1. Introduction

1.1 Overview

The High Performance Computing Virtual Laboratory has implemented a Public Key Infrastructure (PKI), based on Entrust Authority™ Security Manager®, to increase the security posture of the organization and to support secure communications. The PKI consists of products and services that provide and manage X.509 public key certificates. The PKI binds its Subscribers (Subscriber is defined in §1.3.3.1) to public/private key pairs through the use of these X.509 certificates. Public key certificates identify the Subscriber named in the certificate and bind that identity to a public key embedded in the certificate. Every public key certificate issued by the High Performance Computing Virtual Laboratory Certification Authority (CA) and asserting one of the policies listed in §1.2 shall be issued under the applicable requirements of this Certificate Policy (CP).

The PKI consists of a self-signed CA, a repository, and the Registration Authorities (RAs), Local Registration Authorities (LRAs) and Subscribers associated with the CA. The CA will act as the Principal CA for cross certification with other CAs to achieve interoperability with other entity PKIs.

The PKI has a Board of Trustees herein referred to as the Policy Management Authority (PMA) who is responsible for the selection/definition of certificate policies for the organization, approval of any cross-certification agreements with external CAs and review of the High Performance Computing Virtual Laboratory Certification Practice Statement (CPS) to ensure consistency with the certificate policies.

The PKI has an Operations Authority (OA) that is overseen by the Executive Director. The OA is responsible for interpretation of the certificate policies as stated by the PMA, creation and management of the CPS, and the correct operation of the CA. The OA manages the overall operations of the CA and is responsible for the day-to-day operation of the CA.

This CP is managed by the Policy Authority (PA) and adheres to the High Performance Computing Virtual Laboratory Security Policy. Overall responsibility for the PKI is assigned to the High Performance Computing Virtual Laboratory PKI Management Authority (PMA).

Throughout this document, references to:

· “the PKI” mean the High Performance Computing Virtual Laboratory Public Key Infrastructure;

· “the CA” mean the High Performance Computing Virtual Laboratory Certification Authority;

· “the Repository” mean the High Performance Computing Virtual Laboratory Repository;

· “the RA” mean the High Performance Computing Virtual Laboratory Registration Authority;

· “the LRA” mean a authorized Local Registration Authority of the High Performance Computing Virtual Laboratory CA;

· “the PMA” mean the High Performance Computing Virtual Laboratory PKI Management Authority;

· “the PA” mean the High Performance Computing Virtual Laboratory Policy Authority;

· “the OA” mean the High Performance Computing Virtual Laboratory Operations Authority;

· “the CP” mean the High Performance Computing Virtual Laboratory Certificate Policy;

· “the CPS” mean the High Performance Computing Virtual Laboratory Certification Practice Statement;

· “certificate” mean a certificate issued by the High Performance Computing Virtual Laboratory CA; and

· “Subscriber” mean the holder of a certificate issued by the High Performance Computing Virtual Laboratory CA.

This CP is for use by all entities with relationships with the CA, including End-Entities and Registration Authorities undertaking to adhere to this CP.

This CP is binding on the CA, and governs its performance with respect to all Certificates it issues. Specific practices and procedures by which the CA implements the requirements of this CP are maintained in a Certification Practice Statement (CPS), which is approved by the PA and made available to Subscribers and Relying Parties.

This CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) RFC 2527 “Certificate Policy and Certification Practice Statement Framework”.

1.2 Identification

This document is called the “High Performance Computing Virtual Laboratory Entrust CA Certificate Policy Version 1.0”

1.3 Community and Applicability

This CP describes the terms and conditions under which High Performance Computing Virtual Laboratory makes CA and RA services available in respect to certificates; it is applicable to all persons, entities, and organizations that have a relationship with

· High Performance Computing Virtual Laboratory in respect to certificates and/or any services provided by High Performance Computing Virtual Laboratory in respect to certificates; and

· RAs operating under the High Performance Computing Virtual Laboratory CA.

This CP provides a statement of the rights and obligations of High Performance Computing Virtual Laboratory, any third parties that are operating RAs under the CA, and any other persons, entities, or organizations that may use or rely on certificates or have a relationship with the CA or a RA operating under the CA in respect to certificates and/or any services in respect to certificates.

The following table illustrates the relationships of the High Performance Computing Virtual Laboratory individuals to PKI and Entrust roles:

Table 1.1 PKI and Entrust Roles

Individual	PKI Role	Entrust Role
*Chair, Board of Trustees*	PMA	N/A
*Security Policy Advisory Committee*	PA	First Security Officer
*Executive Director*	OA	Master User
*Security Manager*	Entrust CA Administrator	Security Officer
*Security Specialist / Systems Administrator*	RA	Entrust Administrator
*Help Desk / Customer Service Representative*	LRA	Subset of Entrust Administrator
*HPCVL User / Certificate Subscriber*	Subscriber/Relying party	Subscriber

1.3.1 PKI Authorities

1.3.1.1 PKI Management Authority

The PKI Management Authority (PMA) is the Board of Trustees. The PMA is responsible for:

· Approval and sign-off of all CPs and CPSs pertaining to the CA;

· Approval and sign-off of all cross certifications by the CA with external entity CAs; and

· Execution of a Memorandum of Agreement (MOA) between the CA and an external entity CA. The MOA will set forth the respective responsibilities and obligations of both parties, and the mappings between the certificate levels of assurance contained in this CP and those in the entity CA CP. Thus, the term “MOA” as used in this CP shall always refer to the Memorandum of Agreement cited in this paragraph.

1.3.1.2 Policy Authority

The Policy Authority (PA) is the Security Policy Advisory Committee. The PA is responsible for:

· Creation, maintenance, submission to the PMA, and publication of all CPs pertaining to the CA;

· Review for CP compliance and submission to the PMA of all CPSs pertaining to the CA;

· Review of the CA operations and assurance of continued conformance with the CPs and CPSs pertaining to the CA.

· Review and submission to the PMA of all recommended cross certifications by the CA with external entity CAs;

· Negotiation of a Memorandum of Agreement (MOA) between the CA and an external entity CA. The MOA will set forth the respective responsibilities and obligations of both parties, and the mappings between the certificate levels of assurance contained in this CP and those in the entity CA CP. Thus, the term “MOA” as used in this CP shall always refer to the Memorandum of Agreement cited in this paragraph; and

· Review and assurance of continued conformance of all cross-certified entities with applicable requirements as set forth in the MOA as a condition for allowing continued cross certification with the CA.

1.3.1.3 Operations Authority

The Operations Authority (OA) is the organization that operates the CA and reports to the Executive Director. The OA is responsible for:

· Creation, submission to the PA, and maintenance of all CPSs pertaining to the CA;

· Creation and management of CA Operating Procedures ensuring that the practices that the CA employs in issuing certificates, as described in the CPS, are consistent with this CP; and

· Management of CA Operations, including all aspects of the issuance and management of a certificate, such as:

o Control over the registration process;

o The certificate manufacturing process;

o Publication of certificates;

o Revocation of certificates;

o Generation and destruction of CA signing keys;

o Rekey of CA; and

o Ensuring that all aspects of CA services, operations and infrastructure related to certificates issued under this CP are in accordance with the requirements, representations, and warranties of this CP.

1.3.1.4 Certification Authority

The Certification Authority (CA) is responsible for:

· Creation, signing, distribution, and revocation of certificates binding the X.500 Distinguished Name of Subscribers and Registration Authorities with their respective signature verification key and their public encryption key;

· Delegation of limited authority to one or more Registration Authorities;

· Promulgation of certificate status through Certificate Revocation Lists (CRLs) and Authority Revocation Lists (ARLs); and

· Implementation and operation of its certification practices to achieve the requirements of this CP.

Only CAs approved by the PMA shall issue certificates under this CP. In the event that more than one CA is authorized to issue certificates, High Performance Computing Virtual Laboratory shall post a list of authorized CAs in the Repository.

Where necessary, this CP distinguishes the different users and roles accessing the CA functions. Where this distinction is not required, the term Certification Authority is used to refer to the total CA entity, including the hardware, software, personnel, processes, and its operations.

1.3.2 Registration Authorities

Registration Authorities (RAs) are appointed by the OA and are responsible for the verification and processing of subscriber applications received from the LRAs in accordance with this CP.

Only RAs authorized by the OA shall submit requests to the CA for the issuance of certificates. In the event that more than one RA is authorized to perform this function, High Performance Computing Virtual Laboratory shall post a list of authorized RAs in the Repository.

1.3.2.1 Local Registration Authorities

Local RA (LRAs) are appointed by the RA and are responsible for the identification and authentication of End Entities in accordance with this CP.

1.3.3 End Entities

End Entities in the PKI consist of Subscribers, Relying Parties, hardware devices and/or specific applications. All End Entities are Subscribers. End Entities use certificates issued by the CA to encrypt information for and verify the digital signatures of other End Entities within the PKI for legitimate High Performance Computing Virtual Laboratory business use. As such, End Entities are also Relying Parties.

This CP is binding on each End Entity that applies for and obtains or relies certificates by virtue of a Subscriber Agreement or equivalent conditions in a contract. The CP governs each applicant's performance with respect to their application for, use of, and reliance on certificates.

1.3.3.1 Subscribers

To become a Subscriber of the CA a person, entity, or organization must apply for a certificate, during which time they are referred to as an Applicant. Subscribers to the CA include:

· High Performance Computing Virtual Laboratory full-time employees, part-time employees, contractors and temporaries;

· High Performance Computing Virtual Laboratory Customer full-time employees, part-time employees, contractors and temporaries;

· Other individuals with whom High Performance Computing Virtual Laboratory has a business relationship; and

· External cross-certified Certificate Authorities.

1.3.3.2 Relying Parties

The right to reasonably rely on certificates is limited to the following persons:

· Subscribers that are using approved applications, as defined in §1.3.4;

· Devices or applications utilizing certificates for authentication or to protect sensitive information; and

· External cross-certified CAs that have been approved by the PMA.

1.3.4 Applicability

Certificates issued under this CP are intended to support low to medium value data/transactions in high-risk network environments or data/transactions of moderate to high organizational or financial value in secure low risk network environments.

Certificates issued under this CP are appropriate for transactions that are official in nature, and for which there is a need for high confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user’s identity might result in:

· Significant inconvenience to any party; or

· Significant financial loss to any party; or

· Significant damage to any party’s standing or reputation; or

· Significant distress being caused to any party; or

· Release of some personal information, High Performance Computing Virtual Laboratory sensitive information, or information commercially sensitive to third parties; and

· Significant risk that an egregious criminal act will occur in the transaction or that the transaction will assist materially in the commission or concealment of an egregious criminal act.

1.3.4.1 Authorized Applications

The certificates issued by the CA under this CP are to be used exclusively for applications authorized by the PMA.

1.3.4.2 Prohibited Applications

All applications not explicitly authorized for use with certificates by the PMA are prohibited.

1.4 Contact Details

1.4.1 Specification Administration Organization

This CP is administered by the PA and is approved by the PMA.

1.4.2 Contact Person

The contact information for the PA is:

Costa Dafnas, CISSP

Research Computing Security Officer

High Performance Computing Virtual Laboratory

Queen's University

993 Princess Street, Suite 115

PO Box 5

Kingston, Ontario

Canada K7L 1H3

Tel: (613) 533-2561

Fax: (613) 533-2015

Email: dafnasc@post.queensu.ca

Web: http://www.hpcvl.org/

1.4.3 Person Determining CPS Suitability for the Policy

The CPS is administered by the OA and is approved by the PMA. Suitability is determined by the PA prior to presentation to the PMA for approval

2. General Provisions

2.1 Obligations

2.1.1 Certification Authority Obligations

The CA shall conform to the stipulations of this CP, including:

· Providing to the PMA a CPS, as well as any subsequent changes, for conformance assessment;

· Conforming to the stipulations of the approved CPS;

· Make best effort to provide CA services on a 7 day per week, 24 hour per day basis in accordance with this CP and the CPS;

· Ensuring that registration information is accepted only from properly authenticated RAs and or LRAs who understand and are obligated to comply with this CP;

· Issue certificates to Subscribers in accordance with this CP as well as the procedures and practices described in the CPS;

· Including only valid and appropriate information in certificates and maintaining evidence that due diligence was exercised in validating the information contained in the certificates;

· Revoke certificates that are issued by this CA in accordance with the stipulations of this CP as well as those in the CPS;

· Issue and publish CRLs on a regular schedule as per the CPS;

· Notify Subscribers that certificates have been issued to them or that their digital signature verification certificate has been revoked via secure exchanges between the CA and the client application representing that Subscriber;

· Notify others (e.g. Relying Parties) of certificate issuance/revocation by provision of access to certificates and CRLs in the Repository;

· Provide renewal, suspension, and replacement of certificates; and

· Operating or providing for the services of an on-line Repository.

Some obligations that are defined as the CA’s may actually be carried out by an RA, on behalf of the CA, but the CA remains ultimately responsible for such obligations.

2.1.2 Registration Authority Obligations

An RA or LRA who performs registration functions as described in this CP shall comply with the stipulations of this CP and comply with the CPS. An RA or LRA who is found to have acted in a manner inconsistent with these obligations shall be subject to revocation of RA responsibilities and possible disciplinary action.

The RA and LRA is obliged to verify the accuracy and authenticity of the information provided by LRAs for the acceptance of Subscriber certificate applications. The RA may make use of existing High Performance Computing Virtual Laboratory databases as an agent to verify the application data by comparing it with information in the databases. The RA provides this verification on behalf of the CA.

A RA and LRA represents and warrants to the CA that it shall:

· receive certificate applications in accordance with the terms and conditions of the CPS;

· perform limited verification of information submitted by Applicants when applying for certificates, and if such verification is successful, submit a request to the CA for the issuance of an certificate, all in accordance with the terms and conditions of the CPS;

· receive and verify requests from Subscribers for the revocation of certificates, and if the verification of a revocation request is successful, submit a request to the CA for the revocation of such certificate, all in accordance with the terms and conditions of the CPS;

· notify Subscribers, in accordance with the terms and conditions of the CPS, that a certificate has been issued to them; and

· notify Subscribers, in accordance with the terms and conditions of the CPS, that a certificate issued to them has been revoked or will soon expire.

2.1.3 Subscriber Obligations

A Subscriber shall:

· Provide correct information to the LRA/RA without errors, omissions, or misrepresentations;

· Generate a new and secure key pair to be used in association with the Subscriber's certificate;

· Refrain from modifying the certificate contents;

· Request revocation of a certificate if a key is no longer needed;

· Memorize and not record any passwords or PINs associated with accessing or using private keys or cryptographic tokens;

· Exercise diligence in protecting their private keys and cryptographic tokens at all times against loss, theft or tampering;

· Inform the LRA/RA within 48 hours of a change to any information included in it’s certificate or certificate application request;

· Inform the High Performance Computing Virtual Laboratory Customer Service Center / Help Desk within 24 hours of a suspected or actual compromise of one or all of it’s private keys, activation data, or security module;

· Immediately cease to use the Subscriber's certificate upon expiration or revocation of such HPCVL Certificate, or any suspected or actual compromise of the private key corresponding to the public key in such certificate, and remove such certificate from the devices and/or software in which it has been installed;

· Understand the basic principles of Public Key certificates and their use within the business / application;

· Use certificates exclusively for legal and authorized purposes in accordance with the terms and conditions of this CP and applicable laws;

· Only use certificates on behalf of the person, entity, or organization listed as the subject of the certificate; and

· Read, understand and abide by all the terms, conditions, and restrictions in the Subscriber Agreement or contract.

Certificates and related information may be subject to export, import, and/or use restrictions. Subscribers shall comply with all laws and regulations applicable to a Subscriber's right to export, import, and/or use certificates or related information. Subscribers shall be responsible for procuring all required licenses and permissions for any export, import, and/or use of certificates or related information. Certain cryptographic techniques, software, hardware, and firmware ("Technology") that may be used in processing or in conjunction with certificates may be subject to export, import, and/or use restrictions. Subscribers shall comply with all laws and regulations applicable to a Subscriber's right to export, import, and/or use such Technology or related information. Subscribers shall be responsible for procuring all required licenses and permissions for any export, import, and/or use of such Technology or related information.

2.1.3.1 Subscriber and Applicant Representations and Warranties

Subscribers and Applicants represent and warrant to High Performance Computing Virtual Laboratory that:

· all information provided by the Subscriber or Applicant to High Performance Computing Virtual Laboratory or to any independent third-party RA is correct and does not contain any errors, omissions, or misrepresentations;

· the private key corresponding to the public key submitted by the Subscriber and/or Applicant in connection with a certificate application was created using sound cryptographic techniques and has not been compromised;

· any information provided to High Performance Computing Virtual Laboratory or to any independent third-party RAs by the Subscriber and/or Applicant in connection with an certificate application does not infringe, misappropriate, dilute, unfairly compete with, or otherwise violate the intellectual property, or other rights of any person, entity, or organization in any jurisdiction;

· the Applicant shall notify High Performance Computing Virtual Laboratory or, if the Applicant submitted its certificate application to an independent third-party RA, such independent third-party RA, as soon as practicable if any information included in the Applicant's certificate application changes or if any change in any circumstances would make the information in the Applicant's certificate application misleading or inaccurate;

· the Subscriber shall immediately cease to use the Subscriber's certificate if any information included in the Subscriber's certificate changes or if any change in any circumstances would make the information in the Subscriber's certificate misleading or inaccurate;

· the Subscriber shall immediately cease to use the Subscriber's certificate upon

o expiration or revocation of such certificate, or

o any suspected or actual compromise of the private key corresponding to the public key in such certificate, and shall remove such certificate from the devices and/or software in which it has been installed; and

· the Subscriber and/or Applicant will not use certificates for any hazardous or unlawful (including tortuous) activities.

2.1.4 Relying Party Obligations

Each Relying Party shall:

· Use certificates exclusively for legal and authorized purposes in accordance with the terms and conditions of this CP and applicable laws;

· Perform cryptographic operations properly;

· Verify certificates, including the use of CRLs, in accordance with the certification path validation procedure specified in ITU-T Rec. X.509, taking into consideration any critical extensions;

· Trust and make use of a certificate issued under this CP only if the certificate has not expired nor been revoked and only if a proper chain of trust can be established to an acceptable root CA;

· Make their own judgment and rely on a certificate only if such reliance is reasonable in the circumstances, including determining whether such reliance is reasonable given the nature of the security and trust provided by a certificate and the value of any transaction that may involve the use of a certificate;

· Preserve the original signed data, the applications necessary to read and process the data, and the cryptographic applications needed to verify the digital signatures on that data as long as it may be necessary to verify the signature on the data; and

· Understand the basic principles of Public key certificates and their use within the business / application.

Certificates and related information may be subject to export, import, and/or use restrictions. Relying Parties shall comply with all laws and regulations applicable to a Relying Party's right to use certificates and/or related information. Relying Parties shall be responsible for procuring all required licenses and permissions for any export, import, and/or use of certificates and/or related information. Certain cryptographic techniques, software, hardware, and firmware ("Technology") that may be used in processing or in conjunction with certificates may be subject to export, import, and/or use restrictions. Relying Parties shall comply with all laws and regulations applicable to a Relying Party's right to export, import, and/or use such Technology or related information. Relying Parties shall be responsible for procuring all required licenses and permissions for any export, import, and/or use of such Technology or related information.

2.1.4.1 Relying Party Representations and Warranties

Relying Parties represent and warrant to High Performance Computing Virtual Laboratory that:

· the Relying Party shall properly validate a certificate before making a determination about whether to rely on such certificate, including confirmation that the certificate has not expired or been revoked and that a proper chain of trust can be established to a trustworthy root CA;

· the Relying Party shall not rely on a revoked or expired certificate;

· the Relying Party shall not rely on a certificate that cannot be validated back to a trustworthy root CA;

· the Relying Party shall exercise its own judgment in determining whether it is reasonable under the circumstances to rely on a certificate, including determining whether such reliance is reasonable given the nature of the security and trust provided by a certificate and the value of any transaction that may involve the use of a certificate; and

· the Relying Party shall not use a certificate for any hazardous or unlawful (including tortuous) activities.

2.1.5 Repository Obligations

The Repository is obligated to:

· Post to an X.500 Directory Server System that is also accessible through the Lightweight Directory Access Protocol;

· Publish and archive certificates;

· Publish and archive CRLs/ARLs;

· Publish and archive the CP;

· Post all CA provided information in a timely manner;

· Maintain security to prevent unauthorized access and tampering.

· Maintain the availability of the information as required by the certificate information posting and retrieval stipulations of this CP; and

· Provide access control mechanisms when needed to protect Repository information as described in this CP.

2.2 Liability

As the CA and RA functions are provided by the High Performance Computing Virtual Laboratory, the liability issues related to both functions are combined in this CP.

Nothing in this CP shall create, alter, or eliminate any other obligation, responsibility, or liability that may be imposed on the High Performance Computing Virtual Laboratory by virtue of any contract or obligation that is otherwise determined by applicable law.

The maximum cumulative liability of the High Performance Computing Virtual Laboratory to all Subscribers, Relying Parties and any other entities for losses, costs, expenses, liabilities, damages, claims, or settlement amounts arising out of or relating to use of an certificate or any services provided by the High Performance Computing Virtual Laboratory in respect to any certificate is limited by this CP. This CP also contains limited warranties and disclaimers of representations, warranties and conditions.

Each Relying Party acknowledges that to the extent that its reliance on any certificate causes itself or its customer damages, of any type, in excess of the liability limits described in this CP and the Subscriber Agreement, such reliance is unreasonable.

2.2.1 Certification Authority and Registration Authority Liability

2.2.1.1 Warranties and Limitations on Warranties

The High Performance Computing Virtual Laboratory warrants and promises to:

· Provide certification and repository services consistent with this CP;

· Perform the identification and authentication procedures set forth in §3 of this CP and the procedures defined in §3 of the CPS;

· Provide key management services including certificate issuance, publication, revocation and update in accordance with this CP and with the CPS; and

· Comply with all legal provisions in this CP.

The High Performance Computing Virtual Laboratory makes no representations or warranties with respect to:

· The techniques used in the generation and storage of the Private Key corresponding to the Public Key in certificate, including, whether such Private Key has been compromised or was generated using sound cryptographic techniques;

· The reliability of any cryptographic techniques or methods used in conducting any act, transaction, or process involving or utilizing a certificate;

· Any software whatsoever; or

· Non-repudiation of any certificate or digital signature verified using a certificate, since determination of non-repudiation is a matter of applicable law.

2.2.1.2 NOTICE OF LIMITED LIABILITY

No stipulation.

2.2.1.3 Disclaimers

The High Performance Computing Virtual Laboratory is not liable for loss due to any of the following:

· Loss of CA or RA service due to war, natural disasters or other uncontrollable forces.

· Incurred between the time that a certificate is revoked and the next scheduled issuance of a Certificate Revocation List.

· Due to unauthorized use of certificates issued by the CA.

· Use of certificates beyond the prescribed use defined by the CP under which the certificate is issued and the related CPS. Caused by fraudulent or negligent use of certificates and/or CRLs and/or ARLs issued by the CA.

VERSION	DATE	AUTHOR(S)	DESCRIPTION	REASON FOR CHANGE
0.1	12 September 2003	T. Sexsmith, Entrust	Initial draft
0.2	21 April 2004	M. Staveley HPCVL	HPCVL details / customization	Update
0.3	27 September 2004	C. Dafnas HPCVL	HPCVL details / customization	Update
1.0	8 October 2004	C. Dafnas HPCVL	HPCVL details / customization	Update