1.1 Overview (modified)
"...proposed by the RFC 2527" > "...proposed by the RFC 3647"
Addition: This document is a valid CP/CPS as of February 15, 2008, 09:00 UTC.

1.3.3 Subscribers (modified)
Change in statement: TR-GRID CA provides PKI services to meet the requirements of Turkish academic and research communities, including national and international Grid activities. TR-GRID CA issues certificates to the following entities:
- Users (people)
- Computers (hosts)
- Services (host applications)

1.3.4 Relying Parties (new section)
All entities that use the public keys of certificates issued by TR-GRID CA for signature verification and/or encryption are considered relying parties.

1.4 Certificate Usage (modified: certificate usage generalized beyond grid resources)
Addition: In addition, user certificates can be used for e-mail signing and encryption (S/MIME).
Addition: User certificates must not be shared.

1.4.2 Prohibited certificate usage (new section)
Notwithstanding the above, using certificates for purposes contrary to Turkish law is explicitly prohibited.

2.1 Repositories (modified)
Addition: The on-line repository is operated on a best-effort basis with 24x7 availability, subject to reasonable scheduled maintenance. The repository contains:
- The TR-GRID CA root certificate
- An http URL of the PEM-formatted CA certificate
- A periodically updated http URL of the PEM-formatted CRL
- A periodically updated http URL of the DER-formatted CRL
- User and host certificates issued by the CA
- All versions (current and past) of its verified CP/CPS document
- An official contact e-mail address
- A physical contact address
- Other information that can be regarded as relevant to TR-GRID CA

3.1.2 Need for Names to be Meaningful (modified)
Addition: Each host certificate must be linked to a single network entity.

3.2.3 Authentication of Individual Entity (modified)
Addition: In exceptional cases, such as a remote geographical location of the subject, identity validation may be performed by video conference.
In this case, an authenticated photocopy of the required document (ID card, driving license or passport) must be delivered by mail or courier to the RA staff prior to the online meeting. "Authenticated photocopy" refers to a copy certified by a notary public recognized under Turkish law.

3.3.1 Identification and Authentication for Routine Re-key (modified)
Expiration warnings are sent to subscribers before re-key is due. Re-key before expiration can be requested by submitting a re-key request signed with the subscriber's current personal certificate; after 3 years, face-to-face identity validation is required again as described in 3.2.3. Re-key after expiration follows exactly the same authentication procedure as a new certificate request.

4.1.1 (modified)
Addition: For host and service certificates, the requester must be appropriately authorized by the owner of the FQDN.

4.2.2 Approval or rejection of certificate applications (new section)
If a certificate request does not meet one or more of the criteria in 4.1.1, it is rejected and the requester is informed via e-mail.

4.2.3 Time to process certificate applications (new section)
Each certificate application is processed within no more than 5 working days.

4.3.1 CA actions during certificate issuance (new section)
The CA checks that identity validation has been properly performed as described in 3.2.3. The CA ensures secure communication with RAs by means of signed e-mails, SSL-protected private web pages and voice conversations with a known person.

4.9.1 Circumstances for Revocation (modified)
Addition: If any of the conditions above applies, the end entity must request revocation of the certificate as soon as possible, and in any case within one working day.

4.10.1 Operational characteristics (new section)
The TR-GRID CA on-line repository contains the list of valid certificates and the list of revoked certificates (CRL). Both lists are continuously updated.
5.3.3 Training requirements (new section)
Internal training is available and given to TR-GRID CA and RA operators.

5.3.4 Retraining frequency and requirements (new section)
TR-GRID CA performs an operational audit of the CA and RA operators once a year. Retraining is applied if the audit results are not satisfactory.

5.3.8 Documentation supplied to personnel
An operational manual for CA and RA operators is supplied to new TR-GRID CA personnel.

5.4.1 Types of Events Recorded (addition)
The login/logout/reboot information of the issuing machine is archived. In addition, annual operational audits of CA/RA staff must be performed.

5.4.6 Audit collection system (internal vs. external) (new section)
The audit log collection system is internal to TR-GRID CA.

5.5.3 Protection of Archive (new section)
Archives are kept in an auditable form with limited access.

5.5.6 Archive collection system (internal or external) (new section)
The archive collection system is internal to TR-GRID CA.

5.6 Key Changeover (modified)
The lifetime of the TR-GRID CA certificate is 5 years and the lifetime of end-entity certificates is 1 year. The CA's private key is changed periodically; from that time on, only the new key is used to sign new certificates and the CRLs covering them. The overlap of the old and new key must be at least one year. The older but still valid CA certificate must remain available to verify old signatures, and its private key must continue to be used to sign CRLs until all certificates signed with that key have expired or been revoked.

6.1.7 Key usage purposes (as per X.509 v3 key usage field) (modified)
TR-GRID end-entity certificates may be used only for authentication, signing proxy certificates, and e-mail signing and encryption. The TR-GRID CA private key is used only to issue new certificates and to revoke certificates by issuing CRLs.
6.2.5 Private key archival (new section)
TR-GRID CA does not archive private keys, apart from the private key corresponding to the TR-GRID CA root certificate.

6.2.6 Private key transfer into or from a cryptographic module (new section)
TR-GRID CA does not use a cryptographic module.

6.2.7 Private key storage on cryptographic module (new section)
See section 6.2.6.

6.2.8 Method of Activating Private Key (modified)
The TR-GRID CA private key is protected by a passphrase of at least 15 characters known only to authorized CA personnel. The subscriber is required to generate a secure passphrase of at least 12 characters for the private key. The private key cannot be shared, and it is the subscriber's responsibility to protect the private key properly.

6.4.1 Activation data generation and installation (modified)
TR-GRID CA does not generate activation data for subscribers. The subscriber is required to generate a secure passphrase of at least 12 characters as activation data for the private key. The TR-GRID CA private key is protected by a passphrase of at least 15 characters.

6.4.2 Activation data protection (new section)
The TR-GRID CA does not have access to, and does not generate, the private keys of subscribers. The key pair is generated and managed by the client, and it is the subscriber's responsibility to keep the private key secure. The passphrase for the private key of the CA root certificate is kept separately in paper form, with access limited to CA personnel.

7.2.1 Version Number(s) (modified)
CRLs are in X.509 v2 format, compliant with RFC 3280. CRLs are signed using the SHA-1 hash algorithm.

9.4 Privacy of personal information (modified)
TR-GRID CA does not collect any confidential or private information, except where the CA or RA archives copies of ID documents for identity validation of a user certificate request. TR-GRID CA guarantees that this personal information will not be used for any other purpose.
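The key-changeover rule in 5.6 (the old CA key goes on signing CRLs for the certificates it issued while the new key signs new ones), the continuously updated CRL of 4.10.1 and the v2 CRL format of 7.2.1 together imply a concrete check on the relying-party side: a CRL has to be verified with the CA certificate generation that actually signed it, a stale CRL must be refused, and a CRL from one key generation must not be used to decide the status of a certificate issued under the other. The following Go program is an added example written for this page; it is not TR-GRID CA software and not part of the CP/CPS. The CA name "Example Grid CA", the host name grid01.example.org, the serial numbers, lifetimes and the revocation itself are constructed for the example. It signs with ECDSA P-256 and SHA-256 rather than the SHA-1 named in 7.2.1, since SHA-1 signatures are no longer acceptable, and Go's parser accepts only X.509 v2 CRLs, so the format requirement of 7.2.1 is enforced by the parse itself.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is constructed test material: two CA key generations sharing one subject name (the
// overlap of 5.6), a host certificate issued under the old key, and its CRL signed by the old key.
type Scenario struct {
	OldCA, NewCA, Subscriber *x509.Certificate
	Trusted                  []*x509.Certificate // both generations, new one first
	CRL                      []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCA issues a 5-year CA certificate (CA lifetime in 5.6) with the certSign/cRLSign usages
// that CRL verification checks for; parsing it back exposes the SubjectKeyId Go generates for CAs.
func selfSignedCA(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

func BuildScenario() Scenario {
	now := time.Now()
	oldKey, newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// Same DN for both generations: only the signing key tells them apart.
	oldCA, newCA := selfSignedCA(oldKey, now.Add(-4*365*24*time.Hour)), selfSignedCA(newKey, now.Add(-30*24*time.Hour))
	subTmpl := &x509.Certificate{ // 1-year host certificate (end-entity lifetime in 5.6), issued under the old key
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "grid01.example.org"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(364 * 24 * time.Hour),
	}
	sub := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTmpl, oldCA, &subKey.PublicKey, oldKey))))
	crlTmpl := &x509.RevocationList{ // per 5.6 the old key still revokes its own certificates
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: sub.SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}
	crl := must(x509.CreateRevocationList(rand.Reader, crlTmpl, oldCA, oldKey))
	return Scenario{OldCA: oldCA, NewCA: newCA, Subscriber: sub, Trusted: []*x509.Certificate{newCA, oldCA}, CRL: crl}
}

// VerifyCRL parses a DER CRL (Go accepts only the X.509 v2 format required by 7.2.1), rejects a
// stale one, then verifies the signature against each trusted CA certificate carrying the CRL's
// issuer name: during the overlap of 5.6 both generations carry it, so only the key can decide.
func VerifyCRL(der []byte, cas []*x509.Certificate, now time.Time) (*x509.RevocationList, *x509.Certificate, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, nil, err
	}
	if now.After(rl.NextUpdate) {
		return nil, nil, fmt.Errorf("CRL is stale: nextUpdate %v has passed", rl.NextUpdate)
	}
	for _, ca := range cas {
		if bytes.Equal(ca.RawSubject, rl.RawIssuer) && rl.CheckSignatureFrom(ca) == nil {
			return rl, ca, nil
		}
	}
	return nil, nil, fmt.Errorf("no trusted CA certificate named %v verifies the CRL signature", rl.Issuer)
}

// IsRevoked reports whether cert's serial is on a verified CRL from the CA key that issued cert;
// a CRL from the other key generation says nothing about this certificate.
func IsRevoked(rl *x509.RevocationList, issuer, cert *x509.Certificate) bool {
	if !bytes.Equal(cert.AuthorityKeyId, issuer.SubjectKeyId) {
		return false
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	s := BuildScenario()
	rl, issuer, err := VerifyCRL(s.CRL, s.Trusted, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRL #%v: old key signed it %t, grid01 revoked %t, new key verifies it %t\n", rl.Number, issuer == s.OldCA, IsRevoked(rl, issuer, s.Subscriber), rl.CheckSignatureFrom(s.NewCA) == nil)
}
```

Running it prints one line showing the CRL attributed to the old CA certificate, the host certificate listed as revoked, and the new key failing to verify that CRL. A production verifier would first narrow the candidate certificates by authority key identifier before trying signatures; the signature trial across both generations here stands in for that step, and IsRevoked refuses to apply a CRL to a certificate whose authority key identifier does not match the CRL issuer's key.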
9.4.3 Information not deemed private (new section)
TR-GRID CA collects the following information, which is not deemed private, from the subscriber:
- Organizational e-mail address
- Name and surname
- Organization

9.12.1 Procedure for Amendment (modified)
Subscribers are not informed in advance when the CP/CPS document is changed. Changes are announced to the EUGridPMA and approved before the new CP/CPS is published on the website as defined in section 2.3. Changes are published on the website as well.

9.12.3 Circumstances under which OID must be changed (new section)
The OID must change whenever the version of the CP/CPS document is updated.