UNCLASSIFIED (PUBLIC DOMAIN) - Department of Defence · 2019-07-19

X.509 Certificate Policy for the Australian Department of Defence Code Signing Resource Certificates, Version 5.2, Feb 2018



Notice to all parties seeking to rely

Reliance on a Certificate issued under this Certificate Policy, identified by subarcs of the object identifier 1.2.36.1.334.1.1.3.4, is only permitted as set forth in this document. Use of a certificate issued under this CP constitutes acceptance of the terms and conditions set out in this document; as such, acceptance of a Certificate by a Relying Party is at the Relying Party's risk. Refer to the CP and Defence CPS for relevant disclaimers of warranties, liabilities and indemnities.

Document Management

This document is controlled by: Defence Public Key Infrastructure Policy Board (DPKIPB).

Changes are authorised by: Defence Public Key Infrastructure Policy Board. Gatekeeper Competent Authority (GCA).

Change History

Version  Issue Date  Description/Amendment                                          Changed by
0.1      28 Apr 08   Initial Draft                                                  Sarah Moylan
1.0      23 Nov 09   Released                                                       GJF
2.0      Nov 2011    Released (minor amendments, cert profile changes)              SJP
2.1      Dec 2011    Updated for implementation of OCSP                             Verizon Business
2.2      May 2012    Minor amendments, harmonisation with doc suite, formatting     AKK
2.3      June 2012   AGIMO & AGS review. Minor amendments.                          AKK
3.0      July 2012   Released                                                       SJP
4.0      May 2014    Reviewed for release                                           PKI Ops Man
4.1      Feb 2016    GK 2015 compliance & minor format updates                      Cogito Group (CJP)
4.2      July 2016   Updated based upon Legal and Gatekeeper reviews                Cogito Group (CJP)
4.3      Sept 2016   Updated AIA information in Certificate profile (Appendix B.1)  Cogito Group (CJP)
5.0      Oct 2016    Released                                                       PKI Operations Manager
5.1      Dec 2016    Updated www.defence.gov.au to crl.defence.gov.au               Cogito Group (BB)
5.2      Feb 2018    Updates and corrections on review by GK                        PKI Ops Man


Signatures

Appointment: Defence PKI Policy Board (DPKIPB) Chair
Organisation: Dept. of Defence
Signature: PKI Documentation published as PDF files have undergone an extensive review and endorsement process by the relevant authorities in accordance with CDMC PKI publishing processes.

Appointment: Gatekeeper Competent Authority (GCA)
Organisation: Digital Transformation Agency (DTA)
Signature: PKI Documentation published as PDF files have undergone an extensive review and endorsement process by the relevant authorities in accordance with CDMC PKI publishing processes.


Contents

1. INTRODUCTION ... 9
  1.1 Overview ... 9
  1.2 Document name and identification ... 9
  1.3 PKI participants ... 10
    1.3.1 Certification authorities ... 10
    1.3.2 Registration authorities ... 10
    1.3.3 Subscribers ... 10
    1.3.4 Relying parties ... 10
    1.3.5 Other participants ... 10
  1.4 Certificate usage ... 10
    1.4.1 Appropriate certificate uses ... 10
    1.4.2 Prohibited certificate uses ... 10
  1.5 Policy administration ... 11
    1.5.1 Organisation administering the document ... 11
    1.5.2 Contact person ... 11
    1.5.3 Authority determining CPS suitability for the policy ... 11
    1.5.4 CPS approval procedures ... 11
  1.6 Definitions, acronyms and interpretation ... 11
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ... 11
  2.1 Repositories ... 11
  2.2 Publication of certificate information ... 11
  2.3 Time or frequency of publication ... 11
  2.4 Access controls on repositories ... 11
3. IDENTIFICATION AND AUTHENTICATION ... 12
  3.1 Naming ... 12
    3.1.1 Types of Names ... 12
    3.1.2 Need for names to be meaningful ... 12
    3.1.3 Anonymity or pseudonymity of Subscribers ... 12
    3.1.4 Rules for interpreting various name forms ... 12
    3.1.5 Uniqueness of names ... 12
    3.1.6 Recognition, authentication, and role of trademarks ... 12
  3.2 Initial identity validation ... 12
    3.2.1 Method to prove possession of private key ... 12
    3.2.2 Authentication of organisation identity ... 12
    3.2.3 Authentication of individual identity ... 12
    3.2.4 Non-verified subscriber information ... 13
    3.2.5 Validation of authority ... 13
    3.2.6 Criteria for interoperation ... 13
  3.3 Identification and Authentication for Re-Key Requests ... 13
    3.3.1 Identification and authentication for routine re-key ... 13
    3.3.2 Identification and authentication for re-key after revocation ... 13
  3.4 Identification and Authentication for Revocation Requests ... 13
4. CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS ... 13
  4.1 Certificate application ... 13
    4.1.1 Who can submit a certificate application ... 13
    4.1.2 Enrolment process and responsibilities ... 13
  4.2 Certificate application processing ... 14
    4.2.1 Performing identification and authentication functions ... 14


    4.2.2 Approval or rejection of certificate applications ... 14
    4.2.3 Time to process certificate applications ... 14
  4.3 Certificate issuance ... 14
    4.3.1 CA actions during certificate issuance ... 14
    4.3.2 Notification to subscriber by the CA of issuance of certificate ... 14
  4.4 Certificate acceptance ... 14
    4.4.1 Conduct constituting certificate acceptance ... 14
    4.4.2 Publication of the certificate by the CA ... 14
    4.4.3 Notification of certificate issuance by the CA to other entities ... 14
  4.5 Key pair and certificate usage ... 15
    4.5.1 Subscriber private key and certificate usage ... 15
    4.5.2 Relying party public key and certificate usage ... 15
  4.6 Certificate renewal ... 15
    4.6.1 Circumstance for certificate renewal ... 15
    4.6.2 Who may request renewal ... 15
    4.6.3 Processing certificate renewal requests ... 15
    4.6.4 Notification of new certificate issuance to subscriber ... 15
    4.6.5 Conduct constituting acceptance of a renewal certificate ... 15
    4.6.6 Publication of the renewal certificate by the CA ... 15
    4.6.7 Notification of certificate issuance by the CA to other entities ... 15
  4.7 Certificate re-key ... 16
    4.7.1 Circumstance for certificate re-key ... 16
    4.7.2 Who may request certification of a new public key? ... 16
    4.7.3 Processing certificate re-keying requests ... 16
    4.7.4 Notification of new certificate issuance to subscriber ... 16
    4.7.5 Conduct constituting acceptance of a re-keyed certificate ... 16
    4.7.6 Publication of the re-keyed certificate by the CA ... 16
    4.7.7 Notification of certificate issuance by the CA to other entities ... 16
  4.8 Certificate modification ... 16
    4.8.1 Circumstance for certificate modification ... 16
    4.8.2 Who may request certificate modification ... 16
    4.8.3 Processing certificate modification requests ... 16
    4.8.4 Notification of new certificate issuance to subscriber ... 16
    4.8.5 Conduct constituting acceptance of modified certificate ... 17
    4.8.6 Publication of the modified certificate by the CA ... 17
    4.8.7 Notification of certificate issuance by the CA to other entities ... 17
  4.9 Certificate revocation and suspension ... 17
    4.9.1 Circumstances for revocation ... 17
    4.9.2 Who can request revocation ... 17
    4.9.3 Procedure for revocation request ... 17
    4.9.4 Revocation request grace period ... 17
    4.9.5 Time within which CA must process the revocation request ... 17
    4.9.6 Revocation checking requirement for relying parties ... 17
    4.9.7 CRL issuance frequency (if applicable) ... 17
    4.9.8 Maximum latency for CRLs (if applicable) ... 17
    4.9.9 On-line revocation/status checking availability ... 18
    4.9.10 On-line revocation checking requirements ... 18
    4.9.11 Other forms of revocation advertisements available ... 18
    4.9.12 Special requirements re key compromise ... 18
    4.9.13 Circumstances for suspension ... 18
    4.9.14 Who can request suspension ... 18
    4.9.15 Procedure for suspension request ... 18
    4.9.16 Limits on suspension period ... 18


  4.10 Certificate status services ... 18
    4.10.1 Operational characteristics ... 18
    4.10.2 Service availability ... 18
    4.10.3 Optional features ... 18
  4.11 End of subscription ... 18
  4.12 Key escrow and recovery ... 19
    4.12.1 Key escrow and recovery policy and practices ... 19
    4.12.2 Session key encapsulation and recovery policy and practices ... 19
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ... 19
  5.1 Physical controls ... 19
  5.2 Procedural controls ... 19
  5.3 Personnel controls ... 19
  5.4 Audit logging procedures ... 19
  5.5 Records archival ... 19
    5.5.1 Types of records archived ... 19
    5.5.2 Retention period for archive ... 19
    5.5.3 Protection of archive ... 19
    5.5.4 Archive backup procedures ... 19
    5.5.5 Requirements for time-stamping of records ... 19
    5.5.6 Archive collection system (internal or external) ... 20
    5.5.7 Procedures to obtain and verify archive information ... 20
  5.6 Key changeover ... 20
  5.7 Compromise and disaster recovery ... 20
  5.8 CA or RA termination ... 20
6. TECHNICAL SECURITY CONTROLS ... 20
  6.1 Key pair generation and installation ... 20
    6.1.1 Key pair generation ... 20
    6.1.2 Private key delivery to subscriber ... 20
    6.1.3 Public key delivery to certificate issuer ... 20
    6.1.4 CA public key delivery to relying parties ... 20
    6.1.5 Key sizes ... 20
    6.1.6 Public key parameters generation and quality checking ... 20
    6.1.7 Key usage purposes (as per X.509 v3 key usage field) ... 21
  6.2 Private key protection and cryptographic module engineering controls ... 21
    6.2.1 Cryptographic module standards and controls ... 21
    6.2.2 Private key (n out of m) multi-person control ... 21
    6.2.3 Private key escrow ... 21
    6.2.4 Private key backup ... 21
    6.2.5 Private key archival ... 21
    6.2.6 Private key transfer into or from a cryptographic module ... 21
    6.2.7 Private key storage on cryptographic module ... 21
    6.2.8 Method of activating private key ... 21
    6.2.9 Method of deactivating private key ... 21
    6.2.10 Method of destroying private key ... 21
    6.2.11 Cryptographic Module Rating ... 21
  6.3 Other aspects of key pair management ... 22
    6.3.1 Public key archival ... 22
    6.3.2 Certificate operational periods and key pair usage periods ... 22
  6.4 Activation data ... 22
    6.4.1 Activation data generation and installation ... 22
    6.4.2 Activation data protection ... 22
    6.4.3 Other aspects of activation data ... 22


6.5 Computersecuritycontrols................................................................................................................22 6.6 Lifecycletechnicalcontrols...............................................................................................................22 6.7 Networksecuritycontrols..................................................................................................................22 6.8 Time‐stamping........................................................................................................................................22

7. CERTIFICATE,CRLANDOCSPPROFILES............................................................................................22 7.1 Certificateprofile...................................................................................................................................22 7.1.1 Versionnumber(s)........................................................................................................................................22 7.1.2 Certificateextensions...................................................................................................................................22 7.1.3 Algorithmobjectidentifiers......................................................................................................................23 7.1.4 Nameforms......................................................................................................................................................23 7.1.5 Nameconstraints...........................................................................................................................................23 7.1.6 Certificatepolicyobjectidentifier..........................................................................................................23 7.1.7 Usageofpolicyconstraintsextension...................................................................................................23 7.1.8 Policyqualifierssyntaxandsemantics.................................................................................................23 7.1.9 Processingsemanticsforthecriticalcertificatepoliciesextension.........................................23

7.2 CRLprofile................................................................................................................................................23 7.2.1 Versionnumber(s)........................................................................................................................................23 7.2.2 CRLandCRLentryextensions.................................................................................................................24

7.3 OCSPprofile..............................................................................................................................................24 7.3.1 VersionNumbers...........................................................................................................................................24 7.3.2 OCSPExtensions............................................................................................................................................24

8. COMPLIANCEAUDITANDOTHERASSESSMENTS..................................................................................24 8.1 Frequencyorcircumstancesofassessment.................................................................................24 8.2 Identity/qualificationsofassessor..................................................................................................24 8.3 Assessor'srelationshiptoassessedentity....................................................................................24 8.4 Topicscoveredbyassessment..........................................................................................................24 8.5 Actionstakenasaresultofdeficiency...........................................................................................24 8.6 Communicationofresults...................................................................................................................24

9. OTHERBUSINESSANDLEGALMATTERS..............................................................................................24 9.1 Fees.............................................................................................................................................................24 9.1.1 Certificateissuanceorrenewalfees......................................................................................................24 9.1.2 Certificateaccessfees..................................................................................................................................25 9.1.3 Revocationorstatusinformationaccessfees....................................................................................25 9.1.4 Feesforotherservices................................................................................................................................25 9.1.5 Refundpolicy...................................................................................................................................................25

9.2 Financialresponsibility.......................................................................................................................25 9.2.1 Insurancecoverage.......................................................................................................................................25 9.2.2 Otherassets......................................................................................................................................................25 9.2.3 Insuranceorwarrantycoverageforend‐entities............................................................................25

9.3 Confidentialityofbusinessinformation........................................................................................25 9.3.1 Scopeofconfidentialinformation..........................................................................................................25 9.3.2 Informationnotwithinthescopeofconfidentialinformation...................................................25 9.3.3 Responsibilitytoprotectconfidentialinformation.........................................................................25

9.4 Privacy of personal information .... 25
9.5 Intellectual property rights .... 25
9.6 Representations and warranties .... 26
9.6.1 CA representations and warranties .... 26
9.6.2 RA representations and warranties .... 26
9.6.3 Subscriber representations and warranties .... 26
9.6.4 Relying party representations and warranties .... 26
9.6.5 Representations and warranties of other participants .... 26

9.7 Disclaimer of warranties .... 26


9.8 Limitations of liability .... 26
9.9 Indemnities .... 27
9.10 Term and termination .... 27
9.10.1 Term .... 27
9.10.2 Termination .... 27
9.10.3 Effect of termination and survival .... 27

9.11 Individual notices and communications with participants .... 27
9.12 Amendments .... 27
9.13 Dispute resolution provisions .... 27
9.14 Governing Law .... 27
9.15 Compliance with Applicable Law .... 27
9.16 Miscellaneous provisions .... 27
9.17 Other provisions .... 27

APPENDIX A. REFERENCES .... 28
APPENDIX B. CERTIFICATE PROFILES .... 29
B.1 Code Signing Local Key Gen .... 29

APPENDIX C. CRL PROFILE .... 31
APPENDIX D. LEVEL OF ASSURANCE MAPPING .... 32
D.1 Assurance Level .... 32
D.2 Risk Assessment .... 33

List of Tables

Table 1 - Signature OIDs .... 23
Table 2 - Algorithm OIDs .... 23
Table 3 - References .... 28
Table 4 - Certificate Profile - Code signing certificate .... 30


1. INTRODUCTION

Certificate Policies (CPs) are, in the X.509 version 3 digital certificate standard, the named set of rules regarding the applicability of a Certificate to a particular community and/or class of applications with common security requirements. A CP may be used by a Relying Party to help in deciding whether a certificate, and the binding therein, are sufficiently trustworthy and otherwise appropriate for a particular application.

This CP identifies the rules to manage the Australian Government Department of Defence (Defence) Code Signing Resource Certificates that are used to attest the authenticity and integrity of software code. It includes the obligations of the Public Key Infrastructure (PKI) entities, and how the parties, indicated below, use them. It does not describe how to implement these rules as that information is in the Defence PKI Certification Practice Statement (CPS), or documents referenced by the CPS. In general, the rules in this CP identify the minimum standards in terms of performance, security and/or quality.

The headings in this CP follow the framework set out in Internet Engineering Task Force Request for Comment (RFC) 3647: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.

A document hierarchy applies: the provisions of any applicable contract such as a Subscriber Agreement, Deed of Agreement or other relevant contract override the provisions of this CP. The provisions of this CP prevail over the provisions of the CPS to the extent of any direct inconsistency. The provisions of the CPS govern any matter on which this CP is silent. (Note: where subtitled sections of the framework provide no additional information to the detail provided in the CPS, they have not been further extrapolated in this document.)

This section identifies and introduces the set of provisions, and indicates the types of entities and applications applicable for this CP.

1.1 Overview

This CP only applies to certificates issued to Defence Code Signing Resource Custodians for the purpose of digitally signing software code on behalf of Defence, attesting to the authenticity and integrity of the code that has been signed, and does not apply to other non-individuals (e.g. organisations, resources or devices) or individuals.

No authority, or privilege, applies to an approved Code Signing Resource Custodian certificate holder, other than conferring an ability to digitally sign code, on behalf of Defence, that attests to the authenticity and integrity of the code.

The principal documents referenced by this CP are shown in Appendix A. The contents of a referenced document may be classified.

1.2 Document name and identification

The title for this CP is “X.509 Certificate Policy for the Australian Government Department of Defence Code Signing Resource Certificates”. The Object Identifier (OID) for this CP is 1.2.36.1.334.1.1.3.4.

{iso(1) iso-member(2) australia(36) government(1) department of defence(334) pki(1) certificate policy(1) resource(3) code-signing(4)}

Extensions of this OID represent the certificate variants governed by this CP. They are identified in Appendix B.


1.3 PKI participants

1.3.1 Certification authorities

The Certification Authorities (CAs) that issue certificates under this CP are Gatekeeper-accredited. For further information, see CPS.

1.3.2 Registration authorities

The Registration Authorities (RAs) that perform the registration function under this CP are Gatekeeper-accredited Defence RAs. For further information, see CPS.

1.3.3 Subscribers

In this document, and as allowed by the definition of Subscriber in the CPS, the Subscriber of a Defence Code Signing Resource Certificate may, depending on the context, refer to the Non-Person Entity (NPE) whose name appears as the subject in the certificate, or to the person or legal entity that applied for that Certificate.

In the case of a Defence Code Signing Certificate, the Subscriber (person or legal entity) is a Code Signing Resource Custodian. The Code Signing Resource Custodian is responsible for the appropriate use of the Code Signing Certificate.

In some instances, certain responsibilities of the Subscriber (person or legal entity) may be delegated to a Key Custodian. The Subscriber person or legal entity is fully responsible and accountable for the acts or omissions of its delegate.

1.3.4 Relying parties

See CPS.

1.3.5 Other participants

See CPS.

1.4 Certificate usage

1.4.1 Appropriate certificate uses

The appropriate use for Certificates issued under this CP, in conjunction with their associated private keys, is to:

i. allow Defence to digitally sign code to attest the authenticity and integrity of the code; and
ii. permit relying parties to validate that the signed code is authentic and issued by a trusted authority.

1.4.2 Prohibited certificate uses

The prohibited uses for certificates issued under this CP are:

i. validating any Resource to conduct any transaction, or communication, which is any or all of the following:

a) Unrelated to Defence business;
b) Illegal;
c) Unauthorised;
d) Unethical; or
e) Contrary to Defence policy.


Engaging in prohibited certificate use is a breach of the responsibilities and obligations agreed to by the Code Signing Resource Custodian (RC).

1.5 Policy administration

1.5.1 Organisation administering the document

See CPS.

1.5.2 Contact person

See CPS.

1.5.3 Authority determining CPS suitability for the policy

See CPS.

1.5.4 CPS approval procedures

See CPS.

1.6 Definitions, acronyms and interpretation

Acronyms and terms used in this CP are defined in the CPS. Note that defined terms in this CP appear in italics the first time they are used and otherwise are not identified in this manner when appearing later throughout the CP. Defined terms may be upper or lower case.

The interpretation clause in Part 3 of Appendix B of the CPS (B.3) also applies to this CP.

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories

See CPS.

2.2 Publication of certificate information

See CPS.

2.3 Time or frequency of publication

See 4.9.7 for CRL issuance frequency. For further information, see CPS.

2.4 Access controls on repositories

See CPS.


3. IDENTIFICATION AND AUTHENTICATION

3.1 Naming

3.1.1 Types of Names

A clear, distinguishable and unique Distinguished Name (DN) must be present in the certificate Subject field.

3.1.2 Need for names to be meaningful

The DPKIPB shall ensure that the DN in the subjectName field used to identify the Subject of a certificate is:

i. Meaningful; and
ii. Relates directly to an attribute or identifier of the Resource.

3.1.3 Anonymity or pseudonymity of Subscribers

Not applicable.

3.1.4 Rules for interpreting various name forms

No stipulation as there is only one form.

3.1.5 Uniqueness of names

Names are unique within the PKI namespace.

3.1.6 Recognition, authentication, and role of trademarks

See CPS.

3.2 Initial identity validation

3.2.1 Method to prove possession of private key

Certificate requests submitted to the CA must be PKCS#10 formatted requests, where proof of possession of the Private Key is ensured and the Key Pair is generated at the time the certificate request is created.

3.2.2 Authentication of organisation identity

The RC is responsible for the resource being deployed. Authentication of organisation identity is therefore implicit in an RC's authorisation for registration of the resource with the PKI.

The Code Signing Resource Custodian that will be responsible for the Code Signing certificate must prove affiliation with Defence before being issued keys and certificate.

3.2.3 Authentication of individual identity

This CP is for a non-person entity, and not an individual. The identifying characteristics of the resource will be resource-specific. The RC authenticates the identity of the resource during the approval of the certification request after checking that the information in the request is correct.


The Code Signing Resource Custodian that will be responsible for the Code Signing certificate must provide Evidence of Identity (EOI) to satisfy Gatekeeper High Assurance requirements before being issued keys and certificate.

3.2.4 Non-verified subscriber information

All Subscriber information included in the certificate request is verified by the RC.

3.2.5 Validation of authority

Prior to the issue of a certificate, affiliation with Defence is validated by the RC.

3.2.6 Criteria for interoperation

See CPS.

3.3 Identification and Authentication for Re-Key Requests

3.3.1 Identification and authentication for routine re-key

The CA will allow routine re-keying before expiration of the subscriber's current certificate. The re-key request must be accompanied by a validly signed email from the Code-Signing Resource Custodian's 1 Star supervisor confirming the on-going need for the code signing capability.

3.3.2 Identification and authentication for re-key after revocation

See 3.2.2 (Authentication of organisation identity) and 3.2.3 (Authentication of individual identity).

3.4 Identification and Authentication for Revocation Requests

Dual authentication is required for all requests to revoke (either two RCs or one RC and a PKI Operator). Prior to revocation, the request is verified and the requestor and reasons documented.

Revocation requests, from sources other than the RC, should be digitally signed. If that is not possible, then a signed letter should be sent by post or fax.

Revocation requests, from sources other than an RC, are authenticated by verifying that the request is signed by the person making the request, validating that the sender is affiliated with Defence, and checking that the request contains all the correct and required information.

Only in extraordinary (emergency) circumstances can a revocation request be submitted verbally.

See 4.9 (Certificate revocation and suspension) for more information on revocation.

4. CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS

4.1 Certificate application

4.1.1 Who can submit a certificate application

See CPS.

4.1.2 Enrolment process and responsibilities

The Code Signing Resource Custodian that is to be responsible for the code signing keys and certificate must attend a face-to-face registration during which they need to present their EOI to the RC. The RC confirms affiliation with Defence, and the Code Signing Resource Custodian signs a form outlining their responsibilities.

Depending on the environment requiring the code signing certificate, the RC may either use the resource's security functionality or the PKI software to generate a key pair and submit a certificate request. The RC verifies the information in the request and then approves it for registration. The RA validates and signs the request, and sends it to the CA.

4.2 Certificate application processing

4.2.1 Performing identification and authentication functions

The RC will perform enrolment as per section 4.1.2, and submit the validated request to the RA. The RA will validate and submit the request to the CA.

4.2.2 Approval or rejection of certificate applications

An RC may reject or approve a certificate application. Reasons for rejection may include invalid application, insufficient affiliation with Defence, or the provision of incorrect or insufficient identification details.

4.2.3 Time to process certificate applications

See CPS.

4.3 Certificate issuance

4.3.1 CA actions during certificate issuance

See CPS.

4.3.2 Notification to subscriber by the CA of issuance of certificate

See CPS.

4.4 Certificate acceptance

4.4.1 Conduct constituting certificate acceptance

Use of the certificate constitutes acceptance.

4.4.2 Publication of the certificate by the CA

See CPS.

4.4.3 Notification of certificate issuance by the CA to other entities

No stipulation.


4.5 Key pair and certificate usage

4.5.1 Subscriber private key and certificate usage

The Code Signing Resource Custodian must ensure that private keys are only used in accordance with the key usage parameters set in the certificate and as defined in section 1.4 (Certificate Usage). Use of the private key is only permitted following approval of the corresponding certificate by the RC and must be discontinued immediately following expiration or revocation of the certificate. A Subscriber must include the corresponding certificate with a digital signature to allow Relying Parties to perform signature verification.

4.5.2 Relying party public key and certificate usage

1.4 (Certificate Usage) and 1.3.4 (Relying Parties) detail the Relying Party's public key and certificate usage and responsibilities.

The interpretation of, and compliance with, extendedKeyUsage attributes, and any associated limitations on the use of the certificate and/or private key, is in accordance with RFC 5280.

4.6 Certificate renewal

4.6.1 Circumstance for certificate renewal

See CPS for certificate renewal criteria.

Certificate renewal is only permitted in exceptional circumstances and must not be used to avoid certificate re-key or the associated identification and authentication processes. For further information, see CPS.

4.6.2 Who may request renewal

See CPS.

4.6.3 Processing certificate renewal requests

Processing of certificate renewal requests is consistent with the processing of new certificate requests, as detailed in 4.2 (Certificate Application Processing).

4.6.4 Notification of new certificate issuance to subscriber

See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).

4.6.5 Conduct constituting acceptance of a renewal certificate

See 4.4.1 (Conduct constituting certificate acceptance).

4.6.6 Publication of the renewal certificate by the CA

See 4.4.2 (Publication of the certificate by the CA).

4.6.7 Notification of certificate issuance by the CA to other entities

No stipulation.


4.7 Certificate re-key

4.7.1 Circumstance for certificate re-key

See CPS.

4.7.2 Who may request certification of a new public key?

See 4.1.1 (Who can submit a certificate application).

4.7.3 Processing certificate re-keying requests

Processing of certificate re-key requests is consistent with the processing of new certificate requests, as detailed in 4.2.1 (Performing identification and authentication functions).

4.7.4 Notification of new certificate issuance to subscriber

See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).

4.7.5 Conduct constituting acceptance of a re-keyed certificate

See 4.4.1 (Conduct constituting certificate acceptance).

4.7.6 Publication of the re-keyed certificate by the CA

See 4.4.2 (Publication of the certificate by the CA).

4.7.7 Notification of certificate issuance by the CA to other entities

No stipulation.

4.8 Certificate modification

4.8.1 Circumstance for certificate modification

The circumstances permitted for certificate modification include (but may not be limited to):

i. Details in the certificate relevant to the certificate subject have changed or been found to be incorrect.

ii. Interoperation with approved “third party” PKI, or Defence assets and systems, requires certificate attributes or contents to be inserted, modified or deleted.

The DPKIPB will determine other circumstances as appropriate.

See CPS for further information.

4.8.2 Who may request certificate modification

See 4.1.1 (Who can submit a certificate application).

4.8.3 Processing certificate modification requests

The process for certificate modification is consistent with 4.2 (Certificate application processing). The identification and authentication procedures comply with 3.3 (Identification and Authentication for Re-Key Requests).

4.8.4 Notification of new certificate issuance to subscriber

See 4.3.2 (Notification to subscriber by the CA of issuance of certificate).


4.8.5 Conduct constituting acceptance of modified certificate

See 4.4.1 (Conduct constituting certificate acceptance).

4.8.6 Publication of the modified certificate by the CA

See CPS.

4.8.7 Notification of certificate issuance by the CA to other entities

No stipulation.

4.9 Certificate revocation and suspension

4.9.1 Circumstances for revocation

See CPS.

4.9.2 Who can request revocation

See CPS.

4.9.3 Procedure for revocation request

Revocation requests are verified on receipt in accordance with 3.4 (Identification and authentication for revocation requests) and processed in priority order.

After verification the RC (or PKI Operator) processes revocation requests by using the PKI software, which captures an auditable record of the process.

After a certificate is revoked, the CA includes the applicable certificate (certificate serial number) in the CRL that is signed by the CA and published in the repositories.

4.9.4 Revocation request grace period

A grace period of one Operational Day is permitted.

The DPKIPB, or an approved delegate, in exceptional circumstances (such as a security or law enforcement investigation), may approve a delay in the submission of a revocation request. An audit record of this approval is required, and must be submitted with the revocation request upon expiry of the approved delay.

4.9.5 Time within which CA must process the revocation request

A CA shall process revocation requests for certificates issued under this CP promptly after receipt.

4.9.6 Revocation checking requirement for relying parties

See CPS.

4.9.7 CRL issuance frequency (if applicable)

CRLs for certificates under this CP are published on each certificate revocation, or at intervals no longer than 24 hours if there are no updates.

4.9.8 Maximum latency for CRLs (if applicable)

The maximum latency between the generation and publication of CRLs is 3 days.


4.9.9 On-line revocation/status checking availability

An Online Certificate Status Protocol (OCSP) service is available at

http://ocsp.defence.gov.au

Refer to the relevant Certificate Profile in Appendix B: if the certificate is issued with an OCSP access location reference (Authority Information Access extension), OCSP is available to the Relying Party as a certificate status checking method.

The latest CRL is available from the published repositories; refer to 2.1 (Repositories) and the certificate's CRL Distribution Point for further information.

4.9.10 On-line revocation checking requirements

No stipulation.

4.9.11 Other forms of revocation advertisements available

See CPS.

4.9.12 Special requirements re key compromise

Code signing certificates that have been revoked due to key compromise, or that have been issued to unauthorised persons, must be maintained in the CA's public revocation database for at least 20 years.

4.9.13 Circumstances for suspension

Certificate suspension is not supported under this CP.

4.9.14 Who can request suspension

Certificate suspension is not supported under this CP.

4.9.15 Procedure for suspension request

Certificate suspension is not supported under this CP.

4.9.16 Limits on suspension period

Certificate suspension is not supported under this CP.
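The timing rules of 4.9.7 and 4.9.8, the retention rule of 4.9.12 and the absence of suspension in 4.9.13 together determine how a Relying Party should treat a CRL it has fetched. The following is an added example (not part of this CP or of the Defence PKI software) showing those rules as a fail-closed status decision. The CRL is a constructed in-memory record with hypothetical serial numbers and dates rather than a parsed DER CRL, and the 20-year retention is assumed to run from the revocation date, which the CP does not state.

```python
"""Relying-party revocation checks against the timing rules of section 4.9.

Added example, not part of the Defence CP. The CRL below is a constructed
in-memory record (serials, dates and reasons are made up); the policy
constants come from 4.9.7, 4.9.8 and 4.9.12 of the CP.
"""
from datetime import datetime, timedelta, timezone

CRL_MAX_INTERVAL = timedelta(hours=24)     # 4.9.7: a new CRL at least every 24 h
CRL_MAX_LATENCY = timedelta(days=3)        # 4.9.8: generation-to-publication latency
COMPROMISE_RETENTION_YEARS = 20            # 4.9.12: keep compromise entries 20 years

# RFC 5280 CRLReason codes used below.
UNSPECIFIED, KEY_COMPROMISE, CESSATION_OF_OPERATION, CERTIFICATE_HOLD = 0, 1, 5, 6


def crl_freshness(this_update, next_update, now):
    """Classify a CRL's age as 'fresh', 'future', 'expired' or 'overdue'."""
    if now < this_update:
        return "future"       # clock skew or a bad CRL; do not rely on it
    if now > next_update:
        return "expired"      # the issuer said not to trust it past nextUpdate
    if now - this_update > CRL_MAX_INTERVAL + CRL_MAX_LATENCY:
        return "overdue"      # older than 4.9.7 + 4.9.8 allow even in the worst case
    return "fresh"


def revocation_status(serial, crl, now):
    """Return (status, detail) for one certificate serial from a CRL record.

    status is 'good', 'revoked' or 'undetermined'. A fail-closed relying party
    treats 'undetermined' like 'revoked' for code it is about to run.
    """
    freshness = crl_freshness(crl["this_update"], crl["next_update"], now)
    if freshness != "fresh":
        return "undetermined", f"CRL {freshness}"
    for entry in crl["revoked"]:
        if entry["serial"] == serial:
            if entry["reason"] == CERTIFICATE_HOLD:
                # 4.9.13: suspension is not supported, so a hold entry is an
                # anomaly; fail closed rather than treat it as temporary.
                return "undetermined", "certificateHold present but suspension unsupported"
            return "revoked", f"reason={entry['reason']}"
    return "good", "serial not on CRL"


def must_retain(entry, now):
    """4.9.12: compromise and mis-issuance entries stay published for 20 years.

    Assumption: the period runs from the revocation date (the CP does not say).
    """
    if entry["reason"] != KEY_COMPROMISE and not entry.get("unauthorised_issuance"):
        return False
    revoked_at = entry["revoked_at"]      # sample dates avoid 29 February
    deadline = revoked_at.replace(year=revoked_at.year + COMPROMISE_RETENTION_YEARS)
    return now < deadline


# Constructed sample CRL (hypothetical serials and dates, not real data).
T0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_CRL = {
    "this_update": T0,
    "next_update": T0 + timedelta(days=4),
    "revoked": [
        {"serial": 0x1001, "reason": KEY_COMPROMISE, "revoked_at": T0 - timedelta(days=1)},
        {"serial": 0x1002, "reason": CESSATION_OF_OPERATION, "revoked_at": T0 - timedelta(days=30)},
        {"serial": 0x1003, "reason": CERTIFICATE_HOLD, "revoked_at": T0 - timedelta(hours=2)},
    ],
}

if __name__ == "__main__":
    now = T0 + timedelta(hours=1)
    for serial in (0x1001, 0x1003, 0x9999):
        print(hex(serial), revocation_status(serial, SAMPLE_CRL, now))
```

The "overdue" threshold is the sum of the two policy figures: a CRL may legitimately be 24 hours old at generation and take up to 3 days to reach the repository, so anything older than 4 days is outside what this CP permits even though its nextUpdate may not yet have passed. Signature verification of the CRL itself and the OCSP path of 4.9.9 are left to the PKI library in use.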

4.10 Certificate status services

4.10.1 Operational characteristics

See CPS.

4.10.2 Service availability

See CPS.

4.10.3 Optional features

No stipulation.

4.11 End of subscription

See CPS.


4.12 Key escrow and recovery

Keys will not be escrowed.

4.12.1 Key escrow and recovery policy and practices

No stipulation.

4.12.2 Session key encapsulation and recovery policy and practices

No stipulation.

5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.1 Physical controls

See CPS.

5.2 Procedural controls

See CPS.

5.3 Personnel controls

See CPS.

5.4 Audit logging procedures

See CPS.

5.5 Records archival

5.5.1 Types of records archived

See CPS.

5.5.2 Retention period for archive

See CPS.

5.5.3 Protection of archive

See CPS.

5.5.4 Archive backup procedures

See CPS.

5.5.5 Requirements for time-stamping of records

See CPS.


5.5.6 Archive collection system (internal or external)

No stipulation.

5.5.7 Procedures to obtain and verify archive information

See CPS.

5.6 Key changeover

See CPS.

5.7 Compromise and disaster recovery

See CPS.

5.8 CA or RA termination

See CPS.

6. TECHNICAL SECURITY CONTROLS

6.1 Key pair generation and installation

6.1.1 Key pair generation

Keys are primarily generated locally within the resource during the requesting process. Where a key pair is generated on behalf of the resource, the generation occurs centrally by a trusted role and, following the placement of the keys in the custody of the resource, the copy of the key pair is destroyed.

6.1.2 Private key delivery to subscriber

Generally the key generation is performed within the resource so no delivery is required. Where keys are generated externally the private key is delivered to the subscriber within a protected container known as a PKCS12 file. The PKCS12 format ensures the private key data is encrypted, and is only accessible with the provision of an unlocking password. The Code Signing Resource Custodian is to supply the protecting password at the time of key generation.

6.1.3 Public key delivery to certificate issuer

Where keys are generated within the Resource, its public key is provided to the CA in a PKCS#10 certificate request file signed with the corresponding private key.

6.1.4 CA public key delivery to relying parties

See CPS.

6.1.5 Key sizes

Key sizes will be a minimum of 2048-bit RSA modulus.

6.1.6 Public key parameters generation and quality checking

See CPS.


6.1.7 Key usage purposes (as per X.509 v3 key usage field)

Keys issued under this CP allow a Subscriber to assert the authentication and integrity of the application/code. See Appendix B and CPS for further information.

6.2 Private key protection and cryptographic module engineering controls

6.2.1 Cryptographic module standards and controls

See CPS.

6.2.2 Private key (n out of m) multi-person control

See CPS.

6.2.3 Private key escrow

Escrow of keys does not occur.

6.2.4 Private key backup

See CPS.

6.2.5 Private key archival

See CPS.

6.2.6 Private key transfer into or from a cryptographic module

See CPS.

6.2.7 Private key storage on cryptographic module

See CPS.

6.2.8 Method of activating private key

Activating private keys occurs by the Key Custodian authenticating to the cryptographic module. The session stays live until deactivated (see 6.2.9).

6.2.9 Method of deactivating private key

Deactivation can be achieved via:

i. Shutdown or restart of the system;
ii. Removal of the token; or
iii. Shutdown of the service that operates the token.

6.2.10 Method of destroying private key

See CPS.

6.2.11 Cryptographic Module Rating

See CPS.


6.3 Other aspects of key pair management

6.3.1 Public key archival

See CPS.

6.3.2 Certificate operational periods and key pair usage periods

The Subscriber certificate has a maximum validity period of 2 years to limit the key lifetime. For further information, see CPS.

6.4 Activation data

6.4.1 Activation data generation and installation

No stipulation.

6.4.2 Activation data protection

See CPS.

6.4.3 Other aspects of activation data

No stipulation.

6.5 Computer security controls

See CPS.

6.6 Life cycle technical controls

See CPS.

6.7 Network security controls

See CPS.

6.8 Time-stamping

See CPS.

7. CERTIFICATE, CRL AND OCSP PROFILES

7.1 Certificate profile

7.1.1 Version number(s)

All certificates are X.509 Version 3 certificates.

7.1.2 Certificate extensions

See Appendix B.


7.1.3 Algorithm object identifiers

Certificates under this CP will use one of the following OIDs for signatures.

sha-1WithRSAEncryption    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5}
sha256WithRSAEncryption   {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11}

Table 1 - Signature OIDs

CertificatesunderthisCPwilluseoneof the followingOIDsfor identifyingthealgorithmforwhichthesubjectkeywasgenerated.

id‐ecPublicKey {iso(1)member‐body(2)us(840)ansi‐x9‐62(10045)public‐key‐type(2)1}rsaEncryption {iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)1}Dhpublicnumber {iso(1)member‐body(2)us(840)ansi‐x942(10046)number‐type(2)1}id‐keyExchangeAlgorithm {joint‐iso‐ccitt(2)country(16)us(840)organization(1)gov(101)dod(2)infosec(1)

algorithms(1)22}

Table2‐AlgorithmOIDs

7.1.4 NameformsSeeCPSandAppendixBforfurtherinformation.

7.1.5 NameconstraintsNameconstraintsarenotpresent.

7.1.6 CertificatepolicyobjectidentifierCertificatesissuedunderthisCPshallassertthisCP’sOID(1.2.36.1.334.1.1.3.4).

CertificatesissuedunderthispolicyshallalsoassertthefollowingLoAOID:

{1.2.36.1.334.1.2.2.2}LevelofAssurance–Medium(Resource)

Inaddition; toenabletheuseofthecertificateat lowerLevelsofAssurance,thispolicyalsoassertsthefollowingOID:

{1.2.36.1.334.1.2.2.1}LevelofAssurance–Low(Resource).

SeealsoAppendixB.
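Tables 1 and 2 give the algorithm OIDs in ASN.1 arc notation, while a certificate carries them as DER-encoded OBJECT IDENTIFIERs inside an AlgorithmIdentifier. The following is an added example, not code from the CP or from the Defence PKI, that converts the arc notation above to dotted form and to DER bytes, decodes DER back again (rejecting non-canonical encodings), and identifies a DER OID taken from a certificate against the two tables. It uses only the Python standard library; the table strings are copied from the CP text.

```python
"""Added example (not from the CP): turn the ASN.1 arc notation of Tables 1
and 2 into dotted OIDs and the DER bytes that appear in a certificate's
AlgorithmIdentifier, and identify a DER-encoded OID against those tables.
Standard library only; the table strings are copied from the CP text."""
import re

SIGNATURE_OIDS = {  # Table 1 - Signature OIDs
    "sha-1WithRSAEncryption":
        "{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5}",
    "sha256WithRSAEncryption":
        "{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11}",
}
SUBJECT_KEY_OIDS = {  # Table 2 - Algorithm OIDs
    "id-ecPublicKey":
        "{iso(1) member-body(2) us(840) ansi-x9-62(10045) public-key-type(2) 1}",
    "rsaEncryption":
        "{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1}",
    "dhpublicnumber":
        "{iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1}",
    "id-keyExchangeAlgorithm":
        "{joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) "
        "dod(2) infosec(1) algorithms(1) 22}",
}

_ARC_NUMBER = re.compile(r"\((\d+)\)$")  # the number in 'member-body(2)'


def arc_to_dotted(arc_notation):
    """'{iso(1) member-body(2) us(840) ... 11}' -> '1.2.840....11'.
    Each whitespace-separated arc is either name(number) or a bare number."""
    arcs = []
    for token in arc_notation.strip().strip("{}").split():
        match = _ARC_NUMBER.search(token)
        arcs.append(int(match.group(1)) if match else int(token))
    return ".".join(str(a) for a in arcs)


def _base128(value):
    """X.690 8.19: big-endian 7-bit groups, high bit set on all but the last."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(groups))


def oid_encode(dotted):
    """Dotted OID -> complete DER TLV (tag 0x06, short-form length, content).
    The first two arcs are packed into one sub-identifier (40 * X + Y)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _base128(arc)
    if len(content) >= 128:
        raise ValueError("long-form lengths are not needed for these OIDs")
    return bytes((0x06, len(content))) + content


def oid_decode(der):
    """Complete DER OID TLV -> dotted string, rejecting non-canonical input
    (leading 0x80 padding, truncated last sub-identifier, wrong length)."""
    if len(der) < 3 or der[0] != 0x06 or der[1] >= 128 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    content = der[2:]
    if content[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    arcs, value = [], 0
    for byte in content:
        if value == 0 and byte == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            if not arcs:  # unpack the combined first sub-identifier
                arcs.extend((2, value - 80) if value >= 80 else divmod(value, 40))
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def name_for_der(der):
    """Map a DER OID taken from an AlgorithmIdentifier to its Table 1/2 name,
    or None if the CP does not list it."""
    dotted = oid_decode(der)
    for table in (SIGNATURE_OIDS, SUBJECT_KEY_OIDS):
        for name, arc in table.items():
            if arc_to_dotted(arc) == dotted:
                return name
    return None


if __name__ == "__main__":
    for name, arc in {**SIGNATURE_OIDS, **SUBJECT_KEY_OIDS}.items():
        dotted = arc_to_dotted(arc)
        print(f"{name:24} {dotted:26} {oid_encode(dotted).hex()}")
```

The strict decoder matters for a validator: an OID that is semantically the CP OID but encoded with padding bytes is not a DER OID and should be rejected rather than silently matched.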

7.1.7 Usage of policy constraints extension

See Appendix B.

7.1.8 Policy qualifiers syntax and semantics

See Appendix B.

7.1.9 Processing semantics for the critical certificate policies extension

This CP does not require the certificate policies extension to be critical (Appendix B marks it non-critical). Relying Parties whose client software does not process this extension do so at their own risk.

7.2 CRL profile

7.2.1 Version number(s)

CRLs issued shall be X.509 version 2 CRLs.


7.2.2 CRL and CRL entry extensions

See Appendix C.

7.3 OCSP profile

7.3.1 Version numbers

OCSP is implemented using version 1 as specified in RFC 2560 [2560]. (RFC 2560 has since been obsoleted by RFC 6960, which still defines protocol version 1.)

7.3.2 OCSP extensions

Refer to the CPS and the Validation Authority (VA) CP [VACP] for the full OCSP profile.

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS

8.1 Frequency or circumstances of assessment

See CPS.

8.2 Identity/qualifications of assessor

See CPS.

8.3 Assessor's relationship to assessed entity

See CPS.

8.4 Topics covered by assessment

See CPS.

8.5 Actions taken as a result of deficiency

See CPS.

8.6 Communication of results

See CPS.

9. OTHER BUSINESS AND LEGAL MATTERS

9.1 Fees

9.1.1 Certificate issuance or renewal fees

No stipulation.


9.1.2 Certificate access fees

There is no fee for accessing Certificates from approved repositories.

9.1.3 Revocation or status information access fees

There is no fee for accessing the CRL from approved repositories.

9.1.4 Fees for other services

See CPS regarding fees for access to this CP. No fee has been stipulated for other services.

9.1.5 Refund policy

See CPS.

9.2 Financial responsibility

9.2.1 Insurance coverage

No stipulation.

9.2.2 Other assets

No stipulation.

9.2.3 Insurance or warranty coverage for end-entities

No stipulation.

9.3 Confidentiality of business information

See CPS.

9.3.1 Scope of confidential information

No stipulation.

9.3.2 Information not within the scope of confidential information

No stipulation.

9.3.3 Responsibility to protect confidential information

See CPS.

9.4 Privacy of personal information

Resource Certificates pertain to non-person entities, not individuals, and do not contain any personal information (as defined in the Privacy Act 1988 (Cth)).

9.5 Intellectual property rights

See CPS.


9.6 Representations and warranties

See CPS.

9.6.1 CA representations and warranties

See CPS.

9.6.2 RA representations and warranties

See CPS.

9.6.3 Subscriber representations and warranties

As the trusted role responsible for the private keys, the Code Signing Resource Custodian warrants to:

i. ensure that the private keys, and token Personal Identification Number (PIN), are protected at all times against loss, disclosure to any unauthorised party, modification or unauthorised use;
ii. use the PKI token, including keys, only for the purposes that they are authorised by Defence to use them for and not for any other purpose, including for any unlawful or improper purpose;
iii. immediately notify the PKI if they suspect that their token PIN or keys have, or may have been, compromised; and
iv. not sign any code with their signing private key after the associated certificate expires.

9.6.4 Relying party representations and warranties

See CPS. In addition, certificates issued under this CP do not contain, or imply, any authority, access or privilege. Relying Parties assume responsibility for any financial limit they may wish to apply for transactions authenticated using certificates issued under this CP.

9.6.5 Representations and warranties of other participants

No stipulation.

9.7 Disclaimer of warranties

See CPS.

9.8 Limitations of liability

See CPS.

In addition: GATEKEEPER ACCREDITATION DISCLAIMER

The Gatekeeper Competent Authority is responsible for ensuring that the accreditation process is conducted with due care and in accordance with published Gatekeeper Criteria and Policies. The Gatekeeper Competent Authority is not liable for any errors and/or omissions in the final Approved Documents, which remain the responsibility of the accredited Service Provider. The Digital Transformation Office is not responsible and cannot be held liable for any loss of any kind in relation to the use of digital keys and certificates issued by a Gatekeeper accredited Service Provider. By granting a Service Provider Gatekeeper Accreditation the Digital Transformation Office makes no representation and gives no warranty as to the:

i. accuracy of any statements or representations made in, or suitability of, the Approved Documents of a Gatekeeper accredited Service Provider;
ii. accuracy of any statement or representation made in, or suitability of, the documentation of a Service Provider in a Gatekeeper recognised PKI domain; or
iii. standard or suitability of any services thereby provided by any Subscriber or Relying Party or application.

9.9 Indemnities

See CPS.

9.10 Term and termination

9.10.1 Term

This CP and any amendments shall become effective upon publication in the Repository and will remain in effect until notice of its termination is communicated by the Defence PKI on its website or Repository.

9.10.2 Termination

See CPS.

9.10.3 Effect of termination and survival

See CPS.

9.11 Individual notices and communications with participants

See CPS.

9.12 Amendments

See CPS.

9.13 Dispute resolution provisions

See CPS.

9.14 Governing Law

See CPS.

9.15 Compliance with Applicable Law

See CPS.

9.16 Miscellaneous provisions

See CPS.

9.17 Other provisions

See CPS.


APPENDIX A. REFERENCES

The following documents are referenced in this CP:

[2560]    RFC 2560, Internet X.509 Public Key Infrastructure Online Certificate Status Protocol (OCSP), Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc2560.txt
[3161]    RFC 3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP), Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc3161.txt
[3647]    RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc3647.txt
[5280]    RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, Internet Engineering Task Force, available at http://www.ietf.org/rfc/rfc5280.txt
[CPS]     X.509 Certification Practice Statement for the Australian Department of Defence, available at http://crl.defence.gov.au/pkicps/Defence-CPS.pdf
[GK2015]  Digital Transformation Office, Gatekeeper PKI Framework v3.1, Dec 2015, available at https://www.dto.gov.au/standard/design-guides/authentication-frameworks/gatekeeper-public-key-infrastructure-framework/
[ISM2015] Australian Signals Directorate, 2015 Australian Government Information Security Manual Controls, available at http://www.asd.gov.au/infosec/ism/index.htm
[KMP]     Department of Defence Public Key Infrastructure Key Management Plan (classified)
[LOA]     Department of Defence Public Key Infrastructure Assurance Level Requirements document, available at http://crl.defence.gov.au/pki/LOA.pdf
[RCACP]   X.509 Certificate Policy for the Australian Department of Defence Root Certification Authority and Subordinate Certificate Authorities, available at http://crl.defence.gov.au/pki/
[VACP]    X.509 Certificate Policy for the Australian Department of Defence Validation Authority Certificates, available at http://crl.defence.gov.au/pki/

Table 3 - References


APPENDIX B. CERTIFICATE PROFILES

NB. Variations to the Registration Profiles associated with this Annex will occur over time due to technical implementations. As such variations will be marginal and will not materially affect the certificates issued under this CP, they will not be reviewed by the Gatekeeper Competent Authority.

B.1 Code Signing Local Key Gen

Variation 1: CodeSigning_LocalKeyGen_V1.0

Field | Critical | Value | Notes
Version | | V3 (2) |
Serial | | <octet string> | Must be unique within Defence namespace
Issuer signature algorithm | | sha-1WithRSAEncryption or sha256WithRSAEncryption | Minimum cryptographic level. SHA-1 for legacy purposes only; SHA-2 for new requests.
Issuer distinguished name | | CN=ADOCA<serial>, OU=CAs, OU=PKI, OU=DoD, O=GOV, C=AU | Serial is unique within PKI.
Validity period | | Not before <UTC time>; Not after <UTC time> | 2 years from date of issue
Subject distinguished name | | <unique identifier> | As determined by device.
Subject public key information | | 2048 bit RSA key modulus |
Issuer unique identifier | - | Not present |
Subject unique identifier | - | Not present |

X.509 v3 extensions
Authority key identifier | No | <octet string> | 160 bit SHA-1 hash of binary DER encoding of signing CA's public key
Subject key identifier | No | <octet string> | 160 bit SHA-1 hash of binary DER encoding of subject's public key
Key usage | Yes | digitalSignature |
Extended key usage | No | codeSigning |
Private key usage period | - | Not present |
Certificate policies | No | [1] Policy Id: {1.2.36.1.334.1.1.3.4}; Policy qualifier - CPS pointer: http://crl.defence.gov.au/pki | The OID of this CP
 | | [2] Policy OID: {1.2.36.1.334.1.2.2.2} Level of Assurance - Medium | The Level of Assurance of this certificate
 | | [3] Policy OID: {1.2.36.1.334.1.2.2.1} Level of Assurance - Low | Included to allow the certificate to be used in a lower assurance context.
Policy mapping | - | Not present |
Subject alternative name | - | Not present |
Issuer alternative name | - | Not present |
Subject directory attributes | - | Not present |
Basic constraints | - | Not present |
Name constraints | - | Not present |
Policy constraints | - | Not present |
Authority information access | No | [1] Access method: OCSP {1.3.6.1.5.5.7.48.1}; Access location: http://ocsp.defence.gov.au | Defence uses a URL rewrite (redirection) rule in the web server to ensure that AIA URLs without a file extension are assigned the correct file type (.crt or .p7c).
 | | [2] Access method: CA Issuer {1.3.6.1.5.5.7.48.2}; Access location: http://crl.defence.gov.au/pki/Certificates/ADOCA<serial> |
 | | [3] Access method: CA Issuer {1.3.6.1.5.5.7.48.2}; Access location: ldap://dir.defence.gov.au/cn=ADOCA<serial>,ou=CAs,ou=PKI,ou=DoD,o=GOV,c=AU?cACertificate;binary,crossCertificatePair;binary |
CRL distribution point | No | [1] Distribution point name (http): http://crl.defence.gov.au/pki/crl/ADOCA<serial>.crl | The CRL distribution point extension shall only populate the distributionPoint field. The field shall only contain the URI name form. The reasons and cRLIssuer fields shall not be populated. The CRL shall point to a full and complete CRL only (i.e., a CRL that does NOT contain the issuer distribution point extension).
 | | [2] Distribution point name (ldap): ldap://dir.defence.gov.au/cn=ADOCA<serial>,ou=CAs,ou=PKI,ou=DoD,o=GOV,c=AU?certificateRevocationList |
Microsoft Certificate Template | | Domain Computer |

Table 4 - Certificate Profile - Code signing certificate
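Table 4, together with the policy OIDs of 7.1.6 and the 2 year limit of 6.3.2, is a checklist a Relying Party or auditor can apply to an issued certificate. The following is an added example of such a conformance check; it is not code from the CP or the Defence PKI. The certificate is represented as a plain dictionary, and that layout, the 731 day reading of "2 years", and the two sample certificates are constructed for the example and stand in for whatever your X.509 parser returns. The codeSigning, OCSP and CA Issuer OIDs are the standard RFC 5280 / RFC 2560 values the profile names but does not spell out.

```python
"""Added example (not from the CP): check a parsed code-signing certificate
against the Appendix B profile (Table 4) and the policy OIDs of 7.1.6.
The dictionary layout and both samples are constructed for this example."""
import re
from datetime import datetime, timedelta

# OIDs stated in sections 7.1.3, 7.1.6 and Appendix B of the CP
CP_OID = "1.2.36.1.334.1.1.3.4"            # this CP
LOA_MEDIUM = "1.2.36.1.334.1.2.2.2"        # Level of Assurance - Medium (Resource)
LOA_LOW = "1.2.36.1.334.1.2.2.1"           # Level of Assurance - Low (Resource)
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"     # Table 1, legacy only
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # Table 1
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # Table 2
# RFC 5280 / RFC 2560 OIDs the profile names but does not spell out
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
ISSUER_DN = re.compile(r"^CN=ADOCA[^,]+,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU$")
MAX_VALIDITY = timedelta(days=731)  # assumption: "2 years" allowing one leap day
MUST_BE_ABSENT = ("privateKeyUsagePeriod", "policyMappings", "subjectAltName",
                  "issuerAltName", "subjectDirectoryAttributes",
                  "basicConstraints", "nameConstraints", "policyConstraints")


def check_profile(cert):
    """Return (code, message) findings; an empty list means the certificate
    matches Table 4. Codes are stable so callers can act on them."""
    findings = []
    ext = cert["extensions"]

    def fail(code, message):
        findings.append((code, message))

    if cert["version"] != 3:
        fail("version", "must be an X.509 v3 certificate")
    sig = cert["signature_algorithm"]
    if sig == SHA1_WITH_RSA:
        fail("signature-legacy", "sha-1WithRSAEncryption is for legacy purposes only")
    elif sig != SHA256_WITH_RSA:
        fail("signature-algorithm", f"signature OID {sig} is not in Table 1")
    if not ISSUER_DN.match(cert["issuer"]):
        fail("issuer", "issuer DN is not CN=ADOCA<serial>,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU")
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        fail("validity", "validity period exceeds 2 years from date of issue")
    key = cert["public_key"]
    if key["algorithm"] != RSA_ENCRYPTION or key["bits"] != 2048:
        fail("key", "subject public key must be a 2048 bit RSA key")
    ku = ext.get("keyUsage")
    if ku is None or not ku["critical"] or set(ku["value"]) != {"digitalSignature"}:
        fail("keyUsage", "keyUsage must be critical and contain only digitalSignature")
    eku = ext.get("extendedKeyUsage")
    if eku is None or ID_KP_CODE_SIGNING not in eku["value"]:
        fail("extendedKeyUsage", "codeSigning EKU is missing")
    policies = set(ext.get("certificatePolicies", {}).get("value", []))
    for oid, label in ((CP_OID, "CP OID"), (LOA_MEDIUM, "LoA Medium OID")):
        if oid not in policies:
            fail("certificatePolicies", f"{label} {oid} is not asserted")
    for name in MUST_BE_ABSENT:
        if name in ext:
            fail("unexpected-extension", f"{name} must not be present")
    aia = ext.get("authorityInfoAccess", {}).get("value", [])
    if not any(method == ID_AD_OCSP for method, _location in aia):
        fail("authorityInfoAccess", "no OCSP access method")
    for dp in ext.get("cRLDistributionPoints", {}).get("value", []):
        if dp.get("reasons") is not None or dp.get("cRLIssuer") is not None:
            fail("cRLDistributionPoints", "reasons and cRLIssuer must not be populated")
        if not dp.get("uris"):
            fail("cRLDistributionPoints", "distributionPoint must carry a URI name")
    return findings


def conforming_sample():
    """Constructed summary that follows Table 4; ADOCA<serial> is kept as the
    placeholder the profile itself uses (not a real Defence certificate)."""
    return {
        "version": 3,
        "signature_algorithm": SHA256_WITH_RSA,
        "issuer": "CN=ADOCA<serial>,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU",
        "not_before": datetime(2018, 2, 1),
        "not_after": datetime(2020, 2, 1),
        "public_key": {"algorithm": RSA_ENCRYPTION, "bits": 2048},
        "extensions": {
            "keyUsage": {"critical": True, "value": ["digitalSignature"]},
            "extendedKeyUsage": {"critical": False, "value": [ID_KP_CODE_SIGNING]},
            "certificatePolicies": {"critical": False,
                                    "value": [CP_OID, LOA_MEDIUM, LOA_LOW]},
            "authorityInfoAccess": {"critical": False, "value": [
                (ID_AD_OCSP, "http://ocsp.defence.gov.au"),
                (ID_AD_CA_ISSUERS,
                 "http://crl.defence.gov.au/pki/Certificates/ADOCA<serial>")]},
            "cRLDistributionPoints": {"critical": False, "value": [
                {"uris": ["http://crl.defence.gov.au/pki/crl/ADOCA<serial>.crl"],
                 "reasons": None, "cRLIssuer": None}]},
        },
    }


def legacy_sample():
    """Constructed deviant: SHA-1 signature over a 1024 bit key, three-year
    validity, keyUsage wider than digitalSignature, LoA Medium not asserted,
    and a reasons field in the CRL distribution point."""
    cert = conforming_sample()
    cert["signature_algorithm"] = SHA1_WITH_RSA
    cert["public_key"] = {"algorithm": RSA_ENCRYPTION, "bits": 1024}
    cert["not_after"] = datetime(2021, 2, 1)
    ext = cert["extensions"]
    ext["keyUsage"]["value"] = ["digitalSignature", "keyEncipherment"]
    ext["certificatePolicies"]["value"] = [CP_OID, LOA_LOW]
    ext["cRLDistributionPoints"]["value"][0]["reasons"] = ["keyCompromise"]
    return cert


if __name__ == "__main__":
    for label, sample in (("conforming", conforming_sample()), ("legacy", legacy_sample())):
        print(label, check_profile(sample) or "matches Table 4")
```

The SHA-1 case is reported under its own code rather than as a hard failure, because the profile still admits it for legacy requests until the SHA-1 CA certificate expires (Appendix D.2); a Relying Party can decide whether to treat that finding as a rejection.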


APPENDIX C. CRL PROFILE

Please refer to the issuing CA's Certificate Policy [RCACP].


APPENDIX D. LEVEL OF ASSURANCE MAPPING

D.1 Assurance Level

The following table documents the mapping of this CP to the requirements of an associated assurance level as documented in the Defence PKI Assurance Level Requirements paper [LOA]:

CP's Level of Assurance: Medium Assurance (Resource) {1.2.36.1.334.1.2.2.2}, as documented in section 7.1.6 above.

REQUIREMENT | CP'S MAPPING TO REQUIREMENT

IDENTITY PROOFING

EOI (Evidence of Identity)
A Resource Custodian is responsible for the identification of a Code Signing Resource Custodian via a face-to-face registration that satisfies Gatekeeper High Assurance requirements, and for the verification of a certificate request during the enrolment of the Custodian, as described in 4.1.2 (Enrolment process and responsibilities). The RC is a trusted role, and the RC has proven their affiliation with Defence and identity as part of their enrolment.
In addition, the Code Signing Resource Custodian is responsible for verifying the authenticity, integrity and affiliation with Defence of the code prior to signing the code.

Evidence of Relationship
The RC is also required to confirm the Code Signing Resource Custodian's affiliation to Defence by identifying them in the Defence directory.
By being configured for use on the Defence DIE by a trusted administrator with the required access permissions, the code is authorised for signing by the Code Signing Resource Custodian.

Location
The identification of a resource may be local or remote.

CREDENTIAL STRENGTH

Token Protection
Private and public key pairs are generated on the resource using a cryptographic software module which also provides protection for the soft token during its lifecycle. See 6.2 (Private key protection and cryptographic module engineering controls).

Token Activation
Access to the private key is protected by passphrase in accordance with Defence security requirements.

Life (Time) of Key Strength
As documented in Appendix B, the key strength is RSA 2048 with SHA-1 (legacy) or SHA-2 signatures. SHA-1 is deprecated under NIST SP 800-57 Part 1 but may be used to support legacy systems until 2030 [GK2015].


REQUIREMENT | CP'S MAPPING TO REQUIREMENT

CERTIFICATE MANAGEMENT

CA Protection
The CA is both physically and logically secure from unauthorised access. The CA protection requirements are documented in the CPS and in sections 5 and 6 of this CP.

Binding
As documented in section 4 (Certificate Lifecycle Operational Requirements), the key generation and issuance of a certificate to a resource is carried out by trusted roles, using the cryptographic capability on the resource itself.
While the issuance process is not necessarily contiguous, the certificate signing request binds the certificate to the private key generated on the resource. The certificate also has a subject name which contains an identifier determined by the resource (see Appendix B, Certificate Profiles).

Revocation (Publication)
As covered in section 4.9.7, the CRL is published weekly, or on a certificate revocation, which exceeds the requirements. This is a result of issuing from the High Assurance CA.

Compliance
The compliance requirements are covered in the CPS and in section 8 (Compliance audit and other assessments). The Defence PKI environment is certified under the Australian Government Gatekeeper program to support issuance up to a High Assurance level.

D.2 Risk Assessment

The issuance of certificates under this CP has been aligned with Australian Defence Medium Assurance, which, as documented in the [LOA] paper, should provide a relying party some assurance in the asserted identity.

As discussed in section 1.3 of the [LOA] paper, any deviations within the CP from the requirements documented for the associated assurance level should be appropriately risk managed.

The following risks were identified and managed in the alignment of this CP with the requirements for Medium Assurance. The DPKIPB has accepted the risks through the appropriateness of the controls listed.

LOA REQUIREMENT | IDENTIFIED RISK | MITIGATION / CONTROLS

Life (Time) of Key Strength
Identified risk: There is a risk that the key strength is insufficient, due to the use of RSA 1024 and SHA-1, which NIST deprecated for digital signature generation through 2013 and disallowed from 2014. A practical SHA-1 collision has since been publicly demonstrated.
Mitigation / controls: A number of internal applications cannot accept larger key sizes or a stronger hash function. Issuance of SHA-1 certificates to 1024 bit keys is by exception, on request of the application owner. NOTE: Defence's SHA-1 CA certificate expires in Dec 2018, after which no further SHA-1 facility will be offered, removing the allowance for 1024 bit keys. Gatekeeper 2015 controls allow legacy use of SHA-1 until 2030 [GK2015].