The title page

  Version 2.2 > Version 2.
  September, 2009 > May 15, 2014 (This date will be updated after this CP/CPS is approved by EUGridPMA.)

Table of Contents

  The table of contents of the CP/CPS document has been regenerated.

1.1 Overview

  ...CP/CPS as of October 15, 2009, 09:00 UTC > ...CP/CPS as of May 15, 2014, 09:00 UTC (This date will be updated after this CP/CPS is approved by EUGridPMA.)

1.2 Document Name and Identification

  Document Version: 2.2 > Document Version: 2.3
  Document Date: October 15, 2009 > Document Date: May 15, 2014
  ...(OID): 1.3.6.1.4.1.23658.10.1.2.2 > ...(OID): 1.3.6.1.4.1.23658.10.1.2.3

1.5.2 Contact Person

  Our institute changed the domain of our e-mail addresses.
  Email: feyza@ulakbim.gov.tr > Email: feyza.eryol@tubitak.gov.tr

3.2.1 Method to Prove Possession of a Private Key

  The title of the section is corrected.
  Method to Prove Possession of a Key > Method to Prove Possession of a Private Key

3.2.3 Authentication of Individual Identity

  The title of the section is corrected.
  Authentication of Individual Entity > Authentication of Individual Identity

4.1.1 Who can Submit a Certificate Application

  The key length of a certificate must be 1024 or 2048 bits. > The key length of a certificate must be at least 2048 bits.
  Message digests of the certificates have been generated with SHA256 since December 2013.
  Message digests of the certificates must be generated by SHA1 algorithm. > Message digests of the certificates must be generated by SHA256 algorithm.

4.1.2 Enrollment Process and Responsibilities

  This section did not exist in the previous version of the CP/CPS. This has been corrected; the section now reads:

  "As the essential procedures that must be followed in an end-entity certificate application are stated in section 3.2.3, the enrollment processes are as follows:

  * User enrollment: The subject fills in the membership form, which can be seen by both the CA and RA operators. The subject then contacts the RA staff in person so that his/her identity can be validated. The subject is authenticated by the RA with his/her official identity document. The RA communicates the membership application to the CA operator, who authenticates the user, either via SSL-protected HTTP transport or with signed e-mail. After a successful membership application, the CA operator sends an active HTTPS request link that includes a randomly generated hash string uniquely identifying the user, together with the following details: first and last name, organization, e-mail address, name of institution and department. The subject uses this link for the certificate request. The subject connects to the online CA web site with the given link and must enter a PIN of at least eight characters before submitting the request. The subject's private key is generated in the user's browser and the request is received by the online CA. Upon successful submission of the certificate request, the RA operator authenticates the submission through the personal application of the user with his/her official identity card and the PIN given in the request form. The CA operator checks the authentication procedures of the subject, issues the certificate, and informs the RA and the requester via an e-mail that describes how to download the certificate from the online CA web site using the browser from which the request was submitted.

  * Host enrollment: Host certificates can only be requested by the administrator responsible for the particular host. In order to request a host certificate, the administrator must already possess a valid personal TR-GRID CA certificate. Applicants can make host/service certificate requests to the RA via e-mail signed with a valid TR-GRID CA certificate. The applicant's public key is delivered to the RA in an e-mail containing the certificate request. The RA must ensure that the applicant is appropriately authorized by the owner of the associated FQDN. The public key arrives at the TR-GRID CA in an e-mail signed by the RA. The CA operator checks the authentication procedures of the subject, issues the certificate, and informs the RA and the applicant via e-mail. Applicants can also make host/service certificate requests via the SSL-protected HTTP certification request service provided by the RA."

4.9.9 On-line Revocation/Status Checking Availability

  At present, no on-line service for this purpose is available. > "At present, no on-line service for this purpose is available. The CRL will be published immediately after a revocation is issued, and it will be updated at least 7 days before the expiration date of the CRL, where the CRL lifetime is 30 days."

5.5.1 Types of Event Recorded

  The title of the section is corrected.
  Types of Records Archived > Types of Event Recorded
  The following line is added to the list of records: "The official identity documents (ID-card, driving license or a passport) of end entities."

5.7.1 Incident and Compromise Handling Procedures

  The title of the section was missing and has been added.

5.7.2 Computing Resources, Software, and/or Data are Corrupted

  No stipulation > If the CA software or any data on the CA machine are corrupted, or the CA machine hardware fails, the system will be restored from the kept backups.

6.1.6 Public Key Parameters Generation and Quality Checking

  The title of the section is corrected.
  Public Key Parameters Generation > Public Key Parameters Generation and Quality Checking

6.2.1 Cryptographic Module Standards and Controls

  The TR-GRID CA uses sha1 with RSA encryption as a signature algorithm. > The TR-GRID CA uses SHA256 with RSA encryption as a signature algorithm.

6.2.5 Private Key Archival

  TR-GRID CA does not archive private keys apart... > TR-GRID CA does not archive end entities' private keys...

6.5.1 Specific Computer Security Technical Requirements

  The following line is added to the list: "The CA server is a dedicated machine and it is not connected to any type of network."

7.1.3 Algorithm Object Identifiers

  The following hash/digest algorithm is: > The following hash/digest algorithm is used for CA:
  For end-entity certificates the following two lines are added: "The following hash/digest algorithm is used for end-entities: * Secure Hash Algorithm-256 (x500 oid: 2.16.840.1.101.3.4.2.1)"
  RSA (x500 oid: 1.2.840.113549.1.1.1) > RSA (x500 oid: 1.2.840.113549.1.1.5)

7.2.1 Version Number(s)

  ... compliant with RFC 3280 ... > ... compliant with RFC 5280 ...

9.16.5 Force Majeure

  This section did not exist in the previous version of the CP/CPS. This has been corrected; the section now reads: "No stipulation"
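As an added example (not text from the CP/CPS and not TR-GRID CA software), the stdlib-only Python below checks a certificate's signature-algorithm OID and RSA key length against the v2.3 requirements of sections 4.1.1 and 6.2.1, and computes the CRL republication deadline that section 4.9.9 implies. The DER AlgorithmIdentifier samples are constructed here; the OID-to-name table uses the registered names from RFC 3279/5280, including 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), which the page itself does not list.

```python
"""Policy checks derived from the TR-GRID CA CP/CPS v2.3 change list.
Added example; the DER walker is a minimal hypothetical helper, not an X.509 parser."""
from datetime import datetime, timedelta

# Registered names (RFC 3279/5280) for the OIDs that appear in section 7.1.3,
# plus the sha256WithRSAEncryption OID that section 6.2.1's requirement implies.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "2.16.840.1.101.3.4.2.1": "sha256",
}

def decode_oid(body: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first, rest = arcs[0], arcs[1:]
    # The first two arcs are packed into one subidentifier: 40*X + Y.
    x, y = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in [x, y, *rest])

def algorithm_oid(alg_id: bytes) -> str:
    """Pull the OID out of a DER AlgorithmIdentifier: SEQUENCE { OID, params }.
    Short-form lengths only, which is enough for any AlgorithmIdentifier."""
    assert alg_id[0] == 0x30 and alg_id[2] == 0x06, "not an AlgorithmIdentifier"
    return decode_oid(alg_id[4:4 + alg_id[3]])

def check_end_entity(sig_alg_oid: str, modulus_bits: int) -> list:
    """Return the v2.3 policy violations (sections 4.1.1 and 6.2.1) for a certificate."""
    problems = []
    if modulus_bits < 2048:
        problems.append(f"key length {modulus_bits} < 2048 bits")
    if OID_NAMES.get(sig_alg_oid) != "sha256WithRSAEncryption":
        name = OID_NAMES.get(sig_alg_oid, sig_alg_oid)
        problems.append(f"signature algorithm {name} is not SHA256 with RSA")
    return problems

CRL_LIFETIME = timedelta(days=30)      # section 4.9.9: CRL lifetime is 30 days
CRL_REFRESH_MARGIN = timedelta(days=7)  # and it is reissued >= 7 days before expiry

def crl_reissue_deadline(this_update: datetime) -> datetime:
    """Latest time a fresh CRL must be published for the one issued at this_update."""
    return this_update + CRL_LIFETIME - CRL_REFRESH_MARGIN

# Constructed samples: DER AlgorithmIdentifier with NULL parameters.
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")    # sha1WithRSAEncryption
```

A revocation still triggers an immediate CRL publication under section 4.9.9; the deadline above only bounds the routine refresh.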