
UNITED STATES DEPARTMENT OF THE TREASURY


United States Department of the Treasury. Department of the Treasury Public Key Infrastructure (PKI) X.509 Certificate Policy. Version 2.9. March 15, 2017.


UNITED STATES DEPARTMENT OF THE TREASURY

DEPARTMENT OF THE TREASURY PUBLIC KEY INFRASTRUCTURE (PKI) X.509 CERTIFICATE POLICY

VERSION March 15, 2017

UNCLASSIFIED

SIGNATURE PAGE

DANIEL W. WOOD, PKI Policy Management Authority (PMA)
DATE: 4/13/2017

DOCUMENT VERSION CONTROL

Columns: Version; Date; Author(s); Description; Reason For Change

Date: January 2008
Author(s): James Schminky
Description: DEPARTMENT of the TREASURY PKI Policy in RFC 3647 format.
Reason For Change: Bring the TREASURY PKI Policy into compliance with FPKIPA change proposal requiring all cross certified PKI Policies to be in RFC 3647 format.

Date: March 17, 2009
Author(s): James Schminky
Description: Errata changes to sections , , , , and
Reason For Change: As a result of mapping the TREASURY PKI Policy to Federal Policy, a number of minor changes and omissions were identified and corrected.

Date: March 11, 2010
Author(s): James Schminky
Description: Errata changes to sections , and Change proposal changes to , , , , , , , , and
Reason For Change: As a result of the PMA annual review a number of minor corrections, Federal Bridge Certification Authority (FBCA) Policy Change Proposal Number: 2009-02 and 2010-01, and TREASURY Change Proposal Nb 200901

Date: April 15, 2010
Author(s): James Schminky
Description: Change proposal changes to and
Reason For Change: As a result of FBCA Policy Change Proposal Number: 2010-02.

Date: March 22, 2011
Author(s): James Schminky
Description: Changes Proposal Changes to , , , , , , , and
Reason For Change: As a result of FBCA Policy Change Proposal Numbers; 2010-3 thru 8 and CPCA policy Change Proposal Number: 2011-1

Date: September 11, 2012
Author(s): Daniel Wood
Description: Changes Proposal Changes to and
Reason For Change: Made changes to align the TREASURY CP with the Common Policy Framework (CPF), removed all reference to the acronym DoT and replaced with the name TREASURY.

Date: October 15, 2012
Author(s): Daniel Wood
Description: Changes Proposal Changes to , , , , , and
Reason For Change: Made changes to align the TREASURY CP with the CPF,

Date: August 22, 2013
Author(s): Fred Asomani-Atinkah
Description: , , , , , , , , and
Reason For Change: Made changes to align the TREASURY CP with the CPF,

Date: March 26, 2015
Author(s): Daniel Wood, Terry McBride
Description: Clarified TREASURY's dual role as Federal Legacy and SSP; Added PIV-I, role-based, and group certificates
Reason For Change: Provide capabilities to customers and baseline update as requested by FPKIPA

Date: March 19, 2017
Author(s): Daniel Wood
Description: Adds PIV-I, and Internal PKI OIDs, changed criteria for suspension, defined the PKI Program Team, added the internal PKI addendum, changes to Common/Federal CPs and editorial updates
Reason For Change: Changes to TREASURY PKI based on user needs and updates to Fed PKI Policies

Table of Contents

1. INTRODUCTION
    Certificate Policy
    Relationships between TREASURY PKI CP & TREASURY PKI CA CPSs
    Scope
    Relationships between TREASURY PKI CP, the FBCA and Other Entity CPs
    Interaction with PKIs External to the Federal Government
  DOCUMENT IDENTIFICATION
  PKI ENTITIES
    TREASURY PKI Program Team
    TREASURY PMA
    Registration Authority
    Subscribers
    Relying Parties
    Other Participants
  CERTIFICATE USAGE
    Appropriate Certificate Uses
    Prohibited Certificate Uses
  POLICY ADMINISTRATION
    Organization administering the document
    Contact Person
    Person Determining CPS Suitability for the Policy
    CPS Approval Procedures
  DEFINITIONS AND ACRONYMS
2. PUBLICATION & REPOSITORY RESPONSIBILITIES
  REPOSITORIES
  PUBLICATION OF CERTIFICATION INFORMATION
    Publication of certificates and Certificate Status
    Publication of CA Information
    Interoperability
  FREQUENCY OF PUBLICATION
  ACCESS CONTROLS ON REPOSITORIES
3. IDENTIFICATION & AUTHENTICATION
  NAMING
    Types of Names
    Need for Names to Be Meaningful
    Anonymity or Pseudonymity of Subscribers
    Rules for Interpreting Various Name Forms
    Uniqueness of
    Recognition, Authentication, & Role of Trademarks
  INITIAL IDENTITY VALIDATION
    Method to Prove Possession of Private Key
    Authentication of Organization Identity
    Authentication of Individual Identity
    Non-verified Subscriber Information
    Validation of Authority
    Criteria for Interoperation
  IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS
    Identification and Authentication for Routine Re-key
    Identification and Authentication for Re-key after Revocation
  IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST
4. CERTIFICATE LIFE-CYCLE
  APPLICATION
    Submission of Certificate Application
    Enrollment Process and Responsibilities
  CERTIFICATE APPLICATION PROCESSING
    Performing Identification and Authentication Functions
    Approval or Rejection of Certificate Applications
    Time to Process Certificate Applications
  ISSUANCE
    CA Actions during Certificate Issuance
    Notification to Subscriber of Certificate Issuance
  ACCEPTANCE
    Conduct constituting certificate acceptance
    Publication of the Certificate by the CA
    Notification of Certificate Issuance by the CA to other entities
  KEY PAIR AND CERTIFICATE USAGE
    Subscriber Private Key and Certificate Usage
    Relying Party Public key and Certificate Usage
  CERTIFICATE RENEWAL
    Circumstance for Certificate Renewal
    Who may Request Renewal
    Processing Certificate Renewal
    Notification of new certificate issuance to Subscriber
    Conduct constituting acceptance of a Renewal certificate
    Publication of the Renewal certificate by the CA
    Notification of Certificate Issuance by the CA to other entities
  CERTIFICATE RE-KEY
    Circumstance for Certificate Re-key
    Who may request certification of a new public key
    Processing certificate Re-keying requests
    Notification of new certificate issuance to Subscriber
    Conduct constituting acceptance of a Re-keyed certificate
    Publication of the Re-keyed certificate by the CA
    Notification of certificate issuance by the CA to other Entities
  MODIFICATION
    Circumstance for Certificate Modification
    Who may request Certificate Modification
    Processing Certificate Modification Requests
    Notification of new certificate issuance to Subscriber
    Conduct constituting acceptance of modified certificate
    Publication of the modified certificate by the CA
    Notification of certificate issuance by the CA to other Entities
  CERTIFICATE REVOCATION & SUSPENSION
    Circumstances for Revocation
    Who Can Request Revocation
    Procedure for Revocation Request
    Revocation Request Grace Period
    Time within which CA must Process the Revocation Request
    Revocation Checking Requirements for Relying Parties
    CRL Issuance Frequency
    Maximum Latency of CRLs
    On-line Revocation/Status Checking Availability
    On-line Revocation Checking Requirements
    Other Forms of Revocation Advertisements Available
    Special Requirements Related To Key Compromise
    Circumstances for Suspension
    Those Authorized to Request Suspension
    Procedure for Suspension
    Limits on Suspension Period
  CERTIFICATE STATUS SERVICES
    Operational Characteristics
    Service
    Optional Features
  END OF SUBSCRIPTION
  KEY ESCROW & RECOVERY
    Key Escrow and Recovery Policy and Practices
    Session Key Encapsulation and Recovery Policy and Practices
5. FACILITY MANAGEMENT & OPERATIONS CONTROLS
  PHYSICAL CONTROLS
    Site Location & Construction
    Physical Access
    Power and Air Conditioning
    Water Exposures
    Fire Prevention &
    Media Storage
    Waste Disposal
    Off-Site backup
  PROCEDURAL CONTROLS
    Trusted Roles
    Number of Persons Required per Task
    Identification and Authentication for Each Role
    Separation of Roles
  PERSONNEL CONTROLS
    Background, Qualifications, Experience, & Security Clearance Requirements
    Background Check Procedures
    Training Requirements
    Retraining Frequency & Requirements
    Job Rotation Frequency & Sequence
    Sanctions for Unauthorized Actions
    Independent Contractor Requirements

