RFC 3647 (rfc3647) - Page 2 of 94
RFC 3647 Internet X.509 Public Key Infrastructure November 2003
3.3.1. Certificate Policies Extension . . . . . . . . . 12
3.3.2. Policy Mappings Extension. . . . . . . . . . . . 13
3.3.3. Policy Constraints Extension . . . . . . . . . . 13
3.3.4. Policy Qualifiers. . . . . . . . . . . . . . . . 14
3.4. Certification Practice Statement . . . . . . . . . . . . 15
3.5. Relationship Between CP and CPS. . . . . . . . . . . . . 16
3.6. Relationship Among CPs, CPSs, Agreements, and
Other Documents. . . . . . . . . . . . . . . . . . . . . 17
3.7. Set of Provisions. . . . . . . . . . . . . . . . . . . . 20
4. Contents of a Set of Provisions. . . . . . . . . . . . . . . . 21
4.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 22
4.1.1. Overview . . . . . . . . . . . . . . . . . . . . 22
4.1.2. Document Name and Identification . . . . . . . . 22
4.1.3. PKI Participants . . . . . . . . . . . . . . . . 23
4.1.4. Certificate Usage. . . . . . . . . . . . . . . . 24
4.1.5. Policy Administration. . . . . . . . . . . . . . 24
4.1.6. Definitions and Acronyms . . . . . . . . . . . . 24
4.2. Publication and Repository Responsibilities. . . . . . . 25
4.3. Identification and Authentication (I&A). . . . . . . . . 25
4.3.1. Naming . . . . . . . . . . . . . . . . . . . . . 25
4.3.2. Initial Identity Validation. . . . . . . . . . . 26
4.3.3. I&A for Re-key Requests. . . . . . . . . . . . . 27
4.3.4. I&A for Revocation Requests. . . . . . . . . . . 27
4.4. Certificate Life-Cycle Operational Requirements. . . . . 27
4.4.1. Certificate Application. . . . . . . . . . . . . 28
4.4.2. Certificate Application Processing . . . . . . . 28
4.4.3. Certificate Issuance . . . . . . . . . . . . . . 28
4.4.4. Certificate Acceptance . . . . . . . . . . . . . 29
4.4.5. Key Pair and Certificate Usage . . . . . . . . . 29
4.4.6. Certificate Renewal. . . . . . . . . . . . . . . 30
4.4.7. Certificate Re-key . . . . . . . . . . . . . . . 30
4.4.8. Certificate Modification . . . . . . . . . . . . 31
4.4.9. Certificate Revocation and Suspension. . . . . . 31
4.4.10. Certificate Status Services. . . . . . . . . . . 33
4.4.11. End of Subscription. . . . . . . . . . . . . . . 33
4.4.12. Key Escrow and Recovery. . . . . . . . . . . . . 33
4.5. Facility, Management, and Operational Controls . . . . . 33
4.5.1. Physical Security Controls . . . . . . . . . . . 34
4.5.2. Procedural Controls. . . . . . . . . . . . . . . 35
4.5.3. Personnel Controls . . . . . . . . . . . . . . . 35
4.5.4. Audit Logging Procedures . . . . . . . . . . . . 36
4.5.5. Records Archival . . . . . . . . . . . . . . . . 37
4.5.6. Key Changeover . . . . . . . . . . . . . . . . . 38
4.5.7. Compromise and Disaster Recovery . . . . . . . . 38
4.5.8. CA or RA Termination . . . . . . . . . . . . . . 38
4.6. Technical Security Controls. . . . . . . . . . . . . . . 39
4.6.1. Key Pair Generation and Installation . . . . . . 39
4.6.2. Private Key Protection and Cryptographic
Chokhani, et al. Informational