Minimum CA Requirements
Due to certain idiosyncrasies of the Grid middleware, the PKI structure within each country should not follow the conventional , where there is a chain of CAs. The model followed simulates the hierarchical model by having one Certification Authority (CA) per country or large region (5-20M people) and a wide network of Registration Authorities (RAs) for each CA. The RAs handle the tasks of validating the identity of the end entities and authenticating their requests, which are then forwarded to the national/regional CA.
The CA handles the actual tasks of issuing CRLs, signing certificates/CRLs and revoking certificates when necessary.
The CA computer, where the signing of the certificates will take place,
Each CA must sign only a well-defined namespace that does not clash with any other
Every CA must have a Certification Policy and Certificate Practice Statement (CP/CPS document) and assign it an O.I.D. Whenever there is a change in the CP/CPS, the O.I.D. of the document must change and the changes must be announced to the for approval before signing any certs under the new CP/CPS. All the CP/CPS documents under which valid certs are issued MUST be available on the web.
The CA key must have a minimum length of 2048 bits and a lifetime of no more than 5 years and no less than twice the maximum lifetime of an end entity certificate.
The private key of the CA must be protected with a pass phrase of at least 15 characters which is known only to specific personnel of the Certification Authority. Copies of the encrypted private key must be kept on offline media in secure places where access is controlled.
The pass phrase of the encrypted private key must also be kept on an offline medium, separated from the encrypted keys and guarded in a safe place where only the authorized personnel of the Certification Authority have access.
The CA certificate must have the extensions keyUsage and basicConstraints marked as critical.
The maximum CRL lifetime must be at most 30 days, and the CA must issue a new CRL at least 7 days before expiration and immediately after a revocation. The CRLs must be published, as soon as issued, in a repository accessible at least via the World Wide Web.
The CA must record and archive all requests for certificates, all the issued certificates, all requests for revocation, all the issued CRLs and the login/logout/reboot events of the issuing machine.
The CA's private signing key must be changed periodically; from that time on only the new key will be used for certificate
The period for changing the CA's private key must not be longer than the CA key lifetime minus the maximum lifetime of an end entity certificate. The older , but still valid certificate , must be available to verify old
The repository must be run at least on a best-effort basis, with an intended availability of 24x7.
Each CA must accept being audited by other
CAs to verify its compliance with the rules and procedures specified in
its CP/CPS document.
The CA must perform operational audits of the CA/RA staff at least once per year.
In order for an RA to validate the identity of a person, the subject must contact the RA personally and present photo-id.
In the case of host or service certificate requests, the CSR must be delivered to the RA by the person in charge of the specific entities using a secure method.
The subject name listed in a certificate must be unambiguous and unique for all certificates issued by the CA.
The RAs must record and archive all requests and confirmations.
The RA must communicate with the CA using secure methods that are clearly defined in the CP/CPS (e.g. signed emails, voice conversations with a known person, SSL-protected private web pages).
The EE keys must be at least 1024 bits long and must not be generated by the CA or the RA. The EE certificates must have a maximum lifetime of 1 year and must not be shared among end entities. The EE certificate must contain information identifying which CP/CPS was used to issue the certificate. The extensions basicConstraints and keyUsage must be marked as critical, and basicConstraints must be set to CA:False.
It is up to the user to protect their private key with a pass phrase at least 12 characters long.
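The CA, CRL and end entity requirements above are concrete enough to check mechanically. The following is an added example, not part of the original document or of any Grid CA's software: it builds constructed sample certificates and a CRL with the `cryptography` package and runs a checker over them for the key-length, lifetime, critical-extension, CA:True/CA:False, CP/CPS-OID and CRL-schedule rules. The policy OID `1.3.6.1.4.1.99999.1.1`, the names and the 2024 validity start are placeholders, and the function names are this example's own.

```python
# Added example: checks for the CA, CRL and EE requirements above (not the document's code).
# Requires the `cryptography` package. All names, dates and the OID below are constructed.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)
MAX_EE_LIFETIME = 365 * DAY       # EE certificate: at most 1 year
MAX_CA_LIFETIME = 5 * 365 * DAY   # CA key/certificate: at most 5 years
MAX_CRL_LIFETIME = 30 * DAY       # CRL: at most 30 days
CRL_REISSUE_MARGIN = 7 * DAY      # new CRL at least 7 days before expiry
CP_CPS_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")  # placeholder, not a real CP/CPS OID
START = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)      # constructed validity start

def _utc(obj, attr):
    """obj.<attr> as an aware UTC datetime, across cryptography versions."""
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=dt.timezone.utc)

def _ext(cert, cls):
    """The extension of type cls, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None

def check_ca_cert(cert):
    """Violations of the CA certificate requirements (empty list = compliant)."""
    problems = []
    if cert.public_key().key_size < 2048:
        problems.append("CA key shorter than 2048 bits")
    lifetime = _utc(cert, "not_valid_after") - _utc(cert, "not_valid_before")
    if lifetime > MAX_CA_LIFETIME:
        problems.append("CA certificate lifetime exceeds 5 years")
    if lifetime < 2 * MAX_EE_LIFETIME:
        problems.append("CA certificate lifetime shorter than twice the EE maximum")
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    if bc is None or not bc.critical or not bc.value.ca:
        problems.append("basicConstraints missing, non-critical or not CA:TRUE")
    if ku is None or not ku.critical or not (ku.value.key_cert_sign and ku.value.crl_sign):
        problems.append("keyUsage missing, non-critical or lacks keyCertSign/cRLSign")
    return problems

def check_ee_cert(cert):
    """Violations of the end entity certificate requirements."""
    problems = []
    if cert.public_key().key_size < 1024:
        problems.append("EE key shorter than 1024 bits")
    if _utc(cert, "not_valid_after") - _utc(cert, "not_valid_before") > MAX_EE_LIFETIME:
        problems.append("EE certificate lifetime exceeds 1 year")
    bc, ku, cp = (_ext(cert, c) for c in (x509.BasicConstraints, x509.KeyUsage, x509.CertificatePolicies))
    if bc is None or not bc.critical or bc.value.ca:
        problems.append("basicConstraints missing, non-critical or not CA:False")
    if ku is None or not ku.critical:
        problems.append("keyUsage missing or non-critical")
    if cp is None or not any(p.policy_identifier == CP_CPS_OID for p in cp.value):
        problems.append("certificate does not identify the CP/CPS OID it was issued under")
    return problems

def check_crl(crl, now):
    """Violations of the CRL lifetime and re-issue schedule, judged at time `now`."""
    problems = []
    last, nxt = _utc(crl, "last_update"), _utc(crl, "next_update")
    if nxt - last > MAX_CRL_LIFETIME:
        problems.append("CRL lifetime exceeds 30 days")
    if now > nxt - CRL_REISSUE_MARGIN:
        problems.append("CRL is within 7 days of expiry: a fresh CRL is overdue")
    return problems

def make_cert(cn, key_size, days, ca, critical=True, policy=True):
    """Constructed self-signed sample certificate (the checks look at fields, not the chain)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(START).not_valid_after(START + days * DAY)
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=critical)
               .add_extension(x509.KeyUsage(digital_signature=not ca, content_commitment=False,
                                            key_encipherment=not ca, data_encipherment=False,
                                            key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                                            encipher_only=False, decipher_only=False),
                              critical=critical))
    if policy:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(CP_CPS_OID, None)]), critical=False)
    return key, builder.sign(key, hashes.SHA256())

def make_crl(key, cn, days):
    """Constructed empty CRL valid for `days` days from START."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateRevocationListBuilder().issuer_name(name)
            .last_update(START).next_update(START + days * DAY).sign(key, hashes.SHA256()))
```

Running `check_ca_cert` on a 2048-bit, four-year CA certificate with both extensions critical returns an empty list, while a 1024-bit, six-year certificate with non-critical extensions is reported for all four defects; `check_crl` flags a 30-day CRL as overdue once fewer than 7 days of its lifetime remain, which is the point at which the CA must already have published its successor.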