6.1.1.1 CA Key Pair Generation #34
Comments
Common Policy Framework:
Questions and thoughts:
Referencing the BRD - key storage is FIPS 140-2 Level 3 or an appropriate Common Criteria (etc.) EAL 4+.
Additional reference:
As written in BRD, it is loose enough to drive a truck through. E.g., "1. prepare and follow a Key Generation Script." Based on WHAT requirements? Similar to requiring that they have a CPS that says how they do something without specifying any requirements - worthless from a security.
When is it "not applicable" since both roots and issuing CAs require a script? My understanding is that DoD uses level 3 modules - but current policy only requires 2 (DoD doesn't issue "Fed PKI HIGH").
Keep: FIPS 140-2 Level 3, obviously. Review Common Criteria EAL 4+ clause; keep in draft.
Add
Agree.
Can be dropped - US no longer uses "EAL" - now only accepts CC evaluation against approved protection profiles. For a crypto module, FIPS 140 is the only choice for US government - so EAL is not applicable even if it was still used.
Pet peeve - this should be stated in Section 6.2.2 (multi-party control), not here. But understand we will likely repeat requirements because CA/B does...
covered in this statement:
witness or video in BRD; current Common CP states - "witness or examining audit record".
In draft pull request (can be changed - up for discussion!), removing the "SHOULD" statements from BRD and applying the SHALL to all CAs.
I don't think we need to distinguish Root vs Subordinate/Intermediate CA - for this CP they all need to adhere to the same key generation/protection, so I suggest the following wording for 6.1.1.1: In all cases, the CA SHALL:
The CA keys shall be:
The documentation of the procedure must be detailed enough to show that appropriate role separation was used, and the CA key pair generation must create a verifiable audit trail that the security requirements for procedures were followed.
missed this one @techliaison - adding new commits and pull request
Comparing the Federal Common Policy Framework, Section 6.1.1.1 to the BRD Section 6.1.1.1
BRD: