Management of these special purpose administrative certificates will be described in the
CPS. These certificates may not be used for controlled substance orders.
Computing and communications components (routers, firewalls, servers, Web servers,
etc.) may be issued special purpose device certificates in order to secure communications
with the CA. These certificates shall not contain the CSOS OIDs or authorized schedule
extension data referenced in this policy. In such cases, each component shall be named
as the certificate subject and must have a human sponsor. The PKI sponsor is responsible
for providing the following information:
Equipment identification (e.g., serial number) or service name (e.g., Domain Name System (DNS) name);
Equipment public keys;
Equipment authorizations and attributes (if any are to be included in the certificate);
Contact information to enable the CA or RA to communicate with the sponsor when required.
3.2.6 Criteria for Interoperation
The FPKIPA shall determine the criteria for cross-certification with the FBCA. See also
the U.S. Government Public Key Infrastructure Cross-Certification Methodology and
Criteria. (see http://www.cio.gov/fbca/documents/crosscert_method_criteria.pdf)
3.3 Identification and Authentication for Re-Key Requests
3.3.1 Identification and Authentication for Routine Re-Key
The longer and more often a key is used, the more susceptible it is to loss or discovery.
Therefore, it is important that a Subscriber periodically obtains new keys and re-
establishes identity. Re-keying a certificate means that a new certificate is created that
has the same characteristics and level as the old one, except that the new certificate has a
new, different public key (corresponding to a new, different private key) and a different
serial number, and it may be assigned a different validity period.
FOR OFFICIAL USE ONLY (FOUO)
CSOS Certificate Policy Version 4.0
CSOS Subscriber renewal shall always result in a new certificate with a different serial
number and new associated public and private keys. CSOS Subscriber certificates will
not be re-keyed.
The CA shall notify the Subscriber 45 days prior to the expiration date of the
Subscriber's certificate. The Subscriber's CSOS Coordinator may request that the CA
issue a new certificate for a new key pair, provided that the original certificate has not
been revoked, the Subscriber name and attributes are unchanged, and the Subscriber is in
good standing with the CA, continuing to qualify as a DEA registrant, CSOS POA, or
agent of a DEA registrant as defined in Section 1. Electronic requests must be digitally
signed using the Subscriber's or CSOS Coordinator's CSOS-issued certificate and shall
be authenticated on the basis of the Subscriber's or Coordinator's digital signature using
the private key for a total of two certificate re-keys. The third request shall require
Subscribers to establish identity using the initial registration process described in
Sections 3.2 and 4. Identity shall be established through the initial registration process at
least once every nine years from the time of initial registration.
CAs shall ensure that the Subscriber's identity information and public key are properly
bound on all digital requests. Changes to a Subscriber's name, prescribing or ordering
authority, or affiliation shall result in certificate revocation as specified in Section 4.
CAs must go through the original registration process to obtain a new certificate. That
CA shall notify all CAs, RAs, and Subscribers who rely on the CA's certificate that it has
been changed. For self-signed ("Root") certificates, such certificates shall be conveyed
to users in a secure fashion to preclude malicious substitution attacks.
The DEA CA key pair and certificate will not exceed the lifetimes stated in this CP. At
re-key, the DEA CA will post the new public key on the web site at
http://www.DEAecom.gov.
CAs will document their re-key procedures in their CPS.
3.3.2 Identification and Authentication for Re-Key After Revocation
In the event of certificate revocation due to key compromise, cessation of operation or as
a result of negative action taken against the Registrant or Subscriber by DEA, issuance of
a new certificate shall require that the Subscriber go through the initial registration
process as specified in Sections 3.2 and 4.
3.4 Identification and Authentication for Revocation Request
Revocation requests must be authenticated by the CA. Requests to revoke a certificate
may be authenticated via manual signature, telephone call-back or by using that
certificate's associated private key to digitally sign the request, regardless of whether the
private key has been compromised. Request authentication procedures must be described
in the CPS. Revocation request procedures are described in Section 4.
Section 4 Certificate Life-Cycle Operational Requirements
4.1 Certificate Application
4.1.1 Who Can Submit a Certificate Application
Eligible Subscribers are those who hold a valid DEA registration as defined in Title 21
CFR Part 1300. All Subscriber applicants shall submit a completed Subscriber
application obtained from the CSOS CA in accordance with this CP, entering into an
initial agreement with the CA. Upon successful completion of the Subscriber
identification and authentication process in accordance with this CP, the applicant shall
generate a key pair and demonstrate to the CA that it is a functioning key pair as defined
in the CPS.
4.1.2 Enrollment Process and Responsibility
CSOS Subscribers may obtain Certificate application forms and instructions from
http://www.deaecom.gov. The applicant will follow the procedures in the Subscriber
Manual posted on the CSOS web site at http://www.deaecom.gov, mailing completed
applications to the Drug Enforcement Administration, Sterling Park Technology
Center/CSOS, 8701 Morrissette Drive, Springfield, VA 22152.
4.2 Certificate Application Processing
4.2.1 Performing Identification and Authentication Functions
Upon receipt of a Subscriber's application for certificate, the CA shall confirm the
Subscriber's identity against the CSA database extract supplied by DEA. The CA must
ensure that this extract content is protected from unauthorized modification. To the extent
practical, certificates, once created, shall be checked to ensure that all certificate fields
and extensions are properly populated with the data obtained from the CSA database
extract. This may be done through software that scans the fields and extensions looking
for any evidence that a certificate was improperly manufactured.
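The post-issuance scan described above, and the re-key definition in Section 3.3.1 (same subject, new key pair, new serial number), can both be expressed as mechanical checks over the issued certificate. The following Go program is an added example written for this page; it is not code from the CSOS CA, DEA, or this CP. It builds a throwaway demonstration CA and subscriber certificates in memory, compares the subject of an issued certificate against a constructed stand-in for the CSA database extract (the `Registrant` struct and its two fields are an assumption, as the CP does not specify the extract layout), confirms the certificate is an end-entity certificate chaining to the CA within a maximum validity the operator chooses, and checks that a re-keyed certificate differs from its predecessor only in key and serial number.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registrant is one row of a constructed stand-in for the CSA database extract
// (assumption: the CP does not give the real extract layout).
type Registrant struct {
	CommonName   string
	Organization string
}

// mint generates a fresh P-256 key pair and has parent sign tmpl for it.
// A nil parent means self-signed (used only for the demonstration CA).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a throwaway self-signed issuing CA for the demonstration.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CSOS CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issue generates the subscriber's own key pair and has the CA sign an end-entity certificate.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, r Registrant, serial int64, validity time.Duration) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: r.CommonName, Organization: []string{r.Organization}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}, ca, caKey)
	return cert, err
}

// CheckIssued is the post-issuance scan of 4.2.1: subject fields must match the extract
// row, the certificate must be an end-entity certificate that chains to the CA, and it
// must not outlive the maximum validity this deployment allows.
func CheckIssued(cert, ca *x509.Certificate, r Registrant, maxValidity time.Duration) error {
	if cert.Subject.CommonName != r.CommonName {
		return fmt.Errorf("CN %q does not match extract %q", cert.Subject.CommonName, r.CommonName)
	}
	if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != r.Organization {
		return fmt.Errorf("O %v does not match extract %q", cert.Subject.Organization, r.Organization)
	}
	if cert.IsCA || cert.KeyUsage&x509.KeyUsageCertSign != 0 {
		return errors.New("subscriber certificate asserts CA capability")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		return errors.New("validity period exceeds policy maximum")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// CheckRekey enforces the 3.3.1 definition: same subject, but a newly generated public
// key and a new serial number. A changed name is a revocation case, not a re-key.
func CheckRekey(oldCert, newCert *x509.Certificate) error {
	if oldCert.Subject.String() != newCert.Subject.String() {
		return errors.New("subject changed: requires revocation and re-registration, not re-key")
	}
	if bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo) {
		return errors.New("public key reused: re-key must bind a newly generated key pair")
	}
	if oldCert.SerialNumber.Cmp(newCert.SerialNumber) == 0 {
		return errors.New("serial number reused")
	}
	return nil
}
```

The key-pair generation sits inside `mint` only because this is a self-contained demonstration; under 4.2.1 the Subscriber generates the key pair and the CA never holds the private key, so a production scanner would consume a parsed certificate and the extract row, never a key. Comparing `RawSubjectPublicKeyInfo` rather than the parsed key catches a resubmitted key regardless of algorithm.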
Upon completion of the certificate application process, the CA shall issue the requested
Subscriber certificate and notify the applicant in accordance with procedures specified in
its CPS. The CA shall make the certificate available to the applicant pursuant to a
procedure whereby the certificate is initially delivered to, or made available for pickup
by, the approved certificate applicant only. All Subscribers shall generate their own
private keys, and shall not require delivery of their private keys.
4.2.2 Approval or Rejection of Certificate Applications
Using the information provided with the application, and verification against the CSA
database, the CSOS RA either approves or denies the application. The CSOS RA will
notify the Registrant and the Registrant's CSOS Coordinator by email when the
application is received. Should the application be denied, the CSOS RA will provide
notification of the application denial to the applicant and the applicant's CSOS
Coordinator.
4.2.3 Time to Process Certificate Applications
No stipulation.
4.3 Certificate Issuance