UNCLASSIFIED (PUBLIC DOMAIN)
X.509 Certificate Policy for the
Australian Department of Defence Code Signing Resource Certificates
Version 5.2, Feb 2018
X.509 Certificate Policy
Code Signing Resource Certificates, Version 5.2
Unclassified (Public Domain)
Notice to all parties seeking to rely

Reliance on a Certificate issued under this Certificate Policy, identified by subarcs of the object identifier 1.2.36.1.334.1.1.3.4, is only permitted as set forth in this document. Use of a Certificate issued under this CP constitutes acceptance of the terms and conditions set out in this document; as such, acceptance of a Certificate by a Relying Party is at the Relying Party's risk. Refer to the CP and Defence CPS for relevant disclaimers of warranties, liabilities and indemnities.
Document Management

This document is controlled by: Defence Public Key Infrastructure Policy Board (DPKIPB).

Changes are authorised by: Defence Public Key Infrastructure Policy Board (DPKIPB); Gatekeeper Competent Authority (GCA).
Change History

| Version | Issue Date | Description / Amendment | Changed by |
|---|---|---|---|
| 0.1 | 28 Apr 08 | Initial Draft | Sarah Moylan |
| 1.0 | 23 Nov 09 | Released | GJF |
| 2.0 | Nov 2011 | Released (minor amendments, cert profile changes) | SJP |
| 2.1 | Dec 2011 | Updated for implementation of OCSP | Verizon Business |
| 2.2 | May 2012 | Minor amendments, harmonisation with doc suite, formatting | AKK |
| 2.3 | June 2012 | AGIMO & AGS review. Minor amendments. | AKK |
| 3.0 | July 2012 | Released | SJP |
| 4.0 | May 2014 | Reviewed for release | PKI Ops Man |
| 4.1 | Feb 2016 | GK 2015 compliance & minor format updates | Cogito Group (CJP) |
| 4.2 | July 2016 | Updated based upon Legal and Gatekeeper reviews | Cogito Group (CJP) |
| 4.3 | Sept 2016 | Updated AIA information in Certificate profile (Appendix B.1) | Cogito Group (CJP) |
| 5.0 | Oct 2016 | Released | PKI Operations Manager |
| 5.1 | Dec 2016 | Updated www.defence.gov.au to crl.defence.gov.au | Cogito Group (BB) |
| 5.2 | Feb 2018 | Updates and corrections on review by GK | PKI Ops Man |
Signatures

| Appointment | Organisation | Signature |
|---|---|---|
| Defence PKI Policy Board (DPKIPB) Chair | Dept. of Defence | PKI Documentation published as PDF files has undergone an extensive review and endorsement process by the relevant authorities in accordance with CDMC PKI publishing processes. |
| Gatekeeper Competent Authority (GCA) | Digital Transformation Agency (DTA) | PKI Documentation published as PDF files has undergone an extensive review and endorsement process by the relevant authorities in accordance with CDMC PKI publishing processes. |
Contents

1. INTRODUCTION ... 9
  1.1 Overview ... 9
  1.2 Document name and identification ... 9
  1.3 PKI participants ... 10
    1.3.1 Certification authorities ... 10
    1.3.2 Registration authorities ... 10
    1.3.3 Subscribers ... 10
    1.3.4 Relying parties ... 10
    1.3.5 Other participants ... 10
  1.4 Certificate usage ... 10
    1.4.1 Appropriate certificate uses ... 10
    1.4.2 Prohibited certificate uses ... 10
  1.5 Policy administration ... 11
    1.5.1 Organisation administering the document ... 11
    1.5.2 Contact person ... 11
    1.5.3 Authority determining CPS suitability for the policy ... 11
    1.5.4 CPS approval procedures ... 11
  1.6 Definitions, acronyms and interpretation ... 11
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ... 11
  2.1 Repositories ... 11
  2.2 Publication of certificate information ... 11
  2.3 Time or frequency of publication ... 11
  2.4 Access controls on repositories ... 11
3. IDENTIFICATION AND AUTHENTICATION ... 12
  3.1 Naming ... 12
    3.1.1 Types of Names ... 12
    3.1.2 Need for names to be meaningful ... 12
    3.1.3 Anonymity or pseudonymity of Subscribers ... 12
    3.1.4 Rules for interpreting various name forms ... 12
    3.1.5 Uniqueness of names ... 12
    3.1.6 Recognition, authentication, and role of trademarks ... 12
  3.2 Initial identity validation ... 12
    3.2.1 Method to prove possession of private key ... 12
    3.2.2 Authentication of organisation identity ... 12
    3.2.3 Authentication of individual identity ... 12
    3.2.4 Non-verified subscriber information ... 13
    3.2.5 Validation of authority ... 13
    3.2.6 Criteria for interoperation ... 13
  3.3 Identification and Authentication for Re-Key Requests ... 13
    3.3.1 Identification and authentication for routine re-key ... 13
    3.3.2 Identification and authentication for re-key after revocation ... 13
  3.4 Identification and Authentication for Revocation Requests ... 13
4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ... 13
  4.1 Certificate application ... 13
    4.1.1 Who can submit a certificate application ... 13
    4.1.2 Enrolment process and responsibilities ... 13
  4.2 Certificate application processing ... 14
    4.2.1 Performing identification and authentication functions ... 14
    4.2.2 Approval or rejection of certificate applications ... 14
    4.2.3 Time to process certificate applications ... 14
  4.3 Certificate issuance ... 14
    4.3.1 CA actions during certificate issuance ... 14
    4.3.2 Notification to subscriber by the CA of issuance of certificate ... 14
  4.4 Certificate acceptance ... 14
    4.4.1 Conduct constituting certificate acceptance ... 14
    4.4.2 Publication of the certificate by the CA ... 14
    4.4.3 Notification of certificate issuance by the CA to other entities ... 14
  4.5 Key pair and certificate usage ... 15
    4.5.1 Subscriber private key and certificate usage ... 15
    4.5.2 Relying party public key and certificate usage ... 15
  4.6 Certificate renewal ... 15
    4.6.1 Circumstance for certificate renewal ... 15
    4.6.2 Who may request renewal ... 15
    4.6.3 Processing certificate renewal requests ... 15
    4.6.4 Notification of new certificate issuance to subscriber ... 15
    4.6.5 Conduct constituting acceptance of a renewal certificate ... 15
    4.6.6 Publication of the renewal certificate by the CA ... 15
    4.6.7 Notification of certificate issuance by the CA to other entities ... 15
  4.7 Certificate re-key ... 16
    4.7.1 Circumstance for certificate re-key ... 16
    4.7.2 Who may request certification of a new public key? ... 16
    4.7.3 Processing certificate re-keying requests ... 16
    4.7.4 Notification of new certificate issuance to subscriber ... 16
    4.7.5 Conduct constituting acceptance of a re-keyed certificate ... 16
    4.7.6 Publication of the re-keyed certificate by the CA ... 16
    4.7.7 Notification of certificate issuance by the CA to other entities ... 16
  4.8 Certificate modification ... 16
    4.8.1 Circumstance for certificate modification ... 16
    4.8.2 Who may request certificate modification ... 16
    4.8.3 Processing certificate modification requests ... 16
    4.8.4 Notification of new certificate issuance to subscriber ... 16
    4.8.5 Conduct constituting acceptance of modified certificate ... 17
    4.8.6 Publication of the modified certificate by the CA ... 17
    4.8.7 Notification of certificate issuance by the CA to other entities ... 17
  4.9 Certificate revocation and suspension ... 17
    4.9.1 Circumstances for revocation ... 17
    4.9.2 Who can request revocation ... 17
    4.9.3 Procedure for revocation request ... 17
    4.9.4 Revocation request grace period ... 17
    4.9.5 Time within which CA must process the revocation request ... 17
    4.9.6 Revocation checking requirement for relying parties ... 17
    4.9.7 CRL issuance frequency (if applicable) ... 17
    4.9.8 Maximum latency for CRLs (if applicable) ... 17
    4.9.9 On-line revocation/status checking availability ... 18
    4.9.10 On-line revocation checking requirements ... 18
    4.9.11 Other forms of revocation advertisements available ... 18
    4.9.12 Special requirements re key compromise ... 18
    4.9.13 Circumstances for suspension ... 18
    4.9.14 Who can request suspension ... 18
    4.9.15 Procedure for suspension request ... 18
    4.9.16 Limits on suspension period ... 18
  4.10 Certificate status services ... 18
    4.10.1 Operational characteristics ... 18
    4.10.2 Service availability ... 18
    4.10.3 Optional features ... 18
  4.11 End of subscription ... 18
  4.12 Key escrow and recovery ... 19
    4.12.1 Key escrow and recovery policy and practices ... 19
    4.12.2 Session key encapsulation and recovery policy and practices ... 19
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ... 19
  5.1 Physical controls ... 19
  5.2 Procedural controls ... 19
  5.3 Personnel controls ... 19
  5.4 Audit logging procedures ... 19
  5.5 Records archival ... 19
    5.5.1 Types of records archived ... 19
    5.5.2 Retention period for archive ... 19
    5.5.3 Protection of archive ... 19
    5.5.4 Archive backup procedures ... 19
    5.5.5 Requirements for time-stamping of records ... 19
    5.5.6 Archive collection system (internal or external) ... 20
    5.5.7 Procedures to obtain and verify archive information ... 20
  5.6 Key changeover ... 20
  5.7 Compromise and disaster recovery ... 20
  5.8 CA or RA termination ... 20
6. TECHNICAL SECURITY CONTROLS ... 20
  6.1 Key pair generation and installation ... 20
    6.1.1 Key pair generation ... 20
    6.1.2 Private key delivery to subscriber ... 20
    6.1.3 Public key delivery to certificate issuer ... 20
    6.1.4 CA public key delivery to relying parties ... 20
    6.1.5 Key sizes ... 20
    6.1.6 Public key parameters generation and quality checking ... 20
    6.1.7 Key usage purposes (as per X.509 v3 key usage field) ... 21
  6.2 Private key protection and cryptographic module engineering controls ... 21
    6.2.1 Cryptographic module standards and controls ... 21
    6.2.2 Private key (n out of m) multi-person control ... 21
    6.2.3 Private key escrow ... 21
    6.2.4 Private key backup ... 21
    6.2.5 Private key archival ... 21
    6.2.6 Private key transfer into or from a cryptographic module ... 21
    6.2.7 Private key storage on cryptographic module ... 21
    6.2.8 Method of activating private key ... 21
    6.2.9 Method of deactivating private key ... 21
    6.2.10 Method of destroying private key ... 21
    6.2.11 Cryptographic Module Rating ... 21
  6.3 Other aspects of key pair management ... 22
    6.3.1 Public key archival ... 22
    6.3.2 Certificate operational periods and key pair usage periods ... 22
  6.4 Activation data ... 22
    6.4.1 Activation data generation and installation ... 22
    6.4.2 Activation data protection ... 22
    6.4.3 Other aspects of activation data ... 22
  6.5 Computer security controls ... 22
  6.6 Life cycle technical controls ... 22
  6.7 Network security controls ... 22
  6.8 Time-stamping ... 22
7. CERTIFICATE, CRL AND OCSP PROFILES ... 22
  7.1 Certificate profile ... 22
    7.1.1 Version number(s) ... 22
    7.1.2 Certificate extensions ... 22
    7.1.3 Algorithm object identifiers ... 23
    7.1.4 Name forms ... 23
    7.1.5 Name constraints ... 23
    7.1.6 Certificate policy object identifier ... 23
    7.1.7 Usage of policy constraints extension ... 23
    7.1.8 Policy qualifiers syntax and semantics ... 23
    7.1.9 Processing semantics for the critical certificate policies extension ... 23
  7.2 CRL profile ... 23
    7.2.1 Version number(s) ... 23
    7.2.2 CRL and CRL entry extensions ... 24
  7.3 OCSP profile ... 24
    7.3.1 Version Numbers ... 24
    7.3.2 OCSP Extensions ... 24
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS ... 24
  8.1 Frequency or circumstances of assessment ... 24
  8.2 Identity/qualifications of assessor ... 24
  8.3 Assessor's relationship to assessed entity ... 24
  8.4 Topics covered by assessment ... 24
  8.5 Actions taken as a result of deficiency ... 24
  8.6 Communication of results ... 24
9. OTHER BUSINESS AND LEGAL MATTERS ... 24
  9.1 Fees ... 24
    9.1.1 Certificate issuance or renewal fees ... 24
    9.1.2 Certificate access fees ... 25
    9.1.3 Revocation or status information access fees ... 25
    9.1.4 Fees for other services ... 25
    9.1.5 Refund policy ... 25
  9.2 Financial responsibility ... 25
    9.2.1 Insurance coverage ... 25
    9.2.2 Other assets ... 25
    9.2.3 Insurance or warranty coverage for end-entities ... 25
  9.3 Confidentiality of business information ... 25
    9.3.1 Scope of confidential information ... 25
    9.3.2 Information not within the scope of confidential information ... 25
    9.3.3 Responsibility to protect confidential information ... 25
  9.4 Privacy of personal information ... 25
  9.5 Intellectual property rights ... 25
  9.6 Representations and warranties ... 26
    9.6.1 CA representations and warranties ... 26
    9.6.2 RA representations and warranties ... 26
    9.6.3 Subscriber representations and warranties ... 26
    9.6.4 Relying party representations and warranties ... 26
    9.6.5 Representations and warranties of other participants ... 26
  9.7 Disclaimer of warranties ... 26
9.8 Limitations of liability .... 26
9.9 Indemnities .... 27
9.10 Term and termination .... 27
9.10.1 Term .... 27
9.10.2 Termination .... 27
9.10.3 Effect of termination and survival .... 27
9.11 Individual notices and communications with participants .... 27
9.12 Amendments .... 27
9.13 Dispute resolution provisions .... 27
9.14 Governing Law .... 27
9.15 Compliance with Applicable Law .... 27
9.16 Miscellaneous provisions .... 27
9.17 Other provisions .... 27
APPENDIX A. REFERENCES .... 28
APPENDIX B. CERTIFICATE PROFILES .... 29
B.1 Code Signing Local Key Gen .... 29
APPENDIX C. CRL PROFILE .... 31
APPENDIX D. LEVEL OF ASSURANCE MAPPING .... 32
D.1 Assurance Level .... 32
D.2 Risk Assessment .... 33
List of Tables
Table 1 - Signature OIDs .... 23
Table 2 - Algorithm OIDs .... 23
Table 3 - References .... 28
Table 4 – Certificate Profile – Code signing certificate .... 30
1. INTRODUCTION
Certificate Policies (CPs) are, in the X.509 version 3 digital certificate standard, the named set of rules regarding the applicability of a Certificate to a particular community and/or class of applications with common security requirements. A CP may be used by a Relying Party to help in deciding whether a certificate, and the binding therein, are sufficiently trustworthy and otherwise appropriate for a particular application.
This CP identifies the rules to manage the Australian Government Department of Defence (Defence) Code Signing Resource Certificates that are used to attest the authenticity and integrity of software code. It includes the obligations of the Public Key Infrastructure (PKI) entities, and how the parties, indicated below, use them. It does not describe how to implement these rules as that information is in the Defence PKI Certification Practice Statement (CPS), or documents referenced by the CPS. In general, the rules in this CP identify the minimum standards in terms of performance, security and/or quality.
The headings in this CP follow the framework set out in Internet Engineering Task Force Request for Comment (RFC) 3647: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
A document hierarchy applies: the provisions of any applicable contract such as a Subscriber Agreement, Deed of Agreement or other relevant contract override the provisions of this CP. The provisions of this CP prevail over the provisions of the CPS to the extent of any direct inconsistency. The provisions of the CPS govern any matter on which this CP is silent. (Note: where subtitled sections of the framework provide no additional information to the detail provided in the CPS, they have not been further extrapolated in this document.)
This section identifies and introduces the set of provisions, and indicates the types of entities and applications applicable for this CP.
1.1 Overview
This CP only applies to certificates issued to Defence Code Signing Resource Custodians for the purpose of digitally signing software code on behalf of Defence, attesting to the authenticity and integrity of the code that has been signed, and does not apply to other non-individuals (e.g. organisations, resources or devices) or individuals.
No authority, or privilege, applies to an approved Code Signing Resource Custodian certificate holder, other than conferring an ability to digitally sign code, on behalf of Defence, that attests to the authenticity and integrity of the code.
The principal documents referenced by this CP are shown in Appendix A. The contents of a referenced document may be classified.
1.2 Document name and identification
The title for this CP is “X.509 Certificate Policy for the Australian Government Department of Defence Code Signing Resource Certificates”. The Object Identifier (OID) for this CP is 1.2.36.1.334.1.1.3.4.
{iso(1) iso-member(2) australia(36) government(1) department of defence(334) pki(1) certificate policy(1) resource(3) code-signing(4)}
Extensions of this OID represent the certificate variants governed by this CP. They are identified in Appendix B.
1.3 PKI participants
1.3.1 Certification authorities
The Certification Authorities (CAs) that issue certificates under this CP are Gatekeeper-accredited. For further information, see CPS.
1.3.2 Registration authorities
The Registration Authorities (RAs) that perform the registration function under this CP are Gatekeeper-accredited Defence RAs. For further information, see CPS.
1.3.3 Subscribers
In this document - and as allowed by the definition of Subscriber in the CPS - the Subscriber of a Defence Code Signing Resource Certificate may, depending on the context, refer to the Non-Person Entity (NPE) whose name appears as the subject in the certificate, or to the person or legal entity that applied for that Certificate.
In the case of a Defence Code Signing Certificate, the Subscriber (person or legal entity) is a Code Signing Resource Custodian. The Code Signing Resource Custodian is responsible for the appropriate use of the Code Signing Certificate.
In some instances, certain responsibilities of the Subscriber (person or legal entity) may be delegated to a Key Custodian. The Subscriber person or legal entity is fully responsible and accountable for the acts or omissions of its delegate.
1.3.4 Relying parties
See CPS.
1.3.5 Other participants
See CPS.
1.4 Certificate usage
1.4.1 Appropriate certificate uses
The appropriate use for Certificates issued under this CP, in conjunction with their associated private keys, is to:
i. allow Defence to digitally sign code to attest the authenticity and integrity of the code; and
ii. permit relying parties to validate that the signed code is authentic and issued by a trusted authority.
1.4.2 Prohibited certificate uses
The prohibited uses for certificates issued under this CP are:
i. validating any Resource to conduct any transaction, or communication, which is any or all of the following:
a) Unrelated to Defence business;
b) Illegal;
c) Unauthorised;
d) Unethical; or
e) Contrary to Defence policy.
Engaging in prohibited certificate use is a breach of the responsibilities and obligations agreed to by the Code Signing Resource Custodian (RC).
1.5 Policy administration
1.5.1 Organisation administering the document
See CPS.
1.5.2 Contact person
See CPS.
1.5.3 Authority determining CPS suitability for the policy
See CPS.
1.5.4 CPS approval procedures
See CPS.
1.6 Definitions, acronyms and interpretation
Acronyms and terms used in this CP are defined in the CPS. Note that defined terms in this CP appear in italics the first time they are used and otherwise are not identified in this manner when appearing later throughout the CP. Defined terms may be upper or lower case.
The interpretation clause in Part 3 of Appendix B of the CPS (B.3) also applies to this CP.
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
2.1 Repositories
See CPS.
2.2 Publication of certificate information
See CPS.
2.3 Time or frequency of publication
See 4.9.7 for CRL issuance frequency. For further information, see CPS.
2.4 Access controls on repositories
See CPS.
3. IDENTIFICATION AND AUTHENTICATION
3.1 Naming
3.1.1 Types of Names
A clear, distinguishable and unique Distinguished Name (DN) must be present in the certificate Subject field.
3.1.2 Need for names to be meaningful
The DPKIPB shall ensure that the DN in the subjectName field used to identify the Subject of a certificate is:
i. Meaningful; and
ii. Relates directly to an attribute or identifier of the Resource.
3.1.3 Anonymity or pseudonymity of Subscribers
Not applicable.
3.1.4 Rules for interpreting various name forms
No stipulation as there is only one form.
3.1.5 Uniqueness of names
Names are unique within the PKI namespace.
3.1.6 Recognition, authentication, and role of trademarks
See CPS.
3.2 Initial identity validation
3.2.1 Method to prove possession of private key
Certificate requests submitted to the CA must be PKCS#10 formatted requests, where proof of possession of the Private Key is ensured and the Key Pair is generated at the time the certificate request is created.
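As an added illustration of the PKCS#10 proof-of-possession requirement in 3.2.1 (and the 2048-bit RSA floor in 6.1.5), not code from the CP or the Defence PKI: a registration-side check written in Go with only the standard library. The subject name, key sizes and the tampered request are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// minRSABits is the minimum RSA modulus size required by section 6.1.5 of the CP.
const minRSABits = 2048

// ValidatePKCS10 performs the registration-side checks implied by 3.2.1 and 6.1.3:
// the request must parse as PKCS#10, its self-signature (the proof of possession of
// the private key) must verify under the embedded public key, and the key must be
// RSA of at least minRSABits. It returns the parsed request on success.
func ValidatePKCS10(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("not a well-formed PKCS#10 request: %w", err)
	}
	// CheckSignature verifies the signature over CertificationRequestInfo with the
	// public key carried inside the request; only the holder of the matching private
	// key can produce it, which is what "proof of possession" means here.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("public key is %T, expected RSA", csr.PublicKey)
	}
	if bits := pub.N.BitLen(); bits < minRSABits {
		return nil, fmt.Errorf("RSA modulus is %d bits, minimum is %d", bits, minRSABits)
	}
	return csr, nil
}

// buildSampleCSR generates a fresh key pair and a PKCS#10 request for it, the way a
// resource would at enrolment. The subject is a constructed sample, not a Defence DN.
func buildSampleCSR(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "sample-code-signing-resource"},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	good, err := buildSampleCSR(2048)
	if err != nil {
		panic(err)
	}
	if _, err := ValidatePKCS10(good); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("2048-bit request: proof of possession OK")
	}
	// Constructed tamper: flip the final byte, which lies inside the signature BIT
	// STRING at the end of the DER encoding, so the signature no longer matches.
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0xff
	_, err = ValidatePKCS10(tampered)
	fmt.Println("tampered request:", err)
	weak, _ := buildSampleCSR(1024)
	_, err = ValidatePKCS10(weak)
	fmt.Println("1024-bit request:", err)
}
```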
3.2.2 Authentication of organisation identity
The RC is responsible for the resource being deployed. Authentication of organisation identity is therefore implicit in an RC’s authorisation for registration of the resource with the PKI.
The Code Signing Resource Custodian that will be responsible for the Code Signing certificate must prove affiliation with Defence before being issued keys and certificate.
3.2.3 Authentication of individual identity
This CP is for a non-person entity, and not an individual. The identifying characteristics of the resource will be resource-specific. The RC authenticates the identity of the resource during the approval of the certification request after checking that the information in the request is correct.
The Code Signing Resource Custodian that will be responsible for the Code Signing certificate must provide Evidence of Identity (EOI) to satisfy Gatekeeper High Assurance requirements before being issued keys and certificate.
3.2.4 Non-verified subscriber information
All Subscriber information included in the certificate request is verified by the RC.
3.2.5 Validation of authority
Prior to the issue of a certificate, affiliation with Defence is validated by the RC.
3.2.6 Criteria for interoperation
See CPS.
3.3 Identification and Authentication for Re-Key Requests
3.3.1 Identification and authentication for routine re-key
The CA will allow routine re-keying before expiration of the subscriber's current certificate. The re-key request must be accompanied by a validly signed email from the Code-Signing Resource Custodian's 1 Star supervisor confirming the on-going need for the code signing capability.
3.3.2 Identification and authentication for re-key after revocation
See 3.2.2 (Authentication of organisation identity) and 3.2.3 (Authentication of individual identity).
3.4 Identification and Authentication for Revocation Requests
Dual authentication is required for all requests to revoke (either two RCs or one RC and a PKI Operator). Prior to revocation, the request is verified and the requestor and reasons documented.
Revocation requests, from sources other than the RC, should be digitally signed. If that is not possible, then a signed letter should be sent by post or fax.
Revocation requests, from sources other than an RC, are authenticated by verifying that the request is signed by the person making the request, validating that the sender is affiliated with Defence, and checking that the request contains all the correct and required information.
Only in extraordinary (emergency) circumstances can a revocation request be submitted verbally.
See 4.9 (Certificate revocation and suspension) for more information on revocation.
4. CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS
4.1 Certificate application
4.1.1 Who can submit a certificate application
See CPS.
4.1.2 Enrolment process and responsibilities
The Code Signing Resource Custodian that is to be responsible for the code signing keys and certificate must attend a face-to-face registration during which they need to present their EOI to the RC. The RC confirms affiliation with Defence, and the Code Signing Resource Custodian signs a form outlining their responsibilities.
Depending on the environment requiring the code signing certificate, the RC may either use the resource's security functionality or the PKI software to generate a key pair and submit a certificate request. The RC verifies the information in the request and then approves it for registration. The RA validates and signs the request, and sends it to the CA.
4.2 Certificate application processing
4.2.1 Performing identification and authentication functions
The RC will perform enrolment as per section 4.1.2, and submit the validated request to the RA. The RA will validate and submit the request to the CA.
4.2.2 Approval or rejection of certificate applications
An RC may reject or approve a certificate application. Reasons for rejection may include an invalid application, insufficient affiliation with Defence, or the provision of incorrect or insufficient identification details.
4.2.3 Time to process certificate applications
See CPS.
4.3 Certificate issuance
4.3.1 CA actions during certificate issuance
See CPS.
4.3.2 Notification to subscriber by the CA of issuance of certificate
See CPS.
4.4 Certificate acceptance
4.4.1 Conduct constituting certificate acceptance
Use of the certificate constitutes acceptance.
4.4.2 Publication of the certificate by the CA
See CPS.
4.4.3 Notification of certificate issuance by the CA to other entities
No stipulation.
4.5 Key pair and certificate usage
4.5.1 Subscriber private key and certificate usage
The Code Signing Resource Custodian must ensure that private keys are only used in accordance with the key usage parameters set in the certificate and as defined in section 1.4 (Certificate Usage). Use of the private key is only permitted following approval of the corresponding certificate by the RC and must be discontinued immediately following expiration or revocation of the certificate. A Subscriber must include the corresponding certificate with a digital signature to allow Relying Parties to perform signature verification.
4.5.2 Relying party public key and certificate usage
1.4 (Certificate Usage) and 1.3.4 (Relying Parties) detail the Relying Party’s public key and certificate usage and responsibilities.
The interpretation of, and compliance with, extendedKeyUsage attributes, and any associated limitations on the use of the certificate and/or private key, is in accordance with RFC 5280.
4.6 Certificate renewal
4.6.1 Circumstance for certificate renewal
See CPS for certificate renewal criteria.
Certificate renewal is only permitted in exceptional circumstances and must not be used to avoid certificate re-key or the associated identification and authentication processes. For further information, see CPS.
4.6.2 Who may request renewal
See CPS.
4.6.3 Processing certificate renewal requests
Processing of certificate renewal requests is consistent with the processing of new certificate requests, as detailed in 4.2 (Certificate Application Processing).
4.6.4 Notification of new certificate issuance to subscriber
See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).
4.6.5 Conduct constituting acceptance of a renewal certificate
See 4.4.1 (Conduct constituting certificate acceptance).
4.6.6 Publication of the renewal certificate by the CA
See 4.4.2 (Publication of the certificate by the CA).
4.6.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.7 Certificate re-key
4.7.1 Circumstance for certificate re-key
See CPS.
4.7.2 Who may request certification of a new public key?
See 4.1.1 (Who can submit a certificate application).
4.7.3 Processing certificate re-keying requests
Processing of certificate re-key requests is consistent with the processing of new certificate requests, as detailed in 4.2.1 (Performing identification and authentication functions).
4.7.4 Notification of new certificate issuance to subscriber
See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).
4.7.5 Conduct constituting acceptance of a re-keyed certificate
See 4.4.1 (Conduct constituting certificate acceptance).
4.7.6 Publication of the re-keyed certificate by the CA
See 4.4.2 (Publication of the certificate by the CA).
4.7.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.8 Certificate modification
4.8.1 Circumstance for certificate modification
The circumstances permitted for certificate modification include (but may not be limited to):
i. Details in the certificate relevant to the certificate subject have changed or been found to be incorrect.
ii. Interoperation with an approved “third party” PKI, or Defence assets and systems, requires certificate attributes or contents to be inserted, modified or deleted.
The DPKIPB will determine other circumstances as appropriate.
See CPS for further information.
4.8.2 Who may request certificate modification
See 4.1.1 (Who can submit a certificate application).
4.8.3 Processing certificate modification requests
The process for certificate modification is consistent with 4.2 (Certificate application processing). The identification and authentication procedures comply with 3.3 (Identification and Authentication for Re-Key Requests).
4.8.4 Notification of new certificate issuance to subscriber
See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).
4.8.5 Conduct constituting acceptance of modified certificate
See 4.4.1 (Conduct constituting certificate acceptance).
4.8.6 Publication of the modified certificate by the CA
See CPS.
4.8.7 Notification of certificate issuance by the CA to other entities
No stipulation.
4.9 Certificate revocation and suspension
4.9.1 Circumstances for revocation
See CPS.
4.9.2 Who can request revocation
See CPS.
4.9.3 Procedure for revocation request
Revocation requests are verified on receipt in accordance with 3.4 (Identification and authentication for revocation requests) and processed in priority order.
After verification the RC (or PKI Operator) processes revocation requests by using the PKI software, which captures an auditable record of the process.
After a certificate is revoked, the CA includes the applicable certificate (certificate serial number) in the CRL that is signed by the CA and published in the repositories.
4.9.4 Revocation request grace period
A grace period of one Operational Day is permitted.
The DPKIPB, or an approved delegate, in exceptional circumstances (such as a security or law enforcement investigation), may approve a delay in the submission of a revocation request. An audit record of this approval is required, and must be submitted with the revocation request upon expiry of the approved delay.
4.9.5 Time within which CA must process the revocation request
A CA shall process revocation requests for certificates issued under this CP promptly after receipt.
4.9.6 Revocation checking requirement for relying parties
See CPS.
4.9.7 CRL issuance frequency (if applicable)
CRLs for certificates under this CP are published on each certificate revocation, or at intervals no longer than 24 hours if there are no updates.
4.9.8 Maximum latency for CRLs (if applicable)
The maximum latency between the generation and publication of CRLs is 3 days.
4.9.9 On-line revocation/status checking availability
The Online Certificate Status Protocol (OCSP) service is available at
http://ocsp.defence.gov.au
Refer to the relevant Certificate Profile in Appendix B: if the certificate is issued with an OCSP access location reference (Authority Information Access extension), OCSP is available to the Relying Party as a certificate status checking method.
The latest CRL is available from the published repositories; refer to 2.1 (Repositories) and the certificate's CRL Distribution Point for further information.
4.9.10 On-line revocation checking requirements
No stipulation.
4.9.11 Other forms of revocation advertisements available
See CPS.
4.9.12 Special requirements re key compromise
Code signing certificates that have been revoked due to key compromise, or that have been issued to unauthorised persons, must be maintained in the CA’s public revocation database for at least 20 years.
4.9.13 Circumstances for suspension
Certificate suspension is not supported under this CP.
4.9.14 Who can request suspension
Certificate suspension is not supported under this CP.
4.9.15 Procedure for suspension request
Certificate suspension is not supported under this CP.
4.9.16 Limits on suspension period
Certificate suspension is not supported under this CP.
4.10 Certificate status services
4.10.1 Operational characteristics
See CPS.
4.10.2 Service availability
See CPS.
4.10.3 Optional features
No stipulation.
4.11 End of subscription
See CPS.
4.12 Key escrow and recovery
Keys will not be escrowed.
4.12.1 Key escrow and recovery policy and practices
No stipulation.
4.12.2 Session key encapsulation and recovery policy and practices
No stipulation.
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
5.1 Physical controls
See CPS.
5.2 Procedural controls
See CPS.
5.3 Personnel controls
See CPS.
5.4 Audit logging procedures
See CPS.
5.5 Records archival
5.5.1 Types of records archived
See CPS.
5.5.2 Retention period for archive
See CPS.
5.5.3 Protection of archive
See CPS.
5.5.4 Archive backup procedures
See CPS.
5.5.5 Requirements for time-stamping of records
See CPS.
5.5.6 Archive collection system (internal or external)
No stipulation.
5.5.7 Procedures to obtain and verify archive information
See CPS.
5.6 Key changeover
See CPS.
5.7 Compromise and disaster recovery
See CPS.
5.8 CA or RA termination
See CPS.
6. TECHNICAL SECURITY CONTROLS
6.1 Key pair generation and installation
6.1.1 Key pair generation
Keys are primarily generated locally within the resource during the requesting process. Where a key pair is generated on behalf of the resource, the generation occurs centrally by a trusted role and, following the placement of the keys in the custody of the resource, the copy of the key pair is destroyed.
6.1.2 Private key delivery to subscriber
Generally the key generation is performed within the resource, so no delivery is required. Where keys are generated externally, the private key is delivered to the subscriber within a protected container known as a PKCS12 file. The PKCS12 format ensures the private key data is encrypted, and is only accessible with the provision of an unlocking password. The Code Signing Resource Custodian is to supply the protecting password at the time of key generation.
6.1.3 Public key delivery to certificate issuer
Where keys are generated within the Resource, its public key is provided to the CA in a PKCS#10 certificate request file signed with the corresponding private key.
6.1.4 CA public key delivery to relying parties
See CPS.
6.1.5 Key sizes
Key sizes will be a minimum of 2048 bit RSA modulus.
6.1.6 Public key parameters generation and quality checking
See CPS.
6.1.7 Key usage purposes (as per X.509 v3 key usage field)
Keys issued under this CP allow a Subscriber to assert the authentication and integrity of the application/code. See Appendix B and CPS for further information.
6.2 Private key protection and cryptographic module engineering controls
6.2.1 Cryptographic module standards and controls
See CPS.
6.2.2 Private key (n out of m) multi-person control
See CPS.
6.2.3 Private key escrow
Escrow of keys does not occur.
6.2.4 Private key backup
See CPS.
6.2.5 Private key archival
See CPS.
6.2.6 Private key transfer into or from a cryptographic module
See CPS.
6.2.7 Private key storage on cryptographic module
See CPS.
6.2.8 Method of activating private key
Activating private keys occurs by the Key Custodian authenticating to the cryptographic module. The session stays live until deactivated (see 6.2.9).
6.2.9 Method of deactivating private key
Deactivation can be achieved via:
i. Shutdown or restart of the system;
ii. Removal of the token; or
iii. Shutdown of the service that operates the token.
6.2.10 Method of destroying private key
See CPS.
6.2.11 Cryptographic Module Rating
See CPS.
6.3 Other aspects of key pair management
6.3.1 Public key archival
See CPS.
6.3.2 Certificate operational periods and key pair usage periods
The Subscriber certificate has a maximum validity period of 2 years to limit the key lifetime. For further information, see CPS.
6.4 Activation data
6.4.1 Activation data generation and installation
No stipulation.
6.4.2 Activation data protection
See CPS.
6.4.3 Other aspects of activation data
No stipulation.
6.5 Computer security controls
See CPS.
6.6 Life cycle technical controls
See CPS.
6.7 Network security controls
See CPS.
6.8 Time-stamping
See CPS.
7. CERTIFICATE, CRL AND OCSP PROFILES
7.1 Certificate profile
7.1.1 Version number(s)
All certificates are X.509 Version 3 certificates.
7.1.2 Certificate extensions
See Appendix B.
7.1.3 Algorithm object identifiers
Certificates under this CP will use one of the following OIDs for signatures.
sha-1WithRSAEncryption {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5}
sha256WithRSAEncryption {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11}
Table 1 - Signature OIDs
Certificates under this CP will use one of the following OIDs for identifying the algorithm for which the subject key was generated.
id-ecPublicKey {iso(1) member-body(2) us(840) ansi-x9-62(10045) public-key-type(2) 1}
rsaEncryption {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1}
dhpublicnumber {iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1}
id-keyExchangeAlgorithm {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) algorithms(1) 22}
Table 2 - Algorithm OIDs
7.1.4 Name forms
See CPS and Appendix B for further information.
7.1.5 Name constraints
Name constraints are not present.
7.1.6 Certificate policy object identifier
Certificates issued under this CP shall assert this CP’s OID (1.2.36.1.334.1.1.3.4).
Certificates issued under this policy shall also assert the following LoA OID:
{1.2.36.1.334.1.2.2.2} Level of Assurance – Medium (Resource)
In addition, to enable the use of the certificate at lower Levels of Assurance, this policy also asserts the following OID:
{1.2.36.1.334.1.2.2.1} Level of Assurance – Low (Resource).
See also Appendix B.
7.1.7 Usage of policy constraints extension
See Appendix B.
7.1.8 Policy qualifiers syntax and semantics
See Appendix B.
7.1.9 Processing semantics for the critical certificate policies extension
This CP does not require the certificate policies extension to be critical. Relying Parties whose client software does not process this extension do so at their own risk.
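The following Go program is an added example, not part of the CP or of the Defence PKI tooling: a relying-party check that a parsed certificate asserts the OIDs named in 1.2 and 7.1.6, is signed with a Table 1 algorithm, carries an RSA modulus of at least 2048 bits (6.1.5) and is valid for at most 2 years (6.3.2). The codeSigning extended key usage requirement is assumed from 1.4.1 (the actual key-usage profile is in Appendix B, which is not reproduced here), and buildSampleCert produces a constructed self-signed certificate only to exercise the check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// OIDs quoted from the CP (sections 1.2 and 7.1.6) plus RFC 5280's certificatePolicies.
var (
	oidCodeSigningCP = asn1.ObjectIdentifier{1, 2, 36, 1, 334, 1, 1, 3, 4}
	oidLoAMedium     = asn1.ObjectIdentifier{1, 2, 36, 1, 334, 1, 2, 2, 2}
	oidLoALow        = asn1.ObjectIdentifier{1, 2, 36, 1, 334, 1, 2, 2, 1}
	oidCertPolicies  = asn1.ObjectIdentifier{2, 5, 29, 32}
)

const minRSABits, maxValidityYears = 2048, 2 // sections 6.1.5 and 6.3.2

// CheckCPCompliance lists how cert departs from the profile rules stated in the CP
// body; an empty result means every rule checked here holds.
func CheckCPCompliance(cert *x509.Certificate) []string {
	var problems []string
	// 7.1.6: the CP OID and the Medium LoA OID must be asserted. 7.1.9 says the
	// extension need not be critical, so criticality is deliberately not checked.
	if !slices.ContainsFunc(cert.PolicyIdentifiers, oidCodeSigningCP.Equal) {
		problems = append(problems, "certificatePolicies lacks the CP OID 1.2.36.1.334.1.1.3.4")
	}
	if !slices.ContainsFunc(cert.PolicyIdentifiers, oidLoAMedium.Equal) {
		problems = append(problems, "certificatePolicies lacks LoA Medium (Resource) 1.2.36.1.334.1.2.2.2")
	}
	// 7.1.3, Table 1: sha256WithRSAEncryption or sha-1WithRSAEncryption. SHA-1 is
	// listed by the CP but current verifiers commonly reject it, so it is reported too.
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA:
	case x509.SHA1WithRSA:
		problems = append(problems, "signed with sha-1WithRSAEncryption (in Table 1, but widely rejected)")
	default:
		problems = append(problems, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not in Table 1")
	}
	// 6.1.5: RSA modulus of at least 2048 bits; the CP states no floor for Table 2's
	// other key types, so only RSA is accepted here.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < minRSABits {
		problems = append(problems, fmt.Sprintf("subject key (%T) is not RSA of at least %d bits", cert.PublicKey, minRSABits))
	}
	// 6.3.2: validity period of at most 2 years.
	if cert.NotAfter.After(cert.NotBefore.AddDate(maxValidityYears, 0, 0)) {
		problems = append(problems, "validity period exceeds 2 years")
	}
	// 1.4.1 and 6.1.7: the key exists to sign code. The key-usage bits live in
	// Appendix B (not reproduced here), so requiring the codeSigning EKU is an assumption.
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageCodeSigning) {
		problems = append(problems, "extendedKeyUsage does not include codeSigning")
	}
	return problems
}

// policiesExtension encodes certificatePolicies as a SEQUENCE OF PolicyInformation
// holding bare OIDs (no qualifiers), non-critical as 7.1.9 allows.
func policiesExtension(oids []asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]struct{ Policy asn1.ObjectIdentifier }, len(oids))
	for i, o := range oids {
		infos[i].Policy = o
	}
	der, err := asn1.Marshal(infos)
	return pkix.Extension{Id: oidCertPolicies, Value: der}, err
}

// buildSampleCert makes a constructed, self-signed certificate (not a Defence-issued
// one) with the given RSA size, policy OIDs and validity, to exercise the checks.
func buildSampleCert(bits int, oids []asn1.ObjectIdentifier, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	ext, err := policiesExtension(oids)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "sample-code-signing-resource"},
		NotBefore:          now,
		NotAfter:           now.AddDate(years, 0, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		SignatureAlgorithm: x509.SHA256WithRSA,
		ExtraExtensions:    []pkix.Extension{ext},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate built with all three OIDs, a 2048-bit key and a 2-year validity yields no problems; one built with only the Low LoA OID, a 1024-bit key and a 3-year validity is reported on four counts.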
7.2 CRL profile
7.2.1 Version number(s)
CRLs issued shall be X.509 version 2 CRLs.
7.2.2 CRL and CRL entry extensions
See Appendix C.
7.3 OCSP profile
7.3.1 Version Numbers
OCSP is implemented using version 1 as specified under RFC 2560.
7.3.2 OCSP Extensions
Refer to CPS and the Validation Authority (VA) CP for the full OCSP profile.
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
8.1 Frequency or circumstances of assessment
See CPS.
8.2 Identity/qualifications of assessor
See CPS.
8.3 Assessor's relationship to assessed entity
See CPS.
8.4 Topics covered by assessment
See CPS.
8.5 Actions taken as a result of deficiency
See CPS.
8.6 Communication of results
See CPS.
9. OTHER BUSINESS AND LEGAL MATTERS
9.1 Fees
9.1.1 Certificate issuance or renewal fees
No stipulation.
9.1.2 Certificate access fees
There is no fee for accessing Certificates from approved repositories.
9.1.3 Revocation or status information access fees
There is no fee for accessing the CRL from approved repositories.
9.1.4 Fees for other services
See CPS regarding fees for access to this CP. No fee has been stipulated for other services.
9.1.5 Refund policy
See CPS.
9.2 Financial responsibility
9.2.1 Insurance coverage
No stipulation.
9.2.2 Other assets
No stipulation.
9.2.3 Insurance or warranty coverage for end-entities
No stipulation.
9.3 Confidentiality of business information
See CPS.
9.3.1 Scope of confidential information
No stipulation.
9.3.2 Information not within the scope of confidential information
No stipulation.
9.3.3 Responsibility to protect confidential information
See CPS.
9.4 Privacy of personal information
Resource Certificates pertain to non-person entities, not individuals, and do not contain any personal information (as defined in the Privacy Act 1988 (Cth)).
9.5 Intellectual property rights
See CPS.
9.6 Representations and warranties
See CPS.
9.6.1 CA representations and warranties
See CPS.
9.6.2 RA representations and warranties
See CPS.
9.6.3 Subscriber representations and warranties
As the trusted role responsible for the private keys, the Code Signing Resource Custodian warrants to:
i. ensure that the private keys, and token Personal Identification Number (PIN), are protected at all times against loss, disclosure to any unauthorised party, modification or unauthorised use;
ii. use the PKI token, including keys, only for the purposes that they are authorised by Defence to use them for and not for any other purpose, including for any unlawful or improper purpose;
iii. immediately notify the PKI if they suspect that their token PIN or keys have, or may have been, compromised; and
iv. not sign any code with their signing private key after the associated certificate expires.
9.6.4 Relying party representations and warranties
See CPS. In addition, certificates issued under this CP do not contain, or imply, any authority, access or privilege. Relying Parties assume responsibility for any financial limit they may wish to apply for transactions authenticated using certificates issued under this CP.
9.6.5 Representations and warranties of other participants
No stipulation.
9.7 Disclaimer of warranties
See CPS.
9.8 Limitations of liability
See CPS.
In addition: GATEKEEPER ACCREDITATION DISCLAIMER
The Gatekeeper Competent Authority is responsible for ensuring that the accreditation process is conducted with due care and in accordance with published Gatekeeper Criteria and Policies. The Gatekeeper Competent Authority is not liable for any errors and/or omissions in the final Approved Documents, which remain the responsibility of the accredited Service Provider. The Digital Transformation Office is not responsible and cannot be held liable for any loss of any kind in relation to the use of digital keys and certificates issued by a Gatekeeper accredited Service Provider. By granting a Service Provider Gatekeeper Accreditation the Digital Transformation Office makes no representation and gives no warranty as to the:
Accuracy of any statements or representations made in, or suitability of, the Approved Documents of a Gatekeeper accredited Service Provider;
Accuracy of any statement or representation made in, or suitability of, the documentation of a Service Provider in a Gatekeeper recognised PKI domain; or
Standard or suitability of any services thereby provided by any Subscriber or Relying Party or application.
9.9 Indemnities
See CPS.
9.10 Term and termination
9.10.1 Term
This CP and any amendments shall become effective upon publication in the Repository and will remain in effect until the notice of its termination is communicated by the Defence PKI on its website or Repository.
9.10.2 Termination
See CPS.
9.10.3 Effect of termination and survival
See CPS.
9.11 Individual notices and communications with participants
See CPS.
9.12 Amendments
See CPS.
9.13 Dispute resolution provisions
See CPS.
9.14 Governing Law
See CPS.
9.15 Compliance with Applicable Law
See CPS.
9.16 Miscellaneous provisions
See CPS.
9.17 Other provisions
See CPS.
APPENDIX A. REFERENCES
The following documents are referenced in this CP:
[2560] RFC 2560, Internet X.509 Public Key Infrastructure Online Certificate Status Protocol (OCSP), Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc2560.txt
[3161] RFC 3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol, Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc3161.txt
[3647] RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc3647.txt
[5280] RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc5280.txt
[CPS] X.509 Certification Practice Statement for the Australian Department of Defence, available at http://crl.defence.gov.au/pkicps/Defence-CPS.pdf
[GK2015] Digital Transformation Office, Gatekeeper PKI Framework v3.1, Dec 2015, available at https://www.dto.gov.au/standard/design-guides/authentication-frameworks/gatekeeper-public-key-infrastructure-framework/
[ISM2015] Australian Signals Directorate, 2015 Australian Government Information Security Manual Controls, available at http://www.asd.gov.au/infosec/ism/index.htm
[KMP] Department of Defence Public Key Infrastructure Key Management Plan (classified)
[LOA] Department of Defence Public Key Infrastructure Assurance Level Requirements document, available at http://crl.defence.gov.au/pki/LOA.pdf
[RCACP] X.509 Certificate Policy for the Australian Department of Defence Root Certification Authority and Subordinate Certificate Authorities, available at http://crl.defence.gov.au/pki/
[VACP] X.509 Certificate Policy for the Australian Department of Defence Validation Authority Certificates, available at http://crl.defence.gov.au/pki/
Table 3 - References
APPENDIX B. CERTIFICATE PROFILES
NB. Variations to the Registration Profiles associated with this Annex will occur over time due to technical implementations. As such variations will be marginal and not materially affect the certificates issued under this CP, they will not be reviewed by the Gatekeeper Competent Authority.
B.1 Code Signing Local Key Gen
Variation 1: CodeSigning_LocalKeyGen_V1.0
Field | Critical | Value | Notes
Version | - | V3 (2) |
Serial | - | <octet string> | Must be unique within Defence namespace
Issuer signature algorithm | - | sha-1WithRSAEncryption | Minimum cryptographic level – SHA-1 for legacy purposes only; SHA-2 for new requests.
Issuer distinguished name | - | CN=ADOCA<serial>, OU=CAs, OU=PKI, OU=DoD, O=GOV, C=AU | Serial is unique within PKI.
Validity period | - | Not before <UTC time>; Not after <UTC time> | 2 years from date of issue
Subject distinguished name | - | <unique identifier> | As determined by device.
Subject public key information | - | 2048 bit RSA key modulus |
Issuer unique identifier | - | Not Present |
Subject unique identifier | - | Not Present |
X.509v3 extensions:
Authority key identifier | No | <octet string> | 160 bit SHA-1 hash of binary DER encoding of signing CA's public key
Subject key identifier | No | <octet string> | 160 bit SHA-1 hash of binary DER encoding of subject's public key
Key usage | Yes | digitalSignature |
Extended key usage | No | codeSigning |
Private key usage period | - | Not Present |
Certificate policies | No | [1] Policy Id: {1.2.36.1.334.1.1.3.4}; Policy qualifier – CPS pointer: http://crl.defence.gov.au/pki | The OID of this CP
 | | [2] Policy OID: {1.2.36.1.334.1.2.2.2} | Level of Assurance – Medium. The Level of Assurance of this certificate.
 | | [3] Policy OID: {1.2.36.1.334.1.2.2.1} | Level of Assurance – Low. Included to allow the certificate to be used in a lower assurance context.
Policy mapping | - | Not Present |
Subject Alternative Name | - | Not Present |
Issuer alternative name | - | Not Present |
Subject directory attributes | - | Not Present |
Basic constraints | - | Not Present |
Name constraints | - | Not Present |
Policy constraints | - | Not Present |
Authority information access | No | [1] Access method: OCSP {1.3.6.1.5.5.7.48.1}; Access location: http://ocsp.defence.gov.au. [2] Access method: CA Issuer {1.3.6.1.5.5.7.48.2}; Access location: http://crl.defence.gov.au/pki/Certificates/ADOCA<serial>. [3] Access method: CA Issuer {1.3.6.1.5.5.7.48.2}; Access location: ldap://dir.defence.gov.au/cn=ADOCA<serial>,ou=CAs,ou=PKI,ou=DoD,o=GOV,c=AU?cACertificate;binary,crossCertificatePair;binary | Defence uses a URL rewrite (redirection) rule in the Web Server to ensure that AIA URLs without a file extension are assigned the correct file type (.crt or .p7c).
CRL Distribution Point | No | [1] Distribution Point Name (http): http://crl.defence.gov.au/pki/crl/ADOCA<serial>.crl. [2] Distribution Point Name (ldap): ldap://dir.defence.gov.au/cn=ADOCA<serial>,ou=CAs,ou=PKI,ou=DoD,o=GOV,c=AU?certificateRevocationList | The CRL distribution point extension shall only populate the distributionPoint field. The field shall only contain the URI name form. The reasons and cRLIssuer fields shall not be populated. The CRL shall point to a full and complete CRL only (i.e., a CRL that does NOT contain the issuer distribution point extension).
Microsoft Certificate Template | - | Domain Computer |
Table 4 – Certificate Profile – Code signing certificate
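The following is an added example and is not part of this CP or of the Defence PKI's own tooling. It is a stdlib-only Python lint that walks a certificate's X.509v3 extension SEQUENCE in DER and tests it against the Table 4 rules a relying party or PKI operator would most want checked: Key usage critical and digitalSignature only, Extended key usage containing codeSigning, Certificate policies containing this CP's OID 1.2.36.1.334.1.1.3.4, and a CRL Distribution Point that populates only the distributionPoint field in URI name form with no reasons or cRLIssuer. The extension set it checks is constructed inline from the Table 4 values (the `ADOCA<serial>` placeholder is kept as the table gives it), not taken from a real Defence certificate, and the DER encode/decode helpers are a minimal implementation written for this example rather than a full ASN.1 library. It does not check the AIA entries, key identifiers or the signature itself.

```python
# Added example, not part of the CP: stdlib-only DER walker that checks a certificate's
# X.509v3 extension SEQUENCE against the Table 4 profile. build_sample() constructs the
# extension set from the Table 4 values; it is not taken from a real Defence certificate.
KEY_USAGE, EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
CERT_POLICIES, CRL_DP = "2.5.29.32", "2.5.29.31"
CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"
CP_OID = "1.2.36.1.334.1.1.3.4"  # this CP (Table 4, policy [1])
LOA_MEDIUM, LOA_LOW = "1.2.36.1.334.1.2.2.2", "1.2.36.1.334.1.2.2.1"
CRL_URI = "http://crl.defence.gov.au/pki/crl/ADOCA<serial>.crl"  # serial placeholder as in Table 4
def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:  # base-128 arcs, high bit set on all but the last octet
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))
def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))
def children(body):  # split a constructed DER body into (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out
def inner(tlv_bytes):  # value octets of a single TLV
    return children(tlv_bytes)[0][1]
def extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))
def distribution_point(uri, reasons=None):
    # distributionPoint [0] -> fullName [0] -> uniformResourceIdentifier [6]; reasons [1] only on request
    body = tlv(0xA0, tlv(0xA0, tlv(0x86, uri.encode("ascii"))))
    if reasons is not None:  # deliberately non-conforming variant, used to exercise the check
        body += tlv(0x81, reasons)
    return tlv(0x30, body)
def build_sample(key_usage_bits=b"\x07\x80", reasons=None):
    # Extension SEQUENCE mirroring Table 4; default keyUsage = digitalSignature only (bit 0, 7 unused bits)
    policies = b"".join(tlv(0x30, encode_oid(o)) for o in (CP_OID, LOA_MEDIUM, LOA_LOW))
    return tlv(0x30, b"".join([
        extension(KEY_USAGE, tlv(0x03, key_usage_bits), critical=True),
        extension(EXT_KEY_USAGE, tlv(0x30, encode_oid(CODE_SIGNING_EKU))),
        extension(CERT_POLICIES, tlv(0x30, policies)),
        extension(CRL_DP, tlv(0x30, distribution_point(CRL_URI, reasons))),
    ]))
def parse_extensions(ext_seq):  # extnID -> (critical, extnValue DER)
    exts = {}
    for _, ext in children(inner(ext_seq)):
        parts = children(ext)
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        exts[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return exts
def check_profile(ext_seq):
    """Return deviations from the Table 4 profile; an empty list means the extensions conform."""
    exts, findings = parse_extensions(ext_seq), []
    ku = exts.get(KEY_USAGE)
    if not ku or not ku[0]:
        findings.append("keyUsage missing or not critical")
    elif inner(ku[1])[1:] != b"\x80":  # drop the unused-bits octet, then expect bit 0 only
        findings.append("keyUsage must assert digitalSignature only")
    eku = exts.get(EXT_KEY_USAGE)
    if not eku or CODE_SIGNING_EKU not in [decode_oid(v) for _, v in children(inner(eku[1]))]:
        findings.append("extendedKeyUsage lacks codeSigning")
    pol = exts.get(CERT_POLICIES)
    if not pol or CP_OID not in [decode_oid(children(p)[0][1]) for _, p in children(inner(pol[1]))]:
        findings.append("certificatePolicies lacks this CP's OID " + CP_OID)
    dp = exts.get(CRL_DP)
    if not dp:
        findings.append("cRLDistributionPoints missing")
    for _, point in (children(inner(dp[1])) if dp else []):
        fields = children(point)
        if [t for t, _ in fields] != [0xA0]:
            findings.append("DistributionPoint must carry distributionPoint only (no reasons or cRLIssuer)")
        elif any(t != 0x86 for _, names in children(fields[0][1]) for t, _ in children(names)):
            findings.append("distributionPoint names must use the URI name form")
    return findings
```

`check_profile(build_sample())` returns an empty list for the conforming set; `build_sample(key_usage_bits=b"\x06\xc0")` (digitalSignature plus nonRepudiation) and `build_sample(reasons=b"\x07\x80")` (a populated reasons field) each produce one finding. To run the same check against a real certificate, feed it the extensions SEQUENCE extracted from the TBSCertificate of the DER file; the walker only needs the value bytes of each TLV, so it is independent of the signature algorithm.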
APPENDIX C. CRL PROFILE
Please refer to the issuing CA's Certificate Policy.
APPENDIX D. LEVEL OF ASSURANCE MAPPING
D.1 Assurance Level
The following table documents the mapping of this CP to the requirements of an associated assurance level as documented in the Defence PKI Assurance Level Requirements paper [LOA]:
CP's Level of Assurance: Medium Assurance (Resource) {1.2.36.1.334.1.2.2.2}. As documented in section 7.1.6 above.
REQUIREMENT | CP'S MAPPING TO REQUIREMENT
IDENTITY PROOFING
EOI | A Resource Custodian is responsible for the identification of a Code Signing Resource Custodian via a face-to-face registration that satisfies Gatekeeper High Assurance requirements and the verification of a certificate request during the enrolment of the Custodian, as described in 4.1.2 (Enrolment process and responsibilities). The RC is a trusted role, and the RC has proven their affiliation with Defence and identity as part of their enrolment. In addition, the Code Signing Resource Custodian is responsible for verifying the authenticity, integrity and affiliation with Defence of the code prior to signing the code.
Evidence of Relationship | The RC is also required to confirm the Code Signing Resource Custodian's affiliation to Defence by identifying them in the Defence directory. By being configured for use on the Defence DIE by a trusted administrator with the required access permissions, the code is authorised for signing by the Code Signing Resource Custodian.
Location | The identification of a resource may be local or remote.
CREDENTIAL STRENGTH
Token Protection | Private and public key pairs are generated on the resource using a cryptographic software module which also provides protection for the soft token during its lifecycle. See 6.2 (Private key protection and cryptographic module engineering controls).
Token Activation | Access to the private key is protected by passphrase in accordance with Defence security requirements.
Life (Time) of Key Strength | As documented in Appendix B, the Key Strength will be RSA 2048 and SHA1 which, in accordance with NIST SP 800-57-1, is deprecated but can be used to support legacy systems until 2030 [GK2015].
CERTIFICATE MANAGEMENT
CA Protection | The CA is both physically and logically secure from unauthorised access. The CA protection requirements are documented in the CPS and sections 5 and 6 of this CP.
Binding | As documented in section 4 (Certificate Lifecycle Operational Requirements), the key generation and issuance of a certificate to a resource is carried out by trusted roles, using the cryptographic capability on the resource itself. While the issuance process is not necessarily contiguous, the certificate signing request binds the certificate to the private key generated on the resource. The certificate also has a subject name which contains an identifier determined by the resource (see Appendix B. Certificate Profiles).
Revocation (Publication) | As covered in section 4.9.7, the CRL is published weekly, or on a certificate revocation, which exceeds the requirements. This is a result of issuing from the High Assurance CA.
Compliance | The Compliance requirements are covered in the CPS and section 8 (Compliance audit and other assessments). The Defence PKI environment is certified under the Australian Government Gatekeeper program, to support the issuance of up to a High Assurance level.
D.2 Risk Assessment
The issuance of certificates under this CP has been aligned with an Australian Defence Medium Assurance, which as documented in the [LOA] paper should provide a relying party some assurance in the asserted identity.
As discussed in section 1.3 of the [LOA] paper, any deviations within the CP from those requirements documented for the associated assurance level should be appropriately risk managed.
The following risks were identified and managed in the alignment of this CP with the requirements for Medium Assurance. The DPKIPB has accepted the risks through the appropriateness of the controls listed.
LOA REQUIREMENT | IDENTIFIED RISK | MITIGATION/CONTROLS
Life (Time) of Key Strength | There is a risk that the key strength is insufficient. (Due to the use of RSA 1024 and SHA-1, which have been deprecated by NIST from 2010.) | A number of internal applications cannot accept larger key sizes (both algorithm and hash function). Issuance of SHA1 Certificates to keys of 1024 bits is by exception on request of the application owner. NOTE: Defence's SHA1 CA certificate expires Dec 2018 and no further facility for SHA1 will be offered, removing allowance for 1024-bit keys.
The SHA1 hash function now has a proof of compromise. SHA1 was deprecated by NIST up to 2013 and disallowed from 2014.
Gatekeeper 2015 controls allow legacy use of SHA-1 until 2030. [GK2015]