1. INTRODUCTION

This document describes the rules and procedures used by the AEGIS Certification Authority.

1.1 Overview

AEGIS (Academic and Educational Grid Initiative of Serbia) has been established on April 14, 2005. The main focus of AEGIS is:

· coordinate efforts to further develop academic and high performance computing facilities and help them integrate into AEGIS;

· organize dissemination and training activities and help Serbian research communities to develop and deploy applications that use AEGIS infrastructure;

· coordinate fund raising efforts to improve AEGIS infrastructure and human resources;

· facilitate wider participation of AEGIS members in Framework 6, Framework 7, and other international GRID projects;

· create a national GRID development policy;

Any additional information can be obtained at: http://aegis.phy.bg.ac.rsyu/

In order to stregthen AEGIS infrastructure and facilitate its efficient usage by Serbian research community, as well as to allow full integration of our user community and computing resources into the pan-European and other Grid infrastructures, it was necessary to establish AEGIS Certification Authority. The AEGIS CA will provide security infrastructure needed for the operation of all AEGIS resources and authentication of all AEGIS users, hosts and services.

This document is a combined certification policy and certificate practice statement. It describes the set of procedures followed by the AEGIS Certification Authority (CA) in issuing certificates as well as the responsibilities of the involved parties.

The AEGIS CA is operated at the premises of University of Belgrade Computer Center.

This document is structured according to RFC 3647.

This document was issued on 04.03.2007, and took effect on 01.06.2007..

1.2 Document name and identification

Document title: AEGIS CA Certificate Policy and Certification Practice Statement

Document version: Version 1.21

Document date: 0410.03.~~2007~~2009.

ASN.1 Object Identifier (OID): 1.3.6.1.4.1.23658.10.1.1.21

The next table describes the meaning of the OID:

1.3.6.1.4.1	Prefix for IANA private enterprises
23658	University of Belgrade registered identifier
10	Certification Authorities
1	CP/CPS
1.02	Major and minor CP/CPS number.

1.3 PKI participants

1.3.1 Certification Authorities

AEGIS certificates are signed by AEGIS CA. AEGIS CA provides PKI services to the Serbian academics and research communities who participate in national or international Grid activities. The AEGIS CA does not issue nor sign certificates to subordinate CAs.

1.3.2 Registration authorities

The RA Operators are responsible for verifying Subscribers’ identities and approving their certificate requests. RA Operators do not issue certificates. The list of RAs is available on the AEGIS CA website. Each RA will have it’s own web interface.

1.3.3 Subscribers

The AEGIS CA issues user (personal), host and service certificates. Subscribers eligible for certification from AEGIS CA are:

· Users and site administrators of Academic and Educational Grid Initiative of Serbia (AEGIS).

· Computers used in activities of Academic and Educational Grid Initiative of Serbia (AEGIS).

· Services or host applications which are running on computers used in Academic and Educational Grid Initiative of Serbia (AEGIS).

1.3.4. Relying parties

Users of Grid computing infrastructures that are using the public keys, in certificates signed by the AEGIS CA for signature verification and/or encryption, will be considered as relying parties.

1.3.5 Other participants

No stipulation.

1.4 Certificate usage

1.4.1 Appropriate certificate uses

Personal certificates can be used to authenticate a user that would like to benefit from the Grid resources.

Host certificates can be used to identify computers that have special tasks related to the Grid activities.

Service certificates can be used to recognize the host applications and, data or communication encryption (SSL/TLS).

In addition, it is permissible to use certificates for email signing.

1.4.2 Prohibited certificate uses

Notwithstanding the above, using certificates for purposes contrary to Serbian law is explicitly prohibited.

1.5 Policy administration

1.5.1 Organization administering the document.

The AEGIS CA CP/CPS document was authored and is administered by the University of Belgrade Computer Center.

The AEGIS CA address for operations issues is:

AEGIS Certification authority

University of Belgrade Computer Center

Kumanovska bb

Belgrade 126119

Serbia

Phone: +381 11 3031257

Phone: +381 11 3031258

Fax: +381 11 3031259

e-mail: aegis-ca@aegis-ca.rcub.bg.ac~~.yu~~.rs

1.5.2 Contact person

Contact person for questions related to this document or any other AEGIS CA related issue is:

Dušan Radovanović

University of Belgrade Computer Center

Kumanovska bb

Belgrade 126119

Serbia

Phone: +381 11 3031257

Phone: +381 11 3031258

Fax: +381 11 3031259

e-mail: dusan.radovanovic@rcub.bg.ac~~.yu~~.rs

1.5.3 Person determining CPS suitability for the policy

Dušan Radovanović

University of Belgrade Computer Center

Kumanovska BB

Belgrade 126119

Serbia

Phone: +381 11 3031257

Phone: +381 11 3031258

Fax: +381 11 3031259

e-mail: dusan.radovanovic@rcub.bg.ac~~.yu~~.rs

1.5.4 CPS approval procedures

No stipulation.

1.6 Definitions and acronyms

AEGIS	Academic and Educational Grid Initiative of Serbia
ASN.1	Abstract Syntax Notation One (http://asn1.elibel.tm.fr/)
CA	Certification Authority
CP/CPS	Certificate Policy/Certification Practice Statement
CRL	Certificate Revocation List
DNS	Domain Name System
FQDN	Fully Qualified Domain Name
HTTP	Hypertext Transfer Protocol
IANA	Internet Assigned Numbers Authority
IP	Internet Protocol
OCSP	Online Certificate Status Protocol
OID	Object Identifier
PKI	Public Key Infrastructure
RA	Registration Authority
RFC	Request For Comment
S/MIME	Secure / Multipurpose Internet Mail Extensions
SEE-GRID	South East European GRid-enabled eInfrastructure Development
SSL	Secure Sockets Layer
URL	Uniform Resource Locator
USB	Universal Serial Bus

2 PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories

The AEGIS CA operates an on-line repository that contains:

· The AEGIS CA root certificate

· User, Host and Service certificates issued by the CA.

· Certificate Revocation Lists (periodically updated)

· A copy of the most recent version of this CP/CPS and all previous versions

· A list of current operational Registration Authorities.

· Links to all trust anchor repositories where AEGIS CA info is published.

· Other relevant information http://aegis-ca.rcub.bg.ac~~.yu~~.rs/

The AEGIS CA communication information for information regarding repositories is:

AEGIS Certification authority

University of Belgrade Computer Center

Kumanovska BB

Belgrade 126119

Serbia

Phone: +381 11 3031257

Phone: +381 11 3031258

Fax: +381 11 3031259

e-mail: aegis-ca@aegis-ca.rcub.bg.ac~~.yu~~.rs

2.2 Publication of certification information

See section 2.1

2.3 Time or frequency of publication

· Certificates will be published as soon as they are issued.

· The published CRL will have a maximum lifetime of 30 days and it will be updated no later than 7 days before it’s expiration date. In case of certificate revocation, the CRL will be updated immediately following the revocation.

· This CP/CPS will be published whenever it is updated.

2.4 Access control on repositories

The online repository is maintained on best effort basis and is available substantially on a 24 hours per day, 7 days per week basis, subject to reasonable scheduled maintenance.

AEGIS CA may impose a more restricted access control policy to the repository at its discretion.

The AEGIS CA does not impose any access control on its CP/CPS, issued certificates or CRLs.

3 IDENTIFICATION AND AUTHENTICATION

3.1 Naming

3.1.1 Types of names

The subject names for the certificate applicants shall follow the X.500 standard:

1. in case of user certificate the subject name must include the persons name in the CN field;

2. in case of host certificate the subject name must include the DNS FQDN in the CN field;

3. in case service certificate the subject name must include the service name and the DNS FQDN separated by a „/“ in the CN field.

3.1.2 Need for names to be meaningful.

The subject name must represent the subscriber in a way that is easily understandable by humans and must have a reasonable association with the authenticated name of the subscriber.

3.1.3 Anonymity or pseudonimity of subscribers

AEGIS CA will neither issue nor sign pseudonymous or anonymous certificates.

3.1.4 Rules for interpreting various name forms

See section 3.1.1.

3.1.5 Uniqueness of names

The subject name included in the CN part of a certificate must be unique for all certificates issued by the AEGIS CA. These certificates belong to the same end entity. When essential, extra characters may be affixed to the original name to guarantee the uniqueness of the subject name.

Private keys must not be shared among end entities.

DNs cannot be recycled.

3.1.6 Recognition, authentication, and role of trademarks

No stipulation.

3.2 Initial identity validation

3.2.1 Method to prove possession of a key

The AEGIS CA proves possession of the private key that is the companion to the public key in AEGIS CA root certificate by issuing certificates and signing CRLs.

The AEGIS CA verifies the possession of the private key relating to certificates requests by out-of-band, non-technical means at the time of authentication. Such verification may take the form of a directly posed question to requester. A cryptographic challenge-response exchange may be used to prove possession of the private key at any point in time before certification of subscriber.

The AEGIS CA will not generate the key pair for subscribers and will not accept or retain private keys generated by subscribers.

3.2.2 Authentication of organization identity

The AEGIS CA authenticates organizations by:

· Checking that organization is affiliated with AEGIS Initiative;

· Contacting the person who represents the organization in the project.

3.2.3 Authentication of individual entity

Certificate of a person:

The subject should contact personally the RA or CA staff in order to validate his/her identity. The subject authentication is fulfilled by providing an official document for personal identification (ID-card, driving license or a passport), and a valid document proving subject’s relation with an institute or organization, declaring that the subject is a valid end entity.

Certificate of a host or service:

Host or service certificates can only be requested by the administrator responsible for the particular host. In order to request a host or service certificate the following conditions must be met:

1.The host must have a valid FQDN.

2.The administrator must already possess a valid personal AEGIS certificate.

3.The administrator must provide a proof of his or hers relation to the host itself.

The subscriber requesting service from the AEGIS CA must present valid documents for personal identification (ID-card, driving license or a passport), and a valid document proving subject’s relation with an institute or organization.

AEGIS CA or RA will archive photocopies of ID documents in case of user certificates and digitally signed e-mails in case of host or service certificates.

3.2.4 Non-verified subscriber information

During the initial identity validation the requester's e-mail is not verified. This is done during the processing of the certificate application as described in section 4.2.2.

3.2.5 Validation of Authority

No stipulation.

3.2.6 Criteria of interoperation

No stipulation.

3.3 Identification and authentication for re-key requests

3.3.1 Identification and authentication for routine re-key

Expiration warnings will be sent to subscribers before it is re-key time. Re-key before expiration can be executed by stating a re-key request signed with the personal certificate of the subscriber. Re-key after expiration uses completely the same authentication procedure as new certificate. For the first time and after that once every 3 years, a subscriber must be authenticated by the RA or CA serving his/her location following the procedure described in section 3.2.3.

3.3.2 Identification and authentication for re-key after revocation

The procedure for re-key after revocation is exactly the same with an initial registration.

3.4 Identification and authentication for revocation request

Certificate revocation requests should be authenticated in one of the following ways:

· By signing a revocation request e-mail via a valid personal key corresponding to the certificate that is requested to be revoked which must be a valid, non-expired and non-revoked AEGIS certificate.

· For persons who do not have a valid AEGIS certificate, but hold an evidence of a revocation circumstance: by personal authentication as described in 3.2.3

· If the revocation request is for a host or service certificate, then the e-mail must be signed by the private key corresponding to the certificate of the person responsible of the host or service. When e-mail is not an option, the request will be authenticated using the procedure described in section 3.2.3.

· Revocation request by the RA should be done by e-mail, signed with valid RA operator key.

4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1 Certificate application

4.1.1 Who can submit a certificate application

The applicant must:

1. be an acceptable subscriber as stated in section 1.3.3

2. read and adhere to all of the statements of this document

3. generate a key-pair using a trustworthy method. The private key must be at least 1024 bits and the exponent must be greater than 3.

4. use a strong passphrase of at least 12 characters

5. User certificate: For the first time and after that once every 3 years, a subscriber must be authenticated by the RA or CA serving his/her location following the procedure described in section 3.2.3. The submission of the certificate requests will be done via an SSL secured web form or via e-mail. If the subscriber wants to re key his/her certificate, then he/she must follow the procedures described in section 4.7.

6. Host or service certificate: The subject must already have a valid AEGIS CA certificate before requesting a server or service certificate. The submission of the certificate request can be done either via a web interface or via e-mail. In the first case the subject will have first to import his/her AEGIS CA certificate in the browser in order to be authenticated automatically by the AEGIS CA or RA web interface. Upon successful authentication the user will be able to submit the certificate request via a SSL secured web based form or via digitally signed e-mail. In the second case the subject will have to send an e-mail signed with his/her AEGIS CA key to aegis-ca@aegis-ca.rcub.bg.ac~~.yu~~.rs with the certificate requests attached and stating in the body of the e-mail that he is the person responsible for the server/service. In both cases the certificate request will be forwarded to the appropriate RA or CA, who will approve or disapprove the request according to sections 4.2.1 and 4.2.2

4.2 Certificate application processing

4.2.1 Performing identification and authentication functions

All the certificate applications will be authenticated and validated by the AEGIS CA and RAs as stated in section 3.2.3. In the cases of re-key of user certificate or request for host or service certificate, the authentication of the certificate application will take place by checking that the requester has a valid AEGIS CA certificate. Upon successful authentication, the information included in the certificate request will be validated by RA or CA.

4.2.2 Approval or rejection of certificate applications

The essential procedures that must be conformed in a certificate application request are as follows:

1.the subscriber must be authenticated by RA or CA;

2.the subject must be an acceptable subscriber entity, as defined by this Policy (section 1.3.3);

3.the request must obey the AEGIS CA distinguished name scheme (section 7.1.4);

4.the distinguished name must be unique;

5.the key must be 1024 or 2048 bits;

6.each applicant generates his/her own key by using OpenSSL or similar software;

7.host and service certificate requests must be submitted via SSL secured web form or via e-mail signed by a valid AEGIS CA certificate;

8.user certificate requests must be submitted via SSL secured web form or via e-mail.

9.the requests for certification keys with exponent == 3 will be rejected.

If the certificate request does not meet one or more of the above criteria, it will be rejected and signed notification e-mail will be sent by the RA or CA to the requester with carbon copy to aegis-ca@aegis-ca.rcub.bg.ac~~.yu~~.rs

4.2.3 Time to process certificate applications

Each certificate application will take no more that 3 working days to be processed.

4.3 Certificate issuance

4.3.1 CA actions during certificate issuance

If the certificate was requested through RA, the CA will validate the RA signature and RA authority and then issue the certificate.

If the user requested the certificate from the CA, the user must be validated as described in section 3.2.3 and then the certificate will be issued.

Right after the subscriber’s certificate is issued, an e-mail will be sent to the relevant RA manager or to the subscriber informing him/her about the action.

Communication between CA and RA will be done via encrypted and digitally signed e-mails using S/MIME.

4.3.2 Notification to subscriber by the CA of issuance of certificate

If the RA handled the communication between Subscriber and CA, the RA will send an e-mail, informing about certificate issuance. If Subscriber contacted CA directly, the CA will send an e-mail, informing about certificate issuance. User can then download His or Her certificate from CA on-line repository.

4.4 Certificate acceptance

If the user wants to accept the certificate, he or she must follow the procedure in section 4.4.1.

If a user wants to reject a certificate, he or she must submit a revocation request as described in section 4.9.

4.4.1 Conduct constituting certificate acceptance

The subscriber must send an e-mail, within 5 working days from the day that his/her certificate was issued, in which he will be stating that:

1.He or She accepts his/her certificate signed by the AEGIS CA;

2.He or She assumes the responsibility to notify the AEGIS CA immediately:

• in case of possible private key compromise;

• when the certificate is no longer required;

• when the information in the certificate becomes invalid.

The e-mail which the user sends to the CA has to be signed with the key corresponding to the public key in certificate he or she received from the CA.

If the subscriber does not send the e-mail within 5 working days, the certificate becomes the subject for revocation.

4.4.2 Publication of the certificate by the CA

All the certificates issued by the AEGIS CA will be published in the on-line repository operated by the AEGIS CA.

4.4.3 Notification of certificate issuance by the CA to other entities

If the RA has handled the communication with the subscriber, then it will be notified of the certificate issuance.

The RA will be informed about any certificate signatures and re-keys before expiration that were submitted through it.

4.5 Key pair and certificate usage

4.5.1 Subscriber private key and certificate usage

The subscribers' private keys along with the certificates issued by the AEGIS CA can be used for:

· email signing/verifying and encryption/decryption (S/MIME);

· server authentication and encryption of communications;

· authentication purposes in Grid Infrastructures.

· non-repuditation

4.5.2 Relying party public key and certificate usage

Relying parties can use the public keys and certificates of the subscribers for:

· email encryption and signature verification (S/MIME);

· server authentication and encryption of communications;

· authentication purposes in Grid infrastructures.

Relying parties must download the CRL at least once a day and implement its restrictions while validating certificates.