
ENTERPRISE PUBLIC KEY INFRASTRUCTURE - U.S. Bank (crl.usbank.com/CP/USBankCP.pdf)

US BANK

ENTERPRISE PUBLIC KEY INFRASTRUCTURE

CERTIFICATE POLICY

June 2012

Version 1.0

Copyright © 2012, Entrust, Inc.


US Bank Enterprise Public Key Infrastructure Certificate Policy

Page - i

Version Control

Version   Revision Date   Revision Description                      Revised by
0.1       May 29, 2012    Initial release for internal review.      Entrust Managed Service Policy Authority
0.2       June 11, 2012   Initial release for review by US Bank.    Entrust Managed Service Policy Authority


Table of Contents

1 INTRODUCTION ..... 1
1.1 OVERVIEW ..... 1
1.2 DOCUMENT NAME AND IDENTIFICATION ..... 1
1.2.1 Policy Object Identifiers ..... 1
1.3 PKI PARTICIPANTS ..... 2
1.3.1 Certification Authorities ..... 2
1.3.2 Registration Authorities ..... 2
1.3.3 Subscribers ..... 2
1.3.4 Relying Parties ..... 3
1.3.5 Other Participants ..... 3
1.4 CERTIFICATE USAGE ..... 4
1.4.1 Assurance Levels and Acceptable Use ..... 4
1.4.2 Prohibited Certificate Uses ..... 4
1.5 POLICY ADMINISTRATION ..... 4
1.5.1 Organization Responsibilities for this Certificate Policy ..... 4
1.5.2 Contact Information ..... 4
1.5.3 Person Determining CPS Suitability for The Policy ..... 4
1.5.4 Certificate Policy Amendment ..... 4
1.6 DEFINITIONS AND ACRONYMS ..... 4
1.6.1 List of Definitions ..... 4
1.6.2 List of Acronyms ..... 5
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES ..... 7
2.1 REPOSITORIES ..... 7
2.2 PUBLICATION OF CERTIFICATION INFORMATION ..... 7
2.3 TIME OR FREQUENCY OF PUBLICATION ..... 7
2.4 ACCESS CONTROLS ON REPOSITORIES ..... 7
3 IDENTIFICATION AND AUTHENTICATION ..... 8
3.1 NAMING ..... 8
3.2 INITIAL IDENTITY VALIDATION ..... 8
3.2.1 Method to Prove Possession of Private Key ..... 8
3.2.2 Authentication of Organization Identity ..... 8
3.2.3 Authentication of Individual Identity ..... 8
3.2.4 Non-verified Subscriber Information ..... 8
3.2.5 Validation of Authority ..... 8
3.2.6 Criteria for Interoperation ..... 8
3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS ..... 8
3.3.1 Identification and Authentication for Routine Re-key ..... 8
3.3.2 Identification and Authentication for Re-key after Revocation ..... 8
3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST ..... 8
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ..... 9
4.1 CERTIFICATE APPLICATION ..... 9
4.1.1 Who Can Submit a Certificate Application ..... 9
4.1.2 Enrollment Process and Responsibilities ..... 9
4.2 CERTIFICATE APPLICATION PROCESSING ..... 9
4.3 CERTIFICATE ISSUANCE ..... 9
4.4 CERTIFICATE ACCEPTANCE ..... 9
4.4.1 Conduct Constituting Certificate Acceptance ..... 9
4.4.2 Publication of the Certificate by the CA ..... 9
4.4.3 Notification of Certificate Issuance by the CA to Other Entities ..... 9
4.5 KEY PAIR AND CERTIFICATE USAGE ..... 9
4.6 CERTIFICATE RENEWAL ..... 9
4.7 CERTIFICATE RE-KEY ..... 9
4.7.1 Circumstance for Certificate Re-key ..... 9
4.7.2 Who May Request Certification of a New Public Key ..... 10
4.7.3 Processing Certificate Re-keying Requests ..... 10
4.7.4 Notification of New Certificate Issuance to Subscriber ..... 10
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate ..... 10
4.7.6 Publication of the Re-keyed Certificate by the CA ..... 10
4.7.7 Notification of Certificate Issuance by the CA to Other Entities ..... 10
4.8 CERTIFICATE MODIFICATION ..... 10
4.9 CERTIFICATE REVOCATION AND SUSPENSION ..... 10
4.9.1 Circumstances for Revocation ..... 10
4.9.2 Who Can Request Revocation ..... 10
4.9.3 Procedure for Revocation Request ..... 10
4.9.4 Revocation Request Grace Period ..... 10
4.9.5 Time within which CA Must Process the Revocation Request ..... 10
4.9.6 Revocation Checking Requirement for Relying Parties ..... 11
4.9.7 CRL Issuance Frequency ..... 11
4.9.8 Maximum Latency for CRLs ..... 11
4.9.9 On-line Revocation/Status Checking Availability ..... 11
4.9.10 On-line Revocation Checking Requirements ..... 11
4.9.11 Other Forms of Revocation Advertisements Available ..... 11
4.9.12 Special Requirements re: Re-key Compromise ..... 11
4.9.13 Circumstances for Suspension ..... 11
4.9.14 Who Can Request Suspension ..... 11
4.9.15 Procedure for Suspension Request ..... 11
4.9.16 Limits on Suspension Period ..... 11
4.10 CERTIFICATE STATUS SERVICES ..... 11
4.10.1 Operational Characteristics ..... 11
4.10.2 Service Availability ..... 11
4.10.3 Optional Features ..... 11
4.11 END OF SUBSCRIPTION ..... 11
4.12 KEY ESCROW AND RECOVERY ..... 11
4.12.1 Key Escrow and Recovery Policy and Practices ..... 11
4.12.2 Session Key Encapsulation and Recovery Policy and Practices ..... 11
5 FACILITY MANAGEMENT, AND OPERATIONAL CONTROLS ..... 12
5.1 PHYSICAL CONTROLS ..... 12
5.2 PROCEDURAL CONTROLS ..... 12
5.3 PERSONNEL CONTROLS ..... 12
5.4 AUDIT LOGGING PROCEDURES ..... 12
5.5 RECORDS ARCHIVAL ..... 12
5.6 KEY CHANGEOVER ..... 12
5.7 COMPROMISE AND DISASTER RECOVERY ..... 12
5.8 CA TERMINATION ..... 12
6 TECHNICAL SECURITY CONTROLS ..... 13
6.1 KEY PAIR GENERATION ..... 13
6.1.1 CA Key Pair Generation and Installation ..... 13
6.1.2 Key Delivery to Subscriber ..... 13
6.1.3 Public Key Delivery to Certificate Issuer ..... 13
6.1.4 CA Public Key Delivery to Relying Parties ..... 13
6.1.5 Key Sizes ..... 13
6.1.6 Public Key Parameters Generation and Quality Checking ..... 13
6.1.7 Key Usage Purposes ..... 13
6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ..... 13
6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT ..... 13
6.3.1 Public Key Archival ..... 13
6.3.2 Certificate Operational Periods and Key Pair Usage Periods ..... 13
6.4 ACTIVATION DATA ..... 14
6.5 COMPUTER SECURITY CONTROLS ..... 14
6.6 LIFE CYCLE TECHNICAL CONTROLS ..... 14
6.7 NETWORK SECURITY CONTROLS ..... 14
6.8 TIME-STAMPING ..... 14
7 CERTIFICATE, CRL, AND OCSP PROFILES ..... 15
7.1 CERTIFICATE PROFILE ..... 15
7.2 CRL PROFILE ..... 15
7.2.1 Version Number ..... 15
7.2.2 CRL and CRL Entry Extensions ..... 15
7.3 OCSP PROFILE ..... 16
7.3.1 Version Number ..... 16
7.3.2 OCSP Extensions ..... 16
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS ..... 17
8.1 FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT ..... 17
8.2 IDENTITY/QUALIFICATIONS OF ASSESSOR ..... 17
8.3 ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY ..... 17
8.4 TOPICS COVERED BY ASSESSMENT ..... 17
8.5 ACTIONS TAKEN AS A RESULT OF DEFICIENCY ..... 17
8.6 COMMUNICATION OF RESULTS ..... 17
9 OTHER BUSINESS AND LEGAL MATTERS ..... 18


1 Introduction

1.1 Overview

This document is referred to as the US Bank Enterprise Public Key Infrastructure (PKI) Certificate Policy (CP). It describes US Bank's policies involved in the issuance of digital certificates by the US Bank Root and Issuing Certification Authorities (collectively referred to as the "US Bank CAs").

The US Bank Enterprise PKI CP is based on the Entrust Managed Services Commercial Private CP. Any section listed in this CP but having no contents means that the corresponding section and subsections in the Entrust Managed Services (EMS) Commercial Private CP (CCP) apply. In other words, the US Bank PKI CP is presented as a 'delta' document to the EMS CCP.

This document is organized to be fully compliant with IETF RFC 3647; however, sections are only supplied with text where relevant exceptions or differences from the EMS CCP exist. Those sections without text automatically default to the text supplied in the EMS CCP.

This CP is applicable to all entities with relationships with the US Bank Enterprise PKI, including Subscribers, Relying Parties, and Registration Authorities (RAs). This CP provides those entities with a clear statement of the policies and responsibilities of the US Bank CAs, as well as the responsibilities of each entity in dealing with the CAs.

This CP consists of policy statements that outline the principles and requirements that govern the US Bank Enterprise PKI.

A CP specifies "what" the requirements are that will be implemented, while a corresponding Certification Practices Statement (CPS) describes "how" those requirements are met for a specific Certificate Authority. This Certificate Policy is therefore not designed to detail the processes and procedures involved in the management and governance of the US Bank PKI; that information is contained in the document US Bank Public Key Infrastructure Certification Practices Statement.

1.2 Document Name and Identification

Document Name: US Bank Enterprise PKI Certificate Policy

Document Version: 0.2 Draft

Document Date: June 11th, 2012

Document Policy Object Identifier: 2.16.840.1.114027.200.3.10.15
joint-ISO-CCITT(2) countries(16) USA(840) organization(1) entrust(114027) EMSPKI(200) policy(3) id-emspki-policy(10) id-emspki-USBank(15)

1.2.1 Policy Object Identifiers

Certificates that are issued under this CP will assert one or more of the policy Object Identifiers (OIDs) listed below, depending upon the type of certificate issued:

Certificate                         OID
id-emspki-usbank-basic-policy       2.16.840.1.114027.200.3.10.15.1
id-emspki-usbank-medium-policy      2.16.840.1.114027.200.3.10.15.2
id-emspki-usbank-high-policy        2.16.840.1.114027.200.3.10.15.3
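The policy OIDs above are what a relying party finds in the certificatePolicies extension of a certificate issued under this CP. The following is an added example, not part of the CP and not Entrust's or US Bank's code: it DER-encodes the three policy OIDs exactly as they appear inside a certificate, decodes them back, renders the named arcs given in section 1.2, and maps whatever policy OIDs a certificate asserts to the assurance level the CP names. Only the OIDs and arc names come from the CP; the function names, the assurance ranking and the rejection of unrelated OIDs are this example's own choices.

```python
"""Policy OID handling for certificates issued under this CP (added example, not the CP's code)."""
from typing import Dict, List, Optional, Tuple

# Policy OIDs and assurance levels exactly as listed in section 1.2.1 of the CP.
POLICY_OIDS: Dict[str, Tuple[str, str]] = {
    "2.16.840.1.114027.200.3.10.15.1": ("id-emspki-usbank-basic-policy", "basic"),
    "2.16.840.1.114027.200.3.10.15.2": ("id-emspki-usbank-medium-policy", "medium"),
    "2.16.840.1.114027.200.3.10.15.3": ("id-emspki-usbank-high-policy", "high"),
}
LEVEL_RANK = {"basic": 1, "medium": 2, "high": 3}   # ranking assumed for this example

# Named arcs of the base OID 2.16.840.1.114027.200.3.10.15 from section 1.2.
ARC_NAMES: List[str] = [
    "joint-ISO-CCITT", "countries", "USA", "organization", "entrust",
    "EMSPKI", "policy", "id-emspki-policy", "id-emspki-USBank",
]


def _base128(n: int) -> bytes:
    """Encode one sub-identifier as big-endian base 128; high bit set on all bytes but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, then sub-identifiers (X.690 8.19)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    # The first two arcs are packed into a single sub-identifier: 40 * arc0 + arc1.
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(content) > 127:
        raise ValueError("OID too long for short-form length")
    return b"\x06" + bytes([len(content)]) + content


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER back to dotted form, rejecting truncated encodings."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    subids: List[int] = []
    value, pending = 0, False
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)         # continuation bit: more bytes follow
        if not pending:
            subids.append(value)
            value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def describe(dotted: str) -> str:
    """Render an OID under the section 1.2 base arc with the CP's arc names, e.g. 'USA(840)'."""
    arcs = dotted.split(".")
    parts = [f"{name}({arc})" for name, arc in zip(ARC_NAMES, arcs)]
    return " ".join(parts + arcs[len(ARC_NAMES):])


def assurance_level(asserted: List[str]) -> Optional[str]:
    """Highest CP assurance level among the policy OIDs a certificate asserts.

    Returns None when none of them is a US Bank policy OID; a relying party
    should then not treat the certificate as issued under this CP. Unrelated
    OIDs, including anyPolicy (2.5.29.32.0), are deliberately not matched.
    """
    levels = [POLICY_OIDS[o][1] for o in asserted if o in POLICY_OIDS]
    return max(levels, key=LEVEL_RANK.__getitem__) if levels else None


if __name__ == "__main__":
    for oid, (name, level) in POLICY_OIDS.items():
        print(f"{name:32} {level:7} {encode_oid(oid).hex()}")
    print(describe("2.16.840.1.114027.200.3.10.15.2"))
```

The encoder is the general X.690 rule, so it also handles OIDs outside this CP; the decoder refuses an encoding whose last byte still has its continuation bit set, which is the kind of malformed value a policy-matching routine should never silently accept.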

1.3 PKI Participants

1.3.1 Certification Authorities

The US Bank Enterprise PKI is comprised of two Certification Authorities, as follows:

- The US Bank Root CA, which shall issue certificates only to subordinate CAs. Its purpose is to provide an anchor of trust within US Bank. The US Bank Root CA shall be subject to the stipulations of the EMS CCP for the Commercial Private Root CA, except where otherwise noted in this CP.

- The US Bank Issuing CA, which shall issue certificates to US Bank internal web sites, internal users, business partners, customers, devices and applications. It shall not issue certificates to subordinate Certification Authorities or perform cross-certifications with other Certification Authorities. The US Bank Issuing CA shall be subject to the stipulations of the EMS CCP for the Commercial Private SSP CA, except where otherwise noted in this CP.

The US Bank CAs shall be operated as Entrust Managed Service Customer Dedicated CAs. They shall not be subordinate to any of the Entrust Managed Service Root CAs.

Where necessary, the US Bank Enterprise PKI CP distinguishes the different users and roles accessing the CA functions. Where this distinction is not required, the term Certification Authority is used to refer to the total CA entity, including the hardware, software, personnel, processes, and its operations.

1.3.2 Registration Authorities

A Registration Authority (RA) shall be designated as an individual, organization or entity responsible for verifying the identity of a Subscriber. When required, the RA shall verify a Subscriber's authority to act on behalf of a client organization. Client organizations include US Bank business units/departments and third party Business Partners. RAs shall be formally nominated by the Management of the US Bank PKI.

1.3.2.1 Local Registration Authorities

Local RAs (LRAs) are US Bank staff appointed by the RA. They are responsible for the identification and authentication of End Entities in accordance with this CP.

1.3.3 Subscribers

A Subscriber shall be the recipient of a public key certificate issued by the US Bank Issuing CA. Subscribers may include US Bank internal employees and contractors, Business Partners, customers or affiliated third party entities. With respect to the usage of US Bank Enterprise PKI certificates, subscribing entities shall be limited to:

(1) US Bank full-time or part-time employees, contractors and temporaries;

(2) US Bank customer full-time or part-time employees, contractors and temporaries;

(3) Other individuals with whom US Bank has a business relationship;

(4) External cross-certified Certification Authorities; and

(5) Services on digital processing entities, property of US Bank, or used for activities in which US Bank is involved.

By virtue of certificate subscription, the Subscriber agrees to adhere to this Certificate Policy and all other applicable laws and regulations that govern the use of digital certificates. The Subscriber shall also agree to provide true information to the best of one's knowledge at the time of certificate application. Should information provided by the Subscriber or contained in the Subscriber certificate appear to be false or misleading, the Subscriber shall notify the Contact Person listed in section 1.5.2 of this Certificate Policy.

1.3.4 Relying Parties

With respect to certificates issued under this CP, a Relying Party is as follows:

- An individual, entity or organization internal or external to US Bank that relies on a certificate issued by the US Bank Issuing CA; and

- All Subscribers of the US Bank Enterprise PKI are themselves Relying Parties.

Individuals or organizations other than those listed above shall not be entitled to rely upon certificates issued by the US Bank Enterprise PKI, and any such reliance is done at their own risk. US Bank disclaims any and all liability that may arise out of any such reliance.

Relying Parties shall be responsible for checking certificate expiration and revocation status to verify the validity of US Bank Enterprise PKI issued certificates. Relying Parties shall agree to use these certificates in a manner consistent with the policies set forth in this CP.

1.3.5 Other Participants

Other participants of the US Bank PKI shall include:

Participant: Management of the US Bank Enterprise PKI
Role: The Management of the US Bank Enterprise PKI shall consist of one or more US Bank organizational units responsible for ensuring that the US Bank CAs operate as stated in the US Bank Enterprise PKI Certification Practice Statement.

Participant: Entrust Managed Service Policy Authority (EMS PA)
Role: The Entrust Managed Service Policy Authority shall be the custodian of this CP and shall be responsible for the administration of this CP, including the approval of policy changes.

Participant: Support Services
Role: Support Services shall include other US Bank departmental groups or third parties under contract to US Bank that support the US Bank Enterprise PKI.

1.4 Certificate Usage

1.4.1 Assurance Levels and Acceptable Use

1.4.2 Prohibited Certificate Uses

In general terms, applications for which US Bank Enterprise PKI issued public key certificates are prohibited are those where:

- Business activities are conducted other than for US Bank or a US Bank sponsored Business Partner or third party;

- Usage contravenes the US Bank Enterprise PKI Policy and other governing US Bank policies or this CP; or

- Usage contravenes relevant law.

1.5 Policy Administration

1.5.1 Organization Responsibilities for this Certificate Policy

1.5.2 Contact Information

1.5.3 Person Determining CPS Suitability for The Policy

1.5.4 Certificate Policy Amendment

1.6 Definitions and Acronyms

1.6.1 List of Definitions

In addition to the definitions in the EMS CCP, the following are defined:

Client Organization: An organization within US Bank or an affiliate third party that is a client, either Relying Party or Subscriber, of the US Bank PKI.

Cross-certificate: A certificate issued by a Certification Authority to establish a trust relationship between it and another Certification Authority.

US Bank Business Partner: A US Bank PKI subscriber who is issued a certificate through a Trusted Agent requesting a certificate on their behalf. A Business Partner will typically be performing operations functions (e.g., administration of a web site) on behalf of US Bank.

US Bank Trusted Agent: Employees of US Bank's clients appointed by LRAs. Trusted Agents are responsible for the identification and authentication of End Entities within the client's domain in accordance with the CP. A contact at a client site can be appointed to act as a Trusted Agent and authenticate users (examples are client, vendor and third-party employees) to help simplify the registration process.

Enrollment: A process by which an individual or an organization registers to receive a certificate and/or cryptographic keys for use within the US Bank PKI.

Entity: Any autonomous element within the PKI. This may be a CA, a trusted role within a CA, an RA or an End Entity.

Non-repudiation: Non-repudiation means sufficient evidence to persuade an adjudicator as to the origin and data integrity of digitally signed data, despite an attempted denial by the purported sender. Digital signatures on electronic transactions provide evidentiary support for non-repudiation.

PKI Policy Authority: The Authority responsible for the maintenance of the CP and CPS.

PKI Administrator: An individual who is responsible for the management of the Subscriber initialization process; the creation, renewal or revocation of certificates; and the distribution of tokens (where applicable).

1.6.2 List of Acronyms

In addition to the acronyms in the EMS CCP, the following are defined:

CDP    CRL Distribution Point
CN     Common Name
CSA    Certificate Subscriber Agreement
FQDN   Fully Qualified Domain Name
HA     High Availability
HTTP   Hyper Text Transfer Protocol
HTTPS  HTTP over SSL
HSM    Hardware Security Module
IDS    Intrusion Detection System
LAN    Local Area Network
NIPS   Network Intrusion Prevention System
RSA    Rivest-Shamir-Adleman
SAN    Storage Area Network
SSL    Secure Sockets Layer
UPS    Uninterruptible Power Supply
URI    Uniform Resource Identifier


2 Publication and Repository Responsibilities

2.1 Repositories

The US Bank PKI data shall be published to the following LDAP Directories:

Entrust MSO MDSA servers. The US Bank CAs shall write the CA certificates, policy certificates, Entrust MSO PKI administrator certificates and CRLs to the Entrust MDSA servers.

Entrust SDSA servers. The US Bank CA data written to the Entrust MSO MDSA servers shall be replicated to the Entrust MSO SDSA servers. The Entrust MSO SDSA servers shall be available to PKI Subscribers and Relying Parties connecting from the public Internet.

US Bank MDSA and SDSA servers. The US Bank PKI data written to the Entrust MSO MDSA shall be replicated to the US Bank LDAP servers.

The US Bank CA certificates and CRLs shall be published on a Web server hosted on the US Bank network. This Web server shall be available from the public Internet and the US Bank corporate network.

Relying Parties shall access US Bank PKI CRLs published on the CRL Distribution Point (CDP) hosted on the Entrust MSO SDSA LDAP Directory, the US Bank LDAP servers and on HTTP://crl.usbank.com/CRLs/, which shall be accessible on the public Internet. These CRLs shall be available 24/7 under normal conditions.

2.2 Publication of Certification Information

This CP shall also be publicly accessible at the following location:

HTTP://crl.usbank.com/CP/USBankCP.pdf

Business Partners and relying third parties shall be entitled to obtain a copy of the Certificate Policy. They may do so by submitting a written request to US Bank. By default, US Bank will not hand out its Certification Practice Statement to external entities. Exceptions will require approval from the EMS PA.

2.3 Time or Frequency of Publication

The US Bank Root and Issuing CAs shall publish certificate and CRL information to the Repository within one hour of generation.

The US Bank Root CA shall issue CRLs to the Repositories at least once per year, or more frequently if needed.

The US Bank Issuing CA shall issue CRLs to the Repositories at least every 8 hours with a 72-hour lifetime, or more frequently if needed.

2.4 Access Controls on Repositories


3 Identification and Authentication

3.1 Naming

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

3.2.2 Authentication of Organization Identity

3.2.3 Authentication of Individual Identity

3.2.3.1 Applicants for Basic Assurance Certificates

3.2.3.2 Applicants for Medium Assurance Certificates

3.2.3.3 Applicants for High Assurance Certificates

3.2.3.4 Applicants for Group or Role Certificates

3.2.4 Non-verified Subscriber Information

3.2.5 Validation of Authority

3.2.6 Criteria for Interoperation

The US Bank Issuing CA shall interoperate only with the US Bank Root CA. Interoperation with other Certification Authorities shall be provided through the US Bank Root CA. The EMS PA shall determine the interoperability criteria for the CAs operating under the US Bank PKI.

3.3 Identification and Authentication for Re-key Requests

3.3.1 Identification and Authentication for Routine Re-key

3.3.2 Identification and Authentication for Re-key after Revocation

3.4 Identification and Authentication for Revocation Request


4 Certificate Life-Cycle Operational Requirements

4.1 Certificate Application

4.1.1 Who Can Submit a Certificate Application

4.1.1.1 CA Certificates

4.1.1.2 User Certificates

4.1.1.3 Device Certificates

An application for a device certificate shall be submitted by either the human sponsor (i.e. Designated Certificate Holder) or by the device itself upon positive authentication and authorization of the device by an RA application against an approved data source (e.g. Windows Domain Controller).

4.1.2 Enrollment Process and Responsibilities

4.2 Certificate Application Processing

4.3 Certificate Issuance

4.4 Certificate Acceptance

4.4.1 Conduct Constituting Certificate Acceptance

4.4.2 Publication of the Certificate by the CA

The US Bank CAs shall publish certificates to the US Bank PKI Repository (see section 2.1).

4.4.3 Notification of Certificate Issuance by the CA to Other Entities

The US Bank CAs shall not notify entities, other than the above mentioned Repository, of certificate issuance.

4.5 Key Pair and Certificate Usage

4.6 Certificate Renewal

4.7 Certificate Re-key

4.7.1 Circumstance for Certificate Re-key

The US Bank Root CA shall permit certificate re-key under the following conditions:

Current certificate is in the process of expiring.


The US Bank Issuing CA shall permit certificate re-key under the following conditions:

Current certificate has expired or is in the process of expiring;

Current certificate is allowed re-instantiation after revocation;

Current certificate private key has been compromised;

Current certificate private key has been lost or is irrecoverable; or

Current certificate requires an update or modification of information.

4.7.2 Who May Request Certification of a New Public Key

4.7.3 Processing Certificate Re-keying Requests

4.7.4 Notification of New Certificate Issuance to Subscriber

4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate

4.7.6 Publication of the Re-keyed Certificate by the CA

See Section 4.4.2.

4.7.7 Notification of Certificate Issuance by the CA to Other Entities

The US Bank CAs shall not notify entities, other than the above mentioned Repository, of certificate re-key.

4.8 Certificate Modification

See Section 4.7 and subsections thereof.

4.9 Certificate Revocation and Suspension

4.9.1 Circumstances for Revocation

4.9.2 Who Can Request Revocation

4.9.3 Procedure for Revocation Request

4.9.4 Revocation Request Grace Period

Subscribers shall place a revocation request within four (4) hours of the time of discovery of a key compromise or certificate usage abuse. For other reasons leading to the need for revocation, the certificate revocation request shall be placed within 24 hours.

4.9.5 Time within which CA Must Process the Revocation Request


4.9.6 Revocation Checking Requirement for Relying Parties

Relying Parties shall perform revocation checking through the access of US Bank published CRLs, which shall be made accessible as described in section 2.1.

4.9.7 CRL Issuance Frequency

See section 2.3.

4.9.8 Maximum Latency for CRLs

4.9.9 On-line Revocation/Status Checking Availability

4.9.10 On-line Revocation Checking Requirements

4.9.11 Other Forms of Revocation Advertisements Available

4.9.12 Special Requirements re: Re-key Compromise

4.9.13 Circumstances for Suspension

4.9.14 Who Can Request Suspension

4.9.15 Procedure for Suspension Request

4.9.16 Limits on Suspension Period

4.10 Certificate Status Services

4.10.1 Operational Characteristics

4.10.2 Service Availability

4.10.3 Optional Features

4.11 End of Subscription

4.12 Key Escrow and Recovery

4.12.1 Key Escrow and Recovery Policy and Practices

4.12.2 Session Key Encapsulation and Recovery Policy and Practices


5 Facility, Management, and Operational Controls

The US Bank CAs shall be operated under the controls stipulated in the EMS CCP.

5.1 Physical Controls

5.2 Procedural Controls

5.3 Personnel Controls

5.4 Audit Logging Procedures

5.5 Records Archival

5.6 Key Changeover

5.7 Compromise and Disaster Recovery

5.8 CA Termination

The EMS PA shall designate a US Bank entity as the custodian of all US Bank PKI archived data in the event of termination.


6 Technical Security Controls

6.1 Key Pair Generation

6.1.1 CA Key Pair Generation and Installation

6.1.2 Key Delivery to Subscriber

6.1.3 Public Key Delivery to Certificate Issuer

6.1.4 CA Public Key Delivery to Relying Parties

6.1.5 Key Sizes

US Bank CA and RA certificate key-pairs shall use 2048-bit RSA keys.

Subscriber certificate key-pairs shall use 2048-bit RSA keys.

Hashing algorithms used to generate signatures on certificates and CRLs shall be SHA-256.

End-entity certificates issued under this policy shall contain RSA public keys that are at least RSA 2048 in length.

Use of TLS or another protocol providing similar security to accomplish any of the requirements of this CP shall require at a minimum triple-DES or equivalent for the symmetric key, and at least 2048-bit RSA keys.

6.1.6 Public Key Parameters Generation and Quality Checking

6.1.7 Key Usage Purposes

6.2 Private Key Protection and Cryptographic Module Engineering Controls

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival

6.3.2 Certificate Operational Periods and Key Pair Usage Periods

The key-pair for a certificate issued by the US Bank PKI shall only be valid during the operational lifetime of the certificate.

Certificates shall be issued with the following maximum lifetimes:

In line with NIST 800-57 Part 1 Rev 3, US Bank CA signing certificates with 2048-bit RSA keys shall have a lifetime that will not exceed December 2030.

RA and Subscriber signing certificates issued with 2048-bit RSA keys shall have a maximum lifetime of three (3) years after the date of issuance.


6.4 Activation Data

6.5 Computer Security Controls

6.6 Life Cycle Technical Controls

6.7 Network Security Controls

6.8 Time-stamping


7 Certificate, CRL, and OCSP Profiles

7.1 Certificate Profile

Certificate profiles are defined in the US Bank Architecture Document.

7.2 CRL Profile

The US Bank CAs shall issue all Certificate Revocation Lists in the X.509 Version 2 CRL format. CRL fields supported by US Bank CAs shall abide by the following requirements:

CRL Field: Requirements

Version: Version 2

Signature: The signature algorithm shall use RSA with SHA-256.

Issuer: US Bank Root CA Distinguished Name: {cn=US Bank Root CA, ou=Certification Authorities, o=U.S. Bank, National Association, c=US}
US Bank Issuing CA Distinguished Name: {cn=US Bank Issuing CA, ou=Certification Authorities, o=U.S. Bank, National Association, c=US}

This Update: The effective date shall indicate the CRL's time of issuance.

Next Update: The next update date shall indicate the next expected CRL update, which shall be approximately 24 hours after the time of the last CRL issuance for the CRL produced by the Issuing CA and 1 year for the CRL produced by the Root CA.

Extensions: Refer to section 7.2.2 below.

7.2.1 Version Number

The US Bank CAs shall only issue CRLs in the X.509 Version 2 format.

7.2.2 CRL and CRL Entry Extensions

The US Bank CAs shall use the following X.509 CRL extensions and entry extensions:

CRL Extension: Criticality

CRL Number: Non Critical

Authority Key Identifier: Non Critical

Issuing Distribution Point: Critical

CRL Entry Extension: Criticality

Reason Code: Non Critical

Invalidity Date: Non Critical
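The CRL requirements above (section 7.2 and 7.2.2) and the CRL lifetime and revocation-checking rules in sections 2.3 and 4.9.6 are the kind of policy a Relying Party can check mechanically before trusting a downloaded CRL. The following is an added example, not code from the CP or from Entrust or US Bank: a small Python conformance checker that works on a CRL already parsed into a plain summary record (the parsing step, e.g. with a DER library, is outside the block). The two-hour tolerance on Next Update, the 366-day ceiling for Root CA CRLs, the extension and algorithm names, and the sample CRL records are assumptions and constructed data, not values from the CP.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Issuer DNs exactly as given in CP section 7.2.
ROOT_DN = ("cn=US Bank Root CA, ou=Certification Authorities, "
           "o=U.S. Bank, National Association, c=US")
ISSUING_DN = ("cn=US Bank Issuing CA, ou=Certification Authorities, "
              "o=U.S. Bank, National Association, c=US")

# Expected thisUpdate -> nextUpdate interval per CA (CP section 7.2).
EXPECTED_INTERVAL = {ISSUING_DN: timedelta(hours=24), ROOT_DN: timedelta(days=365)}
INTERVAL_SLACK = timedelta(hours=2)   # assumed tolerance; the CP only says "approximately"
# Longest validity window a Relying Party accepts (72 h from CP section 2.3;
# 366 days for the Root CA is an assumption covering leap years).
MAX_LIFETIME = {ISSUING_DN: timedelta(hours=72), ROOT_DN: timedelta(days=366)}
REQUIRED_SIG_ALG = "sha256WithRSAEncryption"   # RSA with SHA-256, CP section 7.2

# Extension name -> required criticality flag (CP section 7.2.2).
REQUIRED_CRL_EXTENSIONS = {"CRLNumber": False, "AuthorityKeyIdentifier": False,
                           "IssuingDistributionPoint": True}
ALLOWED_ENTRY_EXTENSIONS = {"ReasonCode": False, "InvalidityDate": False}


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    extensions: dict = field(default_factory=dict)   # name -> critical flag


@dataclass
class CrlSummary:
    """Hypothetical parsed view of a CRL; produced by whatever DER parser is in use."""
    version: int
    signature_algorithm: str
    issuer: str
    this_update: datetime
    next_update: datetime
    extensions: dict = field(default_factory=dict)   # name -> critical flag
    entries: list = field(default_factory=list)


def check_profile(crl: CrlSummary) -> list:
    """Return a list of deviations from the section 7.2 / 7.2.2 profile (empty = conformant)."""
    findings = []
    if crl.version != 2:
        findings.append(f"version: expected 2, got {crl.version}")
    if crl.signature_algorithm != REQUIRED_SIG_ALG:
        findings.append(f"signature: expected {REQUIRED_SIG_ALG}, got {crl.signature_algorithm}")
    if crl.issuer not in EXPECTED_INTERVAL:
        findings.append(f"issuer: not a US Bank CA DN: {crl.issuer}")
    else:
        expected = EXPECTED_INTERVAL[crl.issuer]
        actual = crl.next_update - crl.this_update
        if abs(actual - expected) > INTERVAL_SLACK:
            findings.append(f"nextUpdate: expected about {expected} after thisUpdate, got {actual}")
    for name, critical in REQUIRED_CRL_EXTENSIONS.items():
        if name not in crl.extensions:
            findings.append(f"extension {name}: missing")
        elif crl.extensions[name] != critical:
            findings.append(f"extension {name}: criticality {crl.extensions[name]}, expected {critical}")
    for entry in crl.entries:
        for name, critical in entry.extensions.items():
            if name not in ALLOWED_ENTRY_EXTENSIONS:
                findings.append(f"serial {entry.serial}: unexpected entry extension {name}")
            elif critical != ALLOWED_ENTRY_EXTENSIONS[name]:
                findings.append(f"serial {entry.serial}: entry extension {name} must be non-critical")
    return findings


def is_usable(crl: CrlSummary, now: datetime) -> bool:
    """Relying-party freshness check (sections 2.3 and 4.9.6): the CRL must come from a
    known CA, be inside its validity window, and not claim a lifetime beyond the ceiling."""
    ceiling = MAX_LIFETIME.get(crl.issuer)
    if ceiling is None or crl.next_update - crl.this_update > ceiling:
        return False
    return crl.this_update <= now < crl.next_update


def is_revoked(crl: CrlSummary, serial: int) -> bool:
    return any(entry.serial == serial for entry in crl.entries)


# Constructed sample CRLs (not real US Bank data) for exercising the checks.
T0 = datetime(2012, 6, 15, 12, 0, tzinfo=timezone.utc)
GOOD_EXTS = {"CRLNumber": False, "AuthorityKeyIdentifier": False, "IssuingDistributionPoint": True}


def sample_crls():
    good_issuing = CrlSummary(2, REQUIRED_SIG_ALG, ISSUING_DN, T0, T0 + timedelta(hours=24),
                              dict(GOOD_EXTS), [RevokedEntry(0x1A2B, T0, {"ReasonCode": False})])
    good_root = CrlSummary(2, REQUIRED_SIG_ALG, ROOT_DN, T0, T0 + timedelta(days=365),
                           dict(GOOD_EXTS), [])
    # Deliberately non-conformant: v1, SHA-1, 96 h window, missing AKI, non-critical IDP,
    # critical reason code and an entry extension the profile does not list.
    bad = CrlSummary(1, "sha1WithRSAEncryption", ISSUING_DN, T0, T0 + timedelta(hours=96),
                     {"CRLNumber": False, "IssuingDistributionPoint": False},
                     [RevokedEntry(7, T0, {"ReasonCode": True, "CertificateIssuer": True})])
    return good_issuing, good_root, bad


if __name__ == "__main__":
    for crl in sample_crls():
        print(crl.issuer.split(",")[0], check_profile(crl) or "conformant",
              "usable now:" , is_usable(crl, T0 + timedelta(hours=5)))
```

A checker like this belongs in the Relying Party's CRL fetch path, in front of the signature verification: a CRL that fails the profile or lies outside its own validity window should be treated as unavailable rather than trusted, and a serial number should be looked up only in a CRL that passed both checks.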


7.3 OCSP Profile

7.3.1 Version Number

The US Bank PKI does not use OCSP.

7.3.2 OCSP Extensions

The US Bank PKI does not use OCSP.


8 Compliance Audit and Other Assessments

Audit of the US Bank PKI shall be subject to the audit requirements stated in the EMS CCP.

8.1 Frequency or Circumstances of Assessment

8.2 Identity/Qualifications of Assessor

8.3 Assessor’s Relationship to Assessed Entity

8.4 Topics Covered by Assessment

8.5 Actions Taken as a Result of Deficiency

8.6 Communication of Results

The results of US Bank PKI compliance audits shall be classified as confidential and communicated by the audit entity to the EMS PA. The EMS PA shall determine whether or not further communications of the audit results are necessary.


9 Other Business and Legal Matters