Abstract
This document defines the Certification Policies and Practices in accordance with the X.509 standard under which the State of Maine will operate its Certification Authorities in support of the PKI project.
Prepared by
State of Maine
Office of Information Technology
Certification Policies and Practices Statement
1.1.1 Roles and Responsibilities
1.3 Community and Applicability
1.3.1 Certification Authorities
1.3.2 Registration Authorities
1.3.4.3 Prohibited Applications
2.1.1 Warranties and Limitations
2.2.4 Relying Party Obligations
2.3.1 Indemnification by Relying Parties
2.4 Interpretations and Enforcement
2.4.2 Severability, Survival, Merger, Notice
2.4.3 Dispute Resolution Procedures
2.5.1 Certificate Issuance or Renewal Fees
2.5.3 Revocation or Status Information Access Fees
2.5.4 Fees for Other Services such as Policy Information
2.6 Publication and Repositories
2.6.1 Publication of CA Information
2.6.2 Frequency of Publication
2.7.1 Frequency of Entity Compliance Audit
2.7.2 Identity/Qualifications of Auditor
2.7.3 Auditor’s Relationship to Audited Party
2.7.5 Actions Taken as a Result of Deficiency
2.7.6 Communication of Results
2.8.1 Types of Information to be Kept Confidential
2.8.2 Types of Information not Considered Confidential
2.8.3 Disclosure of Certificate Revocation/Suspension Information
2.8.4 Release to Law Enforcement Officials
2.8.5 Release as Part of Civil Discovery
2.9 Intellectual Property Rights
3. Identification and Authentication
3.1.2 Need for Names to be Meaningful
3.1.3 Rules for Interpreting Various Name Forms
3.1.5 Name Claim Dispute Resolution Procedure
3.1.6 Recognition, Authentication and Role of Trademarks
3.1.7 Method to Prove Possession of Private Key
3.1.8 Authentication of Organization Identity
3.1.9 Authentication of Individual Identity
4.1.1 Delivery of Subscriber's public key to certificate issuer
4.2.2 CA public key delivery to users
4.4.1 Circumstances for revocation
4.4.1.1 Who can request a revocation
4.4.1.2 Procedure for Revocation Request
4.4.1.3 Revocation Grace Period
4.4.2 Certificate Revocation Lists
4.4.2.1 CRL issuance frequency
4.4.2.2 CRL checking requirements
4.5.1 Types of events recorded
4.5.2 Frequency of processing data
4.5.3 Retention period for security audit data
4.5.4 Protection of security audit data
4.5.5 Security audit data backup procedures
4.5.6 Security audit collection system
4.5.7 Notification to event-causing subject
4.5.8 Vulnerability assessments
4.6.4 Archive backup procedures
4.6.5 Archive collection system
4.6.6 Procedures to obtain archive information
4.8 Compromise and Disaster Recovery
5. Physical, Procedural, and Personnel Security Controls
5.2.2 Number of Persons Required per Task
5.2.3 Identification and Authentication for Each Role
5.3 Personnel Security Controls
5.3.1 Personnel Security Controls for Certification Authority
5.3.2 Personnel Security Controls for Registration Authority
5.3.3 Personnel Security Controls for End-Entities
6. Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.2 Private and Public Key Delivery to Entity
6.1.3 CA Public Key Delivery to Users
6.2.1 Standards for Cryptographic Module
6.2.2 Private Key Multi-person Control
6.2.3 Private Key Escrow, Backup and Recovery
6.2.4 Private Key Activation and Entry into Cryptographic Module
6.2.5 Method of Deactivating Private Key
6.2.6 Method of Destroying Private Key
6.3 Other Aspects of Key Pair Management
6.3.2 Usage Periods for the Public and Private Keys
6.5 Computer Security Controls
6.6 Lifecycle Security Controls
7. Certificate and CRL Profile
8. Specification Administration
8.1 Specification Change Procedures
8.2 Publication And Notification Policies
8.3 CPS and External Policy Approval Procedures