Miele PKI Certification Practice Statement (CPS)


Table of contents

Document control . 7
Basic Description . 7
Version History . 7
Document Review and Signoff . 7
Related Documents . 8
1. Introduction . 9
1.1. Overview . 10
1.2. Document Name and Identification . 12
1.3. Policy Administration . 13
1.3.1. Organization administering the document . 13
1.3.2. Contact person . 13
1.3.3. Person determining suitability for the policy . 13
1.3.4. Approval procedures . 13
1.4. Definitions and Acronyms . 13
2. Management, Operational and Physical Controls . 15
2.1. Physical Security Controls . 15
2.1.1. Site location and construction . 15
2.1.2. Physical access . 15
2.1.3. Power and air conditioning . 15
2.1.4. Water exposures . 15
2.1.5. Fire prevention and protection . 15
2.1.6. Media storage . 15
2.1.7. Waste disposal . 15
2.1.8. Off-site backup . 15
2.2. Procedural Controls . 16
2.2.1. Trusted roles . 16
2.2.2. Number of persons required per task . 16
2.2.3. Identification and authentication for each role . 16
2.2.4. Roles requiring separation of duties . 16
2.3. Personnel Security Controls . 16
2.3.1. Qualifications, experience, and clearance requirements . 16
2.3.2. Background check procedures . 16
2.3.3. Training requirements . 17
2.3.4. Retraining frequency and requirements . 17
2.3.5. Job rotation frequency and sequence . 17
2.3.6. Sanctions for unauthorized actions . 17
2.3.7. Independent contractor requirements . 17
2.3.8. Documentation supplied to personnel . 17
2.4. Audit Logging Procedures . 17
2.4.1. Types of events recorded . 17
2.4.2. Frequency of processing log . 17
2.4.3. Retention period for audit log . 17
2.4.4. Protection of audit log . 17
2.4.5. Audit log backup procedures . 17
2.4.6. Audit collection system (internal vs. external) . 18
2.4.7. Notification to event-causing subject . 18
2.4.8. Vulnerability assessments . 18
2.5. Records Archival . 18
2.5.1. Types of records archived . 18
2.5.2. Retention period for archive . 18
2.5.3. Protection of archive . 18
2.5.4. Archive backup procedures . 18
2.5.5. Requirements for time-stamping of records . 18
2.5.6. Archive collection system (internal or external) . 18
2.5.7. Procedures to obtain and verify archive information . 18
2.6. Key Changeover . 19
2.7. Compromise and Disaster Recovery . 19
2.7.1. Incident and compromise handling procedures . 19
2.7.2. Computing resources, software, and/or data are corrupted . 19
2.7.3. Entity private key compromise procedures . 20
2.7.4. Business continuity capabilities after a disaster . 20
2.8. CA or RA Termination . 20
3. Technical Security Controls . 21
3.1. Key Pair Generation and Installation . 21
3.1.1. Key pair generation . 21
3.1.2. Private Key delivery to subscriber . 21
3.1.3. Public key delivery to certificate issuer . 21
3.1.4. CA public key delivery to relying parties . 22
3.1.5. Key Sizes . 22
3.1.6. Public key parameters generation and quality checking . 22
3.1.7. Key usage purposes (as per X.509 v3 key usage field) . 23
3.2. Private Key Protection and Cryptographic Module Engineering Controls . 23
3.2.1. Cryptographic module standards and controls . 23
3.2.2. Private Key (k out of n) Multi-Person Control . 24
3.2.3. Private Key escrow . 24
3.2.4. Private Key backup . 24
3.2.5. Private Key archival . 24
3.2.6. Private Key transfer into or from a cryptographic module . 24
3.2.7. Private Key storage using cryptographic module . 24
3.2.8. Method of activating private key . 25
3.2.9. Method of deactivating private keys . 25
3.2.10. Method of destroying private keys . 25
3.2.11. Cryptographic Module Rating . 26
3.3. Other Aspects of Key Pair Management . 26
3.3.1. Public key archival . 26
3.3.2. Certificate operational periods and key pair usage periods . 26
3.4. Activation Data . 27
3.4.1. Activation data generation and installation . 27
3.4.2. Activation data protection . 27
3.4.3. Other aspects of activation data . 27
3.5. Computer Security Controls . 27
3.5.1. Specific computer security technical requirements . 27
3.5.2. Computer security rating . 27
3.6. Life Cycle Technical Controls . 28
3.6.1. System development controls . 28
3.6.2. Security management controls . 28
3.6.3. Life cycle security controls . 28
3.7. Network Security Controls . 28
3.8. Time-stamping . 28
4. Certificate and CRL Profiles . 29
4.1. Certificate Profile . 32
4.1.1. Version number(s) . 35
4.1.2. Certificate extensions . 36
4.1.3. Algorithm object identifiers . 37
4.1.4. Name forms . 37
4.1.5. Name constraints . 37
4.1.6. Certificate policy object identifier . 37
4.1.7. Usage of Policy Constraints extension . 37
4.1.8. Policy qualifiers syntax and semantics . 37
4.1.9. Processing semantics for the critical Certificate Policies extension . 37
4.2. CRL Profile . 38
4.2.1. Version Number . 38
4.2.2. CRL and CRL Entry Extensions . 38
4.2.3. OCSP Profile . 40
4.2.4. Version number(s) . 40
4.2.5. OCSP extensions . 41
5. Compliance Audit and Other Assessment . 42
5.1. Frequency or circumstances of assessment . 42
5.2. Identity/qualifications of assessor . 42
5.3. Assessor's relationship to assessed entity . 42
5.4. Topics covered by assessment . 42
5.5. Actions taken as a result of deficiency . 42
5.6. Communication of results . 42
6. Other Business and Legal Matters . 43
6.1. Fees . 43
6.1.1. Certificate issuance or renewal fees . 43
6.1.2. Certificate access fees . 43
6.1.3. Revocation or status information access fees . 43
6.1.4. Fees for other services . 43
6.1.5. Refund policy . 43
6.2. Financial Responsibility . 43
6.2.1. Insurance coverage . 43
6.2.2. Other assets . 43
6.2.3. Insurance or warranty coverage for end-entities . 43
6.3. Confidentiality of Business Information . 43
6.3.1. Scope of confidential information . 43
6.3.2. Information not within the scope of confidential information . 44
6.3.3. Responsibility to protect confidential information . 44
6.4. Privacy of Personal Information . 44
6.4.1. Privacy plan . 44
6.4.2. Information treated as private . 44
6.4.3. Information not deemed private . 44
6.4.4. Responsibility to protect private information . 44
6.4.5. Notice and consent to use private information . 44
6.4.6. Disclosure pursuant to judicial or administrative process . 44
6.4.7. Other information disclosure circumstances . 45
6.5. Intellectual Property Rights . 45
6.6. Representations and Warranties . 45
6.6.1. CA representations and warranties . 45
6.6.2. RA representations and warranties . 45
6.6.3. Subscriber representations and warranties . 45
6.6.4. Relying party representations and warranties . 45
6.6.5. Representations and warranties of other participants . 45
6.7. Disclaimers of Warranties . 45
6.8. Limitations of Liability . 45
6.9. Indemnities . 45
6.10. Term and Termination . 45
6.10.1. Term . 45
6.10.2. CPS substitution and termination . 46
6.10.3. Effect of termination and survival . 46
6.11. Individual notices and communications with participants . 46
6.12. Amendments . 46
6.12.1. Procedure for amendment . 46
6.12.2. Notification mechanism and period . 46
6.12.3. Circumstances under which OID must be changed . 46
6.13. Dispute Resolution Procedures . 47
6.14. Governing Law . 47
6.15. Compliance with Applicable Law . 47
6.16. Miscellaneous Provisions . 47
6.16.1. Entire agreement . 47
6.16.2. Assignment . 47
6.16.3. Severability . 47
6.16.4. Enforcement (attorneys' fees and waiver of rights) . 47
6.16.5. Force Majeure . 47
6.17. Other Provisions . 47

Miele PKI CPS Version 1.0 Status: FINAL

Document control

Basic Description
Document title: Miele PKI Certification Practice Statement (CPS)
Topic: Certification Practice Statement for the Miele PKI Service based on RFC 3647
Version: 1.0
Status: Final draft for discussion
Document OID: 1.3.6.1.4.1.44739.509.1.20.20.2
Supersedes Document: ‐
Authors: Dr. Dieter Krug
Miele responsible contact: Dr. Dieter Krug

Version History
Version  Version Date  Comment
0.1  15.04.2015  Initial Draft
0.2  24.04.2015  Substantial enhancements section 2 and 4
0.5  30.04.2015  Substantial enhancements section 5 and 6
0.7  22.05.2015  Further additions and review
0.9  29.05.2015  Final Draft
1.0  22.06.2015  Final version after minor changes

Document Review and Signoff
Version  Version Date  Reviewer Name  Signoff Date
1.0  22.06.2015  Dr. Dieter Krug

Page 7 of 47

Related Documents

Document title: Miele PKI Certificate Policy (CP)
Document Name: Miele PKI CP v1.0.pdf
Description: Certificate Policy for Miele PKI Service
Document OID: 1.3.6.1.4.1.44739.509.1.20.20.1
Latest available version: v1.0
Last changed: 22.06.2015

Document title: Miele PKI Certificate Profiles
Document Name: Miele PKI Certificate Profiles RFC 5280 v1.0.pdf
Description: RFC 5280 Certificate Profiles for Miele PKI
Latest available version: v1.0
Last changed: 15.04.2015

Document title: Miele PKI Trust Chain Overview
Document Name: Miele PKI Trust Chain Overview v1.0.pdf
Description: Trust Chain Overview for Miele PKI hierarchy
Latest available version: v1.0
Last changed: 15.04.2015

Document title: Miele PKI IANA PEN Namespace
Document Name: Miele PKI IANA PEN Namespace v1.0.pdf
Description: Overview of the Miele PKI related IANA PEN Namespace
Latest available version: v1.0
Last changed: 15.04.2015

1. Introduction

The concept of a Certification Practice Statement (CPS) was developed by the American Bar Association (ABA) in its Digital Signature Guidelines (ABA Guidelines) and is defined as a "statement of the practices which a certification authority employs in issuing certificates." Most organizations that operate certification authorities document their own practices in a CPS or similar statement. The CPS is one of the organization's means of protecting its PKI and positioning its business relationships with subscribers and other entities.

This Certification Practice Statement describes the practices of the Certification Authorities (CAs) operated by the Miele PKI. It is applicable to all entities that have relationships with the Miele PKI CAs and PKI components, including end users, cross-certified CAs and Registration Authorities (RAs). This CPS provides those entities with a clear statement of the practices of the Miele PKI CAs.

The Certification Practice Statement (CPS) helps the user of certification services to determine the level of trust that can be placed in the certificates issued by the Miele PKI CAs and the connected infrastructure services. The Miele PKI certification service is only as trustworthy as the procedures it contains. The Miele PKI CPS therefore covers all relevant preconditions, regulations, processes and measures within the Miele PKI certification service as a compact information source for current and potential participants.

This document relies on other parts of the Miele PKI certification service documentation and summarizes those parts that are of importance to participating PKI users. Other related documentation is referenced in this Certification Practice Statement where relevant, and an overview of the other documents is given in the document control section. The CPS is to be provided free of charge and publicly accessible to any Miele PKI user.

1.1. Overview

The Miele & Cie. KG PKI (Miele PKI) consists of a two-tier CA hierarchy (trust chain) terminating in a trusted Root Authority ("Miele Root CA 01"). The Root CA and two subordinate CAs define the CA hierarchy; the subordinate certification authorities issue the different types of end-entity certificates. The first subordinate CA ("Miele Sub CA 01") is intended to issue machine-oriented certificates, while the second subordinate CA ("Miele Sub CA 02") is planned to issue user-based certificates. The current level of implementation is focused on machine certificates only; "Miele Sub CA 02" has already been built for future use.

All CA certificates and the respective keys are protected using Hardware Security Modules (HSMs) as an additional layer of security for the CAs' keys. In addition, the Root CA runs on a physically isolated, offline server, combined with a multi-eye-principle key authorization mechanism of the HSM that requires k-of-n authorization for key access. All installed components, especially the CAs, are reduced to a minimal set of installed software, and the different components and roles are installed on separate servers in the infrastructure as required from a functional perspective.

The whole trust chain is built for a corporate Miele use case with up-to-date key lengths and algorithms. This includes the deprecation of older algorithms such as SHA-1 and the deliberate use of large key sizes and current hashing algorithms: security was decided to be more important than backward compatibility with older cryptographic implementations. This may lead to issues with older cryptographic implementations and applications consuming certificates from the Miele PKI; once discovered, these need to be resolved on the application side by upgrading the consuming applications and operating systems.

As the primary information source for the Miele PKI is hosted on a load-balanced web server infrastructure, CRLs, CA certificates and the current versions of the CP and CPS documents are also located on these web servers, and the references to revocation and authority information in certificates are implemented as HTTP URLs. In addition to CRL-based revocation information, the Miele PKI also supports the OCSP protocol (RFC 5019, a profile of the Online Certificate Status Protocol (OCSP) defined in RFC 2560), based on the current CRL information from the authoritative subordinate CAs, for OCSP-aware PKI clients.

Besides several additional infrastructure components, four highly available web site clusters using load balancer infrastructure exist as part of the Miele PKI for all related HTTP-based locations and references, including the OCSP responder service. Two highly available web clusters (one for CRL, one for OCSP) serve internal Miele clients and servers, while two further web clusters are dedicated to external traffic and provide identical services to the two internal-facing clusters. The external-facing web clusters are protected by an application layer gateway infrastructure that provides additional security measures and enforces protocol compliance of incoming requests.

Miele PKI implementation

The following section is a brief overview of the implemented Miele PKI trust chain model and the CA hierarchy for the Miele trust chain, including the Miele PKI certification services provided by this architecture.

Overview of the Miele trust chain: [figure not reproduced in this transcription]

1.2. Document Name and Identification

This CPS is called "Miele PKI Certification Practice Statement" and has its own Object Identifier. For details please refer to the Miele PKI IANA PEN namespace document outlined in the related documents section.

X.509 OID – Miele PKI: 1.3.6.1.4.1.44739.509 (Base of the Miele PKI namespace)
X.509 OID – Miele PKI Class identifier: 1.3.6.1.4.1.44739.509.1 (Base of the Miele PKI trust chain namespace)
X.509 OID – Environment: 1.3.6.1.4.1.44739.509.1.20 (Base of the Miele PKI production environment)
X.509 OID – Issuance Policy namespace: 1.3.6.1.4.1.44739.509.1.20.10 (Base of the Miele PKI issuance policy reference)
X.509 OID – Issuance Policy identifiers: 1.3.6.1.4.1.44739.509.1.20.10.1 (Miele PKI issuance policy reference)
X.509 OID – PKI Policy: 1.3.6.1.4.1.44739.509.1.20.20 (Base of the Miele PKI documents namespace)
X.509 OID – Current CP documentation: 1.3.6.1.4.1.44739.509.1.20.20.1 (Miele PKI Certificate Policy v1.0)
X.509 OID – Current CPS documentation: 1.3.6.1.4.1.44739.509.1.20.20.2 (Miele PKI Certification Practice Statement v1.0)

Along with other documentation, the CP and CPS documents are accessible to Miele PKI certification service participants at http://www.pki.miele.com
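As an added illustration, not part of the Miele CPS, the following Python encodes the OIDs listed above into the DER form in which they appear in a certificate's certificatePolicies extension, decodes them back, and classifies an arbitrary OID against the section 1.2 namespace by longest prefix match. The namespace table is copied from this section; the functions and their names are this example's own.

```python
# Added example, not part of the Miele CPS: DER-encode the OIDs of CPS section 1.2,
# decode them back, and classify an OID against the Miele namespace table.

# Namespace prefixes exactly as listed in CPS section 1.2 (longest prefix wins).
MIELE_NAMESPACE = {
    "1.3.6.1.4.1.44739.509": "Base of the Miele PKI namespace",
    "1.3.6.1.4.1.44739.509.1": "Base of the Miele PKI trust chain namespace",
    "1.3.6.1.4.1.44739.509.1.20": "Base of the Miele PKI production environment",
    "1.3.6.1.4.1.44739.509.1.20.10": "Base of the Miele PKI issuance policy reference",
    "1.3.6.1.4.1.44739.509.1.20.10.1": "Miele PKI issuance policy reference",
    "1.3.6.1.4.1.44739.509.1.20.20": "Base of the Miele PKI documents namespace",
    "1.3.6.1.4.1.44739.509.1.20.20.1": "Miele PKI Certificate Policy v1.0",
    "1.3.6.1.4.1.44739.509.1.20.20.2": "Miele PKI Certification Practice Statement v1.0",
}

def _base128(n: int) -> bytes:
    """Encode one OID arc as a base-128 group; every byte but the last sets bit 7."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def oid_to_der(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, first two arcs folded."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + oid)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body

def der_to_oid(der: bytes) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER back to dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a well-formed short-form DER OID")
    arcs, acc = [], 0
    for b in der[2:]:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # continuation bit set: more base-128 digits follow
        if not arcs:
            first = 2 if acc >= 80 else acc // 40  # unfold the combined first byte
            arcs += [first, acc - first * 40]
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(map(str, arcs))

def classify(oid: str):
    """Longest Miele namespace prefix covering oid and its meaning; ('', '') if outside."""
    best = ""
    for prefix in MIELE_NAMESPACE:
        if (oid == prefix or oid.startswith(prefix + ".")) and len(prefix) > len(best):
            best = prefix
    return (best, MIELE_NAMESPACE[best]) if best else ("", "")

if __name__ == "__main__":
    policy = "1.3.6.1.4.1.44739.509.1.20.10.1"  # issuance policy OID from section 1.2
    print(oid_to_der(policy).hex(), der_to_oid(oid_to_der(policy)), classify(policy))
```

A relying party that wants to accept only certificates issued under the Miele production issuance policy can compare each certificatePolicies OID against the "1.3.6.1.4.1.44739.509.1.20.10" prefix reported by `classify`.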

1.3. Policy Administration

1.3.1. Organization administering the document
This Miele PKI Certification Practice Statement is administered by the Miele Security Team, represented by the named contact outlined in section 1.3.2.

1.3.2. Contact person
Miele & Cie. KG
Dr. Dieter Krug
Carl-Miele-Straße 29
33325 Gütersloh
Germany
Voice: 49 52 41 – 89-28 28
Fax: 49 52 41 – 89-28 28
Email: hotline@miele.com
Web: http://www.pki.miele.com

1.3.3. Person determining suitability for the policy
See 1.3.2 "Contact person".

1.3.4. Approval procedures
The Miele & Cie. KG Director Compliance/Security approved this document prior to publication. This document is regularly re-evaluated.

1.4. Definitions and Acronyms
Certificate (Public Key Certificate): A data structure containing the public key of an electronic identity and additional information. A certificate is digitally signed using the private key of the issuing CA, binding the subject's identity to the respective public key.
Certificate Policy (CP): A document containing the rules that indicate the applicability and use of certificates issued to Miele PKI subscribers.
Certification Practices Statement (CPS): A document containing the practices that the Miele PKI certification authority employs in issuing certificates and maintaining the PKI-related operational status.
Certification Authority (CA): The unit within the Miele PKI that creates, assigns and revokes public key certificates.
Directory: A database containing information and data related to identities, certificates and CAs.
End-Entity: An entity that is a subscriber, a relying party or both.

Public Key Infrastructure (PKI): Framework of technical components and related o
