Cisco Systems • 7025 Kit Creek Road, Research Triangle Park, NC
Cisco ECC Root CA Certificate Policy
Identity Assurance Services
version 1.0 2013-Sep-30
Cisco ECC Root CA Certificate Policy
Cisco Public Page 2 of 28 2013-Sep-30
Table of Contents

Version Information ..... 5
Version 1.0 – 2013-Sep-30 ..... 5
Approvals ..... 5
Annual Reviews ..... 5
1 Introduction ..... 6
1.1 Background ..... 6
1.1.1 PKI Hierarchy ..... 6
1.2 Policy Identification ..... 6
1.2.1 Certificate Types ..... 7
1.2.1.1 Certificate Profile ..... 7
1.3 Community & Applicability ..... 7
1.3.1 Certification Authorities (CAs) ..... 7
1.3.1.1 CAs Authorized to Issue Certificates under this Policy ..... 7
1.3.2 Registration Authorities ..... 7
1.3.3 Validation Services ..... 7
1.3.4 Subscribers ..... 7
1.3.5 Benefiting Parties ..... 7
1.3.6 Applicability ..... 8
1.3.6.1 Suitable Applications ..... 8
1.4 Contact Details ..... 8
1.4.1 Changes to the Certificate Policy ..... 8
1.4.1.1 Procedure for Changes ..... 8
1.4.1.2 Change Notification ..... 8
1.4.2 Contact Information ..... 8
2 General Provisions ..... 9
2.1 Obligations ..... 9
2.1.1 CA Obligations ..... 9
2.1.1.1 Representations by the CA ..... 9
2.1.1.2 Benefiting Party Warranties ..... 9
2.1.1.3 Warranty Limitations ..... 10
2.1.1.4 Time between Certificate Request and Issuance ..... 10
2.1.1.5 Certificate Revocation and Renewal ..... 10
2.1.1.6 End Entity Agreements ..... 10
2.1.1.7 Ensuring Compliance ..... 11
2.1.2 Registration Authority (RA) Obligations ..... 11
2.1.3 Certificate Status Validation Obligations ..... 12
2.1.4 Subscriber Obligations ..... 12
2.1.5 Benefiting Party Obligations ..... 12
2.2 Liability ..... 12
2.3 Interpretation & Enforcement ..... 13
2.3.1 Governing Law ..... 13
2.3.2 Dispute Resolution Procedures ..... 13
2.3.3 Severability ..... 13
2.3.4 Survival ..... 13
2.3.5 Merger/Integration ..... 14
2.3.6 Notice ..... 14
2.4 Fees ..... 14
2.5 Publication & Validation Services ..... 14
2.5.1 Publication of CA Information ..... 14
2.5.2 Frequency of Publication ..... 14
2.5.3 Access Controls ..... 14
2.6 Compliance Audit ..... 15
2.7 Confidentiality Policy ..... 15
2.8 Intellectual Property Rights ..... 16
3 Identification and Authentication ..... 16
3.1 Initial Registration ..... 16
3.1.1 Types of Names ..... 16
3.1.2 Name Meanings ..... 16
3.1.3 Rules for Interpreting Various Name Forms ..... 16
3.1.4 Name Uniqueness ..... 16
3.1.5 Verification of Key Pair ..... 16
3.1.6 Subscriber Identification & Authentication (I&A) ..... 16
3.1.7 Cisco Systems Agent Identification and Authentication (I&A) ..... 17
3.2 Renewal Applications ..... 17
3.3 Re-Key after Revocation ..... 17
3.4 Revocation Request ..... 17
4 Operational Requirements ..... 18
4.1 Certificate Application ..... 18
4.2 Certificate Issuance ..... 18
4.3 Certificate Acceptance ..... 18
4.4 Certificate Revocation ..... 18
4.4.1 Circumstances for Revocation ..... 18
4.4.1.1 Permissive Revocation ..... 18
4.4.1.2 Required Revocation ..... 19
4.4.2 Who Can Request Revocation ..... 19
4.4.3 Procedure for Revocation Request ..... 19
4.4.3.1 Certificate Status or CRL Update ..... 19
4.4.4 Revocation Request Grace Period ..... 19
4.4.5 Certificate Suspension ..... 19
4.4.6 CRL Issuance Frequency ..... 19
4.4.7 On-Line Revocation/Status Checking Availability ..... 19
4.5 Computer Security Audit Procedures ..... 19
4.6 Records Archival ..... 20
4.6.1 Types of Records Archived ..... 20
4.6.2 Retention Period for Archive ..... 20
4.6.3 Protection of Archive ..... 20
4.6.4 Archive Backup Procedures ..... 20
4.6.5 Procedures to Obtain and Verify Archive Information ..... 20
4.7 Key Changeover ..... 20
4.8 Compromise and Disaster Recovery ..... 20
4.8.1 Disaster Recovery Plan ..... 20
4.8.2 Key Compromise Plan ..... 21
4.9 CA Termination ..... 21
5 Physical, Procedural, and Personnel Security Controls ..... 21
5.1 Physical Security — Access Controls ..... 21
5.2 Procedural Controls ..... 21
5.2.1 Trusted Roles ..... 21
5.2.2 Multiple Roles (Number of Persons Required Per Task) ..... 21
5.2.3 Identification and Authentication for Each Role ..... 22
5.3 Personal Security Controls ..... 22
5.3.1 Background and Qualifications ..... 22
5.3.2 Background Investigation ..... 22
5.3.3 Training Requirements ..... 22
5.3.4 Documentation Supplied to Personnel ..... 23
6 Technical Security Controls ..... 23
6.1 Key Pair Generation and Protection ..... 23
6.1.1 Key Pair Generation ..... 23
6.1.2 Private Key Delivery to Entity ..... 23
6.1.3 Subscriber Public Key Delivery to CA ..... 23
6.1.4 CA Public Key Delivery to Users ..... 23
6.1.5 Key Sizes ..... 23
6.2 CA Private Key Protection ..... 23
6.2.1 Standards for Cryptographic Module ..... 24
6.2.2 Private Key Multi-Person Control (M-of-N) ..... 24
6.2.3 Subscriber Private Key Escrow ..... 24
6.2.4 Private Key Backup ..... 24
6.2.5 Private Key Archival ..... 24
6.2.6 Private Key Entry into Cryptographic Module ..... 24
6.2.7 Method of Activating Private Key ..... 24
6.2.8 Method of Deactivating Private Key ..... 24
6.2.9 Method of Destroying Private Key ..... 25
6.3 Other Aspects of Key Pair Management ..... 25
6.3.1 Public Key Archival ..... 25
6.3.2 Key Replacement ..... 25
6.3.3 Restrictions on CA's Private Key Use ..... 25
6.4 Activation Data ..... 25
6.5 Security Management Controls ..... 25
6.5.1 Network Security Controls ..... 25
6.5.2 Cryptographic Module Engineering Controls ..... 25
7 Certificates and CRL Profiles ..... 26
7.1 Certificate Profile ..... 26
7.2 CRL Profile ..... 26
8 Definitions ..... 26
Version Information

Version 1.0 – 2013-Sep-30
First version of document

Approvals

Version  Name            Title                     Date
1.0      Alex Wight      PKI Architect             2013-Sep-26
1.0      Eric Hampshire  PKI Operations            2013-Sep-26
1.0      J.P. Hamilton   PKI Manager               2013-Sep-26
1.0      Jos Purvis      PKI Compliance            2013-Sep-20
1.0      Bill Friedman   Senior Corporate Counsel  2013-Sep-25

Annual Reviews

Version  Name        Title           Date
1.0      Jos Purvis  PKI Compliance  2014-Sep-02
1.0      Jos Purvis  PKI Compliance  2015-Sep-25
1.0      Jos Purvis  PKI Compliance  2016-Nov-16
1 Introduction
Cisco Systems has implemented a Root Certificate Authority (CA) to provide a trust anchor for cryptographic communications using X.509 certificates. The Root CA consists of systems, products and services that both protect the Root CA's private key, and manage the subordinate CA X.509 certificates (sub-CA certificates) issued from the Root CA.
The purpose of this document is to describe the framework for the use (issuance, renewal, revocation, and policies) of the ECC Root Certificate Authority within Cisco Systems Inc., and with external entities.
1.1 Background
A public-key certificate binds a public-key value to a set of information that identifies the entity associated with use of the corresponding private key (this entity is known as the "subject" of the certificate). A certificate is used by a "certificate user" or "benefiting party" that needs to utilize the public key distributed via that certificate (a certificate user is typically an entity that is verifying a digital signature created by the certificate's subject). The degree to which a certificate user can trust the binding embodied in a certificate depends on several factors. These factors include the practices followed by the Certification Authority (CA) in authenticating the subject; the CA's operating policy, procedures, and security controls; the subject's obligations (for example, in protecting the private key); and the stated undertakings and legal obligations of the CA (for example, warranties and limitations on liability).
1.1.1 PKI Hierarchy
The Cisco ECC Root CA is a self-signed Root CA created in a secure key generation process by multiple agents of Cisco Systems, Inc.
The Cisco ECC Root CA will only issue subordinate CA certificates, according to the policies stated in this document.
The Cisco ECC Root CA is operated in an offline (non-networked) mode and is physically secured separately from the rest of the Cisco Systems' computing assets. The Cisco Corporate Information Security group is responsible for the physical access controls protecting the offline Root CA.
Being a self-signed root, the Cisco ECC Root CA hierarchy consists of only one certificate, the Cisco ECC Root CA (RX-E2), which is owned and operated by Cisco Systems, Inc.
1.2 Policy Identification
The assertion of a Certificate Policies Object Identifier (CP OID) within the Certificate Policies X.509v3 extension will only be carried out by subordinate CAs that issue end-entity certificates. Therefore, there is no CP extension present in the Cisco ECC Root CA certificate and the assignment of a CP OID is not within the scope of this document.
1.2.1 Certificate Types
The Cisco ECC Root CA issues only subordinate CA certificates. No end-entity certificates will be issued from the Cisco ECC Root CA. The sub-CA certificates issued by the Cisco ECC Root CA will include the CP OID(s) assigned to the Certificate Policy of the particular type of end-entity certificate issued by the sub-CA.
1.2.1.1 Certificate Profile
The Cisco ECC Root CA certificate profile is obtainable by downloading the actual Root CA certificate itself from http://www.cisco.com/security/pki/certs/eccroot.cer or through correspondence to the parties listed in section 1.4.
1.3 Community & Applicability
1.3.1 Certification Authorities (CAs)
This Policy is binding on the offline root CA "Cisco ECC Root CA". Specific practices and procedures by which the Root CA implements the requirements of this Policy shall be set forth by the CA in a certification practice statement ("CPS") or other publicly available document, or by contract with any Benefiting Party (see 1.3.5 below).
1.3.1.1 CAs Authorized to Issue Certificates under this Policy
The offline root CA "Cisco ECC Root CA", owned by Cisco Systems, Inc. and operated by Cisco Systems Corporate Information Security group, is the only CA authorized to issue certificates under this policy.
1.3.2 Registration Authorities
See Section 2.1.2.
1.3.3 Validation Services
See Section 2.1.2.
1.3.4 Subscribers
The Subscribers of the Cisco ECC Root CA are limited to subordinate CAs only.
1.3.5 Benefiting Parties
This Policy is intended for the benefit of the following persons who may rely on certificates that reference this Policy ("Benefiting Parties"):
• Cisco agencies and businesses that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA;
• Individuals that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA;
• Entities that have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced.
1.3.6 Applicability
1.3.6.1 Suitable Applications
Sub-CA certificates issued under this policy may be used in any application which requires the assembly of a cryptographic chain up to the Cisco ECC Root CA for signature verification, establishment of trust, and/or certificate validation purposes.
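The structural rules stated in 1.1.1, 1.2, 1.2.1 and 1.3.6.1 (a self-signed ECC root that issues only sub-CA certificates, no Certificate Policies extension on the root, the CP OID(s) carried by the sub-CA, and a chain that must assemble up to the root) can be checked mechanically. The following Go program is an added example using only the standard library; it is not code from the Cisco document or the Cisco PKI, and because the real root certificate is only obtainable from the URL in 1.2.1.1, it constructs a root and sub-CA locally with placeholder names and a placeholder CP OID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies (RFC 5280 4.2.1.4)

// policyInformation is the minimal PolicyInformation SEQUENCE: the policyIdentifier alone.
type policyInformation struct {
	Identifier asn1.ObjectIdentifier
}

// HasCertificatePolicies reports whether cert asserts a certificatePolicies extension.
func HasCertificatePolicies(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidCertificatePolicies) {
			return true
		}
	}
	return false
}

// CheckHierarchy enforces 1.1.1, 1.2 and 1.3.6.1: self-signed root without CP OID, issued cert is a sub-CA with a CP OID, chain verifies.
func CheckHierarchy(root, issued *x509.Certificate) error {
	if err := root.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("root is not a self-signed CA: %w", err)
	}
	if HasCertificatePolicies(root) {
		return errors.New("root must not assert a certificatePolicies extension")
	}
	if !issued.IsCA {
		return errors.New("root may issue only subordinate CA certificates")
	}
	if !HasCertificatePolicies(issued) {
		return errors.New("sub-CA certificate must carry the CP OID(s) it issues under")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := issued.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// issue generates a P-384 key for template and signs the certificate with parentKey; a nil parent means self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template valid from an hour ago for the given number of years.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// BuildSampleHierarchy constructs a P-384 root and a sub-CA it signed. Names and the CP OID are
// placeholders invented for this example, not Cisco values; withPolicy toggles the sub-CA's CP OID.
func BuildSampleHierarchy(withPolicy bool) (root, sub *x509.Certificate, err error) {
	root, rootKey, err := issue(caTemplate(1, "Example ECC Root CA (constructed)", 20), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	subTmpl := caTemplate(2, "Example ECC Sub-CA (constructed)", 10)
	if withPolicy {
		// Placeholder CP OID; a real sub-CA carries the OID(s) of the CP its end-entity certificates are issued under.
		der, err := asn1.Marshal([]policyInformation{{Identifier: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}}})
		if err != nil {
			return nil, nil, err
		}
		subTmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	sub, _, err = issue(subTmpl, root, rootKey)
	return root, sub, err
}
```

The same CheckHierarchy can be run against the downloaded root and a sub-CA certificate parsed with x509.ParseCertificate, which is the check a relying party would want before trusting the chain.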
1.4 Contact Details
This Policy is administered by the Corporate Information Security group of Cisco Systems, Inc.
1.4.1 Changes to the Certificate Policy
1.4.1.1 Procedure for Changes
Changes to this CP are made by Cisco's Policy Management Authority (PMA), which includes Cisco's Corporate Security Programs Office and Legal department. Changes will be in the form of a document update with changes reflected in the version section. Changed versions will be linked to by the main Cisco PKI Policies page located at: http://www.cisco.com/security/pki/policies/index.html.
1.4.1.2 Change Notification
Benefiting Parties are defined here as entities who have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced. Cisco's PMA will notify all Benefiting Parties of any changes to the CP or CPS as defined in the specific Certificate Trust Agreement between Cisco Systems and the Benefiting Party. Entities who are not Benefiting Parties will not be notified of changes but may learn of changes by viewing the current CP or CPS published to Cisco's public repository.
1.4.2 Contact Information
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134
Please send PKI-based correspondence to:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: J.P. Hamilton
Phone No.: +1 919-392-1481
E-mail address: [email protected]
2 General Provisions
2.1 Obligations
2.1.1 CA Obligations
The root CA "Cisco ECC Root CA" is responsible for all aspects of the issuance and management of its issued certificates, including control over the application/enrollment process, the identification and authentication process, the certificate manufacturing process, publication of the certificate (if required), suspension and/or revocation of the certificate, renewal of the certificate, validation services, and for ensuring that all aspects of the CA Services and CA operations and infrastructure related to certificates issued under this Policy are performed in accordance with the requirements and representations of this Policy.
2.1.1.1 Representations by the CA
By issuing a certificate that references this Policy, the Issuing CA certifies to Benefiting Parties who reasonably and in good faith rely on the information contained in the certificate during its operational period and in accordance with this Policy, that:
• The CA has issued, and will manage, the certificate in accordance with this Policy;
• The CA has complied with the requirements of this Policy and its applicable CPS when authenticating the subscriber and issuing the certificate;
• There are no misrepresentations of fact in the certificate known to the CA, and the CA has taken reasonable steps to verify additional information in the certificate unless otherwise noted in its CPS;
• Information provided by the subscriber in the certificate application for inclusion in the certificate has been accurately transcribed to the certificate; and
• The certificate meets all material requirements of this Policy and was processed according to the CA's CPS.
2.1.1.2 Benefiting Party Warranties
Unless an explicit contractual agreement exists between Cisco Systems and a Benefiting Party, Cisco Systems is not representing any warranty to a Benefiting Party that exercises reliance on certificates issued by the Cisco ECC Root CA. In such instances where an explicit and separate Certificate Warranty agreement exists between the Benefiting Party and Cisco Systems, Cisco Systems may warrant that:
• The Issuing CA has issued and managed the Certificate in accordance with this Policy;
• The Issuing CA complied with the requirements of this Policy and any applicable CPS when authenticating requests for subordinate CA certificates;
• There are no material misrepresentations of fact in the Certificate known to the Issuing CA, and the Issuing CA has taken steps as required under this Policy to verify the information contained in the Certificate;
• The Issuing CA has taken the steps required by this Policy to ensure that the Certificate Holder's submitted information has been accurately transcribed to the Certificate;
• Information provided by the Issuing CA concerning the current validity of the Certificate is accurate and that validity has not been diminished by the Issuing CA's failure to promptly revoke the Certificate in accordance with this Certificate Policy; and
• The issued Certificate meets all material requirements of this Policy and any applicable CPS.
These warranties may be applied to any Benefiting Party who: (i) enters into a separately executed warranty agreement with Cisco Systems; (ii) relies on the issued Certificate in an electronic transaction in which the issued Certificate played a material role in verifying the identity of one or more persons or devices; (iii) exercises Reasonable Reliance on that Certificate; and (iv) follows all procedures required by this Policy and by the applicable Benefiting Party Agreement for verifying the status of the issued Certificate. These warranties are made to the Benefiting Party as of the time the CA's certificate validation mechanism is utilized to determine Certificate validity, and only if the Certificate relied upon is valid and not revoked at that time.
2.1.1.3 Warranty Limitations
The warranties offered to both Certificate Holders and Benefiting Parties will be subject to the limitations set forth in this Policy. Cisco Systems may provide further limitations and exclusions on these warranties as deemed appropriate, relating to: (i) failure to comply with the provisions of this Policy or of any agreement with the Issuing CA; (ii) other actions giving rise to any loss; (iii) events beyond the reasonable control of the CA; and (iv) time limitations for the filing of claims. However, such limitations and exclusions may not, in any event, be less than those provided for in 2.1.1.2.
2.1.1.4 Time between Certificate Request and Issuance
There is no stipulation for the period between the receipt of an application for a Certificate and the issuance of a Certificate, but the Issuing CA will make reasonable efforts to ensure prompt issuance.
2.1.1.5 Certificate Revocation and Renewal
The Issuing CA must ensure that any procedures for the expiration, revocation and renewal of an issued Certificate will conform to the relevant provisions of this Policy and will be expressly stated in a Certificate Agreement and any other applicable document outlining the terms and conditions of certificate use, including ensuring that: (i) Key Changeover Procedures are in accordance with this Policy; (ii) notice of revocation of a Certificate will be posted to an online certificate status database and/or a certificate revocation list (CRL), as applicable, within the time limits stated in this Policy; and (iii) the address of the online certificate status database and/or CRL is defined in the issued certificate.
2.1.1.6 End Entity Agreements
The Issuing CA will enter into agreements with End Entities governing the provision of Certificate and Repository services and delineating the parties' respective rights and obligations.
The Issuing CA will ensure that any Certificate Agreements incorporate by reference the provisions of this Policy regarding the Issuing CA's and the Certificate Holder's rights and obligations. In the alternative, the Issuing CA may ensure that any Certificate Agreements, by their terms, provide the respective rights and obligations of the Issuing CA and the Certificate Holders as set forth in this Policy, including without limitation the parties' rights and responsibilities concerning the following:
• Procedures, rights and responsibilities governing (i) application for an issued Certificate, (ii) the enrollment process, (iii) Certificate issuance, and (iv) Certificate Acceptance;
• The Certificate Holder's duties to provide accurate information during the application process;
• The Certificate Holder's duties with respect to generating and protecting its Keys;
• Procedures, rights and responsibilities with respect to Identification and Authentication (I&A);
• Any restrictions on the use of issued Certificates and the corresponding Keys;
• Procedures, rights and responsibilities governing (a) notification of changes in Certificate information, and (b) revocation of issued Certificates;
• Procedures, rights and responsibilities governing renewal of issued Certificates;
• Any obligation of the Certificate Holder to indemnify any other Participant;
• Provisions regarding fees;
• The rights and responsibilities of any RA that is party to the agreement;
• Any warranties made by the Issuing CA and any limitations on warranties or liability of the Issuing CA and/or an RA;
• Provisions regarding the protection of privacy and confidential information; and
• Provisions regarding Alternative Dispute Resolution.
Nothing in any Certificate Agreement may waive or otherwise lessen the obligations of the Certificate Holder as provided in Section 2.1.4 of this Policy.
TheIssuingCAwillensurethatanyBenefitingPartyAgreementincorporatebyreferencetheprovisionsofthisPolicyregardingtheIssuingCA’sandtheBenefitingParty’srightsandobligations.NothinginaBenefitingPartyAgreementmaywaiveorotherwiselessentheobligationsoftheBenefitingPartyasprovidedinthisPolicy.
2.1.1.7 EnsuringCompliance
TheIssuingCAmustensurethat:(i)itonlyacceptsinformationfromentitiesthatunderstandandareobligatedtocomplywiththisPolicy;(ii)itcomplieswiththeprovisionsofthisPolicyinitscertificationandRepositoryservices,issuanceandrevocationofCertificatesandissuanceofCRLs;(iii)itmakesreasonableeffortstoensureadherencetothisPolicywithregardtoanyCertificatesissuedunderit;and(iv)anyidentificationandauthenticationproceduresareimplementedassetforthinPart3.
2.1.2 Registration Authority (RA) Obligations
The operators of the Cisco ECC Root CA shall be responsible for performing all identification and authentication functions and all certificate manufacturing and issuing functions. The Cisco ECC Root CA may NOT delegate performance of these obligations to a registration authority (RA). The CA must remain primarily responsible for the performance of all CA services in a manner consistent with the requirements of this Policy. The ability to delegate or subcontract these obligations is not permitted.
2.1.3 Certificate Status Validation Obligations
The CA shall be responsible for providing a means by which certificate status (valid or revoked) can be determined by a Benefiting Party. However, the CA may [delegate/subcontract] performance of this obligation to an identified validation services provider ("VSP"), provided that the CA remains primarily responsible for performance of those services by such third party in a manner consistent with the requirements of this Policy.
2.1.4 Subscriber Obligations
In all cases, the subscriber is obligated to:
• Generate a key pair using a trustworthy system, and take reasonable precautions to prevent any loss, disclosure, or unauthorized use of the private key;
• Warrant that all information and representations made by the subscriber that are included in the certificate are true;
• Use the certificate exclusively for authorized and legal purposes, consistent with this Policy;
• Instruct the CA to revoke the certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the subscriber's private key.
A Subscriber who is found to have acted in a manner counter to these obligations will have its certificate revoked, and will forfeit all claims it may have against the Issuing CA.
2.1.5 Benefiting Party Obligations
A Benefiting Party has a right to rely on a certificate that references this Policy only if the certificate was used and relied upon for lawful purposes and under circumstances where:
• The Benefiting Party entered into a Benefiting Party Agreement which incorporates by reference the provisions of this Policy regarding the Issuing CA's and the Benefiting Party's rights and obligations;
• The reliance was reasonable and in good faith in light of all the circumstances known to the benefiting party at the time of reliance;
• The purpose for which the certificate was used was appropriate under this Policy;
• The benefiting party checked the status of the certificate prior to reliance.
A Benefiting Party found to have acted in a manner counter to these obligations would forfeit all claims he, she or it may have against the Issuing CA.
2.2 Liability
The Issuing CA assumes limited liability only to Benefiting Parties who have entered into a Benefiting Party Agreement. The Issuing CA may be responsible for direct damages suffered by benefiting parties who have executed a Benefiting Party Agreement that are caused by the failure of the Issuing CA to comply with the terms of this Policy (except when waived by contract), and sustained by such benefiting parties as a result of reliance on a certificate in accordance with this Policy, but only to the extent that the damages result from the use of certificates for the suitable applications listed in Section 1.3.6. The liability of the Issuing CA is limited to these conditions and to conditions set forth in the terms of specific Benefiting Party Agreements.
Except as expressly provided in this Policy and in its CPS, the Issuing CA disclaims all other warranties and obligations of any type, including any warranty of merchantability, any warranty of fitness for a particular purpose, and any warranty of accuracy of information provided.
The liability of the Issuing CA under this Policy to Benefiting Parties who have executed a Benefiting Party agreement shall be limited to direct damages, and shall not exceed $1000.00, except when waived by contract. The Issuing CA shall have no liability for consequential damages. Under no circumstances will the Issuing CA be responsible for direct or consequential damages to benefiting parties who have not entered into a Benefiting Party Agreement with Cisco Systems, Inc.
2.3 Interpretation & Enforcement
Each provision of this Policy has been subject to mutual consultation, negotiation, and agreement, and shall not be construed for or against any party.
2.3.1 Governing Law
This Policy shall be construed, and any legal relations between the parties hereto shall be determined, in accordance with the laws of the United States and the State of California, without regard to any conflict of law provisions thereof.
2.3.2 Dispute Resolution Procedures
Disputes between Cisco Systems and a Benefiting Party will be resolved pursuant to provisions in the applicable Certificate Trust Agreements between Cisco and the Benefiting Party. Disputes between entities who are not Benefiting Parties and Cisco Systems carry no stipulation.
2.3.3 Severability
If any portion or term of this Policy is held unenforceable by a court of competent jurisdiction, the remainder of this Policy shall not be affected and shall remain fully in force and enforceable.
2.3.4 Survival
No stipulation unless parties have entered into a Benefiting Party Agreement with Cisco Systems.
2.3.5 Merger/Integration
No stipulation unless parties have entered into a Benefiting Party Agreement with Cisco Systems.
2.3.6 Notice
All notices and other communications hereunder shall be in writing and shall be deemed given (a) on the same day if delivered personally, (b) three business days after being mailed by registered or certified mail (return receipt requested), or (c) on the same day if sent by telecopy, confirmed by telephone, to each of the contacts listed in section 1.4.2 above.
2.4 Fees
The Issuing CA shall not impose any fees on the reading of this Policy or its CPS. The Issuing CA may charge access fees on certificates, certificate status information, or CRLs, subject to agreement between the CA and subscriber and/or between the CA and a Benefiting Party, and in accordance with a fee schedule published by the CA in its CPS or otherwise.
2.5 Publication & Validation Services
2.5.1 Publication of CA Information
The Issuing CA shall operate a secure on-line repository and/or other certificate validation service that is available to Benefiting Parties and that contains: (1) issued certificates that reference this Policy, when publication is authorized by the subscriber; (2) a Certificate Revocation List ("CRL") or on-line certificate status database; (3) the CA's certificate for its signing key; (4) past and current versions of the CA's public CPS; (5) a copy of this Policy; and (6) other relevant information relating to certificates that reference this Policy.
2.5.2 Frequency of Publication
All information authorized to be published in a repository shall be published promptly after such information is authorized and available to the Issuing CA. Certificates issued by the CA that reference this Policy will be published promptly upon acceptance of such certificate by the subscriber, and when publication is authorized by the subscriber. Information relating to the revocation of a certificate will be published in accordance with section 4.4.3.
2.5.3 Access Controls
The repository will be available to Benefiting Parties (and subscribers) on a substantially 24 hours per day, 7 days per week basis, subject to reasonable scheduled maintenance and the CA's then current terms of access. The CA shall not impose any access controls on this Policy, the CA's certificate for its signing key, and past and current versions of the CA's public CPS. The CA may impose access controls on certificates, certificate status information, or CRLs at its discretion, subject to agreement between the CA and subscriber and/or the CA and Benefiting Parties, in accordance with provisions published in its CPS or otherwise.
2.6 Compliance Audit
The Issuing CA (and each RA and/or VSP, as applicable) shall submit to an annual compliance audit by an entity as directed by Cisco Systems' Corporate Information Security group. Said entity shall be approved by Cisco Systems and qualified to perform a security audit on a CA based on significant experience in the application of PKI and cryptographic technologies. The purpose of such audit shall be to verify that the CA has in place a system to assure the quality of the CA Services that it provides, and that complies with all of the requirements of this Policy and its CPS.
Issuing CA inspection results must be submitted to the Issuing CA's regulator or licensing body where applicable, and the Policy Management Authority (PMA) of this Policy. If irregularities are found, the Issuing CA must submit a report to its regulator or licensing body and the PMA as to any action the Issuing CA will take in response to the inspection report. Where the Issuing CA fails to take appropriate action in response to the inspection report, the Issuing CA's regulator, licensing body or the PMA may: (i) indicate the irregularities, but allow the Issuing CA to continue operations until the next programmed inspection; (ii) allow the Issuing CA to continue operations for a maximum of thirty (30) days pending correction of any problems prior to revocation; (iii) downgrade the assurance level of any Certificates issued by the Issuing CA (including Cross Certificates); or (iv) revoke the Issuing CA's Certificate. Any decision regarding which of these actions to take will be based on the severity of the irregularities. Any remedy may include permanent or temporary CA cessation, but all relevant factors must be considered prior to making a decision. A special audit may be required to confirm the implementation and effectiveness of the remedy. The Issuing CA will post any appropriate results of an inspection, in whole or in part, so that it is accessible for review by Certificate Holders, Authorized Benefiting Parties and RAs. The manner and extent of the publication will be defined by the Issuing CA.
2.7 Confidentiality Policy
Information regarding subscribers that is submitted on applications for certificates will be kept confidential by the Issuing CA and shall not be released without the prior consent of the subscriber, unless otherwise required by law. In addition, personal information submitted to the CA by subscribers must:
• Be made available to the subscriber for individual review following an authenticated request by said subscriber;
• Be subject to correction and/or update by said subscriber;
• Be protected by the CA in such a way as to ensure the integrity of said personal information.
The foregoing shall not apply, however, to information appearing on certificates, or to information regarding subscribers that is obtained by the CA from public sources. Under no circumstances shall the CA, any RA, or any VSP have access to the private keys of any subscriber to whom it issues a certificate that references this Policy.
2.8 Intellectual Property Rights
The Cisco ECC Root CA key pair, certificate, certification practice statement, and this certificate policy are the physical and intellectual property of Cisco Systems, Inc. Cisco retains all Intellectual Property Rights in and to these items. Intellectual Property Rights between Cisco and Benefiting Parties will be governed by this Certificate Trust Agreement.
3 Identification and Authentication
3.1 Initial Registration
Due to the offline nature of the Root CA, and subject to the requirements noted below, certificate applications may only be communicated from the applicant to the CA in person via physical media (such as a floppy disk, CD-ROM or USB storage device).
3.1.1 Types of Names
The subject name used for certificate applicants shall be the subscriber's authenticated common name in the form of an X.500 Distinguished Name.
3.1.2 Name Meanings
The subject name listed in all certificates must have a reasonable association with the authenticated information of the subscriber.
3.1.3 Rules for Interpreting Various Name Forms
No stipulation.
3.1.4 Name Uniqueness
The subject name or a combination of the subject name and other data fields listed in a certificate shall be unambiguous and unique for all certificates issued by the CA. If necessary, additional characters may be appended to the authenticated common name to ensure the name's uniqueness within the domain of certificates issued by the CA.
3.1.5 Verification of Key Pair
The CA shall establish that the applicant is in possession of the private key corresponding to the public key submitted with the application in accordance with an appropriate secure protocol, such as that described in the IETF PKIX Certificate Management Protocol or through other verifiable means.
3.1.6 Subscriber Identification & Authentication (I&A)
A certificate request may only be made by an agent of Cisco Systems Inc. on behalf of a current or proposed subordinate Certificate Authority and for whom the certificate request is attributable for the purposes of accountability and responsibility. For I&A of the requesting agent, the Issuing CA must follow this Policy's requirements, as outlined in section 3.1.7. The applicant is required to provide authentication information and any applicable attributes, public keys and contact information.
3.1.7 Cisco Systems Agent Identification and Authentication (I&A)
The Issuing CA must establish the identity of the agent and authenticate the agent's permission to represent a current or proposed subordinate CA prior to certificate issuance.
In addition, the CA may deliver certificate activation data with respect to such agent by (i) in-person delivery, based on the CA's personal knowledge of the agent or reasonable identification at the time of delivery, or (ii) use of a Shared Secret between the CA and the agent, previously established in connection with the prior identification and ongoing relationship described above.
The CA will ensure that it has collected, reviewed, and kept records of the information regarding the agent's identity that meets the minimum requirements of its Human Resource policy, or other similar procedures, which may include verification of all of the following identification information supplied by the Applicant: (i) photographic identification; (ii) first name, middle initial, and last name; (iii) street address; and (iv) home or work telephone number.
3.2 Renewal Applications
Renewals shall be performed under this Policy by treating all renewal requests as if they were first-time certificate application requests. All Subscriber and Issuing CA obligations stated in this Policy apply to the renewal request. A subscriber will submit the new certificate request to the Issuing CA. The Issuing CA shall issue a new certificate using the newly submitted information and adhering to the I&A policies set forth herein and in the associated CPS.
3.3 Re-Key after Revocation
Revoked or expired certificates shall never be renewed. Applicants that reference this Policy shall be re-authenticated by the CA or RA during the certificate application process, just as with a first-time application.
3.4 Revocation Request
The Issuing CA, when faced with a revocation request, must adopt authentication mechanisms that balance the need to prevent unauthorized requests against the need to quickly revoke the Certificate.
Upon receipt of a revocation request, the identity of the requestor will be authenticated using the same mechanisms.
4 Operational Requirements
4.1 Certificate Application
An applicant for a certificate shall complete a certificate application in a format prescribed by the Issuing CA. All applications are subject to review, approval and acceptance by the Issuing CA. The subscriber certificate application process may only be initiated by agents of Cisco Systems, Inc.
4.2 Certificate Issuance
Upon successful completion of the subscriber I&A process in accordance with this Policy and the CPS, the CA shall issue the requested certificate, notify the applicant thereof, and make the certificate available to the applicant pursuant to a procedure whereby the certificate is initially delivered to, or available for pickup by, the subscriber only.
4.3 Certificate Acceptance
Following issuance of a certificate, the acceptance or rejection of the certificate by the subscriber, in this case the sub-CA, is solely at the discretion of the sub-CA operator, provided the acceptance or rejection is in accordance with procedures established by the Issuing Root CA and/or specified in the CPS.
4.4 Certificate Revocation
4.4.1 Circumstances for Revocation
The issuing CA shall revoke a certificate:
• Upon request of the subscriber;
• Upon failure of the subscriber to meet its material obligations under this Certificate Policy, any applicable CPS, or any other agreement, regulation, or law applicable to the certificate that may be in force;
• If knowledge or reasonable suspicion of compromise is obtained;
• If the CA determines that the certificate was not properly issued in accordance with this Policy and/or any applicable CPS.
In the event that the Issuing CA ceases operations, all certificates issued by the CA shall be revoked prior to the date that the CA ceases operations. The Issuing CA is required to provide subscribers adequate notice to provide them the opportunity to address any business impacting issues.
4.4.1.1 Permissive Revocation
A subscriber may request revocation of its certificate at any time for any reason. The issuing CA may also revoke a certificate upon failure of the subscriber to meet its obligations under this Certificate Policy, the applicable CPS, or any other agreement, regulation, or law applicable to the certificate that may be in force.
4.4.1.2 Required Revocation
A subscriber shall promptly request revocation of a certificate whenever any of the information on the certificate changes or becomes obsolete, or whenever the private key associated with the certificate, or the media holding the private key associated with the certificate, is compromised or is suspected of having been compromised.
4.4.2 Who Can Request Revocation
The only persons permitted to request revocation of a certificate issued pursuant to this Policy are the subscriber and the Issuing CA.
4.4.3 Procedure for Revocation Request
A certificate revocation request should be promptly communicated to the Issuing CA. Due to the offline nature of the root CA, all certificate revocation requests must be communicated to the root CA in person by providing adequate proof of identification in accordance with this Policy.
4.4.3.1 Certificate Status or CRL Update
Promptly following revocation, the CRL or certificate status database, as applicable, shall be updated in accordance with the CPS for that CA. All revocation requests and the resulting actions taken by the CA shall be archived in accordance with the CPS for that CA.
4.4.4 Revocation Request Grace Period
Requests for revocation shall be processed within the timeframe delineated by the CPS for the issuing CA.
4.4.5 Certificate Suspension
The procedures and requirements stated for certificate revocation must also be followed for certificate suspension where implemented.
4.4.6 CRL Issuance Frequency
CRLs will be issued at least annually, even if there are no changes or updates to be made. Upon a new revocation, a new CRL will be issued and published within two hours. The Issuing CA will ensure that superseded CRLs are removed from the CRL Distribution Point location upon posting of the latest CRL.
4.4.7 On-Line Revocation/Status Checking Availability
Whenever an on-line certificate status database is used as an alternative to a CRL, such database shall be updated as soon as is technically possible after revocation or suspension.
4.5 Computer Security Audit Procedures
All significant security events on the Issuing CA system should be automatically recorded in audit trail files. Such files shall be retained for at least six (6) months on site, and thereafter shall be securely archived as per Section 4.6.
4.6 Records Archival
4.6.1 Types of Records Archived
The following data and files must be archived by, or on behalf of, the CA:
• All computer security audit data produced by the Root CA machine;
• All certificate application data;
• All certificates, and all CRLs or certificate status records;
• Key histories;
• All correspondence between the CA, RAs, VSPs, and/or subscribers.
4.6.2 Retention Period for Archive
Archive of the key and certificate information must be retained for at least the lifetime of the CA. Archives of the audit trail files must be retained for at least five (5) years after the lifetime of the CA has ended.
4.6.3 Protection of Archive
The archive media must be protected either by physical security alone, or a combination of physical security and suitable cryptographic protection. It should also be provided adequate protection from environmental threats such as temperature, humidity and magnetism.
4.6.4 Archive Backup Procedures
Adequate backup procedures must be in place so that in the event of the loss or destruction of the primary archives, a complete set of backup copies will be readily available within a short period of time.
4.6.5 Procedures to Obtain and Verify Archive Information
During the compliance audit required by this Policy, the auditor shall verify the integrity of the archives, and if either copy is found to be corrupted or damaged in any way, it shall be replaced with the other copy held in the separate location.
4.7 Key Changeover
Key Changeover is not supported for the Cisco ECC Root CA.
4.8 Compromise and Disaster Recovery
4.8.1 Disaster Recovery Plan
The CA must have in place an appropriate disaster recovery/business resumption plan and must set up and render operational a facility, located in an area that is geographically remote from the primary operational site, that is capable of providing CA Services in accordance with this Policy within seventy-two (72) hours of an unanticipated emergency. Such plan shall include a complete and periodic test of readiness for such facility. Such plan shall be referenced within appropriate documentation available to Benefiting Parties.
4.8.2 Key Compromise Plan
The CA must have in place an appropriate key compromise plan that addresses the procedures that will be followed in the event of a compromise of the private signing key used by the CA to issue certificates. Such plan shall include procedures for revoking any affected certificates and promptly notifying subscribers and Benefiting Parties.
4.9 CA Termination
In the event that the CA ceases operation, the subscribers, RAs, VSPs, and Benefiting Parties will be promptly notified of the termination. In addition, all CAs with which cross-certification agreements are current at the time of cessation will be promptly informed of the termination. All certificates issued by the CA that reference this Policy will be revoked no later than the time of termination. The CA private key will be maintained in its Hardware Security Module (HSM) for 7 years past either termination or expiration of the CA certificate, after which it will be destroyed using the FIPS 140-1 level 3 or higher approved mechanism supplied by the HSM.
5 Physical, Procedural, and Personnel Security Controls
5.1 Physical Security — Access Controls
The CA, all RAs, and VSPs shall implement appropriate physical security controls to restrict access to the hardware and software (including the server, workstations, and any external cryptographic hardware modules or tokens) used in connection with providing CA Services. Access to such hardware and software shall be limited to those personnel performing in a Trusted Role as described in Section 5.2.1. Access shall be controlled through the use of electronic access controls, mechanical combination locksets, or deadbolts. Such access controls must be manually or electronically monitored for unauthorized intrusion at all times.
5.2 Procedural Controls
5.2.1 Trusted Roles
All employees, contractors, and consultants of the Issuing CA (collectively "personnel") that have access to or control over cryptographic operations that may materially affect the CA's issuance, use, suspension, or revocation of certificates, including access to restricted operations of the CA's repository, shall, for purposes of this Policy, be considered as serving in a trusted role. Such personnel include, but are not limited to, system administration personnel, operators, engineering personnel, and executives who are designated to oversee the CA's operations.
5.2.2 Multiple Roles (Number of Persons Required Per Task)
To ensure that one person acting alone cannot circumvent safeguards, responsibilities at a CA server should be shared by multiple roles and individuals. Each account on the CA server shall have capabilities commensurate with the role of the account holder.
The Root CA must ensure that no single individual may gain access to the private key of the Root CA. At a minimum, procedural or operational mechanisms must be in place for key recovery, such as a Split Knowledge Technique, to prevent the disclosure of the Encryption Key to an unauthorized individual. Multi-user control is also required for CA Key generation as outlined in Section 6.2.2. All other duties associated with CA roles may be performed by an individual operating alone. The Issuing CA must ensure that any verification process it employs provides for oversight of all activities performed by privileged CA role holders.
To best ensure the integrity of the Issuing CA equipment and operation, it is recommended that wherever possible a separate individual be identified for each Trusted Role. The separation provides a set of checks and balances over the Issuing CA operation. Under no circumstances will the incumbent of a CA role perform his or her own auditor function.
5.2.3 Identification and Authentication for Each Role
All Issuing CA personnel must have their identity and authorization verified before they are: (i) included in the access list for the Issuing CA site; (ii) included in the access list for physical access to the system; (iii) given a Certificate for the performance of their CA role; or (iv) given an account on the PKI system. Each of these Certificates and/or accounts (with the exception of CA signing Certificates) must: (i) be directly attributable to an individual; and (ii) be restricted to actions authorized for that role through the use of CA software, operating system and procedural controls. When accessed across shared networks, CA operations must be secured, using mechanisms such as token-based strong authentication and encryption.
5.3 Personal Security Controls
5.3.1 Background and Qualifications
CAs, RAs, and VSPs shall formulate and follow personnel and management policies sufficient to provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties in a manner consistent with this Policy.
5.3.2 Background Investigation
CAs shall conduct an appropriate investigation of all personnel who serve in trusted roles (prior to their employment and periodically thereafter as necessary), to verify their trustworthiness and competence in accordance with the requirements of this Policy and the CA's personnel practices or equivalent. All personnel who fail an initial or periodic investigation shall not serve or continue to serve in a trusted role.
5.3.3 Training Requirements
All CA, RA, and VSP personnel must receive proper training in order to perform their duties, and update briefings thereafter as necessary to remain current.
5.3.4 Documentation Supplied to Personnel
All CA, RA, and VSP personnel must be provided with comprehensive user manuals detailing the procedures for certificate creation, update, renewal, suspension, and revocation, and software functionality.
6 Technical Security Controls
6.1 Key Pair Generation and Protection
6.1.1 Key Pair Generation
Key pairs for the Issuing CA, RAs, VSPs, and subscribers must be generated in such a way that the private key is not known by anyone other than the authorized user of the key pair. Acceptable ways of accomplishing this include:
• Having all users (CAs, RAs, VSPs, and subscribers) generate their own keys on a trustworthy system, and not reveal the private keys to anyone else;
• Having keys generated in hardware tokens from which the private key cannot be extracted.
CA and RA keys must be generated in hardware tokens. Key pairs for VSPs and subscribers can be generated in either hardware or software.
6.1.2 Private Key Delivery to Entity
See Section 6.1.1.
6.1.3 Subscriber Public Key Delivery to CA
The subscriber's public key must be transferred to the RA or CA in a way that ensures that (1) it has not been changed during transit; (2) the sender possesses the private key that corresponds to the transferred public key; and (3) the sender of the public key is the legitimate user claimed in the certificate application.
6.1.4 CA Public Key Delivery to Users
The public key of the CA signing key pair may be delivered to subscribers in an on-line transaction in accordance with IETF PKIX Part 3, or via another appropriate mechanism.
6.1.5 Key Sizes
The Cisco ECC Root CA Certificate Authority utilizes a secp384r1 RSA key pair. The CPS must require a minimum of 384-bit key sizes for all subscriber (sub-CA) certificates in order to comply with this Policy.
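As an added example, not taken from the policy or from any Cisco code, the following Go program shows the two registration-side checks the policy calls for before a sub-CA certificate is issued: the proof-of-possession and integrity requirements of sections 3.1.5 and 6.1.3, done here with a PKCS#10 request's self-signature rather than the PKIX CMP exchange the policy cites, and the 384-bit minimum key size of section 6.1.5. The keys, the subject name and the "in-transit" alteration are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// minSubCAKeyBits is the minimum sub-CA key size stated in section 6.1.5.
const minSubCAKeyBits = 384

// checkSubCAKeyPolicy rejects a requested sub-CA key whose curve is shorter than the
// 384-bit minimum; only EC keys are accepted under this ECC root.
func checkSubCAKeyPolicy(pub any) error {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("sub-CA public key is not an EC public key")
	}
	p := ecPub.Curve.Params()
	if p.BitSize < minSubCAKeyBits {
		return fmt.Errorf("curve %s is %d bits; the policy minimum is %d bits", p.Name, p.BitSize, minSubCAKeyBits)
	}
	return nil
}

// verifyProofOfPossession parses a DER-encoded PKCS#10 request and checks that its
// self-signature verifies under the public key it carries: the applicant held the
// matching private key (section 3.1.5) and the request was not altered in transit
// (section 6.1.3, item 1).
func verifyProofOfPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("request does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// screenRequest runs both checks in the order a registration step would.
func screenRequest(csrDER []byte) error {
	csr, err := verifyProofOfPossession(csrDER)
	if err != nil {
		return err
	}
	return checkSubCAKeyPolicy(csr.PublicKey)
}

// makeConstructedCSR builds a request for a hypothetical sub-CA applicant on the named
// curve ("P-256" or "P-384"), standing in for the request that section 3.1 says arrives
// on physical media. The key is constructed for the example.
func makeConstructedCSR(curveName, cn string) ([]byte, error) {
	curve := elliptic.P384()
	if curveName == "P-256" {
		curve = elliptic.P256()
	}
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// tamperInTransit simulates modification on the way to the CA: one byte of the subject
// common name is changed without re-signing, so the signature no longer matches.
func tamperInTransit(csrDER []byte, cn string) []byte {
	out := append([]byte(nil), csrDER...)
	if i := bytes.Index(out, []byte(cn)); i >= 0 {
		out[i] ^= 0x01 // 'E' becomes 'D', still a valid PrintableString so the request still parses
	}
	return out
}

func main() {
	const cn = "Example Sub-CA (constructed)"
	good, _ := makeConstructedCSR("P-384", cn)
	short, _ := makeConstructedCSR("P-256", cn)
	fmt.Println("P-384 request:", screenRequest(good))                        // <nil>
	fmt.Println("P-256 request:", screenRequest(short))                       // key size error
	fmt.Println("altered request:", screenRequest(tamperInTransit(good, cn))) // proof of possession error
}
```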
6.2 CA Private Key Protection
The Issuing CA shall protect its private key(s) using a FIPS 140-1 level 3 or higher compliant hardware based device, in accordance with the provisions of this Policy.
The CA, RAs, and VSPs shall each protect its private key(s) in accordance with the provisions of this Policy.
6.2.1 Standards for Cryptographic Module
The "Cisco ECC Root CA" signing key generation, storage and signing operations shall be performed using a hardware-based c
ryptographic module rated at FIPS 140-1 Level 3 or higher. Subscribers (sub-CAs) shall also use FIPS 140-1 Level 3 or higher approved cryptographic modules.
6.2.2 Private Key Multi-Person Control (M-of-N)
Multi-person control is a security mechanism that requires multiple authorizations for access to the CA Private Signing Key. For example, access to the CA Private Signing Key should require authorization and validation by multiple parties, including CA personnel and separate security officers. This mechanism prevents a single party (CA or otherwise) from gaining access to the CA Private Signing Key.
The Issuing CA's private key must be protected by multi-person control for all functions. The parties used for two-person control will be maintained on a list that will be made available for inspection by the audit personnel identified in section 2.6 above.
6.2.3 Subscriber Private Key Escrow
Subscriber private keys must never be revealed to the Issuing CA and are therefore never escrowed.
6.2.4 Private Key Backup
The private keys for both the Issuing CA and Subscribers (sub-CAs) must be backed up in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.
6.2.5 Private Key Archival
The private keys for both the Issuing CA and Subscribers (sub-CAs) must be archived in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.
6.2.6 Private Key Entry into Cryptographic Module
The private keys for both the Issuing CA and Subscribers (sub-CAs) must be generated/entered into cryptographic modules in accordance with Cisco Systems' "PKI Root Creation and Storage Guidelines" document.
6.2.7 Method of Activating Private Key
The private key of both the Issuing CA and Subscribers (sub-CAs) must be activated by two or more personnel in accordance with the FIPS 140-1 Level 3 or higher standard.
6.2.8 Method of Deactivating Private Key
The private key of both the Issuing CA and Subscribers (sub-CAs) must be activated by two or more personnel in accordance with the FIPS 140-1 Level 3 or higher standard.
6.2.9 Method of Destroying Private Key
Upon expiration or revocation of a certificate, or other termination of use of a private key for creating signatures, all copies of the private key shall be securely destroyed.
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
The public key of the Issuing CA and Subscriber public keys are archived both in the system backups of the offline Root CA, and in the regular backups of the Repository where the digital certificates are published.
6.3.2 Key Replacement
The Issuing CA key pair may be replaced as its certificate expires.
6.3.3 Restrictions on CA's Private Key Use
The CA's signing key used for issuing certificates that conform to this Policy shall be used only for signing certificates and, optionally, CRLs or other validation service responses.
A private key used by an RA or VSP for purposes associated with its RA or VSP function shall not be used for any other purpose without the express permission of the CA.
6.4 Activation Data
There is no activation data needed or required for subscribers of the Cisco ECC Root CA because every subscriber is a subordinate CA and the sub-CA certificates are hand-delivered back to the sub-CA and installed by agents of Cisco Systems, Inc.
6.5 Security Management Controls
6.5.1 Network Security Controls
The Issuing CA (Cisco ECC Root CA) server must be offline at all times. Under no circumstances will the server be networked in any fashion. Any repositories must be protected through application level firewalls (or separate ports of a single firewall) configured to allow only the protocols and commands required for the secure operation of the repository.
6.5.2 Cryptographic Module Engineering Controls
The Issuing CA must only use cryptographic modules that meet the requirements in sections 6.2, 6.2.1, and 6.2.2.
7 Certificates and CRL Profiles
7.1 Certificate Profile
The Cisco ECC Root CA certificate profile is obtainable by downloading the actual Root CA certificate itself from http://www.cisco.com/security/pki/certs/eccroot.cer or through correspondence to the parties listed in section 1.4.
7.2 CRL Profile
CRLs will be issued in the X.509 version 2 format. The public CPS shall identify the CRL extensions supported and the level of support for these extensions.
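As an added example, not from the policy or from Cisco, this Go program builds a constructed P-384 root and sub-CA, issues X.509 v2 CRLs as section 7.2 describes, and performs the status check a Benefiting Party owes before reliance under section 2.1.5: it verifies the CRL signature against the issuing CA, rejects a CRL that is stale or whose validity window is longer than the annual issuance interval of section 4.4.6, and only then looks up the certificate's serial number. The 366-day tolerance, the keys, names and serial numbers are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the outcome of the status check a Benefiting Party owes before reliance (section 2.1.5).
type CertStatus int

const (
	StatusUnknown CertStatus = iota // the CRL could not be trusted: do not rely on the certificate
	StatusGood
	StatusRevoked
)
// maxCRLWindow is the longest thisUpdate-to-nextUpdate span a relying party accepts: the
// "at least annually" rule of section 4.4.6 plus one day of slack assumed for this example.
const maxCRLWindow = 366 * 24 * time.Hour

// checkStatusViaCRL verifies the CRL is signed by the issuing CA, current at time now and
// within the policy's issuance window, and only then looks cert's serial number up in it.
func checkStatusViaCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (CertStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("CRL does not parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is stale or not yet valid: fetch the latest CRL before relying")
	}
	if window := crl.NextUpdate.Sub(crl.ThisUpdate); window > maxCRLWindow {
		return StatusUnknown, fmt.Errorf("CRL window %v is longer than the annual issuance the policy requires", window)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// issueCRL signs an X.509 v2 CRL (section 7.2) with a CRL number, listing the revoked certificates.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64,
	thisUpdate time.Time, window time.Duration, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(window),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// newConstructedCA generates a throwaway P-384 key and CA certificate for cn, signed by parent
// (self-signed when parent is nil). Not Cisco's keys; setup failures are fatal on purpose.
func newConstructedCA(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}
func main() {
	root, rootKey := newConstructedCA(1, "Example ECC Root CA (constructed)", nil, nil)
	sub, _ := newConstructedCA(4242, "Example Sub-CA (constructed)", root, rootKey)
	now, year := time.Now(), 365*24*time.Hour
	annual, _ := issueCRL(root, rootKey, 1, now.Add(-time.Hour), year) // routine annual CRL, nothing revoked
	fmt.Println(checkStatusViaCRL(sub, root, annual, now))              // 1 <nil> (StatusGood)
	fresh, _ := issueCRL(root, rootKey, 2, now.Add(-time.Minute), year, sub) // reissued within two hours of the revocation
	fmt.Println(checkStatusViaCRL(sub, root, fresh, now))               // 2 <nil> (StatusRevoked)
}
```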
8 DefinitionsAffiliatedIndividual-AnaffiliatedindividualisthesubjectofacertificatethatisaffiliatedwithasponsorapprovedbytheCA(suchasanemployeeaffiliatedwithanemployer).Certificatesissuedtoaffiliatedindividualsareintendedtobeassociatedwiththesponsorandtheresponsibilityforauthenticationlieswiththesponsor.
AuthorizedCA-AcertificationauthoritythathasbeenauthorizedbytheCertificatePolicyManagementAuthoritytoissuecertificatesthatreferencethispolicy.
BenefitingParty-Arecipientofadigitallysignedmessagewhoreliesonacertificatetoverifytheintegrityofadigitalsignatureonthemessage(throughtheuseofthepublickeycontainedinthecertificate),andtheidentityoftheindividualthatcreatedsaiddigitalsignature.
CA-CertificationAuthority
Certificate-Arecordthat,ataminimum:(a)identifiesthecertificationauthorityissuingit;(b)namesorotherwiseidentifiesitssubscriber;(c)containsapublickeythatcorrespondstoaprivatekeyunderthesolecontrolofthesubscriber;(d)identifiesitsoperationalperiod;and(e)containsacertificateserialnumberandisdigitallysignedbythecertificationauthorityissuingit.AsusedinthisPolicy,thetermof"Certificate"referstocertificatesthatexpresslyreferencethisPolicyinthe"CertificatePolicies"fieldofanX.509v.3certificate.
CertificateRevocationList(CRL)-Atime-stampedlistofrevokedcertificatesthathasbeendigitallysignedbyacertificationauthority.
CertificationAuthority-Acertificationauthorityisanentitythatisresponsibleforauthorizingandcausingtheissuanceofacertificate.Acertificationauthoritycanperformthefunctionsofaregistrationauthority(RA)andacertificatemanufacturingauthority(CMA),oritcandelegateeitherofthesefunctionstoseparateentities.
A certification authority performs two essential functions. First, it is responsible for identifying and authenticating the intended subscriber to be named in a certificate, and verifying that such subscriber possesses the private key that corresponds to the public key that will be listed in the certificate. Second, the certification authority actually creates (or manufactures) and digitally signs the certificate. The certificate issued by the certification authority then represents that certification authority's statement as to the identity of the person named in the certificate and the binding of that person to a particular public-private key pair.
Certification Practice Statement (CPS) - A "certification practice statement" is a statement of the practices that a certification authority employs in issuing, suspending, and revoking certificates and providing access to same. It is recognized that some certification practice details constitute business sensitive information that may not be publicly available, but which should be provided to certificate management authorities under non-disclosure agreement.
CPS - See Certification Practice Statement.
CRL - See Certificate Revocation List.
FIPS (Federal Information Processing Standards) - These are Federal standards that prescribe specific performance requirements, practices, formats, communications protocols, etc. for hardware, software, data, telecommunications operation, etc. Federal agencies are expected to apply these standards as specified unless a waiver has been granted in accordance with FIPS waiver procedures.
IETF (Internet Engineering Task Force) - The Internet Engineering Task Force is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and the efficient and robust operation of the Internet.
Key Pair - Two mathematically related keys, having the properties that (a) one key can be used to encrypt a message that can only be decrypted using the other key, and (b) even knowing one key, it is computationally infeasible to discover the other key.
Object Identifier - An object identifier is a specially formatted number that is registered with an internationally recognized standards organization.
OID - See Object Identifier.
Operational Period of a Certificate - The operational period of a certificate is the period of its validity. It would typically begin on the date the certificate is issued (or such later date as specified in the certificate), and end on the date and time it expires (as noted in the certificate) unless previously revoked or suspended.
PIN - Personal Identification Number
PKI - Public Key Infrastructure
PKIX - An IETF Working Group developing technical specifications for PKI components based on X.509 Version 3 certificates.
Policy - This Certificate Policy document.
Policy Administering Organization - The entity specified in Section 1.4 and currently envisioned to be known as the Federal Policy Management Authority.
Private Key - The key of a key pair used to create a digital signature. This key must be kept secret, and under the sole control of the individual or entity whose identity is associated with that digital signature.
Public Key - The key of a key pair used to verify a digital signature. The public key is made freely available to anyone who will receive digitally signed messages from the holder of the key pair. The public key is usually provided via delivery of a certificate issued by a certification authority and might also be obtained by accessing a repository. A public key is used to verify the digital signature of a message purportedly sent by the holder of the corresponding private key.
RA - See Registration Authority.
Registration Authority - An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).
Repository - A trustworthy system for storing and retrieving certificates and other information relating to those certificates.
Responsible Individual - A person designated by a sponsor to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor.
Revocation (Revoke) - To prematurely end the operational period of a certificate from a specified time forward.
Sponsor - An organization with which a subscriber is affiliated (e.g., as an employee, user of a service, business partner, customer, etc.).
Subject - A person whose public key is certified in a certificate. Also referred to as a "subscriber".
Subscriber - A subscriber is an entity who: (a) is the subject named or identified in a certificate issued to such person; (b) holds a private key that corresponds to a public key listed in that certificate; and (c) is the entity to whom digitally signed messages verified by reference to such certificate are to be attributed. See "subject."
Suspension (Suspend) - To temporarily halt the operational validity of a certificate for a specified time period or from a specified time forward.
Trustworthy System - Computer hardware, software, and procedures that: (a) are reasonably secure from intrusion and misuse; (b) provide a reasonable level of availability, reliability, and correct operation; (c) are reasonably suited to performing their intended functions; and (d) adhere to generally accepted security procedures.
Valid Certificate / Validity - A certificate is only valid when (a) a certification authority has signed/issued it; (b) the subscriber listed in it has accepted it; (c) it has not yet expired; and (d) it has not been revoked.
Validation Services Provider (VSP) - An entity that maintains a repository accessible to the public (or at least to benefiting parties) for purposes of obtaining copies of certificates, or an entity that provides an alternative method for verifying the status of such certificates.
VSP - See Validation Services Provider.
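As an added illustration (not Cisco's code or part of this policy), the following Go program builds a constructed P-256 root, a subscriber certificate it issued and an X.509 version 2 CRL of the kind section 7.2 describes, then evaluates conditions (a), (c) and (d) of the Valid Certificate definition the way a benefiting party would; condition (b), the subscriber's acceptance, is procedural and cannot be read from the certificate. All names, serial numbers and lifetimes are constructed, and the code assumes Go 1.19 or newer for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validity records conditions (a), (c) and (d) of the policy's "Valid Certificate" definition.
type Validity struct{ SignedByCA, NotExpired, NotRevoked bool }

// CheckValidity evaluates cert against its issuing root and the root's CRL (nil when none is held).
func CheckValidity(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) Validity {
	v := Validity{NotRevoked: true, SignedByCA: cert.CheckSignatureFrom(root) == nil} // (a) signed by the CA
	v.NotExpired = !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)              // (c) operational period
	if crl != nil && crl.CheckSignatureFrom(root) == nil { // honour only a CRL the same CA signed
		for _, e := range crl.RevokedCertificates {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				v.NotRevoked = false // (d) serial is listed on the CRL
			}
		}
	}
	return v
}

// must is a fixture helper; building the constructed sample PKI is not the behaviour being shown.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs (offline, for illustration only) a P-256 root CA, a subscriber certificate
// it issued, and an X.509 v2 CRL signed by the root that revokes that subscriber.
func BuildFixture() (root, leaf *x509.Certificate, crl *x509.RevocationList) {
	rootKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed ECC Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Subscriber"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, rootKey))))
	return
}
```

A CRL that the root did not sign is ignored rather than trusted, so a forged or mismatched CRL cannot mark a certificate as revoked; a missing CRL simply leaves condition (d) unverified.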