Commit 93c881c2 authored by Sammy Haddad

Section numbering

parent 215a573e
+20 −20
@@ -341,9 +341,9 @@ EXAMPLE 3: The dissemination service is not needed as an enterprise directory se

# 5 Security Profiles
## 5.1 Private PKI for SME
### 5.1.4 Operational environment
### 5.1.1 Operational environment

#### 5.1.4.1 Deployment
#### 5.1.1.1 Deployment

The enterprise will have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed. 

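Review bot: renumbering 5.1.4 to 5.1.1 and 5.1.4.1 to 5.1.1.1 here changes the clause identifiers, but nothing in this patch touches in-text references of the form "clause 5.1.x"; grep the document for the old numbers (5.1.4 through 5.1.9 and their subclauses) before merging so that existing cross-references do not go stale.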
@@ -355,13 +355,13 @@ If the certificate generation service in the production system uses a secure cry

NOTE 2:	Security requirements for secure cryptographic devices are out of scope of the present document.

#### 5.1.4.2	Physical security
#### 5.1.1.2	Physical security

An enterprise server room or data centre will have some physical access controls.

A cloud service provider will have strong physical security measures in place, but the servers hosting the PKI software will not be physically separated from other infrastructure.

#### 5.1.4.3	Network security
#### 5.1.1.3	Network security

The enterprise will implement security controls such as firewalls on the edge of their network.

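Review bot: the headings for 5.1.1.2 Physical security and 5.1.1.3 Network security separate the clause number from the title with a tab, whereas 5.1.1.1 Deployment in the previous hunk uses a single space; since these lines are being rewritten anyway, normalise them to "#### 5.1.1.2 Physical security" and "#### 5.1.1.3 Network security".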
@@ -375,9 +375,9 @@ The enterprise will employ competent system administrators to install, configure

However, system operators might have limited experience running critical component services and might have only received basic training in cybersecurity or data protection.

### 5.1.6 Assets
### 5.1.2 Assets

#### 5.1.6.1 System administration
#### 5.1.2.1 System administration

Table 5.1 provides a list of system administration assets for the PKI product.

@@ -399,7 +399,7 @@ Table 5.1 provides a list of system administration assets for the PKI product.

</div>

#### 5.1.6.2 Registration service
#### 5.1.2.2 Registration service

Table 5.2 provides a list of assets for a PKI product that supports registration services.

@@ -419,7 +419,7 @@ Table 5.2 provides a list of assets for a PKI product that supports registration

If the PKI product does not provide support for subscriber management as part of its registration services, then the subscriber data (REG01) and subscriber management function (REG11) assets will not be present. 

#### 5.1.6.3 Certificate generation service
#### 5.1.2.3 Certificate generation service

Table 5.3 provides a list of assets for a PKI product that supports certificate generation services.

@@ -445,7 +445,7 @@ If the PKI product does not support the use of subject key generation or subject

If the PKI product does not support registration services, then certificate requests can either be submitted directly via the certificate generation service user interface (GEN21) or via a related logical interface.

#### 5.1.6.4 Dissemination service
#### 5.1.2.4 Dissemination service

Table 5.4 provides a list of assets for a PKI product that supports dissemination services.

@@ -465,7 +465,7 @@ Table 5.4 provides a list of assets for a PKI product that supports disseminatio

If the PKI product does not support dissemination services, then the dissemination assets will be replaced by a logical interface to a third-party enterprise directory service.

#### 5.1.6.5 Revocation management service
#### 5.1.2.5 Revocation management service

Table 5.5 provides a list of assets for a PKI product that supports revocation management services.

@@ -483,7 +483,7 @@ Table 5.5 provides a list of assets for a PKI product that supports revocation m

The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the revocation management function (REV11) and user interface (REV21) assets can be considered part of the corresponding certificate generation function (GEN12) and user interface (GEN21) assets.

#### 5.1.6.6 Certificate status service
#### 5.1.2.6 Certificate status service

Table 5.5 provides a list of assets for a PKI product that supports certificate status services.

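Review bot: the context line under the new 5.1.2.6 Certificate status service heading says "Table 5.5 provides a list of assets for a PKI product that supports certificate status services", but Table 5.5 was already introduced for the revocation management service immediately above; the table number looks wrong (presumably Table 5.6) and is worth fixing while this section is being renumbered.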
@@ -500,9 +500,9 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate
</div>


### 5.1.7 Threats
### 5.1.3 Threats

#### 5.1.7.1 System administration
#### 5.1.3.1 System administration

<div align="center">

@@ -529,7 +529,7 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate

</div>

#### 5.1.7.2 Registration service
#### 5.1.3.2 Registration service

<div align="center">

@@ -552,7 +552,7 @@ Table 5.5 provides a list of assets for a PKI product that supports certificate

If the PKI product does not provide support for subscriber management as part of its registration services, then the threats to the subscriber data (T_REG01 and T_REG02) and subscriber management function (T_REG04) are not present.

#### 5.1.7.3 Certificate generation service
#### 5.1.3.3 Certificate generation service

<div align="center">

@@ -584,7 +584,7 @@ If the PKI product does not support the use of a secure cryptographic device, th

If the product does not support subject key generation or key recovery, the threats to the subject key data (T_GEN04, T_GEN05 and T_GEN06) will not be present and the threat to the key management function (T_GEN07) will only cover the CA key data.

#### 5.1.7.4 Dissemination service
#### 5.1.3.4 Dissemination service

<div align="center">

@@ -605,7 +605,7 @@ If the product does not support subject key generation or key recovery, the thre

If the PKI product does not support dissemination services and provides a logical interface to a third-party directory service, then the the threats to the subscriber dissemination interface (T_DIS05 and T_DIS06) apply to the directory service interface instead.

#### 5.1.7.5 Revocation management service
#### 5.1.3.5 Revocation management service

<div align="center">

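Review bot: the context line below the new 5.1.3.4 Dissemination service heading reads "then the the threats to the subscriber dissemination interface"; the doubled "the" should be removed.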
@@ -625,7 +625,7 @@ If the PKI product does not support dissemination services and provides a logica

The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the threats to the revocation management function (T_REV03) and user interface (T_REV04, T_REV05, T_REV06 and T_REV07) apply to the corresponding certificate generation function and user interface.

#### 5.1.7.6 Certificate status service
#### 5.1.3.6 Certificate status service

<div align="center">

@@ -642,11 +642,11 @@ The PKI product can support limited revocation management services even if it do

</div>

### 5.1.8 Risks
### 5.1.4 Risks

TODO

### 5.1.9 Requirements
### 5.1.5 Requirements

TODO