable lawApplicable Law 9.16. MiscellaneousprovisionsProvisions 9.16.1. EntireagreementAgreement 9.16.2. Assignment 9.16.3. Severability 9.16.4. Enforcement(attorneys' fees(Attorneys' Fees andwaiverWaiver ofrights)Rights) 9.16.5. Force Majeure <END TEMPLATE TEXT> 10. Security Considerations The degree to which a relying party can trust the binding embodied in a certificate depends on several factors. These factors can include o the practices followed by thecertification authorityCertification Authority (CA) in authenticating thesubject;subject o the CA's operating policy, procedures, and technical security controls, including the scope of the subscriber's responsibilities (for example, in protecting the privatekey), andkey) o the stated responsibilities and liability terms and conditions of the CA (for example, warranties, disclaimers of warranties, and limitations ofliability).liability) This document provides a framework to address the technical, procedural, personnel, and physical security aspects of Certification Authorities, Registration Authorities, repositories, subscribers, and relying party cryptographic modules, in order to ensure that the certificate generation, publication, renewal, re-key, usage, and revocationisare done in a secure manner. Specifically, the following sections are oriented towards ensuring the secure operation of the PKI entities such as CA, RA, repository, subscriber systems, and relying party systems: Section 3Identification("Identification andAuthentication (I&A);Authentication" (I&A)) Section 4Certificate Life-Cycle("Certificate Life Cycle OperationalRequirements;Requirements") Section 5Facility("Facility, Management, and OperationalControls;Controls") Section 6Technical("Technical SecurityControls;Controls") Section 7Certificate("Certificate and CRLProfiles; andProfiles") Section 8Compliance("Compliance Audit and OtherAssessments are oriented towards ensuring secure operation of the PKI entities such as CA, RA, repository, subscriber systems, and relying party systems.Assessments") 11.IANA Considerations None. 12. Acknowledgments The authors would like to thank Matt Lepinski for help with the formatting, Ron Watro for assistance with the editing, and other members of the SIDR working group for reviewing this document. 13.References13.1.11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March1997.1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro,R.,"Certificate Policy (CP) for the ResourcePKI (RPKI)," February 2012. [RFC6487] Huston, G., Michaelson, G., and Loomans, R., "A Profile for X.509 PKIX Resource Certificates,"Public Key Infrastructure (RPKI)", BCP 173, RFC 6484, February2012.2012, <http://www.rfc-editor.org/info/rfc6484>. [RFC6485] Huston, G.,"A"The Profile for Algorithms and Key Sizes for Use in the Resource Public KeyInfrastructure,"Infrastructure (RPKI)", RFC 6485, February2012. 13.2.2012, <http://www.rfc-editor.org/ info/rfc6485>. [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, February 2012, <http://www.rfc-editor.org/info/rfc6487>. 11.2. Informative References [FIPS] Federal Information Processing Standards Publication 140-3 (FIPS-140-3), "Security Requirements for Cryptographic Modules", Information Technology Laboratory, National Institute of Standards and Technology,workWork inprogress.Progress. [RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. Wu,S.,"Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3647, November2003.2003, <http://www.rfc-editor.org/info/rfc3647>. [RFC6480]M.Lepinski, M. and S. Kent, "An Infrastructure to Support Secure InternetRouting,"Routing", RFC 6480, February2012.2012, <http://www.rfc-editor.org/info/rfc6480>. [RFC6481]G.Huston,R.G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate RepositoryStructure,"Structure", RFC 6481, February2012.2012, <http://www.rfc-editor.org/info/rfc6481>. [RFC6482]M.Lepinski,S.M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations(ROAs),"(ROAs)", RFC 6482, February2012.2012, <http://www.rfc-editor.org/info/rfc6482>. [RFC6486]R.Austein,G.R., Huston,S.G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure(RPKI),"(RPKI)", RFC 6486, February2012.2012, <http://www.rfc-editor.org/info/rfc6486>. [RFC6489]G.Huston,G.G., Michaelson, G., and S. Kent, "Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure(RPKI),(RPKI)", BCP 174, RFC 6489, February2012. Author's2012, <http://www.rfc-editor.org/info/rfc6489>. Acknowledgments The authors would like to thank Matt Lepinski for help with the formatting, Ron Watro for assistance with the editing, and other members of the SIDR working group for reviewing this document. Authors' Addresses Stephen Kent BBN Technologies 10 Moulton StreetCambridgeCambridge, MA 02138USAUnited States Phone: +1 (617) 873-3988Email:EMail: skent@bbn.com Derrick Kong BBN Technologies 10 Moulton StreetCambridgeCambridge, MA 02138USAUnited States Phone: +1 (617) 873-1951Email:EMail: dkong@bbn.com Karen Seo BBN Technologies 10 Moulton StreetCambridgeCambridge, MA 02138USAUnited States Phone: +1 (617) 873-3152Email:EMail: kseo@bbn.comCopyright Statement Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.