USC PKI Lite CA Certificate Policy

This document describes a certificate policy (CP) for the USC PKI Lite CA, based on the work of the Higher Education PKI Technical Advisory Group on a model certificate policy for Certificate Authorities (CAs) operating within the higher education community. The goal of this CP is to help the USC research community take advantage of the PKI deployed at USC to support technical inter-operation between USC PKI resources (such as USCGrid) and other, possibly grid-based, PKI resources.

  1. Introduction
  2. HEPKI Lite Certificate Policy
    1. User Identity
    2. Certificate Revocation
    3. CA Private Key Protection
    4. Subject Key-Pair Generation & Private Key Protection
    5. Certificate Profile
    6. Certificate Usage
    7. Certification Practice Statement (CPS)
  3. HEPKI Lite Certification Practices Statement
    1. CPS Introduction
    2. No Warranty
    3. CA Private Key Protection
    4. Authentication upon Registration
    5. Lifetime of Issued Credential
    6. Revocation
    7. Host and Persistent Service Private Key Protection
  4. Certificate Profile for the Institution
  5. Acknowledgements

  1. Introduction

    This CP was modeled after the HEPKI Lite model certificate policy, with a piece of the introductory material based on the model CP of the Global Grid Forum. This CP is meant to provide technical guidance in the deployment of PKI policies for the USC PKI Lite CA, and to provide information to PKI Relying Parties that wish to make a decision on the trustworthiness of certificates issued by the USC PKI Lite Certificate Authority.

    Within this document the words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" are to be interpreted as in RFC 2119 [2].

    In this document, the expression "conforming CA" is used to indicate a CA whose behavior is conforming to the set of provisions specified in this document.


    1. Overview

      This document describes a set of rules that indicates the applicability of a certificate issued by the USC PKI Lite CA to its community of users and/or class of application with common security requirements.

      This certificate policy MAY be used by a certificate user to help in deciding whether a certificate, and the binding therein, is sufficiently trustworthy for a particular application. An X.509 Version 3 certificate issued by the USC PKI Lite CA SHOULD contain a reference to this certificate policy.


    2. Identification

      This certificate policy is identified by the following unique registered Object Identifier (OID):

      1.3.6.1.4.1.13363.2.1.3

      Arc    Meaning
      1      ISO assigned
      3      Organization acknowledged by ISO
      6      US Department of Defense
      1      Internet
      4      Private
      1      IANA registered private enterprises
      13363  University of Southern California
      2      USC PKI Lite CA
      1      Major version
      3      Minor version

    3. Community and applicability

      The USC PKI Lite CA can choose freely the community or communities it serves and applicability of their issued certificates, but it MUST clearly specify them in its own CP and CPS. In every case, the USC PKI Lite CA MUST NOT issue certificates to entities that don't belong to its community or for applications that haven't been carefully evaluated. Moreover, the USC PKI Lite CA SHALL address all the limitations imposed by the following sections of this policy.

      In particular, the USC PKI Lite CA's community is comprised of USC-related faculty, staff and students, plus persons affiliated with research projects sponsored or co-sponsored by USC departments, as evidenced by the issuance of a USC Unix login ID. In no case will a certificate be issued by USC for any other entity. Issuance of a certificate by the USC PKI Lite CA is further restricted to hosts and persistent services. The only user certificates issued by the USC PKI Lite CA will be to administrators of the USC PKI Lite CA, restricted to use within the USC domain.


      1. Certification authority

        The USC PKI Lite CA must take particular care when deciding whether a given organization or individual can manage a subordinate CA and perform all the controls and checks detailed in this policy. The USC PKI Lite CA MAY use as many RAs (registration authorities) as it wishes. The USC PKI Lite CA MAY also take the role of RA if the CA itself can perform the entity authentication. Subordinate CAs MUST sign an agreement with the USC PKI Lite CA, stating the obligation to adhere to the agreed procedures.

        At the current time, the USC PKI Lite CA recognizes a single subordinate CA: the USC KCA used by USC ISD's installation of kx.509 to issue user proxy certificates based on Kerberos principals.


      2. Registration authorities

        Registration Authorities (RAs) are useful for physical identification/authentication of entities. These authorities MUST NOT be permitted to issue certificates. The RA MUST sign an agreement with the certifying CA, stating the obligation to adhere to the agreed procedures as identified in the CA's CPS.

        The USC PKI Lite CA will work to establish formal recognition of the University's Administrative Information Services as a Registration Authority capable of authenticating persons such as systems administrators and technical contacts who may request host or persistent service certificates for entities under their control. In order for formal recognition to be established, a Service Level Agreement must be negotiated and agreed upon by the USC AIS and the USC PKI Lite CA.

        The USC PKI Lite CA will also work to establish formal recognition of isi-ra@isi.edu as a Registration Authority capable of authenticating hosts and persistent services within the isi.edu domain for the purpose of issuing USC PKI Lite CA certificates. In order for formal recognition to be established, a Service Level Agreement must be negotiated and agreed upon by isi-ra@isi.edu and the USC PKI Lite CA.

  2. HEPKI Lite Certificate Policy

    As an institution issuing HEPKI Lite X.509 certificates, the University of Southern California agrees to make reasonable efforts to adhere to this policy but assumes no liability for policy violations. Parties relying on certificates issued by the USC PKI Lite CA should study this policy and the USC PKI Lite CA Certification Practices Statement to determine if the assurance level and operational practices are sufficient for the needs of their application.

    1. User Identity
      As a HEPKI Lite certification authority, the USC PKI Lite CA agrees to use existing campus practice for identifying the certificate Subject before issuing the certificate.
      1. People requesting HEPKI Lite certificates for a host or persistent service are authenticated using standard university practices for identifying people for other applications, such as issuing user IDs and passwords for on-campus systems.
      2. Subject names in the certificate must uniquely map to the host or persistent service for the validity period of the certificate. Furthermore, it is strongly recommended that Subject names uniquely map to the host or persistent service in perpetuity regardless of the certificate's validity period but this is not required. A Relying Party must examine the associated CPS before making any assumptions about the persistent binding of a certificate Subject name.
    2. Certificate Revocation
      As a HEPKI Lite Certification Authority, the USC PKI Lite CA is not required to be able to revoke certificates, issue certificates containing a Certificate Revocation List (CRL) or OCSP distribution point extension, or maintain a CRL. However, if the USC PKI Lite CA issues certificates containing a CRL or OCSP distribution point extension, then the USC PKI Lite CA is obligated to issue CRLs and must update the CRLs and/or OCSP database no later than the time given in the Next Update field of the current CRL.
    3. CA Private Key Protection
      Operators of the USC PKI Lite CA must understand the significance of the CA's private key(s) and take action to protect the key appropriately. The PKI Lite framework specifically permits the USC PKI Lite CA to operate as an on-line CA, to make certificates easier to obtain. The operator of the USC PKI Lite CA is expected to take reasonable precautions to protect the private key and must publish an outline of these measures in the CPS for the USC PKI Lite CA.
    4. Subject Key-Pair Generation & Private Key Protection
      HEPKI Lite requires that the certificate Subject's key-pair be generated by the Subject's computer. Typically, this will be accomplished with software in a standard browser or using a Unix shell command. It may be accomplished with a hardware device, such as a smartcard, but this is not required.
      Once generated, the private key will be encrypted and protected with a pass-phrase. It may be backed up in this form on portable media as long as it remains completely under the control of the Subject. The private key may not be archived by a third party.
    5. Certificate Profile
      As a HEPKI Lite certificate authority, the USC PKI Lite CA shall issue certificates that conform to the basic HEPKI Lite Certificate Profile. Additional fields or extensions may be included but must be documented in a Certificate Profile for the University of Southern California in the associated CPS. The certificate policy OID should be the generic HEPKI OID for PKI Lite certificates if and only if all requirements of the PKI Lite CP are met. Otherwise, the University should arrange for its own OID and define its meaning in the associated CPS.
      In practice, the OID pertaining to this CP and CPS is given at the beginning of this document.
    6. Certificate Usage
      PKI Lite certificates may be used for digital signatures and key encipherment. The University of Southern California may also choose to allow their use for data encryption, but this might raise key escrow and recovery issues. If decryption keys are escrowed, the method should be described in the associated CPS.
      The USC PKI Lite CA will issue an authority certificate only to CAs within the control of the same University department that administers the USC PKI Lite CA. In particular, the USC PKI Lite CA was requested to sign the certificate for the USC KCA, in order to subordinate that Kerberos Certification Authority to the USC PKI Lite CA. This use of the USC PKI Lite CA should be extremely rare, approaching unique.
      Other than the exception noted immediately above, the USC PKI Lite CA is specifically limited to issuing host and persistent service certificates only. No end-user certs will be issued, with the exception of a strictly limited and tightly controlled number of certs issued to system administration personnel for internal test purposes only. No end-user certs should ever be seen by outside relying parties.
    7. Certification Practice Statement
      Operators of the USC PKI Lite Certificate Authority must publish a Certification Practice Statement (see below). A URI pointing to this statement must be included in each issued certificate as a CPSuri policy qualifier within the certificatePolicies extension. In the spirit of PKI Lite, the CPS should be a brief document, but one that conveys information sufficient for a PKI-knowledgeable person at a Relying Party institution to determine whether they are willing to rely on the CA to meet the needs of their application.
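The policy OID from the Identification section and the CPS pointer required above both live in the certificate's certificatePolicies extension. The following is an added example, written for this page and not code from the USC PKI Lite CA or its tooling: it DER-encodes the policy OID using only the Python standard library, builds a certificatePolicies value that carries that OID together with a CPSuri qualifier, and parses such a value back the way a relying party would when checking which policy a certificate asserts. The OID 1.3.6.1.4.1.13363.2.1.3 is the one given in the Identification section and id-qt-cps (1.3.6.1.5.5.7.2.1) is the standard PKIX qualifier identifier for a CPS pointer; EXAMPLE_CPS_URI is a constructed placeholder, not the CA's actual CPS address.

```python
"""Added example (standard library only; not code from the USC PKI Lite CA): DER-encode the policy
OID, build a certificatePolicies value with a CPS pointer, and parse one as a relying party would."""
from __future__ import annotations

USC_PKI_LITE_POLICY_OID = "1.3.6.1.4.1.13363.2.1.3"  # from the Identification section above
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # PKIX policy qualifier id for a CPS pointer (RFC 5280 4.2.1.4)
EXAMPLE_CPS_URI = "http://cps.example.invalid/usc-pki-lite-cps.html"  # constructed placeholder

def _base128(n: int) -> bytes:
    """One OID arc as big-endian base-128; continuation bit set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def _tlv(tag: int, body: bytes) -> bytes:
    """Prefix body with a DER tag and definite-form length (short form below 128 bytes)."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read the TLV at buf[pos]; return (tag, contents, offset after it), rejecting non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give how many length bytes follow
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated length is not valid DER")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:pos + n], pos + n

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; the first two arcs share one subidentifier, 40*arc0 + arc1."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)

def decode_oid(body: bytes) -> str:
    """Decode OID contents (tag and length already stripped) back to dotted form."""
    arcs, cur, pending = [], 0, False
    for b in body:
        cur, pending = (cur << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(cur)
            cur = 0
    if pending or not arcs:
        raise ValueError("empty OID or OID ending inside a multi-byte arc")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def build_certificate_policies(policy_oid: str, cps_uri: str) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID,
    policyQualifiers SEQUENCE OF { id-qt-cps OID, CPSuri IA5String } OPTIONAL }; one entry here."""
    qualifier = _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii")))
    info = _tlv(0x30, encode_oid(policy_oid) + _tlv(0x30, qualifier))
    return _tlv(0x30, info)

def parse_certificate_policies(der: bytes) -> list[tuple[str, str | None]]:
    """Return [(policy OID, CPS URI or None), ...] from a certificatePolicies extension value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be exactly one SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, p = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        cps_uri = None
        if p < len(info):  # optional policyQualifiers present
            _, quals, _ = _read_tlv(info, p)
            q = 0
            while q < len(quals):
                _, qual, q = _read_tlv(quals, q)
                _, qid, r = _read_tlv(qual, 0)
                if decode_oid(qid) == ID_QT_CPS:
                    qtag, uri, _ = _read_tlv(qual, r)
                    if qtag == 0x16:  # IA5String
                        cps_uri = uri.decode("ascii")
        result.append((decode_oid(oid_body), cps_uri))
    return result

def asserts_policy(der: bytes, oid: str) -> bool:
    """Relying-party check: does the extension value assert the given policy OID?"""
    return any(policy == oid for policy, _ in parse_certificate_policies(der))

if __name__ == "__main__":
    ext = build_certificate_policies(USC_PKI_LITE_POLICY_OID, EXAMPLE_CPS_URI)
    print(encode_oid(USC_PKI_LITE_POLICY_OID).hex(), parse_certificate_policies(ext))
```

Running the block prints the policy OID's DER encoding, 06 0a 2b 06 01 04 01 e8 33 02 01 03: the first two arcs collapse into the single byte 0x2b (40*1 + 3), and the USC enterprise number 13363 takes two bytes (e8 33) because arcs above 127 are written base-128 with a continuation bit. A relying party that wants to apply the guidance in the Overview would run asserts_policy over the extension value of a presented certificate and then fetch the CPS from the URI the parser returns.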

  3. HEPKI Lite Certification Practices Statement

    This section contains the Certification Practices Statement for the USC PKI Lite CA.

    1. CPS Introduction
      This statement defines the policies and procedures followed by the University of Southern California in the issuance of Public Key Certificate credentials through the USC PKI Lite CA.
      The University of Southern California issues host and persistent service certificates to members of its community, which includes faculty, staff and students.
    2. No Warranty
      Although the University of Southern California makes its best efforts to ensure that correct credentials are issued only to appropriate members of its community, the University of Southern California has no actual control over how members of the community protect their own credentials.
      UNDER NO CIRCUMSTANCES IS THE UNIVERSITY OF SOUTHERN CALIFORNIA RESPONSIBLE FOR THE CONSEQUENCES TO A RELYING PARTY OF MAKING USE OF CREDENTIALS ISSUED BY THE UNIVERSITY OF SOUTHERN CALIFORNIA. THE UNIVERSITY OF SOUTHERN CALIFORNIA OFFERS NO WARRANTY OF ANY KIND AND DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE. THE UNIVERSITY OF SOUTHERN CALIFORNIA CANNOT BE HELD LIABLE FOR ANY DAMAGES OF ANY KIND WHETHER DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL EVEN IF THE UNIVERSITY OF SOUTHERN CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    3. CA Private Key Protection
      The private key for the University of Southern California's USC PKI Lite Certificate Authority is maintained in software on a network-connected computer.
      Thirty-five (35) employees have access to this key and two (2) employees are in a position to issue certificates signed by this key.
    4. Authentication upon Registration
      In general, the University of Southern California verifies the identity of people requesting certificates in a way that is generally considered proper and appropriate for a higher education institution. Specifically:
      • Each member of the community is issued a Unix login ID and Kerberos principal at the point of entry to the community. Security protocols require that these passwords change every six months.
      • When requesting a host or persistent service certificate, a member of the community is required to authenticate against that member's Unix login ID and/or Kerberos principal, after presenting a University picture ID.
      • The CSR is transmitted via PGP-signed email to the operators of the CA. Ownership or control of the host or persistent service for which the certificate will be used is verified before signing.
      • Signing of the CSR is performed by separate staff once verification has been confirmed. The cert is then transmitted back to the requesting party via PGP-signed email.

      The possession of a certificate issued by the University of Southern California's USC PKI Lite CA implies that at some point the University of Southern California believed that the possessor was a member of its community. However, relying parties should not construe the mere possession of a certificate as meaning that the possessor has a current association with the University of Southern California, or that the possessor may legally bind the University of Southern California in any form of negotiation.
    5. Lifetime of Issued Credential
      Certificates issued by the USC PKI Lite CA are valid for no more than 12 months from the date of issuance. Note, however, that some applications may require, and the CA may choose to issue, certificates that have arbitrarily shorter validity periods. Certificates will NOT be issued to individual end users.
    6. Revocation
      The USC PKI Lite CA revokes certificates via a Certificate Revocation List, posted to the authx webpage at a URI included in the signed certificates. The posted CRL will be updated at least weekly. Revocations are expected to be extremely rare, approaching never.
      The USC PKI Lite CA will revoke a certificate when informed by the certificate owner that the key associated with the certificate may have been compromised. The posted CRL will be updated as soon thereafter as possible, but no later than a week after the previous posting.
      Because the USC PKI Lite CA does not issue end user certificates, it is not necessary for it to revoke certificates for people who leave the employment of the University of Southern California. Certificates for hosts under the control of such people may be revoked, depending on the individual circumstances.
    7. Host and Persistent Service Private Key Protection
      The University of Southern California does not establish standards for how host or persistent service private keys are maintained. Keys stored on the hard drives of individually owned or maintained computer systems will likely be as secure (or not) as other information stored on such systems.
      Some host or persistent services may have their private key stored in the campus distributed file system. The security of such stored files will depend on the security of the distributed file system and the strength of the password/key chosen by the user to protect the stored file.

  4. Certificate Profile for the Institution

    The certificate profile for the USC PKI Lite CA can be found at USC-PKI-Lite-root-profile.html

    As of the date of this document, the posted root profile is identical to the HEPKI Lite root profile. It is being reviewed to ensure conformity of the USC PKI Lite CA with the HEPKI Lite root profile.

  5. Acknowledgements

    Questions about this Certificate Policy or Certification Practices Statement should be directed to the online authentication & authorization group of the Information Infrastructure Core in the Information Services Division of the University of Southern California.

    The original framework for this CP and CPS was developed by James A. Jokl, Jeffrey I. Schiller, and other members of the Higher Education PKI Technical Advisory Group under the aegis of the Internet2 Middleware activities group.