Cisco - Global Home Page · 2016-11-21 · Cisco ECC Root CA Certificate Policy


Cisco Systems • 7025 Kit Creek Road, Research Triangle Park, NC

Cisco ECC Root CA Certificate Policy Identity Assurance Services

version 1.0 2013-Sep-30


Cisco ECC Root CA Certificate Policy

Cisco Public  Page 2 of 28  2013-Sep-30

Table of Contents

Version Information ..... 5
Version 1.0 – 2013-Sep-30 ..... 5
Approvals ..... 5
Annual Reviews ..... 5

1 Introduction ..... 6
1.1 Background ..... 6
1.1.1 PKI Hierarchy ..... 6
1.2 Policy Identification ..... 6
1.2.1 Certificate Types ..... 7
1.2.1.1 Certificate Profile ..... 7
1.3 Community & Applicability ..... 7
1.3.1 Certification Authorities (CAs) ..... 7
1.3.1.1 CAs Authorized to Issue Certificates under this Policy ..... 7
1.3.2 Registration Authorities ..... 7
1.3.3 Validation Services ..... 7
1.3.4 Subscribers ..... 7
1.3.5 Benefiting Parties ..... 7
1.3.6 Applicability ..... 8
1.3.6.1 Suitable Applications ..... 8
1.4 Contact Details ..... 8
1.4.1 Changes to the Certificate Policy ..... 8
1.4.1.1 Procedure for Changes ..... 8
1.4.1.2 Change Notification ..... 8
1.4.2 Contact Information ..... 8

2 General Provisions ..... 9
2.1 Obligations ..... 9
2.1.1 CA Obligations ..... 9
2.1.1.1 Representations by the CA ..... 9
2.1.1.2 Benefiting Party Warranties ..... 9
2.1.1.3 Warranty Limitations ..... 10
2.1.1.4 Time between Certificate Request and Issuance ..... 10
2.1.1.5 Certificate Revocation and Renewal ..... 10
2.1.1.6 End Entity Agreements ..... 10
2.1.1.7 Ensuring Compliance ..... 11
2.1.2 Registration Authority (RA) Obligations ..... 11
2.1.3 Certificate Status Validation Obligations ..... 12
2.1.4 Subscriber Obligations ..... 12
2.1.5 Benefiting Party Obligations ..... 12
2.2 Liability ..... 12
2.3 Interpretation & Enforcement ..... 13
2.3.1 Governing Law ..... 13
2.3.2 Dispute Resolution Procedures ..... 13
2.3.3 Severability ..... 13
2.3.4 Survival ..... 13
2.3.5 Merger/Integration ..... 14
2.3.6 Notice ..... 14
2.4 Fees ..... 14
2.5 Publication & Validation Services ..... 14
2.5.1 Publication of CA Information ..... 14
2.5.2 Frequency of Publication ..... 14
2.5.3 Access Controls ..... 14
2.6 Compliance Audit ..... 15
2.7 Confidentiality Policy ..... 15
2.8 Intellectual Property Rights ..... 16

3 Identification and Authentication ..... 16
3.1 Initial Registration ..... 16
3.1.1 Types of Names ..... 16
3.1.2 Name Meanings ..... 16
3.1.3 Rules for Interpreting Various Name Forms ..... 16
3.1.4 Name Uniqueness ..... 16
3.1.5 Verification of Key Pair ..... 16
3.1.6 Subscriber Identification & Authentication (I&A) ..... 16
3.1.7 Cisco Systems Agent Identification and Authentication (I&A) ..... 17
3.2 Renewal Applications ..... 17
3.3 Re-Key after Revocation ..... 17
3.4 Revocation Request ..... 17

4 Operational Requirements ..... 18
4.1 Certificate Application ..... 18
4.2 Certificate Issuance ..... 18
4.3 Certificate Acceptance ..... 18
4.4 Certificate Revocation ..... 18
4.4.1 Circumstances for Revocation ..... 18
4.4.1.1 Permissive Revocation ..... 18
4.4.1.2 Required Revocation ..... 19
4.4.2 Who Can Request Revocation ..... 19
4.4.3 Procedure for Revocation Request ..... 19
4.4.3.1 Certificate Status or CRL Update ..... 19
4.4.4 Revocation Request Grace Period ..... 19
4.4.5 Certificate Suspension ..... 19
4.4.6 CRL Issuance Frequency ..... 19
4.4.7 On-Line Revocation/Status Checking Availability ..... 19
4.5 Computer Security Audit Procedures ..... 19
4.6 Records Archival ..... 20
4.6.1 Types of Records Archived ..... 20
4.6.2 Retention Period for Archive ..... 20
4.6.3 Protection of Archive ..... 20
4.6.4 Archive Backup Procedures ..... 20
4.6.5 Procedures to Obtain and Verify Archive Information ..... 20
4.7 Key Changeover ..... 20
4.8 Compromise and Disaster Recovery ..... 20
4.8.1 Disaster Recovery Plan ..... 20
4.8.2 Key Compromise Plan ..... 21
4.9 CA Termination ..... 21

5 Physical, Procedural, and Personnel Security Controls ..... 21
5.1 Physical Security — Access Controls ..... 21
5.2 Procedural Controls ..... 21
5.2.1 Trusted Roles ..... 21
5.2.2 Multiple Roles (Number of Persons Required Per Task) ..... 21
5.2.3 Identification and Authentication for Each Role ..... 22
5.3 Personal Security Controls ..... 22
5.3.1 Background and Qualifications ..... 22
5.3.2 Background Investigation ..... 22
5.3.3 Training Requirements ..... 22
5.3.4 Documentation Supplied to Personnel ..... 23

6 Technical Security Controls ..... 23
6.1 Key Pair Generation and Protection ..... 23
6.1.1 Key Pair Generation ..... 23
6.1.2 Private Key Delivery to Entity ..... 23
6.1.3 Subscriber Public Key Delivery to CA ..... 23
6.1.4 CA Public Key Delivery to Users ..... 23
6.1.5 Key Sizes ..... 23
6.2 CA Private Key Protection ..... 23
6.2.1 Standards for Cryptographic Module ..... 24
6.2.2 Private Key Multi-Person Control (M-of-N) ..... 24
6.2.3 Subscriber Private Key Escrow ..... 24
6.2.4 Private Key Backup ..... 24
6.2.5 Private Key Archival ..... 24
6.2.6 Private Key Entry into Cryptographic Module ..... 24
6.2.7 Method of Activating Private Key ..... 24
6.2.8 Method of Deactivating Private Key ..... 24
6.2.9 Method of Destroying Private Key ..... 25
6.3 Other Aspects of Key Pair Management ..... 25
6.3.1 Public Key Archival ..... 25
6.3.2 Key Replacement ..... 25
6.3.3 Restrictions on CA's Private Key Use ..... 25
6.4 Activation Data ..... 25
6.5 Security Management Controls ..... 25
6.5.1 Network Security Controls ..... 25
6.5.2 Cryptographic Module Engineering Controls ..... 25

7 Certificates and CRL Profiles ..... 26
7.1 Certificate Profile ..... 26
7.2 CRL Profile ..... 26

8 Definitions ..... 26


Version Information

Version 1.0 – 2013-Sep-30

First version of document

Approvals

Version  Name            Title                     Date
1.0      Alex Wight      PKI Architect             2013-Sep-26
1.0      Eric Hampshire  PKI Operations            2013-Sep-26
1.0      J.P. Hamilton   PKI Manager               2013-Sep-26
1.0      Jos Purvis      PKI Compliance            2013-Sep-20
1.0      Bill Friedman   Senior Corporate Counsel  2013-Sep-25

Annual Reviews

Version  Name        Title           Date
1.0      Jos Purvis  PKI Compliance  2014-Sep-02
1.0      Jos Purvis  PKI Compliance  2015-Sep-25
1.0      Jos Purvis  PKI Compliance  2016-Nov-16


1 Introduction

Cisco Systems has implemented a Root Certificate Authority (CA) to provide a trust anchor for cryptographic communications using X.509 certificates. The Root CA consists of systems, products and services that both protect the Root CA's private key, and manage the subordinate CA X.509 certificates (sub-CA certificates) issued from the Root CA.

The purpose of this document is to describe the framework for the use (issuance, renewal, revocation, and policies) of the ECC Root Certificate Authority within Cisco Systems Inc., and with external entities.

1.1 Background

A public-key certificate binds a public-key value to a set of information that identifies the entity associated with use of the corresponding private key (this entity is known as the "subject" of the certificate). A certificate is used by a "certificate user" or "benefiting party" that needs to utilize the public key distributed via that certificate (a certificate user is typically an entity that is verifying a digital signature created by the certificate's subject). The degree to which a certificate user can trust the binding embodied in a certificate depends on several factors. These factors include the practices followed by the Certification Authority (CA) in authenticating the subject; the CA's operating policy, procedures, and security controls; the subject's obligations (for example, in protecting the private key); and the stated undertakings and legal obligations of the CA (for example, warranties and limitations on liability).

1.1.1 PKI Hierarchy

The Cisco ECC Root CA is a self-signed Root CA created in a secure key generation process by multiple agents of Cisco Systems, Inc.

The Cisco ECC Root CA will only issue subordinate CA certificates, according to the policies stated in this document.

The Cisco ECC Root CA is operated in an offline (non-networked) mode and is physically secured separately from the rest of the Cisco Systems' computing assets. The Cisco Corporate Information Security group is responsible for the physical access controls protecting the offline Root CA.

Being a self-signed root, the Cisco ECC Root CA hierarchy consists of only one certificate: the Cisco ECC Root CA (RX-E2), which is owned and operated by Cisco Systems, Inc.

1.2 Policy Identification

The assertion of a Certificate Policies Object Identifier (CP OID) within the Certificate Policies X.509v3 extension will only be carried out by subordinate CAs that issue end-entity certificates. Therefore, there is no CP extension present in the Cisco ECC Root CA certificate and the assignment of a CP OID is not within the scope of this document.


1.2.1 Certificate Types

The Cisco ECC Root CA issues only subordinate CA certificates. No end-entity certificates will be issued from the Cisco ECC Root CA. The sub-CA certificates issued by the Cisco ECC Root CA will include the CP OID(s) assigned to the Certificate Policy of the particular type of end-entity certificate issued by the sub-CA.
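The rule in sections 1.2 and 1.2.1 is checkable against the certificatePolicies extension (OID 2.5.29.32) of each certificate in the hierarchy. The following pure-Python codec is an added example, not Cisco's own tooling: it encodes and decodes that extension's DER value and applies the rule to a mapping of extension OIDs to DER values that the caller has already extracted from a certificate; any CP OID values fed to it are constructed placeholders.

```python
# Added example: DER codec for the X.509v3 certificatePolicies extension plus
# the rule of sections 1.2 / 1.2.1 (root: no CP OID; sub-CA: CP OIDs present).
CERTIFICATE_POLICIES_OID = "2.5.29.32"  # id-ce-certificatePolicies (RFC 5280)
SEQUENCE_TAG = 0x30
OID_TAG = 0x06

def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, index of the first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if not 0 < count <= 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(body)) + body

def _base128(value: int) -> bytes:
    """OID arc: 7 bits per byte, high bit set on every byte but the last."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; the first two arcs are packed as 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return _tlv(OID_TAG, body)

def decode_oid(buf: bytes, pos: int) -> tuple[str, int]:
    """Decode the OID at buf[pos]; return (dotted string, index after it)."""
    if buf[pos] != OID_TAG:
        raise ValueError("expected OBJECT IDENTIFIER")
    length, pos = _decode_length(buf, pos + 1)
    end = pos + length
    arcs, value, pending = [], 0, False
    for b in buf[pos:end]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated OBJECT IDENTIFIER")
    # First-arc 2 is encoded as 80 + second arc; arcs 0 and 1 as 40*a + b.
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else list(divmod(arcs[0], 40))
    return ".".join(str(a) for a in lead + arcs[1:]), end

def encode_certificate_policies(oids: list[str]) -> bytes:
    """SEQUENCE OF PolicyInformation, each a SEQUENCE holding the policy OID."""
    if not oids:
        raise ValueError("certificatePolicies needs at least one CP OID")
    return _tlv(SEQUENCE_TAG, b"".join(_tlv(SEQUENCE_TAG, encode_oid(o)) for o in oids))

def decode_certificate_policies(der: bytes) -> list[str]:
    """Return the policyIdentifier OIDs; optional policyQualifiers are skipped."""
    if der[0] != SEQUENCE_TAG:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    length, pos = _decode_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("length does not match extension data")
    oids = []
    while pos < end:
        if der[pos] != SEQUENCE_TAG:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        inner_len, pos = _decode_length(der, pos + 1)
        inner_end = pos + inner_len
        oid, pos = decode_oid(der, pos)
        oids.append(oid)
        pos = inner_end
    return oids

def check_policy_extension(is_root: bool, extensions: dict[str, bytes]) -> tuple[bool, str]:
    """extensions maps extension OID -> DER extnValue (supplied by the caller)."""
    value = extensions.get(CERTIFICATE_POLICIES_OID)
    if is_root:
        if value is None:
            return True, "root carries no certificatePolicies extension (section 1.2)"
        return False, "root must not assert a CP OID (section 1.2)"
    if value is None:
        return False, "sub-CA lacks the CP OID(s) required by section 1.2.1"
    try:
        oids = decode_certificate_policies(value)
    except (ValueError, IndexError) as exc:
        return False, f"malformed certificatePolicies: {exc}"
    return True, "sub-CA asserts CP OID(s): " + ", ".join(oids)
```

Feed it the extension map of the downloaded root certificate with is_root=True and of each sub-CA certificate with is_root=False; the returned reason names the section that the certificate satisfies or violates.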

1.2.1.1 Certificate Profile

The Cisco ECC Root CA certificate profile is obtainable by downloading the actual Root CA certificate itself from http://www.cisco.com/security/pki/certs/eccroot.cer or through correspondence to the parties listed in section 1.4.

1.3 Community & Applicability

1.3.1 Certification Authorities (CAs)

This Policy is binding on the offline root CA "Cisco ECC Root CA". Specific practices and procedures by which the Root CA implements the requirements of this Policy shall be set forth by the CA in a certification practice statement ("CPS") or other publicly available document, or by contract with any Benefiting Party (see 1.3.5 below).

1.3.1.1 CAs Authorized to Issue Certificates under this Policy

The offline root CA "Cisco ECC Root CA", owned by Cisco Systems, Inc. and operated by Cisco Systems Corporate Information Security group, is the only CA authorized to issue certificates under this policy.

1.3.2 Registration Authorities

See Section 2.1.2.

1.3.3 Validation Services

See Section 2.1.2.

1.3.4 Subscribers

The Subscribers of the Cisco ECC Root CA are limited to subordinate CAs only.

1.3.5 Benefiting Parties

This Policy is intended for the benefit of the following persons who may rely on certificates that reference this Policy ("Benefiting Parties"):

• Cisco agencies and businesses that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA;

• Individuals that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA;

• Entities that have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced.


1.3.6 Applicability

1.3.6.1 Suitable Applications

Sub-CA certificates issued under this policy may be used in any application which requires the assembly of a cryptographic chain up to the Cisco ECC Root CA for signature verification, establishment of trust, and/or certificate validation purposes.

1.4 Contact Details

This Policy is administered by the Corporate Information Security group of Cisco Systems, Inc.

1.4.1 Changes to the Certificate Policy

1.4.1.1 Procedure for Changes

Changes to this CP are made by Cisco's Policy Management Authority (PMA), which includes Cisco's Corporate Security Programs Office and Legal department. Changes will be in the form of a document update with changes reflected in the version section. Changed versions will be linked to by the main Cisco PKI Policies page located at: http://www.cisco.com/security/pki/policies/index.html.

1.4.1.2 Change Notification

Benefiting Parties are defined here as entities who have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced. Cisco's PMA will notify all Benefiting Parties of any changes to the CP or CPS as defined in the specific Certificate Trust Agreement between Cisco Systems and the Benefiting Party. Entities who are not Benefiting Parties will not be notified of changes but may learn of changes by viewing the current CP or CPS published to Cisco's public repository.

1.4.2 Contact Information

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134

Please send PKI-based correspondence to:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: J.P. Hamilton
Phone No.: +1 919-392-1481
E-mail address: [email protected]


2 General Provisions

2.1 Obligations

2.1.1 CA Obligations

The root CA "Cisco ECC Root CA" is responsible for all aspects of the issuance and management of its issued certificates, including control over the application/enrollment process, the identification and authentication process, the certificate manufacturing process, publication of the certificate (if required), suspension and/or revocation of the certificate, renewal of the certificate, validation services, and for ensuring that all aspects of the CA Services and CA operations and infrastructure related to certificates issued under this Policy are performed in accordance with the requirements and representations of this Policy.

2.1.1.1 Representations by the CA

By issuing a certificate that references this Policy, the Issuing CA certifies to Benefiting Parties who reasonably and in good faith rely on the information contained in the certificate during its operational period and in accordance with this Policy, that:

• The CA has issued, and will manage, the certificate in accordance with this Policy;

• The CA has complied with the requirements of this Policy and its applicable CPS when authenticating the subscriber and issuing the certificate;

• There are no misrepresentations of fact in the certificate known to the CA, and the CA has taken reasonable steps to verify additional information in the certificate unless otherwise noted in its CPS;

• Information provided by the subscriber in the certificate application for inclusion in the certificate has been accurately transcribed to the certificate; and

• The certificate meets all material requirements of this Policy and was processed according to the CA's CPS.

2.1.1.2 Benefiting Party Warranties

Unless an explicit contractual agreement exists between Cisco Systems and a Benefiting Party, Cisco Systems is not representing any warranty to a Benefiting Party that exercises reliance on certificates issued by the Cisco ECC Root CA. In such instances where an explicit and separate Certificate Warranty agreement exists between the Benefiting Party and Cisco Systems, Cisco Systems may warrant that:

• The Issuing CA has issued and managed the Certificate in accordance with this Policy;

• The Issuing CA complied with the requirements of this Policy and any applicable CPS when authenticating requests for subordinate CA certificates;

• There are no material misrepresentations of fact in the Certificate known to the Issuing CA, and the Issuing CA has taken steps as required under this Policy to verify the information contained in the Certificate;

• The Issuing CA has taken the steps required by this Policy to ensure that the Certificate Holder's submitted information has been accurately transcribed to the Certificate;


• Information provided by the Issuing CA concerning the current validity of the Certificate is accurate and that validity has not been diminished by the Issuing CA's failure to promptly revoke the Certificate in accordance with this Certificate Policy; and

• The issued Certificate meets all material requirements of this Policy and any applicable CPS.

These warranties may be applied to any Benefiting Party who: (i) enters into a separately executed warranty agreement with Cisco Systems; (ii) relies on the issued Certificate in an electronic transaction in which the issued Certificate played a material role in verifying the identity of one or more persons or devices; (iii) exercises Reasonable Reliance on that Certificate; and (iv) follows all procedures required by this Policy and by the applicable Benefiting Party Agreement for verifying the status of the issued Certificate. These warranties are made to the Benefiting Party as of the time the CA's certificate validation mechanism is utilized to determine Certificate validity, and only if the Certificate relied upon is valid and not revoked at that time.

2.1.1.3 Warranty Limitations

The warranties offered to both Certificate Holders and Benefiting Parties will be subject to the limitations set forth in this Policy. Cisco Systems may provide further limitations and exclusions on these warranties as deemed appropriate, relating to: (i) failure to comply with the provisions of this Policy or of any agreement with the Issuing CA; (ii) other actions giving rise to any loss; (iii) events beyond the reasonable control of the CA; and (iv) time limitations for the filing of claims. However, such limitations and exclusions may not, in any event, be less than those provided for in 2.1.1.2.

2.1.1.4 Time between Certificate Request and Issuance

There is no stipulation for the period between the receipt of an application for a Certificate and the issuance of a Certificate, but the Issuing CA will make reasonable efforts to ensure prompt issuance.

2.1.1.5 Certificate Revocation and Renewal

The Issuing CA must ensure that any procedures for the expiration, revocation and renewal of an issued Certificate will conform to the relevant provisions of this Policy and will be expressly stated in a Certificate Agreement and any other applicable document outlining the terms and conditions of certificate use, including ensuring that: (i) Key Changeover Procedures are in accordance with this Policy; (ii) notice of revocation of a Certificate will be posted to an online certificate status database and/or a certificate revocation list (CRL), as applicable, within the time limits stated in this Policy; and (iii) the address of the online certificate status database and/or CRL is defined in the issued certificate.

2.1.1.6 End Entity Agreements

The Issuing CA will enter into agreements with End Entities governing the provision of Certificate and Repository services and delineating the parties' respective rights and obligations.


The Issuing CA will ensure that any Certificate Agreements incorporate by reference the provisions of this Policy regarding the Issuing CA's and the Certificate Holder's rights and obligations. In the alternative, the Issuing CA may ensure that any Certificate Agreements, by their terms, provide the respective rights and obligations of the Issuing CA and the Certificate Holders as set forth in this Policy, including without limitation the parties' rights and responsibilities concerning the following:

• Procedures, rights and responsibilities governing (i) application for an issued Certificate, (ii) the enrollment process, (iii) Certificate issuance, and (iv) Certificate Acceptance;

• The Certificate Holder's duties to provide accurate information during the application process;

• The Certificate Holder's duties with respect to generating and protecting its Keys;

• Procedures, rights and responsibilities with respect to Identification and Authentication (I&A);

• Any restrictions on the use of issued Certificates and the corresponding Keys;

• Procedures, rights and responsibilities governing (a) notification of changes in Certificate information, and (b) revocation of issued Certificates;

• Procedures, rights and responsibilities governing renewal of issued Certificates;

• Any obligation of the Certificate Holder to indemnify any other Participant;

• Provisions regarding fees;

• The rights and responsibilities of any RA that is party to the agreement;

• Any warranties made by the Issuing CA and any limitations on warranties or liability of the Issuing CA and/or an RA;

• Provisions regarding the protection of privacy and confidential information; and

• Provisions regarding Alternative Dispute Resolution.

Nothing in any Certificate Agreement may waive or otherwise lessen the obligations of the Certificate Holder as provided in Section 2.1.4 of this Policy.

The Issuing CA will ensure that any Benefiting Party Agreement incorporates by reference the provisions of this Policy regarding the Issuing CA's and the Benefiting Party's rights and obligations. Nothing in a Benefiting Party Agreement may waive or otherwise lessen the obligations of the Benefiting Party as provided in this Policy.

2.1.1.7 Ensuring Compliance

The Issuing CA must ensure that: (i) it only accepts information from entities that understand and are obligated to comply with this Policy; (ii) it complies with the provisions of this Policy in its certification and Repository services, issuance and revocation of Certificates and issuance of CRLs; (iii) it makes reasonable efforts to ensure adherence to this Policy with regard to any Certificates issued under it; and (iv) any identification and authentication procedures are implemented as set forth in Part 3.

2.1.2 Registration Authority (RA) Obligations

The operators of the Cisco ECC Root CA shall be responsible for performing all identification and authentication functions and all certificate manufacturing and issuing functions. The Cisco ECC Root CA may NOT delegate performance of these obligations to a registration authority (RA). The CA must remain primarily responsible for the performance of all CA services in a manner consistent with the requirements of this Policy. The ability to delegate or subcontract these obligations is not permitted.

2.1.3 Certificate Status Validation Obligations

The CA shall be responsible for providing a means by which certificate status (valid or revoked) can be determined by a Benefiting Party. However, the CA may delegate or subcontract performance of this obligation to an identified validation services provider ("VSP"), provided that the CA remains primarily responsible for performance of those services by such third party in a manner consistent with the requirements of this Policy.

2.1.4 Subscriber Obligations

In all cases, the subscriber is obligated to:

• Generate a key pair using a trustworthy system, and take reasonable precautions to prevent any loss, disclosure, or unauthorized use of the private key;

• Warrant that all information and representations made by the subscriber that are included in the certificate are true;

• Use the certificate exclusively for authorized and legal purposes, consistent with this Policy;

• Instruct the CA to revoke the certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the subscriber's private key.

A Subscriber who is found to have acted in a manner counter to these obligations will have its certificate revoked, and will forfeit all claims it may have against the Issuing CA.

2.1.5 Benefiting Party Obligations

A Benefiting Party has a right to rely on a certificate that references this Policy only if the certificate was used and relied upon for lawful purposes and under circumstances where:

• The Benefiting Party entered into a Benefiting Party Agreement which incorporates by reference the provisions of this Policy regarding the Issuing CA's and the Benefiting Party's rights and obligations;

• The reliance was reasonable and in good faith in light of all the circumstances known to the benefiting party at the time of reliance;

• The purpose for which the certificate was used was appropriate under this Policy;

• The benefiting party checked the status of the certificate prior to reliance.

A Benefiting Party found to have acted in a manner counter to these obligations would forfeit all claims he, she or it may have against the Issuing CA.

2.2 Liability

The Issuing CA assumes limited liability only to Benefiting Parties who have entered into a Benefiting Party Agreement. The Issuing CA may be responsible for direct damages suffered by benefiting parties who have executed a Benefiting Party Agreement that are caused by the failure of the Issuing CA to comply with the terms of this Policy (except when waived by contract), and sustained by such benefiting parties as a result of reliance on a certificate in accordance with this Policy, but only to the extent that the damages result from the use of certificates for the suitable applications listed in Section 1.3.6. The liability of the Issuing CA is limited to these conditions and to conditions set forth in the terms of specific Benefiting Party Agreements.

Except as expressly provided in this Policy and in its CPS, the Issuing CA disclaims all other warranties and obligations of any type, including any warranty of merchantability, any warranty of fitness for a particular purpose, and any warranty of accuracy of information provided.

The liability of the Issuing CA under this Policy to Benefiting Parties who have executed a Benefiting Party Agreement shall be limited to direct damages, and shall not exceed $1000.00, except when waived by contract. The Issuing CA shall have no liability for consequential damages. Under no circumstances will the Issuing CA be responsible for direct or consequential damages to benefiting parties who have not entered into a Benefiting Party Agreement with Cisco Systems, Inc.

2.3 Interpretation & Enforcement

Each provision of this Policy has been subject to mutual consultation, negotiation, and agreement, and shall not be construed for or against any party.

2.3.1 Governing Law

This Policy shall be construed, and any legal relations between the parties hereto shall be determined, in accordance with the laws of the United States and the State of California, without regard to any conflict of law provisions thereof.

2.3.2 Dispute Resolution Procedures

Disputes between Cisco Systems and a Benefiting Party will be resolved pursuant to provisions in the applicable Certificate Trust Agreements between Cisco and the Benefiting Party. Disputes between entities who are not Benefiting Parties and Cisco Systems carry no stipulation.

2.3.3 Severability

If any portion or term of this Policy is held unenforceable by a court of competent jurisdiction, the remainder of this Policy shall not be affected and shall remain fully in force and enforceable.

2.3.4 Survival

No stipulation unless parties have entered into a Benefiting Party Agreement with Cisco Systems.


2.3.5 Merger/Integration

No stipulation unless parties have entered into a Benefiting Party Agreement with Cisco Systems.

2.3.6 Notice

All notices and other communications hereunder shall be in writing and shall be deemed given (a) on the same day if delivered personally, (b) three business days after being mailed by registered or certified mail (return receipt requested), or (c) on the same day if sent by telecopy, confirmed by telephone, to each of the contacts listed in section 1.4.2 above.

2.4 Fees

The Issuing CA shall not impose any fees on the reading of this Policy or its CPS. The Issuing CA may charge access fees on certificates, certificate status information, or CRLs, subject to agreement between the CA and subscriber and/or between the CA and a Benefiting Party, and in accordance with a fee schedule published by the CA in its CPS or otherwise.

2.5 Publication & Validation Services

2.5.1 Publication of CA Information

The Issuing CA shall operate a secure on-line repository and/or other certificate validation service that is available to Benefiting Parties and that contains: (1) issued certificates that reference this Policy, when publication is authorized by the subscriber; (2) a Certificate Revocation List ("CRL") or on-line certificate status database; (3) the CA's certificate for its signing key; (4) past and current versions of the CA's public CPS; (5) a copy of this Policy; and (6) other relevant information relating to certificates that reference this Policy.

2.5.2 Frequency of Publication

All information authorized to be published in a repository shall be published promptly after such information is authorized and available to the Issuing CA. Certificates issued by the CA that reference this Policy will be published promptly upon acceptance of such certificate by the subscriber, and when publication is authorized by the subscriber. Information relating to the revocation of a certificate will be published in accordance with section 4.4.3.

2.5.3 Access Controls

The repository will be available to Benefiting Parties (and subscribers) on a substantially 24 hours per day, 7 days per week basis, subject to reasonable scheduled maintenance and the CA's then current terms of access. The CA shall not impose any access controls on this Policy, the CA's certificate for its signing key, and past and current versions of the CA's public CPS. The CA may impose access controls on certificates, certificate status information, or CRLs at its discretion, subject to agreement between the CA and subscriber and/or the CA and Benefiting Parties, in accordance with provisions published in its CPS or otherwise.


2.6 Compliance Audit

The Issuing CA (and each RA and/or VSP, as applicable) shall submit to an annual compliance audit by an entity as directed by Cisco Systems' Corporate Information Security group. Said entity shall be approved by Cisco Systems and qualified to perform a security audit on a CA based on significant experience in the application of PKI and cryptographic technologies. The purpose of such audit shall be to verify that the CA has in place a system to assure the quality of the CA Services that it provides, and that complies with all of the requirements of this Policy and its CPS.

Issuing CA inspection results must be submitted to the Issuing CA's regulator or licensing body where applicable, and the Policy Management Authority (PMA) of this Policy. If irregularities are found, the Issuing CA must submit a report to its regulator or licensing body and the PMA as to any action the Issuing CA will take in response to the inspection report. Where the Issuing CA fails to take appropriate action in response to the inspection report, the Issuing CA's regulator, licensing body or the PMA may: (i) indicate the irregularities, but allow the Issuing CA to continue operations until the next programmed inspection; (ii) allow the Issuing CA to continue operations for a maximum of thirty (30) days pending correction of any problems prior to revocation; (iii) downgrade the assurance level of any Certificates issued by the Issuing CA (including Cross Certificates); or (iv) revoke the Issuing CA's Certificate. Any decision regarding which of these actions to take will be based on the severity of the irregularities. Any remedy may include permanent or temporary CA cessation, but all relevant factors must be considered prior to making a decision. A special audit may be required to confirm the implementation and effectiveness of the remedy. The Issuing CA will post any appropriate results of an inspection, in whole or in part, so that it is accessible for review by Certificate Holders, Authorized Benefiting Parties and RAs. The manner and extent of the publication will be defined by the Issuing CA.

2.7 Confidentiality Policy

Information regarding subscribers that is submitted on applications for certificates will be kept confidential by the Issuing CA and shall not be released without the prior consent of the subscriber, unless otherwise required by law. In addition, personal information submitted to the CA by subscribers must:

• Be made available to the subscriber for individual review following an authenticated request by said subscriber;

• Be subject to correction and/or update by said subscriber;

• Be protected by the CA in such a way as to ensure the integrity of said personal information.

The foregoing shall not apply, however, to information appearing on certificates, or to information regarding subscribers that is obtained by the CA from public sources. Under no circumstances shall the CA, any RA, or any VSP have access to the private keys of any subscriber to whom it issues a certificate that references this Policy.


2.8 Intellectual Property Rights

The Cisco ECC Root CA key pair, certificate, certification practice statement, and this certificate policy are the physical and intellectual property of Cisco Systems, Inc. Cisco retains all Intellectual Property Rights in and to these items. Intellectual Property Rights between Cisco and Benefiting Parties will be governed by the applicable Certificate Trust Agreement.

3 Identification and Authentication

3.1 Initial Registration

Due to the offline nature of the Root CA, and subject to the requirements noted below, certificate applications may only be communicated from the applicant to the CA in person via physical media (such as a floppy disk, CD-ROM or USB storage device).

3.1.1 Types of Names

The subject name used for certificate applicants shall be the subscriber's authenticated common name in the form of an X.500 Distinguished Name.

3.1.2 Name Meanings

The subject name listed in all certificates must have a reasonable association with the authenticated information of the subscriber.

3.1.3 Rules for Interpreting Various Name Forms

No stipulation.

3.1.4 Name Uniqueness

The subject name or a combination of the subject name and other data fields listed in a certificate shall be unambiguous and unique for all certificates issued by the CA. If necessary, additional characters may be appended to the authenticated common name to ensure the name's uniqueness within the domain of certificates issued by the CA.

3.1.5 Verification of Key Pair

The CA shall establish that the applicant is in possession of the private key corresponding to the public key submitted with the application in accordance with an appropriate secure protocol, such as that described in the IETF PKIX Certificate Management Protocol, or through other verifiable means.

3.1.6 Subscriber Identification & Authentication (I&A)

A certificate request may only be made by an agent of Cisco Systems Inc. on behalf of a current or proposed subordinate Certificate Authority, and to whom the certificate request is attributable for the purposes of accountability and responsibility. For I&A of the requesting agent, the Issuing CA must follow this Policy's requirements, as outlined in section 3.1.7. The applicant is required to provide authentication information and any applicable attributes, public keys and contact information.

3.1.7 Cisco Systems Agent Identification and Authentication (I&A)

The Issuing CA must establish the identity of the agent and authenticate the agent's permission to represent a current or proposed subordinate CA prior to certificate issuance.

In addition, the CA may deliver certificate activation data with respect to such agent by (i) in-person delivery, based on the CA's personal knowledge of the agent or reasonable identification at the time of delivery, or (ii) use of a Shared Secret between the CA and the agent, previously established in connection with the prior identification and ongoing relationship described above.

The CA will ensure that it has collected, reviewed, and kept records of the information regarding the agent's identity that meets the minimum requirements of its Human Resource policy, or other similar procedures, which may include verification of all of the following identification information supplied by the Applicant: (i) photographic identification; (ii) first name, middle initial, and last name; (iii) street address; and (iv) home or work telephone number.

3.2 Renewal Applications

Renewals shall be performed under this Policy by treating all renewal requests as if they were first-time certificate application requests. All Subscriber and Issuing CA obligations stated in this Policy apply to the renewal request. A subscriber will submit the new certificate request to the Issuing CA. The Issuing CA shall issue a new certificate using the newly submitted information and adhering to the I&A policies set forth herein and in the associated CPS.

3.3 Re-Key after Revocation

Revoked or expired certificates shall never be renewed. Applicants that reference this Policy shall be re-authenticated by the CA or RA during the certificate application process, just as with a first-time application.

3.4 Revocation Request

The Issuing CA, when faced with a revocation request, must adopt authentication mechanisms that balance the need to prevent unauthorized requests against the need to quickly revoke the Certificate.

Upon receipt of a revocation request, the identity of the requestor will be authenticated using the same mechanisms.


4 Operational Requirements

4.1 Certificate Application

An applicant for a certificate shall complete a certificate application in a format prescribed by the Issuing CA. All applications are subject to review, approval and acceptance by the Issuing CA. The subscriber certificate application process may only be initiated by agents of Cisco Systems, Inc.

4.2 Certificate Issuance

Upon successful completion of the subscriber I&A process in accordance with this Policy and the CPS, the CA shall issue the requested certificate, notify the applicant thereof, and make the certificate available to the applicant pursuant to a procedure whereby the certificate is initially delivered to, or available for pickup by, the subscriber only.

4.3 Certificate Acceptance

Following issuance of a certificate, the acceptance or rejection of the certificate by the subscriber, in this case the sub-CA, is solely at the discretion of the sub-CA operator, provided the acceptance or rejection is in accordance with procedures established by the Issuing Root CA and/or specified in the CPS.

4.4 Certificate Revocation

4.4.1 Circumstances for Revocation

The issuing CA shall revoke a certificate:

• Upon request of the subscriber;

• Upon failure of the subscriber to meet its material obligations under this Certificate Policy, any applicable CPS, or any other agreement, regulation, or law applicable to the certificate that may be in force;

• If knowledge or reasonable suspicion of compromise is obtained;

• If the CA determines that the certificate was not properly issued in accordance with this Policy and/or any applicable CPS.

In the event that the Issuing CA ceases operations, all certificates issued by the CA shall be revoked prior to the date that the CA ceases operations. The Issuing CA is required to provide subscribers adequate notice to provide them the opportunity to address any business impacting issues.

4.4.1.1 Permissive Revocation

A subscriber may request revocation of its certificate at any time for any reason. The issuing CA may also revoke a certificate upon failure of the subscriber to meet its obligations under this Certificate Policy, the applicable CPS, or any other agreement, regulation, or law applicable to the certificate that may be in force.


4.4.1.2 Required Revocation

A subscriber shall promptly request revocation of a certificate whenever any of the information on the certificate changes or becomes obsolete, or whenever the private key associated with the certificate, or the media holding the private key associated with the certificate, is compromised or is suspected of having been compromised.

4.4.2 Who Can Request Revocation

The only persons permitted to request revocation of a certificate issued pursuant to this Policy are the subscriber and the Issuing CA.

4.4.3 Procedure for Revocation Request

A certificate revocation request should be promptly communicated to the Issuing CA. Due to the offline nature of the root CA, all certificate revocation requests must be communicated to the root CA in person by providing adequate proof of identification in accordance with this Policy.

4.4.3.1 Certificate Status or CRL Update

Promptly following revocation, the CRL or certificate status database, as applicable, shall be updated in accordance with the CPS for that CA. All revocation requests and the resulting actions taken by the CA shall be archived in accordance with the CPS for that CA.

4.4.4 Revocation Request Grace Period

Requests for revocation shall be processed within the time frame delineated by the CPS for the issuing CA.

4.4.5 Certificate Suspension

The procedures and requirements stated for certificate revocation must also be followed for certificate suspension where implemented.

4.4.6 CRL Issuance Frequency

CRLs will be issued at least annually, even if there are no changes or updates to be made. Upon a new revocation, a new CRL will be issued and published within two hours. The Issuing CA will ensure that superseded CRLs are removed from the CRL Distribution Point location upon posting of the latest CRL.
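What the status check that 2.1.5 requires of a Benefiting Party looks like against a CRL published under 4.4.3.1 and 4.4.6, as an added example in Go using only the standard library (this is not code from the policy, the CPS or Cisco). It builds a throwaway ECDSA P-384 root and a CRL in memory, then does what a relying party must do before trusting the answer: verify the CRL signature against the trust anchor, refuse a CRL whose nextUpdate has passed (the policy's annual reissue means a CRL older than its nextUpdate is by definition a superseded copy), and only then look the serial up. The root name, the serial numbers and the one-year window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed ECDSA P-384 CA certificate in memory. It stands
// in for the Root CA certificate a relying party already holds as a trust
// anchor; the subject name is constructed for this example.
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example ECC Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is what lets CheckSignatureFrom accept this cert as a CRL issuer.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCRL is the CA side: it signs a CRL listing the given serials. number
// must increase with every CRL the CA publishes; thisUpdate/nextUpdate bound
// the period for which relying parties may use this copy.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64,
	revoked []*big.Int, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: thisUpdate,
		NextUpdate: nextUpdate,
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{
			SerialNumber:   s,
			RevocationTime: thisUpdate,
		})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkStatus is the relying party side: the CRL is used only if it is signed
// by the trusted issuer and current at time now; then serial is looked up.
// An unverifiable or stale CRL yields an error, never a "not revoked" answer.
func checkStatus(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("CRL does not parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature not from trusted issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) {
		return false, errors.New("CRL thisUpdate is in the future")
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: nextUpdate has passed, fetch the current one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, key, err := newRoot()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	revokedSerial := big.NewInt(4242) // constructed sub-CA serial
	crl, err := issueCRL(root, key, 1, []*big.Int{revokedSerial},
		now.Add(-time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, s := range []*big.Int{revokedSerial, big.NewInt(7)} {
		revoked, err := checkStatus(crl, root, s, now)
		fmt.Printf("serial %s: revoked=%v err=%v\n", s, revoked, err)
	}
	_, err = checkStatus(crl, root, revokedSerial, now.Add(366*24*time.Hour))
	fmt.Println("same CRL a year on:", err)
}
```

The ordering matters: the serial lookup is the last step, so a forged, re-signed or outdated list can never produce a "not revoked" result. A production check would additionally confirm the CRL was fetched from the distribution point named in the certificate (2.1.1.5) and, where the CPS publishes it, that the CRL number is not lower than the last one seen.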

4.4.7 On-Line Revocation/Status Checking Availability

Whenever an on-line certificate status database is used as an alternative to a CRL, such database shall be updated as soon as is technically possible after revocation or suspension.

4.5 Computer Security Audit Procedures

All significant security events on the Issuing CA system should be automatically recorded in audit trail files. Such files shall be retained for at least six (6) months on site, and thereafter shall be securely archived as per Section 4.6.


4.6 Records Archival

4.6.1 Types of Records Archived

The following data and files must be archived by, or on behalf of, the CA:

• All computer security audit data produced by the Root CA machine;

• All certificate application data;

• All certificates, and all CRLs or certificate status records;

• Key histories;

• All correspondence between the CA, RAs, VSPs, and/or subscribers.

4.6.2 Retention Period for Archive

Archive of the key and certificate information must be retained for at least the lifetime of the CA. Archives of the audit trail files must be retained for at least five (5) years after the lifetime of the CA has ended.

4.6.3 Protection of Archive

The archive media must be protected either by physical security alone, or a combination of physical security and suitable cryptographic protection. It should also be provided adequate protection from environmental threats such as temperature, humidity and magnetism.

4.6.4 Archive Backup Procedures

Adequate backup procedures must be in place so that in the event of the loss or destruction of the primary archives, a complete set of backup copies will be readily available within a short period of time.

4.6.5 Procedures to Obtain and Verify Archive Information

During the compliance audit required by this Policy, the auditor shall verify the integrity of the archives, and if either copy is found to be corrupted or damaged in any way, it shall be replaced with the other copy held in the separate location.

4.7 Key Changeover

Key Changeover is not supported for the Cisco ECC Root CA.

4.8 Compromise and Disaster Recovery

4.8.1 Disaster Recovery Plan

The CA must have in place an appropriate disaster recovery/business resumption plan and must set up and render operational a facility, located in an area that is geographically remote from the primary operational site, that is capable of providing CA Services in accordance with this Policy within seventy-two (72) hours of an unanticipated emergency. Such plan shall include a complete and periodic test of readiness for such facility. Such plan shall be referenced within appropriate documentation available to Benefiting Parties.


4.8.2 Key Compromise Plan

The CA must have in place an appropriate key compromise plan that addresses the procedures that will be followed in the event of a compromise of the private signing key used by the CA to issue certificates. Such plan shall include procedures for revoking any affected certificates and promptly notifying subscribers and Benefiting Parties.

4.9 CA Termination

In the event that the CA ceases operation, the subscribers, RAs, VSPs, and Benefiting Parties will be promptly notified of the termination. In addition, all CAs with which cross-certification agreements are current at the time of cessation will be promptly informed of the termination. All certificates issued by the CA that reference this Policy will be revoked no later than the time of termination. The CA private key will be maintained in its Hardware Security Module (HSM) for 7 years past either termination or expiration of the CA certificate, after which it will be destroyed using the FIPS 140-1 level 3 or higher approved mechanism supplied by the HSM.

5 Physical, Procedural, and Personnel Security Controls

5.1 Physical Security — Access Controls

The CA, all RAs, and VSPs shall implement appropriate physical security controls to restrict access to the hardware and software (including the server, workstations, and any external cryptographic hardware modules or tokens) used in connection with providing CA Services. Access to such hardware and software shall be limited to those personnel performing in a Trusted Role as described in Section 5.2.1. Access shall be controlled through the use of electronic access controls, mechanical combination locksets, or deadbolts. Such access controls must be manually or electronically monitored for unauthorized intrusion at all times.

5.2 Procedural Controls

5.2.1 Trusted Roles

All employees, contractors, and consultants of the Issuing CA (collectively "personnel") that have access to or control over cryptographic operations that may materially affect the CA's issuance, use, suspension, or revocation of certificates, including access to restricted operations of the CA's repository, shall, for purposes of this Policy, be considered as serving in a trusted role. Such personnel include, but are not limited to, system administration personnel, operators, engineering personnel, and executives who are designated to oversee the CA's operations.

5.2.2 Multiple Roles (Number of Persons Required Per Task)

To ensure that one person acting alone cannot circumvent safeguards, responsibilities at a CA server should be shared by multiple roles and individuals. Each account on the CA server shall have capabilities commensurate with the role of the account holder.


The Root CA must ensure that no single individual may gain access to the private key of the Root CA. At a minimum, procedural or operational mechanisms must be in place for key recovery, such as a Split Knowledge Technique, to prevent the disclosure of the Encryption Key to an unauthorized individual. Multi-user control is also required for CA Key generation as outlined in Section 6.2.2. All other duties associated with CA roles may be performed by an individual operating alone. The Issuing CA must ensure that any verification process it employs provides for oversight of all activities performed by privileged CA role holders.

To best ensure the integrity of the Issuing CA equipment and operation, it is recommended that wherever possible a separate individual be identified for each Trusted Role. The separation provides a set of checks and balances over the Issuing CA operation. Under no circumstances will the incumbent of a CA role perform his or her own auditor function.

5.2.3 Identification and Authentication for Each Role

All Issuing CA personnel must have their identity and authorization verified before they are: (i) included in the access list for the Issuing CA site; (ii) included in the access list for physical access to the system; (iii) given a Certificate for the performance of their CA role; or (iv) given an account on the PKI system. Each of these Certificates and/or accounts (with the exception of CA signing Certificates) must: (i) be directly attributable to an individual; and (ii) be restricted to actions authorized for that role through the use of CA software, operating system and procedural controls. When accessed across shared networks, CA operations must be secured, using mechanisms such as token-based strong authentication and encryption.

5.3 Personnel Security Controls

5.3.1 Background and Qualifications

CAs, RAs, and VSPs shall formulate and follow personnel and management policies sufficient to provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties in a manner consistent with this Policy.

5.3.2 Background Investigation

CAs shall conduct an appropriate investigation of all personnel who serve in trusted roles (prior to their employment and periodically thereafter as necessary), to verify their trustworthiness and competence in accordance with the requirements of this Policy and the CA's personnel practices or equivalent. All personnel who fail an initial or periodic investigation shall not serve or continue to serve in a trusted role.

5.3.3 Training Requirements

All CA, RA, and VSP personnel must receive proper training in order to perform their duties, and update briefings thereafter as necessary to remain current.


5.3.4 Documentation Supplied to Personnel

All CA, RA, and VSP personnel must be provided with comprehensive user manuals detailing the procedures for certificate creation, update, renewal, suspension, and revocation, and software functionality.

6 Technical Security Controls

6.1 Key Pair Generation and Protection

6.1.1 Key Pair Generation

Key pairs for the Issuing CA, RAs, VSPs, and subscribers must be generated in such a way that the private key is not known by anyone other than the authorized user of the key pair. Acceptable ways of accomplishing this include:

• Having all users (CAs, RAs, VSPs, and subscribers) generate their own keys on a trustworthy system, and not reveal the private keys to anyone else;

• Having keys generated in hardware tokens from which the private key cannot be extracted.

CA and RA keys must be generated in hardware tokens. Key pairs for VSPs and subscribers can be generated in either hardware or software.

6.1.2 Private Key Delivery to Entity

See Section 6.1.1.

6.1.3 Subscriber Public Key Delivery to CA

The subscriber's public key must be transferred to the RA or CA in a way that ensures that (1) it has not been changed during transit; (2) the sender possesses the private key that corresponds to the transferred public key; and (3) the sender of the public key is the legitimate user claimed in the certificate application.

6.1.4 CA Public Key Delivery to Users

The public key of the CA signing key pair may be delivered to subscribers in an on-line transaction in accordance with IETF PKIX Part 3, or via another appropriate mechanism.

6.1.5 Key Sizes

The Cisco ECC Root CA Certificate Authority utilizes a secp384r1 (NIST P-384) ECC key pair. The CPS must require a minimum of 384-bit key sizes for all subscriber (sub-CA) certificates in order to comply with this Policy.
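An intake check for a sub-CA request that covers the proof of possession required by 3.1.5 and 6.1.3 together with the 384-bit floor set here in 6.1.5, as an added example in Go using only the standard library (this is not code from the policy, the CPS or Cisco). A PKCS#10 request is signed with the applicant's own private key, so verifying that signature with the public key embedded in the request is the possession check; Go's ParseCertificateRequest does not perform it, which is exactly the step a CA operator must not skip. The common names and the undersized P-256 request used to show a rejection are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// minKeyBits is the policy floor for subscriber (sub-CA) keys (section 6.1.5).
const minKeyBits = 384

// makeCSR plays the applicant: it generates an EC key pair on curve and signs a
// certificate request with it, the artifact that would travel to the offline
// Root CA on physical media. The common name is constructed for this example.
func makeCSR(curve elliptic.Curve, commonName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// vetRequest plays the Root CA operator. Parsing only checks DER structure, so
// every policy requirement is an explicit step:
//   - CheckSignature: the request is signed by the key whose public half it
//     carries, the proof of possession called for by 3.1.5 and 6.1.3;
//   - the key is an EC key on a curve of at least minKeyBits (6.1.5);
//   - the subject carries a common name to bind the identity to (3.1.1).
func vetRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("request does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("policy requires an elliptic-curve key")
	}
	if bits := pub.Curve.Params().BitSize; bits < minKeyBits {
		return nil, fmt.Errorf("%s is %d bits, below the %d-bit minimum",
			pub.Curve.Params().Name, bits, minKeyBits)
	}
	if csr.Subject.CommonName == "" {
		return nil, errors.New("subject has no common name to authenticate")
	}
	return csr, nil
}

// tamper flips one bit in the final byte of the DER, which is the tail of the
// signature value: the request still parses, but the signature no longer
// matches the embedded public key, so possession can no longer be shown.
func tamper(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	good, err := makeCSR(elliptic.P384(), "Example Sub-CA")
	if err != nil {
		panic(err)
	}
	weak, err := makeCSR(elliptic.P256(), "Undersized Sub-CA")
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{
		"P-384 request":    good,
		"tampered request": tamper(good),
		"P-256 request":    weak,
	} {
		if csr, err := vetRequest(der); err != nil {
			fmt.Printf("%-17s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-17s accepted for %q\n", name, csr.Subject.CommonName)
		}
	}
}
```

The same shape applies to the alternative 3.1.5 mentions, a PKIX CMP exchange: whatever the transport, the CA ends up checking a signature made with the applicant's private key over data that includes the public key, and refusing to issue when that check fails.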

6.2 CA Private Key Protection

The Issuing CA shall protect its private key(s) using a FIPS 140-1 level 3 or higher compliant hardware based device, in accordance with the provisions of this Policy.

The CA, RAs, and VSPs shall each protect its private key(s) in accordance with the provisions of this Policy.

6.2.1 Standards for Cryptographic Module

The "Cisco ECC Root CA" signing key generation, storage and signing operations shall be performed using a hardware-based cryptographic module rated at FIPS 140-1 Level 3 or higher. Subscribers (sub-CAs) shall also use FIPS 140-1 Level 3 or higher approved cryptographic modules.

6.2.2 Private Key Multi-Person Control (M-of-N)

Multi-person control is a security mechanism that requires multiple authorizations for access to the CA Private Signing Key. For example, access to the CA Private Signing Key should require authorization and validation by multiple parties, including CA personnel and separate security officers. This mechanism prevents a single party (CA or otherwise) from gaining access to the CA Private Signing Key.

The Issuing CA's private key must be protected by multi-person control for all functions. The parties used for two-person control will be maintained on a list that will be made available for inspection by the audit personnel identified in section 2.6 above.
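The M-of-N control described in 6.2.2 is ordinarily enforced inside the FIPS 140 module itself, with the activation material split across operator tokens so that no single custodian can unlock the signing key. The standard construction behind such splits is Shamir's threshold secret sharing: the secret becomes the constant term of a random polynomial of degree m-1 over a prime field, each custodian holds one point on that polynomial, and any m points determine the constant term while m-1 points are consistent with every possible secret. The Go program below is an added example illustrating that principle; it is not Cisco's code, it does not describe how any particular HSM implements operator cards, and the 3-of-5 split and the hex secret are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// prime is the field modulus for the shares, the Mersenne prime 2^127 - 1.
// The shared secret must be a non-negative integer smaller than it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Share is one custodian's piece: the point (X, Y) on the secret polynomial.
type Share struct {
	X int64
	Y *big.Int
}

// Split produces n shares of secret so that any m of them (m <= n) recover
// it and any m-1 reveal nothing: secret is the constant term of a random
// polynomial of degree m-1 over the prime field, and share i is its value
// at x = i.
func Split(secret *big.Int, m, n int) ([]Share, error) {
	if m < 2 || n < m {
		return nil, fmt.Errorf("shamir: need 2 <= m <= n, got m=%d n=%d", m, n)
	}
	if secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("shamir: secret must be in [0, 2^127-1)")
	}
	coeffs := make([]*big.Int, m)
	coeffs[0] = new(big.Int).Set(secret)
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := int64(i + 1) // never x = 0, which would be the secret itself
		shares[i] = Share{X: x, Y: evalPoly(coeffs, big.NewInt(x))}
	}
	return shares, nil
}

// evalPoly evaluates the polynomial with the given coefficients at x,
// modulo prime, using Horner's rule.
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x).Add(y, coeffs[i]).Mod(y, prime)
	}
	return y
}

// Combine reconstructs the secret from the shares present by Lagrange
// interpolation at x = 0. With at least m distinct shares it returns the
// secret; with fewer it returns an unrelated field element, which is the
// property that makes M-of-N control meaningful.
func Combine(shares []Share) *big.Int {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			// term_i = y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)
			num.Mul(num, big.NewInt(-sj.X)).Mod(num, prime)
			den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)).Mod(term, prime)
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret
}

func main() {
	// Constructed stand-in for the value that activates the CA signing key.
	secret, _ := new(big.Int).SetString("0x5c1c0ecc5c1c0ecc5c1c0ecc5c1c0ecc", 0)
	shares, err := Split(secret, 3, 5) // 3-of-5 control
	if err != nil {
		panic(err)
	}
	fmt.Println("3 of 5 custodians present:", Combine(shares[:3]).Cmp(secret) == 0)
	fmt.Println("2 of 5 custodians present:", Combine(shares[:2]).Cmp(secret) == 0)
}
```

Two points to carry over to the real setting: the reconstructed value should exist only inside the module and never on a general-purpose host, and the list of custodians that 6.2.2 requires is exactly the list of share holders, so a share that changes hands without the list being updated defeats the audit control.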

6.2.3 Subscriber Private Key Escrow

Subscriber private keys must never be revealed to the Issuing CA and are therefore never escrowed.

6.2.4 Private Key Backup

The private keys for both the Issuing CA and Subscribers (sub-CAs) must be backed up in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.

6.2.5 Private Key Archival

The private keys for both the Issuing CA and Subscribers (sub-CAs) must be archived in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.

6.2.6 Private Key Entry into Cryptographic Module

The private keys for both the Issuing CA and Subscribers (sub-CAs) must be generated/entered into cryptographic modules in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.

6.2.7 Method of Activating Private Key

The private key of both the Issuing CA and Subscribers (sub-CAs) must be activated by two or more personnel in accordance with the FIPS 140-1 Level 3 or higher standard.

6.2.8 Method of Deactivating Private Key

The private key of both the Issuing CA and Subscribers (sub-CAs) must be deactivated by two or more personnel in accordance with the FIPS 140-1 Level 3 or higher standard.

6.2.9 Method of Destroying Private Key

Upon expiration or revocation of a certificate, or other termination of use of a private key for creating signatures, all copies of the private key shall be securely destroyed.

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival

The public key of the Issuing CA and Subscriber public keys are archived both in the system backups of the offline Root CA, and in the regular backups of the Repository where the digital certificates are published.

6.3.2 Key Replacement

The Issuing CA key pair may be replaced as its certificate expires.

6.3.3 Restrictions on CA's Private Key Use

The CA's signing key used for issuing certificates that conform to this Policy shall be used only for signing certificates and, optionally, CRLs or other validation service responses.

A private key used by an RA or VSP for purposes associated with its RA or VSP function shall not be used for any other purpose without the express permission of the CA.

6.4 Activation Data

There is no activation data needed or required for subscribers of the Cisco ECC Root CA because every subscriber is a subordinate CA and the sub-CA certificates are hand-delivered back to the sub-CA and installed by agents of Cisco Systems, Inc.

6.5 Security Management Controls

6.5.1 Network Security Controls

The Issuing CA (Cisco ECC Root CA) server must be offline at all times. Under no circumstances will the server be networked in any fashion. Any repositories must be protected through application-level firewalls (or separate ports of a single firewall) configured to allow only the protocols and commands required for the secure operation of the repository.

6.5.2 Cryptographic Module Engineering Controls

The Issuing CA must only use cryptographic modules that meet the requirements in sections 6.2, 6.2.1, and 6.2.2.

7 Certificates and CRL Profiles

7.1 Certificate Profile

The Cisco ECC Root CA certificate profile is obtainable by downloading the actual Root CA certificate itself from http://www.cisco.com/security/pki/certs/eccroot.cer or through correspondence to the parties listed in section 1.4.

7.2 CRL Profile

CRLs will be issued in the X.509 version 2 format. The public CPS shall identify the CRL extensions supported and the level of support for these extensions.

8 Definitions

Affiliated Individual - An affiliated individual is the subject of a certificate that is affiliated with a sponsor approved by the CA (such as an employee affiliated with an employer). Certificates issued to affiliated individuals are intended to be associated with the sponsor and the responsibility for authentication lies with the sponsor.

Authorized CA - A certification authority that has been authorized by the Certificate Policy Management Authority to issue certificates that reference this policy.

Benefiting Party - A recipient of a digitally signed message who relies on a certificate to verify the integrity of a digital signature on the message (through the use of the public key contained in the certificate), and the identity of the individual that created said digital signature.

CA - Certification Authority

Certificate - A record that, at a minimum: (a) identifies the certification authority issuing it; (b) names or otherwise identifies its subscriber; (c) contains a public key that corresponds to a private key under the sole control of the subscriber; (d) identifies its operational period; and (e) contains a certificate serial number and is digitally signed by the certification authority issuing it. As used in this Policy, the term "Certificate" refers to certificates that expressly reference this Policy in the "Certificate Policies" field of an X.509 v.3 certificate.

Certificate Revocation List (CRL) - A time-stamped list of revoked certificates that has been digitally signed by a certification authority.

Certification Authority - A certification authority is an entity that is responsible for authorizing and causing the issuance of a certificate. A certification authority can perform the functions of a registration authority (RA) and a certificate manufacturing authority (CMA), or it can delegate either of these functions to separate entities.

A certification authority performs two essential functions. First, it is responsible for identifying and authenticating the intended subscriber to be named in a certificate, and verifying that such subscriber possesses the private key that corresponds to the public key that will be listed in the certificate. Second, the certification authority actually creates (or manufactures) and digitally signs the certificate. The certificate issued by the certification authority then represents that certification authority's statement as to the identity of the person named in the certificate and the binding of that person to a particular public-private key pair.

Certification Practice Statement (CPS) - A "certification practice statement" is a statement of the practices that a certification authority employs in issuing, suspending, and revoking certificates and providing access to same. It is recognized that some certification practice details constitute business sensitive information that may not be publicly available, but which should be provided to certificate management authorities under non-disclosure agreement.

CPS - See Certification Practice Statement.

CRL - See Certificate Revocation List.

FIPS (Federal Information Processing Standards) - These are Federal standards that prescribe specific performance requirements, practices, formats, communications protocols, etc. for hardware, software, data, telecommunications operation, etc. Federal agencies are expected to apply these standards as specified unless a waiver has been granted in accordance with FIPS waiver procedures.

IETF (Internet Engineering Task Force) - The Internet Engineering Task Force is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and the efficient and robust operation of the Internet.

Key Pair - Two mathematically related keys, having the properties that (a) one key can be used to encrypt a message that can only be decrypted using the other key, and (b) even knowing one key, it is computationally infeasible to discover the other key.

Object Identifier - An object identifier is a specially formatted number that is registered with an internationally recognized standards organization.

OID - See Object Identifier.

Operational Period of a Certificate - The operational period of a certificate is the period of its validity. It would typically begin on the date the certificate is issued (or such later date as specified in the certificate), and end on the date and time it expires (as noted in the certificate) unless previously revoked or suspended.

PIN - Personal Identification Number

PKI - Public Key Infrastructure

PKIX - An IETF Working Group developing technical specifications for PKI components based on X.509 Version 3 certificates.

Policy - This Certificate Policy document.

Policy Administering Organization - The entity specified in Section 1.4 and currently envisioned to be known as the Federal Policy Management Authority.

Private Key - The key of a key pair used to create a digital signature. This key must be kept secret, and under the sole control of the individual or entity whose identity is associated with that digital signature.

Public Key - The key of a key pair used to verify a digital signature. The public key is made freely available to anyone who will receive digitally signed messages from the holder of the key pair. The public key is usually provided via delivery of a certificate issued by a certification authority and might also be obtained by accessing a repository. A public key is used to verify the digital signature of a message purportedly sent by the holder of the corresponding private key.

RA - See Registration Authority.

Registration Authority - An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).

Repository - A trustworthy system for storing and retrieving certificates and other information relating to those certificates.

Responsible Individual - A person designated by a sponsor to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor.

Revocation (Revoke) - To prematurely end the operational period of a certificate from a specified time forward.

Sponsor - An organization with which a subscriber is affiliated (e.g., as an employee, user of a service, business partner, customer, etc.).

Subject - A person whose public key is certified in a certificate. Also referred to as a "subscriber".

Subscriber - A subscriber is an entity who: (a) is the subject named or identified in a certificate issued to such person; (b) holds a private key that corresponds to a public key listed in that certificate; and (c) is the entity to whom digitally signed messages verified by reference to such certificate are to be attributed. See "subject."

Suspension (Suspend) - To temporarily halt the operational validity of a certificate for a specified time period or from a specified time forward.

Trustworthy System - Computer hardware, software, and procedures that: (a) are reasonably secure from intrusion and misuse; (b) provide a reasonable level of availability, reliability, and correct operation; (c) are reasonably suited to performing their intended functions; and (d) adhere to generally accepted security procedures.

Valid Certificate/Validity - A certificate is only valid when (a) a certification authority has signed/issued it; (b) the subscriber listed in it has accepted it; (c) it has not yet expired; and (d) it has not been revoked.

Validation Services Provider (VSP) - An entity that maintains a repository accessible to the public (or at least to benefiting parties) for purposes of obtaining copies of certificates, or an entity that provides an alternative method for verifying the status of such certificates.

VSP - See Validation Services Provider.

