Minimum requirements for RA - Testbed 1
---------------------------------------

V2 - 5 June 2001

An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method.

The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------

Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person.

Minimum requirements for CA - Testbed 1
---------------------------------------

The issuing machine must be:

- a dedicated machine located in a secure environment
- be managed in an appropriately secure way by a trained person
- the private key (and copies) should be locked in a safe or other secure place
- the private key must be encrypted with a pass phrase having at least 15 characters
- the pass phrase must only be known by the Certificate issuer(s)
- not be connected to any network

Further requirements:

- minimum length of user private keys must be 1024
- min length of host private key must be 1024
- min length of CA private key must be 2048
- requests for machine certificates must be signed by personal certificates or verified by other appropriate means
- CA must only sign a limited subject namespace which does not clash with other namespaces
- every CA must produce a CP/CPS document(s). We recommend the RFC 2527 template.
- lifetime of CA certificate must be no longer than 5 years, if 2048 bits.
- lifetime of personal certificates must be no longer than one year.
- lifetime of host certificates must be no longer than one year.
- Every CA must generate and maintain a CRL. The lifetime of the CRL must be no more than 30 days and at least 7 days. The CRL must be updated immediately after every revocation. CRLs must be reissued at least 7 days before expiration even if there have been no revocations. (n.b. we recommend that all clients must update their local copies of CRLs at least once per day)
- user certificates must not be shared.
- host certificates must be linked to a single network entity.
- Users must generate their own private key and must keep this private and secure, i.e. the CA and RA must not generate the private key.
- There must be a method to identify which CP/CPS was used for the issue of a certificate, either by start date or by OIDs or some other appropriate means.

Revocation
----------

- loss of or compromised private key
- person left organisation

Can be requested by either the user or the RA.

Publishing
----------

Publishing of user public keys is not required.

Recording - audit trail
-----------------------

RAs must record and archive

- all requests
- all confirmations

CAs must record and archive

- all requests for certs
- all issued certs
- all requests for revocation
- all issued CRLs
- login/logout/reboot of the issuing machine
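
The key-length, lifetime and CRL timing limits in the CA requirements above can be checked mechanically. The following is an added example, not part of the original document: the `Cert` and `Crl` records and both check functions are hypothetical names, the sample data is constructed, and "one year" is assumed to mean 365 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DAY = timedelta(days=1)
# Limits from the CA requirements; "one year" is assumed to mean 365 days.
MIN_KEY_BITS = {"user": 1024, "host": 1024, "ca": 2048}
MAX_LIFETIME = {"user": 365 * DAY, "host": 365 * DAY, "ca": 5 * 365 * DAY}

@dataclass
class Cert:                      # hypothetical record, not an X.509 parser
    kind: str                    # "user", "host" or "ca"
    key_bits: int
    not_before: datetime
    not_after: datetime

@dataclass
class Crl:                       # hypothetical record of one issued CRL
    this_update: datetime
    next_update: datetime

def check_cert(cert):
    """Return the list of requirement violations for one certificate."""
    problems = []
    if cert.key_bits < MIN_KEY_BITS[cert.kind]:
        problems.append("key too short")
    if cert.not_after - cert.not_before > MAX_LIFETIME[cert.kind]:
        problems.append("lifetime too long")
    return problems

def check_crl(crl, now, last_revocation=None):
    """Return the list of requirement violations for the current CRL."""
    problems = []
    lifetime = crl.next_update - crl.this_update
    if not 7 * DAY <= lifetime <= 30 * DAY:
        problems.append("lifetime outside 7-30 days")
    if crl.next_update - now < 7 * DAY:      # must be reissued 7 days early
        problems.append("reissue overdue")
    if last_revocation is not None and last_revocation > crl.this_update:
        problems.append("stale after revocation")
    return problems

# Constructed sample data.
T0 = datetime(2001, 6, 5)
WEAK_USER = Cert("user", 512, T0, T0 + 730 * DAY)
GOOD_HOST = Cert("host", 1024, T0, T0 + 365 * DAY)
CRL_30 = Crl(T0, T0 + 30 * DAY)

if __name__ == "__main__":
    print(check_cert(WEAK_USER), check_cert(GOOD_HOST))
    print(check_crl(CRL_30, now=T0 + 25 * DAY, last_revocation=T0 + 2 * DAY))
```

A CRL issued with the minimum 7-day lifetime falls inside the 7-day reissue window the moment after it is issued, so a longer lifetime is needed to leave room for the reissue rule.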