
Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology


Policy to Govern PKI Security Requirements and Certification Policies

I. Statement

The development and implementation of the public key infrastructure (PKI) within Maine state government shall conform to the requirements set forth in the “State of Maine PKI Security Policy Requirements”, included in Attachment A. This policy expands upon the State of Maine Information Technology Security Policy adopted by the Information Services Policy Board on 12/19/2002.

II. Purpose

The purpose of this policy is to establish the implementation and use of the public key infrastructure within Maine state government: to secure wireless networks, to provide secure electronic transactions, to protect confidential information, and to enable electronic documents to be signed with digital signatures in a secure environment.

III. Applicability

This policy is intended to govern the administration, management, acquisition and use of all certificates by

1)      Executive Branch and semi-autonomous State agencies and

2)      Agencies from other Maine State government branches.


The implementation of the State of Maine PKI Security Requirements is reflected in the State of Maine X.509 Certification Policies and Practices Statement, included in Attachment B.

IV. Guidelines & Procedures

1. State of Maine PKI Security Policy Requirements Appendix A

2. State of Maine X.509 Certification Policy and Practices Statement Appendix B

V. Responsibilities

A. Chief Information Officer (CIO) - Title 5, Maine Revised Statutes, Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies and standards for the implementation and use of information and telecommunications technologies,” et seq.

B. The Enterprise Information Security Director has overall responsibility for ensuring that certificate services operations are carried out in accordance with this policy.

C. The Chief Technology Officer (CTO) has responsibility for the day-to-day certificate services operations, including Certification Authority (CA) Administration and Certificate Management. The CTO is responsible for the implementation standards and standard operating procedures that support this policy.

D. Agency Information Technology Directors (AITD) have the responsibility of providing agency management with the appropriate information and notice to facilitate user account and certificate creation, or disablement and revocation, in accordance with established OIT procedures relative to this policy.

VI. Definitions

Certificate

A digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.

A digital representation of a user’s or computer’s identity that includes a public key and information about the entity to which the certificate was issued. Certificates are issued by a CA, which vouches for the user’s or computer’s identity; a relying party’s trust in a certificate is therefore only as strong as its trust in the CA that signed it.

Certification Authority (CA)

An entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or to other certification authorities. Activities of a certification authority include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

A computer that is recognized as an authority trusted by one or more users or processes to issue and manage X.509 public key certificates, a revocation list of CA certificates that are no longer valid, and a revocation list of end-entity certificates that have been revoked.

Certification Policy

A document describing the measures taken to validate a certificate’s subject prior to certificate issuance, and the community and purposes for which certificates issued under the policy are suitable.

Certificate Practices Statement (CPS)

A document defining the measures taken to secure CA operations and the management of CA-issued certificates; that is, the practices the CA actually follows when issuing, managing, renewing and revoking certificates under its Certification Policy.

Key

In encryption and digital signatures, a string of bits that controls the encryption, decryption, signing or verification of information. Public key cryptography relies on two related keys: a public key, which may be known to anyone, and a private key, known only to its owner. To encrypt for a recipient, the sender uses the recipient’s public key and only the recipient’s private key can decrypt; to sign, the owner uses the private key and anyone holding the public key can verify the signature.

Private Key

The component of a key pair that is kept secret by the owner of the key pair. Disclosure of a private key allows its holder to impersonate the owner, which is why a certificate must be revoked when its private key is compromised.

Public Key

The component of a key pair that is made available by the owner of the key pair.

The non-secret half of a cryptographic key pair that is used with a public key algorithm. Public keys are typically used when encrypting a session key, verifying a digital signature, or encrypting data that can be decrypted with the corresponding private key.

Public Key Infrastructure (PKI)

The set of components that issue certificates, use certificates, and manage the certificate life cycle.

The laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and registration authorities that verify and authenticate the identity of each party involved in an electronic transaction.
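The definitions above describe a certificate as a CA-signed binding of a public key to a subject, a CA as the entity that issues those certificates and publishes a revocation list, and a private key as the secret whose compromise forces revocation. The following Go program, added here as an illustration and not part of the State of Maine policy or of OIT’s Certificate Services, builds each of those artifacts in memory with the Go standard library and then performs the two checks a relying party makes: that a certificate chains to the CA it trusts, and that the certificate’s serial number is absent from a CRL genuinely signed by that CA. The CA name “Example State CA”, the host “workstation.example.gov”, the 24-hour validity periods and the helpers BuildDemoPKI, VerifyChain and IsRevoked are this example’s own constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short; real code would propagate these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI stands up a one-level PKI in memory and returns the CA
// certificate, a certificate it issued, and a CRL revoking that certificate.
// "Example State CA" and "workstation.example.gov" are constructed placeholders.
func BuildDemoPKI() (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	serialMax := new(big.Int).Lsh(big.NewInt(1), 128) // random 128-bit serials; never reuse one
	// 1. The CA generates a key pair and self-signs a certificate for its own
	//    public key; relying parties are configured to trust this directly.
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, serialMax)),
		Subject:               pkix.Name{CommonName: "Example State CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// 2. The subject (a computer) generates its own key pair; its private key
	//    never leaves it. The CA binds the subject's public key to its name by
	//    signing the certificate with the CA private key.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, serialMax)),
		Subject:      pkix.Name{CommonName: "workstation.example.gov"},
		DNSNames:     []string{"workstation.example.gov"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	// 3. Revocation: the CA publishes a CRL, signed with its own key, listing
	//    serial numbers that must no longer be trusted (here, the leaf).
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{ // field accepted by Go 1.15+
			{SerialNumber: leaf.SerialNumber, RevocationTime: now},
		},
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(
		rand.Reader, crlTmpl, ca, caKey))))
	return ca, leaf, crl
}

// VerifyChain is the relying-party check: leaf must chain to the trusted CA,
// be inside its validity period and be permitted for client authentication.
func VerifyChain(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsRevoked first proves the CRL was signed by the CA (a CRL of unknown
// origin says nothing), then searches it for the certificate's serial number.
func IsRevoked(crl *x509.RevocationList, ca, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, leaf, crl := BuildDemoPKI()
	fmt.Println("leaf chains to CA:", VerifyChain(leaf, ca) == nil)
	revoked, err := IsRevoked(crl, ca, leaf)
	fmt.Println("leaf revoked:", revoked, "err:", err)
}
```

Two points the program makes that the glossary only states: the relying party never sees a private key, only the CA’s signature over the subject’s public key, and a CRL is useless unless its own signature is checked against the same CA before its contents are believed. A production CA keeps the CA private key in a hardware security module and distributes CRLs (or OCSP responses) from the locations named in the certificates it issues; this example keeps everything in memory so that it can run offline.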

VII. References

1. State of Maine Certificate Services Design Document, Appendices A through K

2. State of Maine Office of Information Technology Standard Operating Procedures

VIII. Document Information

1.  Document Reference Number: 25

2.  Category: Security and Privacy

3.  Adoption Date:  11/28/2007

4.  Effective Date:  11/28/2007

5.  Review Date: 11/28/2007

6.  Point of Contact: Mark Kemmerle, Enterprise Information Security Director, Office of Information Technology, telephone: 207-624-8892.

7.  Approved By: Richard B. Thompson, Chief Information Officer

8.  Position Title(s) or Agency Responsible for Enforcement:  Mark Kemmerle, Enterprise Information Security Director, Office of Information Technology, telephone: 207-624-8892.

9.  Legal Citation:  Title 5, Maine Revised Statutes, Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies and standards for the implementation and use of information and telecommunications technologies”

10.  Waiver Process:  Waiver requests must be submitted in writing to the Chief Information Officer.