DSR CP/CPS version 11 Effective Date: November 18, 2022
Microsoft DSR PKI CP-CPS for TLS Ver 2.11 November 2022
Set Threshold
Required Administrator Card Set Threshold
High Assurance: 1 Operator Card; 3 Administrator Cards

Exceptions to these policies require the approval of the DSR PKI Policy Management Authority. Furthermore, DSR PKI production security worlds shall not be shared with non-DSR PKI groups or used to perform signing activities for test CAs. CA key pairs, managed and hosted by DSR PKI group shall comply with private key multi-person access control requirements defined in this CP/CPS.

6.2.3 Private Key Escrow
The escrow of CA and Subscriber private keys is not supported by DSR PKI.

6.2.4 Private Key Backup
Backups of CA private keys are created to facilitate disaster recovery and business continuity capabilities. Backups of key files are stored in encrypted form and protected in accordance with media handling practices stated in §5.1.6. DSR PKI does not provide private key backup for end-entity Subscriber private keys.

6.2.5 Private Key Archival
DSR TLS CA and Subscriber private keys are not archived.

6.2.6 Private Key Transfer Into or From a Cryptographic Module
CA private keys are generated, stored, and backed up in an encrypted form, and used only within industry-standard hardware cryptographic modules meeting the requirements of §6.2.1.

6.2.7 Private Key Storage on Cryptographic Module
See §6.2.6.

6.2.8 Method of Activating Private Key
Cryptographic modules used for CA private key protection utilize a smart card-based activation mechanism (Operator Card) as described in CP/CPS §6.2.2.

6.2.9 Method of Deactivating Private Key
Cryptographic modules that have been activated shall be secured from unauthorized access. After use, the cryptographic module shall be deactivated by removal of the inserted OCS from the card reader. Hardware cryptographic modules are removed and stored in a secure container when not in use.

6.2.10 Method of Destroying Private Key
CA private keys shall be destroyed when they are no longer needed, or when the Certificates to which they correspond expire or are revoked, in the presence of multiple trusted personnel after approval from the PKI Policy Management Authority (PMA). When CA key destruction is required, CA private keys shall be destroyed through zeroization and/or physical destruction of the device in accordance with manufacturers’ guidelines.

6.2.11 Cryptographic Module Rating
See §6.2.1.

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival
Copies of CA and Subscriber TLS Certificates shall be archived in accordance with