@@ -278,57 +278,50 @@ _Explain the overall architecture and relationship among the parts of the produc
<mark>PSC: Suggest removing as this will be specific to each individual product context.</mark>
## 4.2 Security Profile 1 (SP1) - Enterprise PKI
### 4.2.1 SP1 - Assets
## 4.2 Small and Medium Enterprise PKI context
### 4.2.2 SP1 - Essential Functions
### 4.2.1 Use
#### 4.2.2.1 Services
The product supports one or more of the following component services (see ETSI EN 319 411-1):
- Registration service: registers and receives certificate requests from subscribers; verifies the identity and, if applicable, attributes of a subject; and passes verified certificate requests to the certificate generation service.
EXAMPLE 1: This service verifies ownership of the domain in requests for public web site certificates.
EXAMPLE 2: This service verifies ownership of the email account in requests for email encryption and signing certificates.
NOTE 1: This service includes proof of possession of, or control over, subject private keys when these are not generated by the certificate generation service.
The reasonably foreseeable use of the PKI product is to support certification services within a small or medium sized enterprise where the direct impact of a compromise would typically be limited to the enterprise's own networks, services or users.
NOTE 2: If subject private keys are generated and stored by the certificate generation service to allow key recovery, this service receives and verifies key recovery requests from subscribers.
EXAMPLE 1: Software used to issue certificates for signing code developed and deployed within the enterprise.
EXAMPLE 2: Software used to issue certificates for authenticating access to services within the enterprise.
NOTE 3: Registration and verification of subject identities can involve personal data such as contact details and passport information.
EXAMPLE 3: Software used to issue certificates for securing email sent within the enterprise.
- Certificate generation service: generates and manages the CA keys; creates and signs subject certificates based on the identity and other attributes verified by the registration service; and passes the signed subject certificates to the dissemination service.
NOTE 4: The certificate profile used in certificate creation, including the signature algorithm, certificate lifetime and key usage restrictions, is determined by the CA's Certificate Policy (CP) or an equivalent document.
### 4.2.2 Functionality
NOTE 5: This service will typically use a secure cryptographic device to generate, store and use the CA keys.
#### 4.2.2.1 Services
NOTE 6: This service can include generation of subject keys and, if used for decryption, storage of subject private keys to allow key recovery.
The product supports one or more of the following component services (see ETSI EN 319 411-1):
-<strong>Registration service:</strong> registers and receives certificate requests from subscribers; verifies the identity and, if applicable, attributes of a subject; and passes verified certificate requests to the certificate generation service.
- Dissemination service: disseminates signed certificates to subscribers; and, if the subscriber consents, stores and makes them available to relying parties.
NOTE 1: This service includes proof of possession of, or control over, subject private keys when these are not generated by the certificate generation service.
NOTE 7: This service can make available the CA's terms and conditions, policy and practice information to subscribers and relying parties.
NOTE 2: If subject private keys are generated and stored by the certificate generation service to allow key recovery, this service receives and verifies key recovery requests from subscribers.
NOTE 8: This service can disseminate subject private keys to subscribers if the subject keys are generated by the certificate generation service.
-<strong>Certificate generation service:</strong> generates and manages the CA keys; creates and signs subject certificates based on the identity and other attributes verified by the registration service; and passes the signed subject certificates to the dissemination service.
- Revocation management service: processes requests and reports relating to revocation to determine the necessary action to be taken; and provides updates to the certificate status service.
NOTE 3: This service can use a secure cryptographic device to generate, store and use the CA keys.
EXAMPLE 4:This service verifies that revocation requests are submitted by authorised parties.
NOTE 4:This service can include generation of subject keys and, if used for decryption, storage of subject private keys to allow key recovery.
EXAMPLE 5: This service obtains confirmation from the subscriber if a compromise is reported by a third party.
-<strong>Dissemination service:</strong> disseminates signed certificates to subscribers; and, if the subscriber consents, stores and makes them available to relying parties.
NOTE 5: This service can disseminate subject private keys to subscribers if the subject keys are generated by the certificate generation service.
- Certificate status service: provides certificate revocation status information to relying parties.
-<strong>Revocation management service:</strong> processes requests and reports relating to revocation to determine the necessary action to be taken; and provides updates to the certificate status service.
EXAMPLE 6: This service publishes Certificate Revocation Lists (CRLs) and responds to Online Certificate Status Protocol (OCSP) queries.
-<strong>Certificate status service:</strong> provides certificate revocation status information to relying parties.
Each component service will require configuration and maintenance by system administrators.
#### 4.2.2.2 Logging
In both contexts, the product will support logging of security events such as account access attempts, product configuration changes, and system warnings or errors.
The product will support logging of security events such as account access attempts, product configuration changes, and system warnings or errors.
The product will typically support some logging of events relevant to each of the component service it provides:
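Review bot: Two registration-service notes from the removed list have no counterpart in the renumbered NOTE 1 to NOTE 5: the note that identity registration can involve personal data such as contact details and passport information, and the note that the certificate profile (signature algorithm, certificate lifetime, key usage restrictions) is determined by the CA's Certificate Policy. Both are security-relevant for an SME PKI (personal-data handling in the registration service, and where the issuance constraints come from), so either restore them under the new numbering or record in the change why they are dropped. Related: "This service will typically use a secure cryptographic device to generate, store and use the CA keys" becomes "This service can use a secure cryptographic device", which weakens the expectation for CA key protection without an accompanying rationale. Minor: the `<mark>PSC: Suggest removing ...</mark>` reviewer comment is still embedded in the document text and should be resolved rather than merged, and the new bullet lines need a space after the dash (`- <strong>Registration service:</strong> ...`) and after the label in `EXAMPLE 4:This` and `NOTE 4:This`.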
@@ -339,55 +332,51 @@ The product will typically support some logging of events relevant to each of th
- Revocation management service events such as revocation requests and results.
#### 4.2.2.3 Accounts
In both contexts, the product will support one or more of the following user accounts:
- System administrator account: authorized to install, configure and update the product.
The product will support one or more of the following user accounts:
-System operator account: authorized to operate the PKI services and perform system backups.
-<strong>System administrator account:</strong> authorized to install, configure and update the product.
NOTE: This might consist of separate registration service operator, certificate generation service operator and revocation service operator accounts.
-<strong>System operator account:</strong> authorized to operate the PKI services.
- System auditor account: authorized to view audit logs and other system data.
### 4.2.3 Architecture
#### 4.2.3 SP1 - Operational environment
#### 4.2.2.1 Overview
#### 4.2.3.1 Deployment
Figure 4.1 gives a high-level overview of a PKI architecture.
In the general context, the enterprise will have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed.
<divalign="center">
The PKI software can be expected to be deployed on servers within the enterprise's server rooms or data centre, or on a platform hosted by the enterprise's cloud service provider.

NOTE 1: Software-as-a-service is out of scope of the present document.
If the certificate generation service in the production system uses a secure cryptographic device to manage the CA keys, this can be a physical device located in the enterprise's data centre or a virtual device hosted by the enterprise's cloud service provider.
</div>
NOTE 2: Security requirements for secure cryptographic devices are out of scope of the present document.
### 4.2.4 Operational environment
#### 4.2.3.2 Physical security
An enterprise server room or data centre can be expected to have some physical access controls.
#### 4.2.4.1 Deployment
A cloud service provider can be expected to have strong physical security measures in place, but the servers hosting the PKI software are unlikely to be physically separated from other infrastructure.
The enterprise will have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed.
#### 4.2.3.3 Network security
The enterprise can be expected to implement security controls such as firewalls on the edge of their network and deploy malware detection and removal software on their infrastructure.
The PKI software will be deployed on servers within the enterprise's server rooms or data centre, or on a platform hosted by the enterprise's cloud service provider.
NOTE 1: Software-as-a-service is out of scope of the present document.
If the certificate generation service in the production system uses a secure cryptographic device to manage the CA keys, this can be a physical device located in the enterprise's data centre or a virtual device hosted by the enterprise's cloud service provider.
NOTE 2: Security requirements for secure cryptographic devices are out of scope of the present document.
#### 4.2.4.2 Physical security
An enterprise server room or data centre will have some physical access controls.
### 4.2.4 SP1 - Users
A cloud service provider will have strong physical security measures in place, but the servers hosting the PKI software will not be physically separated from other infrastructure.
| Administrator | Personnel authorized to install, configure, and maintain the CIMC; establish and maintain user accounts; configure profiles and audit parameters; and generate Component keys.|
| Operator | Personnel authorized to perform system backup and recovery. |
| Officer | Personnel authorized to request or approve certificates or certificate revocations.
| Auditor | Personnel authorized to view and maintain audit logs.|
||
#### 4.2.4.3 Network security
The enterprise will implement security controls such as firewalls on the edge of their network and deploy malware detection and removal software on their infrastructure.
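Review bot: The operational-environment paragraphs change hedged expectations into firm assertions ("can be expected to have some physical access controls" becomes "will have", "is unlikely to be physically separated" becomes "will not be physically separated", "can be expected to implement security controls such as firewalls" becomes "will implement"). These describe the deploying enterprise and its cloud provider, not the product, so the product vendor cannot guarantee them; keep them as environmental assumptions (the original "can be expected to" wording, or an explicit "it is assumed that") so that readers do not treat them as properties the product delivers. Also check the accounts: the system operator account loses "and perform system backups", and the removed SP1 Users table contained an Officer role authorized to request or approve certificates and revocations plus an Operator role for backup and recovery; after the change no listed account covers backup and recovery or certificate and revocation approval, so either fold those duties into the remaining accounts or state that they are out of scope. Finally, the heading numbering is inconsistent: `### 4.2.3 Architecture` is followed by `#### 4.2.2.1 Overview` (should be 4.2.3.1), and `#### 4.2.3 SP1 - Operational environment` uses a fourth-level marker for a third-level number.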