UNITED STATES DEPARTMENT OF THE TREASURY

UNCLASSIFIED

The Department of the Treasury Public Key Infrastructure (PKI)
X.509 Certificate Policy

Version 3.6, December 15, 2022

Digitally signed by Daniel W. Wood
Date: 2022.12.19 09:31:57 -05'00'

PKI Policy Management Authority (PMA): Daniel W. Wood

Revision History

Version | Date | Author(s) | Description | Reason For Change

2.0 | January 2008 | James Schminky | Department of the Treasury PKI Policy in RFC 3647 format. | Bring the Treasury PKI Policy into compliance with FPKIPA change proposal requiring all cross certified PKI Policies to be in RFC 3647 format.

2.1 | March 17, 2009 | James Schminky | Errata changes to sections 2.2.1, 4.8, 4.912, 5.5, and 7.1.3. | As a result of mapping the Treasury PKI Policy to Federal Policy, a number of minor changes and omissions were identified and corrected.

2.2 | March 11, 2010 | James Schminky | Errata changes to sections 5.6, and 6.3.2. Change proposal changes to 2.4, 4.2.2, 5.1, 5.1.1 5.1.2.1, 5.4.4, 5.4.5, 6.1.6, 6.5.1, and 6.7. | As a result of the PMA annual review a number of minor corrections, Federal Bridge Certification Authority (FBCA) Policy Change Proposal Number: 2009-02 and 2010-01, and Treasury Change Proposal

2.3 | April 15, 2010 | James Schminky | Change proposal changes to 8.1 and 8.4. | As a result of FBCA Policy Change Proposal Number: 2010-02.

2.4 | March 22, 2011 | James Schminky | Change Proposal Changes to 1.3.1.8, 3.1.1&.2, 3.1.5, 3.2.3.1, 4.7, 6.1.5, 8.1, and 9.4.3. | As a result of FBCA Policy Change Proposal Numbers; 2010-3 thru 8 and CPCA policy Change Proposal Number: 2011-1

2.5 | September 11, 2012 | Daniel Wood | Change Proposal Changes to 3.2.3.2 and 4.9.7 | Made changes to align the Treasury CP with the Common Policy Framework (CPF), removed all reference to the acronym "DoT" and replaced with the name "Treasury".

2.6 | October 15, 2012 | Daniel Wood | Change Proposal Changes to 1.2, 3.2.3.2, 6.1.5, 6.2.3, 6.2.4.2, and 6.2.8. | Made changes to align the Treasury CP with the CPF.

2.7 | August 22, 2013 | Fred Asomani Atinkah | 1.3, 1.3.1, 1.3.1.1, 1.3.1.2, 1.3.1.3, 1.3.1.4, 1.3.1.5, 1.5.2, and 3.2.3.2. | Made changes to align the Treasury CP with the CPF.

2.8 | March 26, 2015 | Daniel Wood, Terry McBride | Clarified Treasury's dual role as Federal Legacy and SSP; Added PIV-I, role-based, and group certificates | Provide capabilities to customers and baseline update as requested by FPKIPA


Version | Date | Author(s) | Description | Reason For Change

2.9 | March 25, 2017 | Daniel Wood | Adds PIV-I, and Internal PKI OIDs, changed criteria for suspension, defined the PKI Program Team, added the internal PKI addendum | Changes to Treasury PKI based on user needs, changes to Common/Federal CPs and editorial updates

2.91 | November 20, 2018 | Daniel Wood | Update based on TOCA Compliance Audit and introduction of the Fed Key Recovery Policy and other Common and Federal Bridge policy changes | Correct minor errors and maintain compliance with FedPKI (through 2018-06)

3 | February 28, 2019 | Daniel Wood | Updated based on Comments from BFS | Maintain conformance with FBCA CP

3.1 | October 30, 1,2019 | Daniel Wood | Updated Section 5.8 with new language to cover CA terminations | Maintain conformance with Federal/Common CPs

3.2 | December 15, 2020 | Daniel Wood | Updates in sections: 1, 1.1.1, 1.2, 1.4.1, 2.2.1, 4.4.2, 5.2.1, 5.2.1.1, 5.2.1.2, 5.3.1, 5.3.2, 5.3.7, 5.4.2, 5.5.1, and 6.1.5 | Responses to audit findings, annual review findings, change proposals, and for separation of Key Recovery roles from clearance requirements on CA roles

3.3 | March 29, 2021 - Not Signed - Not Released | Daniel Wood | Removed the "offline" requirement on OLT Root CAs in section 1.3.1.2 of Addendum 1. Added Addendum 2 - Implementation of PKI Certificates on Treasury Systems | To allow for remote administration on an OLT Root CA, and to define implementation policies on SSL/TLS certificates for HTTPS

3.4 | April 27, 2021 | Daniel Wood | Punctuation & spelling updates throughout | Final editing for signature & release

3.5 | December 7, 2021 | Daniel Wood | Rebuilt Doc to eliminate file corruption & formatting issues, and updates in sections: 1, 1.1, 1.2, 1.3.4, 1.3.5, 4.6.6, 4.7.6, 4.8.6, 5.1.2, 5.2.1, 6.4.3, and Addendums 1 & 2 | Remove OLT & certificate implementation Addendums (and references to them) to maintain in separate policy doc; Improve descriptions of DDS & Key Recovery roles; Improve cert publishing language; and remove unnecessary requirement on CMS activation data

3.6 | December 1, 2022 | Daniel Wood | Updates in sections: 1.3.4, 5.1.1, 5.2.1.2, and Appendix B | Response to Auditor recommendations and implementation of FBCA CP Change Proposal 2022-02


Table of Contents

1. INTRODUCTION .... 13
  1.1 OVERVIEW .... 14
    1.1.1 Certificate Policy (CP) .... 14
    1.1.2 Relationship between the DoT PKI CP and the DoT PKI CA CPSs .... 14
    1.1.3 Relationship between the DoT PKI CP and the FBCA and Other Entity CPs .... 14
    1.1.4 Scope .... 15
    1.1.5 Interaction with PKIs External to the Federal Government .... 16
  1.2 DOCUMENT IDENTIFICATION .... 16
  1.3 PKI ENTITIES .... 17
    1.3.1 Treasury PKI Program Team .... 17
    1.3.2 Registration Authority .... 19
    1.3.3 Subscribers .... 20
    1.3.4 Key Recovery Authorities .... 20
    1.3.5 Key Recovery Requestors .... 21
    1.3.6 Relying Parties .... 21
    1.3.7 Other Participants .... 22
  1.4 CERTIFICATE USAGE .... 22
    1.4.1 Appropriate Certificate Uses .... 22
    1.4.2 Prohibited Certificate Uses .... 24
  1.5 POLICY ADMINISTRATION .... 24
    1.5.1 Organization Administering the Document .... 24
    1.5.2 Contact Person .... 24
    1.5.3 Person Determining CPS Suitability for the Policy .... 24
    1.5.4 CPS Approval Procedures .... 25
  1.6 DEFINITIONS AND ACRONYMS .... 25

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES .... 26
  2.1 REPOSITORIES .... 26
  2.2 PUBLICATION OF CERTIFICATION INFORMATION .... 26
    2.2.1 Publication of Certificates and Certificate Status .... 26
    2.2.2 Publication of CA Information .... 27
    2.2.3 Interoperability .... 27
  2.3 FREQUENCY OF PUBLICATION .... 27
  2.4 ACCESS CONTROLS ON REPOSITORIES .... 27

3. IDENTIFICATION AND AUTHENTICATION .... 28
  3.1 NAMING .... 28
    3.1.1 Types of Names .... 28
    3.1.2 Need for Names to Be Meaningful .... 32
    3.1.3 Anonymity or Pseudonymity of Subscribers .... 33
    3.1.4 Rules for Interpreting Various Name Forms .... 33
    3.1.5 Uniqueness of Names .... 33
    3.1.6 Recognition, Authentication, and Role of Trademarks .... 33
  3.2 INITIAL IDENTITY VALIDATION .... 33
    3.2.1 Method to Prove Possession of Private Key .... 34
    3.2.2 Authentication of Organization Identity .... 34
    3.2.3 Authentication of Individual Identity .... 35
    3.2.4 Non-verified Subscriber Information .... 39
    3.2.5 Validation of Authority .... 39
    3.2.6 Criteria for Interoperation .... 40
  3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS .... 40
    3.3.1 Identification and Authentication for Routine Re-key .... 40
    3.3.2 Identification and Authentication for Re-key after Revocation .... 42
  3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST .... 42

4. CERTIFICATE LIFE-CYCLE .... 43
  4.1 APPLICATION .... 43
    4.1.1 Submission of Certificate Application .... 43
    4.1.2 Enrollment Process and Responsibilities .... 43
  4.2 CERTIFICATE APPLICATION PROCESSING .... 43
    4.2.1 Performing Identification and Authentication Functions .... 43
    4.2.2 Approval or Rejection of Certificate Applications .... 44
    4.2.3 Time to Process Certificate Applications .... 44
  4.3 ISSUANCE .... 45
    4.3.1 CA Actions During Certificate Issuance .... 45
    4.3.2 Notification to Subscriber of Certificate Issuance .... 45
  4.4 ACCEPTANCE .... 45
    4.4.1 Conduct Constituting Certificate Acceptance .... 45
