PKI Framework

Evaluation of Functionalities in Technology as it supports CA operations

 

Key Life Cycle Management

CA key pair generation, including:

  • What key sizes are required
  • What key generation algorithm is required
  • Whether key generation is performed in hardware or software
  • What standards are required for the module used to generate the keys (for example, the required ISO 15782-1/FIPS 140-1/ANSI X9.66 level of the module)
  • For what purposes the key may be used
  • For what purposes usage of the key should be restricted
  • The usage periods or active lifetimes for the CA public and the private key, respectively

CA private key protection, including:

  • What standards are required for the module used to store the CA private signature key (for example, the required ISO 15782-1/FIPS 140-1/ANSI X9.66 level of the module)
  • Whether the CA private key is maintained under m out of n multiperson control
  • Whether the CA private signature key is escrowed
  • Whether the CA private signing key is backed up
  • Whether the CA private and public signature keys are archived

Whether the CA provides subscriber key management services and a description of the services provided.

CA public key distribution, including a description of how the CA's public key is provided securely to subscribers and relying parties.

Key changeover, including a description of the procedures used to provide a new public key to a CA's users.

Subscriber key pair generation (if the CA provides subscriber key pair generation services), including:

  • How the subscriber's private key is provided securely to the subscriber
  • What key sizes are required
  • What key generation algorithm is required
  • Whether key pair generation is performed in hardware or software
  • What standards are required for the module used to generate the keys (for example, the required ISO 15782-1/FIPS 140-1/ANSI X9.66 level of the module)
  • For what purposes the key may be used
  • For what purposes usage of the key should be restricted

Subscriber private key protection (if the CA provides subscriber key management services), including:

  • Whether the subscriber's decryption private key is backed up
  • Whether the subscriber's decryption private key is archived
  • Under what conditions a subscriber's private key can be destroyed
  • Whether subscriber private decryption keys are escrowed by the CA.

Routine rekey, including a description of the identification and authentication and rekey request verification procedures.

Rekey after revocation or expiration, including a description of the identification and authentication and rekey request verification procedures for rekey after the subject certificate has been revoked.

Certificate distribution, including a description of the CA's established mechanism (for example, a repository such as a directory) for making available to relying parties the certificates and Certificate Revocation Lists that it issues.

Provision of certificate status information, including:

  • On-line revocation/status checking availability
  • If an online status mechanism is used (for example, OCSP), certificate status request content requirements
  • If an online status mechanism is used (for example, OCSP), definitive response message data content requirements
  • What key is used to digitally sign definitive response messages

Event logging, including the following:

  • How frequently the CA archives event journal data
  • How frequently event journals are reviewed