USHER CPS

Last modified: Wed Oct 6 13:27:14 MDT 2004

• The USHER Level 1 private key will be protected in a FIPS 140 validated Hardware Security Moduld (HSM). It will be backed up, encrypted, under multi-person control.

  USHER will use OpenSSL to manage the HSM. The FIPS validation of the HSM itself is expected to be sufficient for compliance with the FIPS requirements of HEBCA and FBCA, should that be necessary.

  HSM options:

  • nCipher nForce 150 PCI HSM/SSL Accelerator nC3022P-150 (used by Univ. Virginia) or nShield HSM.
  • Axalto Cryptoflex 32K e-gate card - USB with 2048-bit RSA and OpenCS/OpenSSL support(?).
  • Rainbow/Safenet iKey 2000
  • Aladdin eToken NG
• The USHER Level 1 server will be offline.
• Level 1 CA operations which involve the private key require the cooperation of two authorized individuals. The CA software will require authentication via pki tokens issued to qualified personnel. In addition, the HSM and a laptop for running the CA will be locked in a safe which requires two locks to be opened. The key for one lock will be shared by one pool of personnel, and the key for the other lock will be shared by another pool of personnel.
• USHER will use separate self-signed CAs for each deployment (USHER Level 1 vs. USHER Level 2), rather than using an uberroot and/or distinguishing between them via the policy oid asserted on institutional CAs.
• USHER Level 1 will use its own flexible Certificate Policy, not based on the FBCA/HEBCA, in order to allow institutions to follow the HEPKI-lite model for their own CPs.
• When an institutional CA certificate is issued, a second, spare certificate will optionally be provided for use in case the original certificate needs to be revoked.
• Institutional certificates issued by USHER will be published on a web server.
• Still in flux.... Certificate Revocation Support during major holiday periods may be delayed.
• CRLs will be served from two highly available, widely separated web servers, which may be shared with other web services. The primary web server will be the CRL signing server. The secondary server will be provided by Internet2.
• CA operations that require intervention by trusted CA operators may be delayed until the next "business day". There may be an end-of-the-year holiday of 9 or 10 days and 5 days for Thanksgiving.
• Logs and records will be kept to allow the following activities to be audited (taken from the "Rudimentary" requirements in section 4.5.1 of the FBCA CP dated 2002-09-10.)
  • Whenever the CA generates a key. (Not mandatory for single session or one-time use symmetric keys)
  • The loading of Component private keys
  • All access to certificate subject private keys retained within the CA for key recovery purposes
  • All changes to the trusted public keys, including additions and deletions
  • The export of private keys (keys used for a single session or message are excluded)
  • All certificate requests
  • Roles and users are added or deleted
  • The access control privileges of a user account or a role are modified
  • All changes to the certificate profile
  • All changes to the certificate revocation list profile
  • Rekey of the CA
  • Violations of Certificate Policy
  • Violations of Certification Practice Statement
  • Resetting Operating System clock

See also:

• USHER Root Certificate Profile
• PKI-lite CA Certificate Profile
• PKI-lite End Entity Certificate Profile

• InCommon Technical Documents
• CREN CAt/USHER notes