US BANK
ENTERPRISE PUBLIC KEY INFRASTRUCTURE
CERTIFICATE POLICY
June 2012
Version 1.0
Copyright © 2012, Entrust, Inc.
US Bank Enterprise Public Key Infrastructure Certificate Policy
Page - i
Version Control

Version | Revision Date | Revision Description | Revised by
0.1 | May 29, 2012 | Initial release for internal review. | Entrust Managed Service Policy Authority
0.2 | June 11, 2012 | Initial release for review by US Bank. | Entrust Managed Service Policy Authority
Table of Contents

1 Introduction
  1.1 Overview
  1.2 Document Name and Identification
    1.2.1 Policy Object Identifiers
  1.3 PKI Participants
    1.3.1 Certification Authorities
    1.3.2 Registration Authorities
    1.3.3 Subscribers
    1.3.4 Relying Parties
    1.3.5 Other Participants
  1.4 Certificate Usage
    1.4.1 Assurance Levels and Acceptable Use
    1.4.2 Prohibited Certificate Uses
  1.5 Policy Administration
    1.5.1 Organization Responsibilities for this Certificate Policy
    1.5.2 Contact Information
    1.5.3 Person Determining CPS Suitability for The Policy
    1.5.4 Certificate Policy Amendment
  1.6 Definitions and Acronyms
    1.6.1 List of Definitions
    1.6.2 List of Acronyms
2 Publication and Repository Responsibilities
  2.1 Repositories
  2.2 Publication of Certification Information
  2.3 Time or Frequency of Publication
  2.4 Access Controls on Repositories
3 Identification and Authentication
  3.1 Naming
  3.2 Initial Identity Validation
    3.2.1 Method to Prove Possession of Private Key
    3.2.2 Authentication of Organization Identity
    3.2.3 Authentication of Individual Identity
    3.2.4 Non-verified Subscriber Information
    3.2.5 Validation of Authority
    3.2.6 Criteria for Interoperation
  3.3 Identification and Authentication for Re-key Requests
    3.3.1 Identification and Authentication for Routine Re-key
    3.3.2 Identification and Authentication for Re-key after Revocation
  3.4 Identification and Authentication for Revocation Request
4 Certificate Life-Cycle Operational Requirements
  4.1 Certificate Application
    4.1.1 Who Can Submit a Certificate Application
    4.1.2 Enrollment Process and Responsibilities
  4.2 Certificate Application Processing
  4.3 Certificate Issuance
  4.4 Certificate Acceptance
    4.4.1 Conduct Constituting Certificate Acceptance
    4.4.2 Publication of the Certificate by the CA
    4.4.3 Notification of Certificate Issuance by the CA to Other Entities
  4.5 Key Pair and Certificate Usage
  4.6 Certificate Renewal
  4.7 Certificate Re-key
    4.7.1 Circumstance for Certificate Re-key
    4.7.2 Who May Request Certification of a New Public Key
    4.7.3 Processing Certificate Re-keying Requests
    4.7.4 Notification of New Certificate Issuance to Subscriber
    4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
    4.7.6 Publication of the Re-keyed Certificate by the CA
    4.7.7 Notification of Certificate Issuance by the CA to Other Entities
  4.8 Certificate Modification
  4.9 Certificate Revocation and Suspension
    4.9.1 Circumstances for Revocation
    4.9.2 Who Can Request Revocation
    4.9.3 Procedure for Revocation Request
    4.9.4 Revocation Request Grace Period
    4.9.5 Time within which CA Must Process the Revocation Request
    4.9.6 Revocation Checking Requirement for Relying Parties
    4.9.7 CRL Issuance Frequency
    4.9.8 Maximum Latency for CRLs
    4.9.9 On-line Revocation/Status Checking Availability
    4.9.10 On-line Revocation Checking Requirements
    4.9.11 Other Forms of Revocation Advertisements Available
    4.9.12 Special Requirements re: Re-key Compromise
    4.9.13 Circumstances for Suspension
    4.9.14 Who Can Request Suspension
    4.9.15 Procedure for Suspension Request
    4.9.16 Limits on Suspension Period
  4.10 Certificate Status Services
    4.10.1 Operational Characteristics
    4.10.2 Service Availability
    4.10.3 Optional Features
  4.11 End of Subscription
  4.12 Key Escrow and Recovery
    4.12.1 Key Escrow and Recovery Policy and Practices
    4.12.2 Session Key Encapsulation and Recovery Policy and Practices
5 Facility Management, and Operational Controls
  5.1 Physical Controls
  5.2 Procedural Controls
  5.3 Personnel Controls
  5.4 Audit Logging Procedures
  5.5 Records Archival
  5.6 Key Changeover
  5.7 Compromise and Disaster Recovery
  5.8 CA Termination
6 Technical Security Controls
  6.1 Key Pair Generation
    6.1.1 CA Key Pair Generation and Installation
    6.1.2 Key Delivery to Subscriber
    6.1.3 Public Key Delivery to Certificate Issuer
    6.1.4 CA Public Key Delivery to Relying Parties
    6.1.5 Key Sizes
    6.1.6 Public Key Parameters Generation and Quality Checking
    6.1.7 Key Usage Purposes
  6.2 Private Key Protection and Cryptographic Module Engineering Controls
  6.3 Other Aspects of Key Pair Management
    6.3.1 Public Key Archival
    6.3.2 Certificate Operational Periods and Key Pair Usage Periods
  6.4 Activation Data
  6.5 Computer Security Controls
  6.6 Life Cycle Technical Controls
  6.7 Network Security Controls
  6.8 Time-Stamping
7 Certificate, CRL, and OCSP Profiles
  7.1 Certificate Profile
  7.2 CRL Profile
    7.2.1 Version Number
    7.2.2 CRL and CRL Entry Extensions
  7.3 OCSP Profile
    7.3.1 Version Number
    7.3.2 OCSP Extensions
8 Compliance Audit and Other Assessments
  8.1 Frequency or Circumstances of Assessment
  8.2 Identity/Qualifications of Assessor
  8.3 Assessor's Relationship to Assessed Entity
  8.4 Topics Covered by Assessment
  8.5 Actions Taken as a Result of Deficiency
  8.6 Communication of Results
9 Other Business and Legal Matters
1 Introduction
1.1 Overview
This document is referred to as the US Bank Enterprise Public Key Infrastructure (PKI)
Certificate Policy (CP). It describes US Bank’s policies governing the issuance of
digital certificates by the US Bank Root and Issuing Certification Authorities
(collectively referred to as the “US Bank CAs”).
The US Bank Enterprise PKI CP is based on the Entrust Managed Services
Commercial Private CP. Any section listed in this CP but having no contents
means that the corresponding section and subsections of the Entrust Managed Services
(EMS) Commercial Private CP (CCP) apply. In other words, the US Bank PKI CP is
presented as a ‘delta’ document to the EMS CCP.
This document is structured to be fully compliant with IETF RFC 3647;
however, sections are only supplied with text where relevant exceptions or differences
from the EMS CCP exist. Sections without text automatically default to the text
supplied in the EMS CCP.
This CP is applicable to all entities with relationships to the US Bank Enterprise PKI,
including Subscribers, Relying Parties, and Registration Authorities (RAs). This CP
provides those entities with a clear statement of the policies and responsibilities of the US
Bank CAs, as well as the responsibilities of each entity in dealing with the CAs.
This CP consists of policy statements that outline the principles and requirements that
govern the US Bank Enterprise PKI.
A CP specifies “what” requirements will be implemented, while a
corresponding Certification Practices Statement (CPS) describes “how” those
requirements are met for a specific Certificate Authority. This Certificate Policy is
therefore not designed to detail the processes and procedures involved in the
management and governance of the US Bank PKI; that information is contained in the
document US Bank Public Key Infrastructure Certification Practices Statement.
1.2 Document Name and Identification
Document Name: US Bank Enterprise PKI Certificate Policy
Document Version: 0.2 Draft
Document Date: June 11th, 2012
Document Policy Object Identifier: 2.16.840.1.114027.200.3.10.15
(joint-ISO-CCITT(2) countries(16) USA(840) organization(1) entrust(114027)
EMSPKI(200) policy(3) id-emspki-policy(10) id-emspki-USBank(15))
1.2.1 Policy Object Identifiers
Certificates that are issued under this CP will assert one or more of the policy Object
Identifiers (OIDs) listed below, depending upon the type of certificate issued:
Certificate | OID
id-emspki-usbank-basic-policy | 2.16.840.1.114027.200.3.10.15.1
id-emspki-usbank-medium-policy | 2.16.840.1.114027.200.3.10.15.2
id-emspki-usbank-high-policy | 2.16.840.1.114027.200.3.10.15.3
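A relying party that wants to enforce an assurance level has to find these OIDs inside the certificatePolicies extension, where they are DER-encoded rather than written in dotted form. The following Python is an added example, not code from this Certificate Policy, Entrust or US Bank: it implements the standard ASN.1 OBJECT IDENTIFIER encoding rules (ITU-T X.690, section 8.19) with the standard library only, round-trips the three OIDs from the table above, and maps a certificate's asserted policy OIDs to the assurance levels named in this section. The ordering basic < medium < high and the helper names are this example's own.

```python
"""DER encoding and decoding of the policy OIDs in section 1.2.1, plus a
helper that reports which US Bank assurance level(s) a certificate asserts.

Added example: not code from this Certificate Policy, Entrust or US Bank.
The OID values are the three from the table above; the encoding rules are
the standard ASN.1 OBJECT IDENTIFIER rules (ITU-T X.690 section 8.19).
"""
from __future__ import annotations

# Policy OIDs from the section 1.2.1 table, mapped to their assurance level.
USBANK_POLICY_OIDS = {
    "2.16.840.1.114027.200.3.10.15.1": "basic",
    "2.16.840.1.114027.200.3.10.15.2": "medium",
    "2.16.840.1.114027.200.3.10.15.3": "high",
}
ASSURANCE_ORDER = ("basic", "medium", "high")  # lowest to highest (example's own ordering)


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _parse_length(der: bytes, offset: int) -> tuple[int, int]:
    """Return (length, offset of the first content byte)."""
    first = der[offset]
    if first < 0x80:
        return first, offset + 1
    count = first & 0x7F
    if count == 0 or count > 4 or offset + 1 + count > len(der):
        raise ValueError("bad DER length")
    return int.from_bytes(der[offset + 1:offset + 1 + count], "big"), offset + 1 + count


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    # The first two arcs are packed into one subidentifier: 40 * arc0 + arc1.
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    content = bytearray()
    for sub in subids:
        # Base-128 groups, most significant first; high bit set on all but the last.
        groups = [sub & 0x7F]
        sub >>= 7
        while sub:
            groups.append(sub & 0x7F)
            sub >>= 7
        content.extend(g | 0x80 for g in reversed(groups[1:]))
        content.append(groups[0])
    return b"\x06" + _der_length(len(content)) + bytes(content)


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER to dotted form, rejecting malformed input."""
    if not der or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, start = _parse_length(der, 1)
    content = der[start:start + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated or empty OID")
    if content[-1] & 0x80:
        raise ValueError("unterminated subidentifier")
    subids, value = [], 0
    for byte in content:
        if value == 0 and byte == 0x80:
            raise ValueError("non-minimal subidentifier encoding")  # DER forbids a leading 0x80
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    # Unpack the first subidentifier; an arc0 of 2 may carry an arc1 of 40 or more.
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def usbank_assurance_levels(policy_oids) -> list[str]:
    """Assurance levels asserted by a certificate's certificatePolicies OIDs,
    lowest to highest; empty if none of the section 1.2.1 OIDs is present."""
    found = {USBANK_POLICY_OIDS[o] for o in policy_oids if o in USBANK_POLICY_OIDS}
    return [level for level in ASSURANCE_ORDER if level in found]


if __name__ == "__main__":
    for oid, level in USBANK_POLICY_OIDS.items():
        print(level, oid, encode_oid(oid).hex())
```

In a real validator the dotted strings passed to `usbank_assurance_levels` come from decoding each PolicyInformation entry of the certificatePolicies extension with `decode_oid`; a certificate that asserts none of the three OIDs is simply not covered by this CP, and the relying party should treat it as such rather than fall back to a default level.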
1.3 PKI Participants
1.3.1 Certification Authorities
The US Bank Enterprise PKI is comprised of two Certification Authorities, as follows:
- The US Bank Root CA, which shall issue certificates only to subordinate CAs. Its
purpose is to provide an anchor of trust within US Bank. The US Bank Root CA
shall be subject to the stipulations of the EMS CCP for the Commercial Private
Root CA, except where otherwise noted in this CP.
- The US Bank Issuing CA, which shall issue certificates to US Bank internal web sites,
internal users, business partners, customers, devices and applications. It shall not
issue certificates to subordinate Certification Authorities or perform cross-
certifications with other Certification Authorities. The US Bank Issuing CA shall
be subject to the stipulations of the EMS CCP for the Commercial Private SSP
CA, except where otherwise noted in this CP.
The US Bank CAs shall be operated as Entrust Managed Service Customer Dedicated
CAs. They shall not be subordinate to any of the Entrust Managed Service Root CAs.
Where necessary, the US Bank Enterprise PKI CP distinguishes the different users and
roles accessing the CA functions. Where this distinction is not required, the term
Certification Authority is used to refer to the total CA entity, including the hardware,
software, personnel, processes, and its operations.
1.3.2 Registration Authorities
A Registration Authority (RA) shall be designated as an individual, organization or entity
responsible for verifying the identity of a Subscriber. When required, the RA shall verify
a Subscriber’s authority to act on behalf of a client organization. Client organizations
include US Bank business units/departments and third party Business Partners. RAs shall
be formally nominated by the Management of the US Bank PKI.
1.3.2.1 Local Registration Authorities
Local RAs (LRAs) are US Bank staff appointed by the RA. They are responsible for the
identification and authentication of End Entities in accordance with this CP.
1.3.3 Subscribers
A Subscriber shall be the recipient of a public key certificate issued by the US Bank
Issuing CA. Subscribers may include US Bank internal employees and contractors,
Business Partners, customers or affiliated third party entities. With respect to the usage
of US Bank Enterprise PKI certificates, subscribing entities shall be limited to:
(1) US Bank full-time or part-time employees, contractors and temporaries;
(2) US Bank customer full-time or part-time employees, contractors and temporaries;
(3) Other individuals with whom US Bank has a business relationship;
(4) External cross-certified Certification Authorities; and
(5) Services on digital processing entities, property of US Bank, or used for activities in
which US Bank is involved.
By virtue of certificate subscription, the Subscriber agrees to adhere to this Certificate
Policy and all other applicable laws and regulations that govern the use of digital
certificates. The Subscriber shall also agree to provide true information to the best of
one’s knowledge at the time of certificate application. Should information provided by
the Subscriber or contained in the Subscriber certificate appear to be false or misleading,
the Subscriber shall notify the Contact Person listed in section 1.5.2 of this Certificate
Policy.
1.3.4 Relying Parties
With respect to certificates issued under this CP, a Relying Party is as follows:
- An individual, entity or organization internal or external to US Bank that relies on
a certificate issued by the US Bank Issuing CA; and
- All Subscribers of the US Bank Enterprise PKI, who are themselves Relying Parties.
Individuals or organizations other than those listed above shall not be entitled to rely
upon certificates issued by the US Bank Enterprise PKI, and any such reliance is done at
their own risk. US Bank disclaims any and all liability that may arise out of any such
reliance.
Relying Parties shall be responsible for checking certificate expiration and revocation
status for verifying the validity of US Bank Enterprise PKI issued certificates. Relying
Parties shall agree to use these certificates in a manner consistent with the policies set
forth in this CP.
1.3.5 Other Participants
Other participants of the US Bank PKI shall include:

Participant | Role
Management of the US Bank Enterprise PKI | The Management of the US Bank Enterprise PKI shall consist of one or more US Bank organizational units responsible for ensuring that the US Bank CAs operate as stated in the US Bank Enterprise PKI Certification Practice Statement.
Entrust Managed Service Policy Authority (EMS PA) | The Entrust Managed Service Policy Authority shall be the custodian of this CP and shall be responsible for the administration of this CP, including the approval of policy changes.
Support Services | Support Services shall include other US Bank departmental groups or third parties under contract to US Bank that support the US Bank Enterprise PKI.
1.4 Certificate Usage
1.4.1 Assurance Levels and Acceptable Use
1.4.2 Prohibited Certificate Uses
In general terms, applications for which US Bank Enterprise PKI issued public key
certificates are prohibited are those where:
- Business activities are conducted, other than for US Bank or a US Bank sponsored
Business Partner or third party;
- Usage contravenes the US Bank Enterprise PKI Policy and other governing US
Bank policies or this CP; or
- Usage contravenes relevant law.
1.5 Policy Administration
1.5.1 Organization Responsibilities for this Certificate Policy
1.5.2 Contact Information
1.5.3 Person Determining CPS Suitability for The Policy
1.5.4 Certificate Policy Amendment
1.6 Definitions and Acronyms
1.6.1 List of Definitions
In addition to the definitions in the EMS CCP, the following are defined:
Client Organization: An organization within US Bank or an affiliate third party that is a
client, either Relying Party or Subscriber, of the US Bank PKI.
Cross-certificate: A certificate issued by a Certification Authority to establish a trust
relationship between it and another Certification Authority.
US Bank Business Partner: A US Bank PKI subscriber who is issued a certificate through a
Trusted Agent requesting a certificate on their behalf. A Business Partner will typically be
performing operations functions (e.g., administration of a web site) on behalf of US Bank.
US Bank Trusted Agent: Employees of US Bank’s clients appointed by LRAs. Trusted Agents
are responsible for the identification and authentication of End Entities within the client’s
domain in accordance with the CP. A contact at a client site can be appointed to act as a
Trusted Agent and authenticate users (examples are client, vendor and third-party
employees) to help simplify the registration process.
Enrollment: A process by which an individual or an organization registers to receive a
certificate and/or cryptographic keys for use within the US Bank PKI.
Entity: Any autonomous element within the PKI. This may be a CA, a trusted role within a
CA, an RA or an End Entity.
Non-repudiation: Non-repudiation means sufficient evidence to persuade an adjudicator as
to the origin and data integrity of digitally signed data, despite an attempted denial by the
purported sender. Digital signatures on electronic transactions provide evidentiary support
for non-repudiation.
PKI Policy Authority: The Authority responsible for the maintenance of the CP and CPS.
PKI Administrator: An individual who is responsible for the management of the Subscriber
initialization process; the creation, renewal or revocation of certificates; and the
distribution of tokens (where applicable).
1.6.2 List of Acronyms
In addition to the acronyms in the EMS CCP, the following are defined:
CDP CRL Distribution Point
CN Common Name
CSA Certificate Subscriber Agreement
FQDN Fully Qualified Domain Name
HA High Availability
HTTP Hyper Text Transfer Protocol
HTTPS HTTP over SSL
HSM Hardware Security Module
IDS Intrusion Detection System
LAN Local Area Network
NIPS Network Intrusion Prevention System
RSA Rivest-Shamir-Adleman
SAN Storage Area Network
SSL Secure Sockets Layer
UPS Uninterruptible Power Supply
URI Uniform Resource Identifier
2 Publication and Repository Responsibilities
2.1 Repositories
The US Bank PKI data shall be published to the following LDAP Directories:
- Entrust MSO MDSA servers. The US Bank CAs shall write the CA certificates,
policy certificates, Entrust MSO PKI administrator certificates and CRLs to the
Entrust MDSA servers.
- Entrust SDSA servers. The US Bank CA data written to the Entrust MSO MDSA
servers shall be replicated to the Entrust MSO SDSA servers. The Entrust MSO
SDSA servers shall be available to PKI Subscribers and Relying Parties
connecting from the public Internet.
- US Bank MDSA and SDSA servers. The US Bank PKI data written to the Entrust
MSO MDSA shall be replicated to the US Bank LDAP servers.
The US Bank CA certificates and CRLs shall be published on a Web server hosted on the
US Bank network. This Web server shall be available from the public Internet and the US
Bank corporate network.
Relying Parties shall access US Bank PKI CRLs published on the CRL Distribution
Point (CDP) hosted on the Entrust MSO SDSA LDAP Directory, on the US Bank LDAP
servers and on HTTP://crl.usbank.com/CRLs/, which shall be accessible on the public
Internet. These CRLs shall be available 24/7 under normal conditions.
2.2 Publication of Certification Information
This CP shall also be publicly accessible at the following location:
HTTP://crl.usbank.com/CP/USBankCP.pdf
Business Partners and relying third parties shall be entitled to obtain a copy of the
Certificate Policy. They may do so by submitting a written request to US Bank. By
default, US Bank will not hand out its Certification Practice Statement to external
entities. Exceptions will require approval from the EMS PA.
2.3 Time or Frequency of Publication
The US Bank Root and Issuing CAs shall publish certificate and CRL information to the
Repository within one hour of generation.
The US Bank Root CA shall issue CRLs to the Repositories at least once per year, or
more frequently if needed.
The US Bank Issuing CA shall issue CRLs to the Repositories at least every 8 hours, each
with a 72-hour lifetime, or more frequently if needed.
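The CRL timing stated here (Issuing CA CRLs at least every 8 hours with a 72-hour lifetime, Root CA CRLs at least once per year) together with the relying-party duties in section 1.3.4 (check expiration and revocation status) can be expressed as a concrete acceptance check. The following Python is an added example, not code from this Certificate Policy, Entrust or US Bank, and it serves both passages. The CRL fields, serial numbers and issuer names are constructed samples; the 5-minute clock-skew allowance and the 366-day Root CA lifetime bound are this example's assumptions; a real validator would populate CrlInfo from a parsed, signature-verified X.509 CRL fetched from the CDP in section 2.1.

```python
"""Relying-party freshness and revocation check built on the CRL timing in
section 2.3 and the relying-party duties in section 1.3.4.

Added example: not code from this Certificate Policy, Entrust or US Bank.
Timestamps, serial numbers and issuer names below are constructed samples;
the clock-skew allowance and the Root CA lifetime bound are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Parameters stated in section 2.3.
ISSUING_CA_MAX_CRL_LIFETIME = timedelta(hours=72)
ISSUING_CA_CRL_INTERVAL = timedelta(hours=8)
# "At least once per year": 366 days leaves room for a leap year (assumption).
ROOT_CA_MAX_CRL_LIFETIME = timedelta(days=366)
# Tolerance for clock differences between CA and relying party (assumption).
CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class CrlInfo:
    """The CRL fields a relying party needs; a real implementation fills these
    from a parsed and signature-verified X.509 CRL."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset[int]
    from_root_ca: bool = False


def check_crl(crl: CrlInfo, now: datetime) -> list[str]:
    """Return the policy problems found with a CRL; an empty list means usable."""
    problems = []
    max_lifetime = ROOT_CA_MAX_CRL_LIFETIME if crl.from_root_ca else ISSUING_CA_MAX_CRL_LIFETIME
    lifetime = crl.next_update - crl.this_update
    if lifetime <= timedelta(0):
        problems.append("nextUpdate is not after thisUpdate")
    elif lifetime > max_lifetime:
        problems.append(f"CRL lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if crl.this_update > now + CLOCK_SKEW:
        problems.append("thisUpdate is in the future")
    if crl.next_update < now - CLOCK_SKEW:
        problems.append("CRL has expired; fetch a fresh one before relying on it")
    return problems


def issuing_crl_is_stale(crl: CrlInfo, now: datetime) -> bool:
    """True when the Issuing CA should already have published a newer CRL
    (at least every 8 hours) even though this one has not yet expired, so a
    relying party can refresh early instead of waiting for nextUpdate."""
    return not crl.from_root_ca and now - crl.this_update > ISSUING_CA_CRL_INTERVAL


def certificate_status(serial: int, crl: CrlInfo, now: datetime) -> str:
    """'revoked', 'good' or 'unknown'. An unusable CRL yields 'unknown' and is
    never treated as 'good': a missing or stale CRL must fail closed."""
    if check_crl(crl, now):
        return "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"


def relying_party_decision(not_before: datetime, not_after: datetime,
                           serial: int, crl: CrlInfo, now: datetime) -> str:
    """The two checks section 1.3.4 requires: validity period, then revocation.
    Returns 'not-yet-valid', 'expired', 'revoked', 'status-unknown' or 'accept'."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    status = certificate_status(serial, crl, now)
    return {"good": "accept", "revoked": "revoked", "unknown": "status-unknown"}[status]


# Constructed sample data (not real US Bank CRL contents).
SAMPLE_NOW = datetime(2012, 6, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CrlInfo(
    issuer="CN=Sample Issuing CA",
    this_update=SAMPLE_NOW - timedelta(hours=2),
    next_update=SAMPLE_NOW + timedelta(hours=70),   # 72-hour lifetime, as the policy allows
    revoked_serials=frozenset({0x1001, 0x1005}),
)
# A CRL whose validity window is longer than the 72 hours the policy permits.
OVERLONG_CRL = CrlInfo(
    issuer="CN=Sample Issuing CA",
    this_update=SAMPLE_NOW - timedelta(hours=2),
    next_update=SAMPLE_NOW + timedelta(hours=94),
    revoked_serials=frozenset(),
)
SAMPLE_NOT_BEFORE = datetime(2012, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2013, 1, 1, tzinfo=timezone.utc)


def hours_after(n: int) -> datetime:
    """Sample clock reading n hours after SAMPLE_NOW."""
    return SAMPLE_NOW + timedelta(hours=n)


if __name__ == "__main__":
    for serial in (0x1001, 0x1002):
        print(hex(serial), relying_party_decision(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER,
                                                  serial, SAMPLE_CRL, SAMPLE_NOW))
    print("overlong CRL:", check_crl(OVERLONG_CRL, SAMPLE_NOW))
```

The design point worth noting is the `unknown` outcome: when the only CRL at hand is expired, not yet valid, or has a validity window the policy does not allow, the relying party gets no revocation information and must not default to "good". The `issuing_crl_is_stale` helper is separate from validity because an 8-hour-old CRL is still acceptable under the 72-hour lifetime, but the policy guarantees a newer one exists.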
2.4 Access Controls on Repositories
3 Identification and Authentication
3.1 Naming
3.2 Initial Identity Validation
3.2.1 Method to Prove Possession of Private Key
3.2.2 Authentication of Organization Identity
3.2.3 Authentication of Individual Identity
3.2.3.1 Applicants for Basic Assurance Certificates
3.2.3.2 Applicants for Medium Assurance Certificates
3.2.3.3 Applicants for High Assurance Certificates
3.2.3.4 Applicants for Group or Role Certificates
3.2.4 Non-verified Subscriber Information
3.2.5 Validation of Authority
3.2.6 Criteria for Interoperation
The US Bank Issuing CA shall interoperate only with the US Bank Root CA.
Interoperation with other Certification Authorities shall be provided through the US Bank
Root CA. The EMS PA shall determine the interoperability criteria for the CAs operating
under the US Bank PKI.
3.3 Identification and Authentication for Re-key Requests
3.3.1 Identification and Authentication for Routine Re-key
3.3.2 Identification and Authentication for Re-key after Revocation
3.4 Identification and Authentication for Revocation Request
4 Certificate Life-Cycle Operational Requirements
4.1 Certificate Application
4.1.1 Who Can Submit a Certificate Application
4.1.1.1 CA Certificates
4.1.1.2 User Certificates
4.1.1.3 Device Certificates
An application for a device certificate shall be submitted by either the human sponsor
(i.e. Designated Certificate Holder) or by the device itself upon positive authentication
and authorization of the device by an RA application against an approved data source
(e.g. Windows Domain Controller).
4.1.2 Enrollment Process and Responsibilities
4.2 Certificate Application Processing
4.3 Certificate Issuance
4.4 Certificate Acceptance
4.4.1 Conduct Constituting Certificate Acceptance
4.4.2 Publication of the Certificate by the CA
The US Bank CAs shall publish certificates to the US Bank PKI Repository (see section
2.1).
4.4.3 Notification of Certificate Issuance by the CA to Other Entities
The US Bank CAs shall not notify entities, other than the above mentioned Repository, of
certificate issuance.
4.5 Key Pair and Certificate Usage
4.6 Certificate Renewal
4.7 Certificate Re-key
4.7.1 Circumstance for Certificate Re-key
The US Bank Root CA shall permit certificate re-key under the following conditions:
Current certificate is in the process of expiring.
The US Bank Issuing CA shall permit certificate re-key under the following conditions:
Current certificate has expired or is in the process of expiring;
Current certificate is allowed re-instantiation after revocation;
Current certificate private key has been compromised;
Current certificate private key has been lost or is irrecoverable; or
Current certificate requires an update or modification of information.
4.7.2 Who May Request Certification of a New Public Key
4.7.3 Processing Certificate Re-keying Requests
4.7.4 Notification of New Certificate Issuance to Subscriber
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
4.7.6 Publication of the Re-keyed Certificate by the CA
See Section 4.4.2.
4.7.7 Notification of Certificate Issuance by the CA to Other Entities
The US Bank CAs shall not notify entities, other than the above mentioned Repository, of
certificate re-key.
4.8 Certificate Modification
See Section 4.7 and subsections thereof.
4.9 Certificate Revocation and Suspension
4.9.1 Circumstances for Revocation
4.9.2 Who Can Request Revocation
4.9.3 Procedure for Revocation Request
4.9.4 Revocation Request Grace Period
Subscribers shall place a revocation request within four (4) hours of the time of discovery
of a key compromise or certificate usage abuse. For other reasons leading to the need
for revocation, the certificate revocation request shall be placed within 24 hours.
4.9.5 Time within which CA Must Process the Revocation Request
4.9.6 Revocation Checking Requirement for Relying Parties
Relying Parties shall perform revocation checking through the access of US Bank
published CRLs, which shall be made accessible as described in section 2.1.
4.9.7 CRL Issuance Frequency
See section 2.3.
4.9.8 Maximum Latency for CRLs
4.9.9 On-line Revocation/Status Checking Availability
4.9.10 On-line Revocation Checking Requirements
4.9.11 Other Forms of Revocation Advertisements Available
4.9.12 Special Requirements re: Re-key Compromise
4.9.13 Circumstances for Suspension
4.9.14 Who Can Request Suspension
4.9.15 Procedure for Suspension Request
4.9.16 Limits on Suspension Period
4.10 Certificate Status Services
4.10.1 Operational Characteristics
4.10.2 Service Availability
4.10.3 Optional Features
4.11 End of Subscription
4.12 Key Escrow and Recovery
4.12.1 Key Escrow and Recovery Policy and Practices
4.12.2 Session Key Encapsulation and Recovery Policy and Practices
5 Facility, Management, and Operational Controls
The US Bank CAs shall be operated under the controls stipulated in the EMS CCP.
5.1 Physical Controls
5.2 Procedural Controls
5.3 Personnel Controls
5.4 Audit Logging Procedures
5.5 Records Archival
5.6 Key Changeover
5.7 Compromise and Disaster Recovery
5.8 CA Termination
The EMS PA shall designate a US Bank entity as the custodian of all US Bank PKI
archived data in the event of termination.
6 Technical Security Controls
6.1 Key Pair Generation
6.1.1 CA Key Pair Generation and Installation
6.1.2 Key Delivery to Subscriber
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Relying Parties
6.1.5 Key Sizes
US Bank CA and RA certificate key-pairs shall use 2048-bit RSA keys.
Subscriber certificate key-pairs shall use 2048-bit RSA keys.
Hashing algorithms used to generate signatures on certificates and CRLs shall be SHA-256.
End-entity certificates issued under this policy shall contain RSA public keys that are at
least RSA 2048 in length.
Use of TLS or another protocol providing similar security to accomplish any of the
requirements of this CP shall require at a minimum triple-DES or equivalent for the
symmetric key, and at least 2048-bit RSA keys.
6.1.6 Public Key Parameters Generation and Quality Checking
6.1.7 Key Usage Purposes
6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
The key-pair for a certificate issued by the US Bank PKI shall only be valid during the
operational lifetime of the certificate.
Certificates shall be issued with the following maximum lifetimes:
In line with NIST 800-57 Part 1 Rev 3, US Bank CA signing certificates with
2048-bit RSA keys shall have a lifetime that will not exceed December 2030.
RA and Subscriber signing certificates issued with 2048-bit RSA keys shall have
a maximum lifetime of three (3) years after the date of issuance.
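As an added example (not code from the CP, US Bank or Entrust), the key-size and lifetime rules of sections 6.1.5 and 6.3.2 expressed as a check a PKI operator could run over certificate metadata. The CertSummary fields, the "ca"/"subscriber" labels and the sample dates are constructed assumptions, and "December 2030" is read as the end of that month.

```python
"""Added example: check a certificate summary against the key-size and lifetime rules of
sections 6.1.5 and 6.3.2 (not code from the CP, US Bank or Entrust)."""
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_RSA_BITS = 2048          # 6.1.5: CA, RA and Subscriber key pairs
REQUIRED_HASH = "sha256"     # 6.1.5: signatures on certificates and CRLs
SUBSCRIBER_MAX_YEARS = 3     # 6.3.2: RA and Subscriber signing certificates
# 6.3.2 (NIST 800-57 Part 1 Rev 3): CA signing certificates with 2048-bit RSA keys end by December 2030.
CA_KEY_SUNSET = datetime(2030, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

@dataclass
class CertSummary:  # constructed stand-in for the fields a parser would extract from an X.509 certificate
    kind: str                 # "ca" or "subscriber" (RA certificates follow the subscriber rule)
    rsa_bits: int
    hash_algorithm: str       # e.g. "sha256" or "SHA-256"
    not_before: datetime
    not_after: datetime

def max_not_after(kind, not_before):
    """Latest notAfter the CP permits for a certificate of this kind issued at not_before."""
    if kind == "ca":
        return CA_KEY_SUNSET
    try:
        return not_before.replace(year=not_before.year + SUBSCRIBER_MAX_YEARS)
    except ValueError:        # issued on 29 February: no such day three years later
        return not_before.replace(year=not_before.year + SUBSCRIBER_MAX_YEARS, day=28)

def check_certificate(cert):
    """Return the list of policy violations; an empty list means the certificate conforms."""
    problems = []
    if cert.rsa_bits < MIN_RSA_BITS:
        problems.append(f"RSA key is {cert.rsa_bits} bits; policy requires at least {MIN_RSA_BITS}")
    if cert.hash_algorithm.lower().replace("-", "") != REQUIRED_HASH:
        problems.append(f"signature hash is {cert.hash_algorithm}; policy requires SHA-256")
    limit = max_not_after(cert.kind, cert.not_before)
    if cert.not_after > limit:
        problems.append(f"notAfter {cert.not_after:%Y-%m-%d} exceeds the policy limit {limit:%Y-%m-%d}")
    return problems

# Constructed sample certificates, not real US Bank certificates.
SAMPLE_ISSUED = datetime(2012, 6, 15, tzinfo=timezone.utc)
SAMPLE_LEAP_ISSUED = datetime(2012, 2, 29, tzinfo=timezone.utc)
SAMPLE_OK = CertSummary("subscriber", 2048, "SHA-256", SAMPLE_ISSUED, datetime(2015, 6, 15, tzinfo=timezone.utc))
SAMPLE_BAD = CertSummary("subscriber", 1024, "sha1", SAMPLE_ISSUED, datetime(2017, 6, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, cert in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_certificate(cert) or "conforms")
```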
6.4 Activation Data
6.5 Computer Security Controls
6.6 Life Cycle Technical Controls
6.7 Network Security Controls
6.8 Time-stamping
7 Certificate, CRL, and OCSP Profiles
7.1 Certificate Profile
Certificate profiles are defined in the US Bank Architecture Document.
7.2 CRL Profile
The US Bank CAs shall issue all Certificate Revocation Lists in the X.509 Version 2 CRL
format. CRL fields supported by US Bank CAs shall abide by the following requirements:
CRL Field     Requirements
Version       Version 2
Signature     The signature algorithm shall use RSA with SHA-256.
Issuer        US Bank Root CA Distinguished Name:
              {cn=US Bank Root CA, ou=Certification Authorities, o=U.S. Bank, National Association, c=US}
              US Bank Issuing CA Distinguished Name:
              {cn=US Bank Issuing CA, ou=Certification Authorities, o=U.S. Bank, National Association, c=US}
This Update   The effective date shall indicate the CRL's time of issuance.
Next Update   The next update date shall indicate the next expected CRL update, which shall be
              approximately 24 hours after the time of the last CRL issuance for the CRL produced
              by the Issuing CA and 1 year for the CRL produced by the Root CA.
Extensions    Refer to section 7.2.2 below.
7.2.1 Version Number
The US Bank CAs shall only issue CRLs in the X.509 Version 2 format.
7.2.2 CRL and CRL Entry Extensions
The US Bank CAs shall use the following X.509 CRL extensions and entry extensions:
CRL Extension               Criticality
CRL Number                  Non Critical
Authority Key Identifier    Non Critical
Issuing Distribution Point  Critical

CRL Entry Extension         Criticality
Reason Code                 Non Critical
Invalidity Date             Non Critical
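As an added example that is not part of the CP or of Entrust's code, the relying-party checks implied by sections 2.3, 4.9.6, 7.2 and 7.2.2: profile conformance, and a freshness rule keyed to the 8-hour issuance cadence rather than to nextUpdate. The CrlSummary fields, the OpenSSL-style extension and algorithm names, and the sample timestamps are constructed assumptions; nextUpdate is taken from the CRL itself.

```python
"""Added example: relying-party checks on a CRL under this CP, covering the issuance cadence
of section 2.3 and the CRL profile of sections 7.2 and 7.2.2 (not code from the CP or Entrust)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ISSUING_CA_DN = "cn=US Bank Issuing CA, ou=Certification Authorities, o=U.S. Bank, National Association, c=US"
ISSUING_CA_INTERVAL = timedelta(hours=8)         # 2.3: the Issuing CA publishes a CRL at least every 8 hours
REQUIRED_SIGNATURE = "sha256WithRSAEncryption"   # 7.2: CRL signatures use RSA with SHA-256
CRL_EXTENSIONS = {"cRLNumber": False, "authorityKeyIdentifier": False, "issuingDistributionPoint": True}  # 7.2.2
ENTRY_EXTENSIONS = {"cRLReason": False, "invalidityDate": False}  # 7.2.2: name -> required criticality

@dataclass
class CrlSummary:  # constructed stand-in for the fields a parser would extract from a CRL
    issuer: str
    signature_algorithm: str
    this_update: datetime
    next_update: datetime
    extensions: dict                      # extension name -> critical flag
    entry_extensions: dict = field(default_factory=dict)

def check_crl_profile(crl, expected_issuer=ISSUING_CA_DN):
    """Return the deviations from the section 7.2 / 7.2.2 profile; an empty list means conformant."""
    problems = []
    if crl.issuer != expected_issuer:
        problems.append("issuer DN does not match the expected CA")
    if crl.signature_algorithm != REQUIRED_SIGNATURE:
        problems.append(f"signature algorithm {crl.signature_algorithm} is not RSA with SHA-256")
    for name, critical in CRL_EXTENSIONS.items():      # .get() also catches a missing extension
        if crl.extensions.get(name) != critical:
            problems.append(f"{name} must be present with critical={critical}")
    for name, critical in crl.entry_extensions.items():
        if ENTRY_EXTENSIONS.get(name) != critical:
            problems.append(f"entry extension {name} with critical={critical} is not in the profile")
    return problems

def crl_status(crl, now, issuance_interval=ISSUING_CA_INTERVAL):
    """'expired' outside [thisUpdate, nextUpdate), 'stale' once older than one issuance interval, else
    'fresh'. With a 72-hour lifetime but an 8-hour cadence (2.3), refetch on 'stale', not at nextUpdate."""
    if not crl.this_update <= now < crl.next_update:
        return "expired"
    if now - crl.this_update > issuance_interval:
        return "stale"
    return "fresh"

SAMPLE_ISSUED = datetime(2012, 6, 15, 8, 0, tzinfo=timezone.utc)     # constructed timestamp
def hours_after(hours):
    return SAMPLE_ISSUED + timedelta(hours=hours)
# Constructed CRL summaries: one matching the profile, one with a SHA-1 signature and a non-critical IDP.
SAMPLE_CRL = CrlSummary(ISSUING_CA_DN, REQUIRED_SIGNATURE, SAMPLE_ISSUED, hours_after(24), dict(CRL_EXTENSIONS), {"cRLReason": False})
SAMPLE_BAD_CRL = CrlSummary(ISSUING_CA_DN, "sha1WithRSAEncryption", SAMPLE_ISSUED, hours_after(24), {**CRL_EXTENSIONS, "issuingDistributionPoint": False})
```

A relying party that caches CRLs should treat "stale" as a trigger to refetch from the Repository, so a revocation placed within the four-hour grace period of section 4.9.4 is seen on the next eight-hour cycle rather than at the CRL's expiry.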
7.3 OCSP Profile
7.3.1 Version Number
The US Bank PKI does not use OCSP.
7.3.2 OCSP Extensions
The US Bank PKI does not use OCSP.
8 Compliance Audit and Other Assessments
Audit of the US Bank PKI shall be subject to the audit requirements stated in the EMS
CCP.
8.1 Frequency or Circumstances of Assessment
8.2 Identity/Qualifications of Assessor
8.3 Assessor’s Relationship to Assessed Entity
8.4 Topics Covered by Assessment
8.5 Actions Taken as a Result of Deficiency
8.6 Communication of Results
The results of US Bank PKI compliance audits shall be classified as confidential and
communicated by the audit entity to the EMS PA. The EMS PA shall determine whether
or not further communications of the audit results are necessary.
9 Other Business and Legal Matters