PKI Strategy

1. PKI Strategy • PKI Requirements Standard • Based on e-MARC or other Certificate Policy Statements • Specify key aspects that must be met by CA • Cert format (X.509) • Cert types (server, application, signing, “assurance levels”) • CA Root key protection (FIPS level) • Identity proofing scheme • Key length • Key lifetime • Key delivery • CRL frequency • Subject requirements (OU field) • Etc. • Start from Jim Hansen “Requirements”

2. PKI Strategy • CA Self-certification – Legal Document • Certification Checklist • Base of sections of RFC for CPS • Enumerate requirements from standard that must be met in CPS • CA files affidavit with NAESB certifying compliance • CA Declaration/Nomination – Legal Document • Identifies Entity’s CA(s) that will be used • Agrees to abide by CA’s CPS • Attests to implementation of a PKI security program to keep certs secure • Agrees to liability for use of certs issued to end-entity provided relying party performs CRL check, Root CA validation, etc. • End-Entity files affidavit with NAESB certifying compliance

3. PKI Strategy • OASIS Application Security Standard • Must comply with PKI Standard • Must use CA that has executed Self-Certification • Must have filed End-Entity CA Declaration/Nomination • May require two-factor authentication (token, PIN, etc.) • Other? • Tagging Application Security Standard • Etc.