Wimax Forum Device Certificate

WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.
3 1 2 3 4 5 6
WiMAX Forum Device PKI Certificate Policy Approved Specification

Version 1.0.3 May 6th, 2008
WiMAX Forum Proprietary

Copyright 2008 WiMAX Forum. All Rights Reserved.
WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 Copyright Notice, Use Restrictions, Disclaimer, and Limitation of Liability.
Copyright 2007-2008 WiMAX Forum. All rights reserved. The WiMAX Forum owns the copyright in this document and reserves all rights herein. This document is available for download from the WiMAX Forum and may be duplicated for internal use, provided that all copies contain all proprietary notices and disclaimers included herein. Except for the foregoing, this document may not be duplicated, in whole or in part, or distributed without the express written authorization of the WiMAX Forum. Use of this document is subject to the disclaimers and limitations described below. Use of this document constitutes acceptance of the following terms and conditions: THIS DOCUMENT IS PROVIDED AS IS AND WITHOUT WARRANTY OF ANY KIND. TO THE GREATEST EXTENT PERMITTED BY LAW, THE WiMAX FORUM DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE WiMAX FORUM DOES NOT WARRANT THAT THIS DOCUMENT IS COMPLETE OR WITHOUT ERROR AND DISCLAIMS ANY WARRANTIES TO THE CONTRARY. Any products or services provided using technology described in or implemented in connection with this document may be subject to various regulatory controls under the laws and regulations of various governments worldwide. The user is solely responsible for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such regulations within the applicable jurisdiction. NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES WHATSOEVER REGARDING THE APPLICABILITY OR NON-APPLICABILITY OF ANY SUCH LAWS OR REGULATIONS OR THE SUITABILITY OR NON-SUITABILITY OF ANY SUCH PRODUCT OR SERVICE FOR USE IN ANY JURISDICTION. NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES WHATSOEVER REGARDING THE SUITABILITY OR NON-SUITABILITY OF A PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF THE WiMAX FORUM OR ANY THIRD PARTY. The WiMAX Forum has not investigated or made an independent determination regarding title or noninfringement of anytechnologies that may be incorporated, described or referenced in this document. Use of this document or implementation of any technologies described or referenced herein may therefore infringe undisclosed third-party patent rights or other intellectual property rights. The user is solely responsible for making all assessments relating to title and noninfringement of any technology, standard, or specification referenced in this document and for obtaining appropriate authorization to use such technologies, technologies, standards, and specifications, including through the payment of any required license fees. NOTHING IN THIS DOCUMENT CREATES ANY WARRANTIES OF TITLE OR NONINFRINGEMENT WITH RESPECT TO ANY TECHNOLOGIES, STANDARDS OR SPECIFICATIONS REFERENCED OR INCORPORATED INTO THIS DOCUMENT. IN NO EVENT SHALL THE WiMAX FORUM OR ANY MEMBER BE LIABLE TO THE USER OR TO A THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS DOCUMENT, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTYS INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS DOCUMENT, THE USER WAIVES ANY SUCH CLAIM AGAINST THE WiMAX FORUM AND ITS MEMBERS RELATING TO THE USE OF THIS DOCUMENT. The WiMAX Forum reserves the right to modify or amend this document without notice and in its sole discretion. The user is solely responsible for determining whether this document has been superseded by a later version or a different document. WiMAX, Mobile WiMAX, Fixed WiMAX, WiMAX Forum, WiMAX Certified, WiMAX Forum Certified, the WiMAX Forum logo and the WiMAX Forum Certified logo are trademarks of the WiMAX Forum. Third-party trademarks contained in this document are the property of their respective owners.
Page - ii WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 4. 3. 2. TABLE OF CONTENTS 1. INTRODUCTION ..............................................................................................................................................1 1.1 1.2 1.3 1.3.1 1.3.2 1.3.3 1.3.4 1.3.5 1.3.6 1.3.7 1.4 1.5 1.6 2.1 2.2 2.3 2.4 3.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.2 3.2.1 3.2.2 3.2.3 3.2.4 3.2.5 3.2.6 3.3 3.3.1 3.3.2 3.4 OVERVIEW ..................................................................................................................................................1 DOCUMENT NAME AND IDENTIFICATION.....................................................................................................1 PKI PARTICIPANTS ......................................................................................................................................1 Policy Authority .....................................................................................................................................1 Certification Authorities ........................................................................................................................ 1 Registration Authority............................................................................................................................ 3 Certificate Subjects ................................................................................................................................ 3 Relying Parties.......................................................................................................................................3 OCSP Responder ...................................................................................................................................4 Other Participants .................................................................................................................................4 CERTIFICATE USAGE ...................................................................................................................................4 POLICY ADMINISTRATION ........................................................................................................................... 4 DEFINITIONS AND ACRONYMS..................................................................................................................... 5 REPOSITORIES .............................................................................................................................................7 PUBLICATION OF CERTIFICATION INFORMATION ......................................................................................... 7 TIME OR FREQUENCY OF PUBLICATION .......................................................................................................7 ACCESS CONTROLS ON REPOSITORIES.........................................................................................................7 NAMING ...................................................................................................................................................... 8 Types of Names ......................................................................................................................................8 Meaningfulness ......................................................................................................................................8 Anonymity or Pseudonymity of Certificate Subjects ..............................................................................8 Rules for Interpreting Various Name Forms ......................................................................................... 9 Uniqueness of Names ............................................................................................................................. 9 Recognition, Authentication, and Role of Trademarks ..........................................................................9 INITIAL IDENTITY VALIDATION ...................................................................................................................9 Method to Prove Possession of Private Key .......................................................................................... 9 Authentication of Organization Identity ................................................................................................ 9 Authentication of Individual Identity ................................................................................................... 10 Non-verified Certificate Subject Information ...................................................................................... 10 Validation of Authority ........................................................................................................................ 10 Criteria for Interoperation................................................................................................................... 10 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS.............................................................. 10 Identification and Authentication of Re-Key and Renewal Requests ................................................... 10 Identification and Authentication of Re-Key and Renewal After Revocation ...................................... 10 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST....................................................... 11
PUBLICATION AND REPOSITORY RESPONSIBILITIES .......................................................................7
IDENTIFICATION AND AUTHENTICATION ............................................................................................ 8
CERTIFICATE LIFE-CYCLE ....................................................................................................................... 12 4.1 CERTIFICATE APPLICATION ....................................................................................................................... 12 4.1.1 Who Can Submit a Certificate Application .......................................................................................... 12 4.1.2 Enrollment Process and Responsibilities ............................................................................................. 12 4.2 CERTIFICATE APPLICATION PROCESSING .................................................................................................. 12 4.2.1 Performing Identification and Authentication Functions .................................................................... 12 4.2.2 Approval or Rejection of Certificate Applications ............................................................................... 12 4.2.3 Time to Process Certificate Applications............................................................................................. 12 4.3 CERTIFICATE ISSUANCE............................................................................................................................. 12 4.3.1 CA Actions During Certificate Issuance .............................................................................................. 12 4.3.2 Notification to Certificate Subject of Certificate Issuance................................................................... 13
Page - iii WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 4.4 CERTIFICATE ACCEPTANCE ....................................................................................................................... 13 4.4.1 Conduct Constituting Certificate Acceptance ...................................................................................... 13 4.4.2 Publication of the Certificate by the CA .............................................................................................. 13 4.4.3 Notification of Certificate Issuance by the CA to Other Entities ......................................................... 13 4.5 KEY PAIR AND CERTIFICATE USAGE ......................................................................................................... 13 4.5.1 Certificate Subject Private Key and Certificate Usage ........................................................................ 13 4.5.2 Relying Party Public Key and Certificate Usage ................................................................................. 13 4.6 CERTIFICATE RENEWAL ............................................................................................................................ 13 4.6.1 Circumstance for Certificate Renewal ................................................................................................. 13 4.6.2 Who May Request Renewal .................................................................................................................. 13 4.6.3 Processing Certificate Renewal Requests ............................................................................................ 13 4.6.4 Notification of New Certificate Issuance to Certificate Subject........................................................... 14 4.6.5 Conduct Constituting Acceptance of a Renewal Certificate ................................................................ 14 4.6.6 Publication of the Renewal Certificate by the CA ............................................................................... 14 4.6.7 Notification of Certificate Issuance by the CA to Other Entities ......................................................... 14 4.7 CERTIFICATE RE-KEY ............................................................................................................................... 14 4.7.1 Circumstance for Certificate Re-key .................................................................................................... 14 4.7.2 Who May Request Certification of a New Public Key ......................................................................... 14 4.7.3 Processing Certificate Re-keying Requests.......................................................................................... 14 4.7.4 Notification of New Certificate Issuance to Certificate Subject........................................................... 14 4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate ............................................................... 14 4.7.6 Publication of the Re-keyed Certificate by the CA............................................................................... 14 4.7.7 Notification of Certificate Issuance by the CA to Other Entities ......................................................... 15 4.8 MODIFICATION .......................................................................................................................................... 15 4.8.1 Circumstance for Certificate Modification .......................................................................................... 15 4.8.2 Who May Request Certificate Modification ......................................................................................... 15 4.8.3 Processing Certificate Modification Requests ..................................................................................... 15 4.8.4 Notification of New Certificate Issuance to Certificate Subject........................................................... 15 4.8.5 Conduct Constituting Acceptance of Modified Certificate .................................................................. 15 4.8.6 Publication of the Modified Certificate by the CA ............................................................................... 15 4.8.7 Notification of Certificate Issuance by the CA to Other Entities ......................................................... 15 4.9 CERTIFICATE REVOCATION AND SUSPENSION ........................................................................................... 15 4.9.1 Circumstances for Revocation ............................................................................................................. 16 4.9.2 Who Can Request Revocation .............................................................................................................. 16 4.9.3 Procedure for Revocation Request ...................................................................................................... 16 4.9.4 Revocation Request Grace Period ....................................................................................................... 16 4.9.5 Time within which CA Must Process the Revocation Request ............................................................. 16 4.9.6 Revocation Checking Requirements for Relying Parties ..................................................................... 17 4.9.7 CRL Issuance Frequency ..................................................................................................................... 17 4.9.8 Maximum Latency for CRLs ................................................................................................................ 17 4.9.9 On-line Revocation/Status Checking Availability ................................................................................ 17 4.9.10 On-line Revocation Checking Requirements ................................................................................... 17 4.9.11 Other Forms of Revocation Advertisements Available ................................................................... 17 4.9.12 Special Requirements Re Key Compromise .................................................................................... 17 4.9.13 Circumstances for Suspension ........................................................................................................ 17 4.9.14 Who can Request Suspension .......................................................................................................... 17 4.9.15 Procedure for Suspension Request .................................................................................................. 17 4.9.16 Limits on Suspension Period ........................................................................................................... 17 4.10 CERTIFICATE STATUS SERVICES................................................................................................................ 17 4.10.1 Operational Characteristics............................................................................................................ 17 4.10.2 Service Availability ......................................................................................................................... 17 4.10.3 Optional Features ........................................................................................................................... 18 4.11 END OF SUBSCRIPTION .............................................................................................................................. 18 4.12 KEY ESCROW AND RECOVERY .................................................................................................................. 18 4.12.1 Key Escrow and Recovery Policy and Practices............................................................................. 18 4.12.2 Session Key Encapsulation and Recovery Policy and Practices ..................................................... 18
Page - iv WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 6. 5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS ....................................................... 19 5.1 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.2 5.2.1 5.2.2 5.2.3 5.2.4 5.3 5.3.1 5.3.2 5.3.3 5.3.4 5.3.5 5.3.6 5.3.7 5.3.8 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7 5.4.8 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.5.5 5.5.6 5.5.7 5.6 5.7 5.7.1 5.7.2 5.7.3 5.7.4 5.8 PHYSICAL CONTROLS ................................................................................................................................ 19 Site Location and Construction ........................................................................................................... 19 Physical Access .................................................................................................................................... 19 Power and Air Conditioning ................................................................................................................ 19 Water Exposures .................................................................................................................................. 20 Fire Prevention and Protection ........................................................................................................... 20 Media Storage ...................................................................................................................................... 20 Waste Disposal .................................................................................................................................... 20 Off-Site backup .................................................................................................................................... 20 PROCEDURAL CONTROLS .......................................................................................................................... 20 Trusted Roles ....................................................................................................................................... 20 Number of Persons Required Per Task ................................................................................................ 21 Identification and Authentication for Each Role ................................................................................. 21 Roles Requiring Separation of Duties .................................................................................................. 21 PERSONNEL CONTROLS ............................................................................................................................. 21 Qualifications, Experience, and Clearance Requirements .................................................................. 21 Background Check Procedures............................................................................................................ 21 Training Requirements ........................................................................................................................ 21 Retraining Frequency and Requirements ............................................................................................ 21 Job Rotation Frequency and Sequence ................................................................................................ 21 Sanctions for Unauthorized Actions .................................................................................................... 22 Independent Contractor Requirements ................................................................................................ 22 Documentation Supplied to Personnel ................................................................................................. 22 AUDIT LOGGING PROCEDURES .................................................................................................................. 22 Types of Events Recorded .................................................................................................................... 22 Frequency of Processing Log .............................................................................................................. 23 Retention Period for Audit Log ............................................................................................................ 23 Protection of Audit Log........................................................................................................................ 23 Audit Log Backup Procedures ............................................................................................................. 23 Audit Collection System (Internal vs. External)................................................................................... 23 Notification to Event-Causing Subject ................................................................................................. 23 Vulnerability Assessments .................................................................................................................... 23 RECORDS ARCHIVE ................................................................................................................................... 24 Types of Events Archived ..................................................................................................................... 24 Retention Period for Archive ............................................................................................................... 24 Protection of Archive ........................................................................................................................... 24 Archive Backup Procedures ................................................................................................................. 24 Requirements for Time-Stamping of Records ...................................................................................... 24 Archive Collection System (Internal or External) ................................................................................ 24 Procedures to Obtain and Verify Archive Information ........................................................................ 24 KEY CHANGEOVER .................................................................................................................................... 25 COMPROMISE AND DISASTER RECOVERY .................................................................................................. 25 Incident and Compromise Handling Procedures ................................................................................. 25 Computing Resources, Software, and/or Data Are Corrupted ............................................................ 25 CA Private Key Compromise Procedures ............................................................................................ 25 Business Continuity Capabilities After a Disaster ............................................................................... 25 CA AND RA TERMINATION ....................................................................................................................... 25
TECHNICAL SECURITY CONTROLS ....................................................................................................... 26 6.1 KEY PAIR GENERATION AND INSTALLATION ............................................................................................. 26 6.1.1 Key Pair Generation ............................................................................................................................ 26 6.1.2 Private Key Delivery to Certificate Subject ......................................................................................... 26 6.1.3 Public Key Delivery to Certificate Issuer ............................................................................................ 26 6.1.4 CA Public Key Delivery to Relying Parties ......................................................................................... 26
Page - v WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 9. 8. 7. 6.1.5 Key Sizes .............................................................................................................................................. 26 6.1.6 Public Key Parameters Generation and Quality Checking ................................................................. 26 6.1.7 Key Usage Purposes (as per X.509v3 key usage field) ........................................................................ 26 6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ............................ 27 6.2.1 Cryptographic Module Standards and Controls .................................................................................. 27 6.2.2 Private Key Multi-Person Control ....................................................................................................... 27 6.2.3 Private Key Escrow ............................................................................................................................. 27 6.2.4 Private Key Backup ............................................................................................................................. 27 6.2.5 Private Key Archival ............................................................................................................................ 27 6.2.6 Private Key Transfer into or from a Cryptographic Module ............................................................... 27 6.2.7 Private Key Storage on Cryptographic Module................................................................................... 27 6.2.8 Method of Activating Private Keys ...................................................................................................... 27 6.2.9 Methods of Deactivating Private Keys................................................................................................. 28 6.2.10 Method of Destroying Private Key .................................................................................................. 28 6.2.11 Cryptographic Module Rating ........................................................................................................ 28 6.3 OTHER ASPECTS OF KEY MANAGEMENT................................................................................................... 28 6.3.1 Public Key Archival ............................................................................................................................. 28 6.3.2 Certificate Operational Periods/Key Usage Periods ........................................................................... 28 6.4 ACTIVATION DATA.................................................................................................................................... 28 6.4.1 Activation Data Generation and Installation ....................................................................................... 28 6.4.2 Activation Data Protection .................................................................................................................. 28 6.4.3 Other Aspects of Activation Data ........................................................................................................ 28 6.5 COMPUTER SECURITY CONTROLS ............................................................................................................. 29 6.5.1 Specific Computer Security Technical Requirements .......................................................................... 29 6.5.2 Computer Security Rating .................................................................................................................... 29 6.6 LIFE-CYCLE SECURITY CONTROLS ............................................................................................................ 30 6.6.1 System Development Controls ............................................................................................................. 30 6.6.2 Security Management Controls............................................................................................................ 30 6.6.3 Life Cycle Security Ratings .................................................................................................................. 30 6.7 NETWORK SECURITY CONTROLS ............................................................................................................... 30 6.8 TIME STAMPING ........................................................................................................................................ 31 CERTIFICATE, CARL/CRL, AND OCSP PROFILES FORMAT ............................................................ 32 7.1 7.2 7.3 7.4 8.1 8.2 8.3 8.4 8.5 8.6 CERTIFICATE PROFILE ............................................................................................................................... 32 CRL PROFILE ............................................................................................................................................ 32 OCSP PROFILE .......................................................................................................................................... 32 SCVP PROFILE .......................................................................................................................................... 32 FREQUENCY OF AUDIT OR ASSESSMENTS .................................................................................................. 33 IDENTITY & QUALIFICATIONS OF ASSESSOR ............................................................................................. 33 ASSESSORS RELATIONSHIP TO ASSESSED ENTITY .................................................................................... 33 TOPICS COVERED BY ASSESSMENT ........................................................................................................... 33 ACTIONS TAKEN AS A RESULT OF DEFICIENCY ........................................................................................ 33 COMMUNICATION OF RESULTS .................................................................................................................. 33
COMPLIANCE AUDIT AND OTHER ASSESSMENTS ............................................................................ 33
OTHER BUSINESS AND LEGAL MATTERS ............................................................................................ 34 9.1 FEES .......................................................................................................................................................... 34 9.1.1 Certificate Issuance/Renewal Fees ...................................................................................................... 34 9.1.2 Certificate Access Fees ........................................................................................................................ 34 9.1.3 Revocation or Status Information Access Fee ..................................................................................... 34 9.1.4 Fees for other Services ........................................................................................................................ 34 9.1.5 Refund Policy ....................................................................................................................................... 34
Page - vi WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 9.2 FINANCIAL RESPONSIBILITY ...................................................................................................................... 34 9.2.1 Insurance Coverage ............................................................................................................................. 34 9.2.2 Other Assets ......................................................................................................................................... 34 9.2.3 Insurance/warranty Coverage for End-Entities ................................................................................... 34 9.3 CONFIDENTIALITY OF BUSINESS INFORMATION ........................................................................................ 35 9.3.1 Scope of Confidential Information ....................................................................................................... 35 9.3.2 Information Not Within the Scope of Confidential Information ........................................................... 35 9.3.3 Responsibility to Protect Confidential Information ............................................................................. 35 9.4 PRIVACY OF PERSONAL INFORMATION ...................................................................................................... 35 9.4.1 Privacy Plan ........................................................................................................................................ 35 9.4.2 Information Treated as Private ............................................................................................................ 35 9.4.3 Information Not Deemed Private ......................................................................................................... 35 9.4.4 Responsibility to Protect Private Information ..................................................................................... 35 9.4.5 Notice and Consent to use Private Information ................................................................................... 35 9.4.6 Disclosure Pursuant to Judicial/Administrative Process..................................................................... 35 9.4.7 Other Information Disclosure Circumstances ..................................................................................... 36 9.5 INTELLECTUAL PROPERTY RIGHTS ............................................................................................................ 36 9.6 REPRESENTATIONS AND WARRANTIES ...................................................................................................... 36 9.6.1 PA / WiMAX Forum ............................................................................................................................. 36 9.6.2 Generally Applicable Representations and Warranties ....................................................................... 37 9.6.3 CA Representations and Warranties .................................................................................................... 37 9.6.4 RA Representations and Warranties .................................................................................................... 37 9.6.5 Certificate Subject Representations and Warranties ........................................................................... 38 9.6.6 Relying Parties Representations and Warranties ................................................................................ 38 9.6.7 Representations and Warranties of Other Participants ....................................................................... 38 9.7 DISCLAIMERS OF WARRANTIES ................................................................................................................. 38 9.8 LIMITATIONS OF LIABILITY ....................................................................................................................... 38 9.8.1 PA / WiMAX Forum ............................................................................................................................. 38 9.8.2 Other Participants. .............................................................................................................................. 38 9.9 INDEMNITIES ............................................................................................................................................. 38 9.9.1 PA / WiMAX Forum ............................................................................................................................. 38 9.9.2 Other Participants. .............................................................................................................................. 38 9.10 TERM AND TERMINATION .......................................................................................................................... 39 9.10.1 Term ................................................................................................................................................ 39 9.10.2 Termination ..................................................................................................................................... 39 9.10.3 Effect of Termination and Survival ................................................................................................. 39 9.11 INDIVIDUAL NOTICES & COMMUNICATIONS WITH PARTICIPANTS ............................................................. 39 9.12 AMENDMENTS ........................................................................................................................................... 39 9.12.1 Procedure for Amendment .............................................................................................................. 39 9.12.2 Notification Mechanism and Period ............................................................................................... 40 9.12.3 Circumstances Under which OID Must Be Changed ...................................................................... 40 9.13 DISPUTE RESOLUTION PROVISIONS ........................................................................................................... 40 9.14 GOVERNING LAW ...................................................................................................................................... 40 9.15 COMPLIANCE WITH APPLICABLE LAW....................................................................................................... 40 9.16 MISCELLANEOUS PROVISIONS ................................................................................................................... 40 9.16.1 Document Incorporated into CP ..................................................................................................... 40 9.16.2 Entire agreement ............................................................................................................................. 40 9.16.3 Assignment ...................................................................................................................................... 41 9.16.4 Severability ..................................................................................................................................... 41 9.16.5 Waiver ............................................................................................................................................. 41 9.16.6 Attorneys Fees ............................................................................................................................... 41 9.16.7 Force Majeure ................................................................................................................................ 41 9.17 OTHER PROVISIONS ................................................................................................................................... 41
Page - vii WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 317 318 319 320 TABLE OF FIGURES Figure 1 - Device PKI ....................................................................................................................................................2 Figure 2 - Server PKI..................................................................................................................................................... 3
Page - viii WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3
321 322 323 324 325 326
1. Introduction
This chapter identifies and introduces the set of provisions, and indicates the types of entities and applications for which the WiMAX Certificate Policy (CP) is targeted. The WiMAX CP is written for WiMAX Forum products. The WiMAX CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) Certificate Policy and Certification Practices Framework as described in RFC 3647.
327 328 329 330 331 332
1.1
Overview
The WiMAX CP is written for WiMAX Forum products. The WiMAX CP defines the policy under which the WiMAX Public Key Infrastructure (PKI) issues Public Key Certificates (PKCs) to Manufacturer CAs, their Device Sub-CAs, and finally Devices. This CP also addresses PKCs issued to support Server CAs and Server certificates. The WiMAX PKI enables mutual authentication of devices and networks via EAP. Digital signatures as well as encryption are employed.
333 334 335
1.2
Document Name and Identification
This CP is known as the WiMAX Device CP. The Device PKI will use the OID { 1.3.6.1.4.1.24757.1.1 } to indicate the certificates issued under this CP.
336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351
1.3
PKI Participants
The following are roles relevant to the administration and operation of the WiMAX PKI.
1.3.1
Policy Authority
The Policy Authority (PA) is the entity that approves this device certificate policy. The PA is the WiMAX Forum Board. The WiMAX Forum PA also approves all agreements (i.e., CP, Certification Practice Statement (CPS), relying party agreements, and Certificate Subject agreements) that affect the Server PKI (see sections 1.3.2, 1.3.4, and 1.3.5). The WiMAX Forum PA MAY delegate these functions to a committee or a specific individual or individuals.
1.3.2
Certification Authorities
Registration, Identification and authentication, Issuance, and Ensuring that all aspects of the CA services and CA operations and infrastructure related to PKCs issued under the WiMAX CP are performed in accordance with the requirements, representations, and warranties of their WiMAX CPS.
The CA is responsible for all aspects of the issuance and management of a PKC including:
Page - 1 WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 CAs that support WiMAX can be divided into two categories: Device CAs are those that are part of the Certification Path that issues Device PKCs (see Figure 1): o Device Root CA is the entity that creates, signs, and issues PKCs to Manufacturer CAs. Device Root CAs are identified by the WiMAX Forum PA, and there MAY be more than one Device Root CA. Device Manufacturer CAs are entities that create, sign, and issue PKCs to Devices. Manufacturer CAs can also create, sign, and issue PKCs to Device Sub-CAs. (optional) Device Sub-CA, when they are used, are entities that create, sign, and issue PKCs to Devices. Server Root CA is the entity that creates, signs, and issues PKCs to Server CAs. There will be at least one Server Root CA. Server CAs are the entities that create, sign, and issue PKCs to Servers. Server CAs can also create, sign, and issue PKCs to server Sub-CAs. (optional) Server Sub-CA, when they are used, are entities that create, sign, and issue PKCs to Servers.
o o
Server CAs are those that are part of the Certification Path that issues Server PKCs (see Figure 2): o o o
Server CAs SHALL NOT issue Device PKCs. Device CAs and Device Sub-CAs SHALL NOT issue Server PKCs.
Device Certificate Chain Device Root CA Certificate Issue Manufacturer CA Certificate Issue Device Certificate
Length 3 Chain 2 Level CA Tree
Device Root CA Certificate Issue
Manufacturer CA Certificate Issue
Device SubCA Certificate Issue
Device Certificate
369 370 Figure 1 - Device PKI
Server Certificate Chain Server Root CA Certificate Issue Server CA Certificate Issue Server Certificate
Server Root CA Certificate Issue
Server CA Certificate Issue
Server SubCA Certificate Issue
Server Certificate
371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398
Figure 2 - Server PKI In the remainder of this document, the term CA only applies to Device CAs and it does not apply to Server CAs. Distinction between Device Root CA, Device Manufacturer CA, and Device Sub-CA is only made when the requirements are different for a type of CA. Agreements (i.e., CP, CPS, relying party agreements, and Certificate Subject agreements) that apply to Device CAs MUST be approved by the WiMAX Forum PA. The approved CP will be publicly available by the WiMAX Forum PA. The CPS may be kept private or made publicly available at the discretion of WiMAX Forum PA.
1.3.3
Registration Authority
No stipulation. If procedures and practices make use of a Registration Authority (RA), then the CPS MUST specify the manner in which the RA is used.
1.3.4
Certificate Subjects
A Certificate Subject is the entitys whose name appears in the subject in a PKC and who asserts that the PKC and the keying material will be used in accordance with the WiMAX CP. Like the CAs, they are categorized in one of two ways: Devices are issued PKCs from the Device PKI to gain access to Servers following device authentication via EAP-TLS or EAP-TTLS methods as specified in [NWG Rel 1.0 Stage 3 Specification]. Servers are issued PKCs from the Server PKI to grant access to Devices via EAP-TLS or EAP-TTLS methods as specified in [NWG Rel 1.0 Stage 3 Specification]. In this CP, none of the various types of CAs or OCSP responders is referred to as Certificate Subjects. Only endentity certificate holders are referred to as Certificate Subjects. In the remainder of this document, the term Certificate Subject refers to Devices. Agreements (i.e., CP, CPS, relying party agreements, and Certificate Subject agreements) that apply to a Servers PKC MUST be approved by the WiMAX Forum PA.
1.3.5
Relying Parties
In WiMAX environment, Servers are Relying Parties of the Device PKI, and Devices are Relying Parties of the Server PKI. In the remainder of this document, the term Relying Parties only applies to Servers that validate certificates issued to Devices in conformance with this certificate policy.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 399 400 401 402 403 404 405 406 407 Agreements (i.e., CP, CPS, relying party agreements, and Certificate Subject agreements) that apply to a Servers PKC MUST be approved by the WiMAX Forum PA.
1.3.6
OCSP Responder
The CA operator runs the OCSP responder or arranges for a third party to do so on its behalf. OCSP responders act on behalf of CAs for a single purpose - signing OCSP response. Therefore, in the remainder of this document, OCSP responders are not addresses as separate entities from the CAs that they support unless the requirements differ.
1.3.7
Other Participants
No stipulation.
408 409 410 411 412 413 414 415 416 417
1.4
Certificate Usage
The WiMAX CP object identifier (OID) defined in this document (see Section 1.2) SHALL only be used for the following purposes: WiMAX Device Manufacturer CAs and Device Sub-CAs SHALL issue PKCs only to support WiMAX Devices, to issue revocation information, and to issue OCSP responder certificates. All other uses of WiMAX Device Manufacturer CA PKCs or Device Sub-CA PKCs are expressly prohibited. WiMAX Devices SHALL use their PKC only to establish a connection with WiMAX Servers. All other uses of a WiMAX Device PKC are expressly prohibited. WiMAX OCSP responders SHALL use their PKC only to generate OCSP responses for WiMAX Devices and/or Servers.
418 419 420 421 422 423 424
1.5
Policy Administration
The WiMAX Forum is responsible for all aspects of this CP and approval of all Server PKI related agreements. One important aspect of this policy administration will be the identification of Device Root CAs. All communications regarding this CP should be directed to: WiMAX Forum 2495 Leghorn Street Mountain View, CA 94043
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446
1.6
Definitions and Acronyms

American Bar Association Digital Signature Guidelines Certification Authority Certificate Policy Certification Practice Statement Certificate Revocation List Distinguished Name Extensible Authentication Protocol Extensible Authentication Protocol - Transport Layer Security Identification and Authentication Internet Engineering Task Force Online Certificate Status Protocol Object Identifier Policy Authority Public Key Certificate Public Key Infrastructure Relying Party Registration Authority Server-based Certificate Verification Protocol Service Party Transport Layer Security Long-term, physically separate storage. A trusted role that installs, configures, and maintains the CA. Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. A trusted role that performs the Audit. Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event. Copy of files and programs made to facilitate recovery if necessary. The CA is responsible for all aspects of the issuance and management of a PKC including: registration, identification and authentication, issuance, and ensuring that all aspects of the CA services and CA operations and infrastructure related to PKCs issued under the WiMAX CP are performed in accordance with the requirements, representations, and warranties of their WiMAX CPS. A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Certificate Subject, (3) contains the Certificate Subject's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it [ABADSG]. The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module [FIPS140]. An entity that uses EAP with a Server for authentication prior to gaining network access.
ABADSG CA CP CPS CRL DN EAP EAP-TLS I&A IETF OCSP OID PA PKC PKI RP RA SCVP SP TLS Archive Administrator Audit
Auditor Audit Data Backup Certification Authority (CA)
Certificate (or Public Key Certificate)
Cryptographic Module
Device
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 Extensible Authentication Protocol - Transport Layer Security The Extensible Authentication Protocol (EAP) provides a standard mechanism for support of multiple authentication methods. The use of EAP allows support for a number of authentication schemes. The WiMAX Forum plans to use EAP-TLS, EAP-TTLS and IEEE 802.16, as specified in [NWG Rel 1.0 Stage 3 Specification]. An entity that is control of the private key associated with a PKC. US Federal Agency responsible for identifying federal records management and retention policies. An entity that uses EAP to grant a Device network access.
PKC holder National Archive and Records Administration (NARA) Server
447 448
2. Publication and Repository Responsibilities

This chapter specifies requirements for publication of PKCs and CRLs in a repository.
449 450 451 452 453 454 455 456
2.1
Repositories
Server accessible repositories MUST be maintained. Device CA and Device Sub-CA PKCs and their revocation information are published in this repository.
2.2
Publication of Certification Information
Device CA and Device Sub-CA PKCs MUST be published in the repository. No stipulation for Device PKCs. Revocation information SHALL be published in a Certificate Revocation List (CRL) and SHALL also be available via the Online-Certificate Status Protocol (OCSP).1 It MAY also be available via the Server-based Certificate Verification Protocol (SCVP).2
457 458 459 460 461 462
2.3
Time or Frequency of Publication
CAs SHALL promptly publish Device CA and Device Sub-CA PKCs after they are generated. No stipulation for Device PKCs. CAs SHALL promptly publish CRLs after they are generated. In the absence of a revocation event, update CRLs SHALL be published at least quarterly by Device Root CAs and Manufacturer CAs and at least monthly by Device Sub-CAs.
463 464
2.4
Access Controls on Repositories
No stipulation.
1 2
Profiles for WiMAX Forum CRLs and OCSP requests and responses are in section 7. Profiles for WiMAX Forum SCVP requests and responses are in section 7.
465 466 467
3. Identification and Authentication

This chapter specifies the requirements for Identification and Authentication (I&A) of the Certificate Subject and CA.
468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502
3.1
3.1.1
Naming
Types of Names
Within the Device PKI, the Certificate Subject Name MUST be an X.501 Distinguished Name (DN) carried in the PKC. The following SHALL be the name forms: Device Root CA: C=US, O=WiMAX Forum(R), CN=WiMAX Forum(R) Device Root-CA<n> Device Manufacturer CA: C=<country>, O=<Manufacturer>, OU=WiMAX Forum(R) Devices, CN=<defined by Manufacturer> Device Sub-CA: C=<country>, O=<Manufacturer>, OU=WiMAX Forum(R) Devices, OU=<defined by Manufacturer>, CN=<defined by manufacturer> or Device Sub-CA: C=<country>, O=<manufacturer>, OU=WiMAX Forum(R) Devices, L=<defined by Manufacturer>, CN=<defined by Manufacturer> Device: C=<country>, O=<manufacturer>, OU=WiMAX Forum(R) Devices, CN=<mac address><single space (i.e., " ")><modem model name> o The following optional naming elements MAY be included between the OU=WiMAX Forum(R) Devices and CN= naming elements. They MAY appear in any order: OU=chipsetID: <chipsetID>, OU=modelIndex:<modelIndex>, OU=revision:<revision>, OU=sku:<sku>, OU=productID:<productID>, OU=prodManufacturer:<prodManufacturer>. For Root CAs: C=US, O=WiMAX Forum(R), CN=Device OCSP Responder-<x> For Device Manufacturer CAs: C=<country>, O=<Manufacturer>, OU=WiMAX Forum(R) Devices, CN=OCSP Responder-<y>
OCSP Responder: o o
When the naming element is DirectoryString (i.e., O=, OU=, and L=) either PrintableString or UTF8String MUST be used. The following determines which choice is used: PrintableString only if it is limited to the following subset of US ASCII characters (as required by ASN.1): A, B, , Z a, b, , z 0, 1, 9, (space) ( ) + , - . / : = ? UTF8String for all other cases, e.g., subject name attributes with any other characters or for international character sets.
3.1.2
Meaningfulness
Names SHALL be meaningful and unambiguously identify all entities with PKCs.
3.1.3
Anonymity or Pseudonymity of Certificate Subjects
Names SHALL NOT be anonymous or be a pseudonym.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519
3.1.4
Rules for Interpreting Various Name Forms
See Section 3.1.1.
3.1.5
Uniqueness of Names
Names SHALL be unique across the whole WiMAX Device PKI.
3.1.6
Recognition, Authentication, and Role of Trademarks
CAs SHALL NOT knowingly issue a PKC with a name that a court of competent jurisdiction has determined infringes on the trademark of another. Device Root CAs, Manufacturer Device CAs, Sub-CAs, and Device PKCs all include the string WiMAX Forum (R) in their name. A written agreement with the WiMAX Forum is needed to obtain authorization to use this trademark-protected string. Device Root CAs issue PKCs to Device Manufacturer CAs that includes trademark-protected names, namely, the manufacturers name. The Device Root CAs MUST verify that applicant is authorized to request on behalf of the manufacturer. Device Manufacturer CAs MAY issue PKCs to Device Sub-CAs that include trademark-protected names; however, Device Manufacturer CAs SHALL only issue PKCs with subject names that use the same organization as the device manufacturer's CA name.. If the Device Manufacturer CAs includes a second organizational unit name that is trademarked, then the trademark MUST be owned by the Device Manufacturer.
520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541
3.2
3.2.1
Initial Identity Validation

Method to Prove Possession of Private Key
CAs SHALL generate their own keys. They MUST prove to the issuing CA that they possess the private keys that corresponds to the public keys in PKC requests. Devices MAY or MAY NOT generate their own keys: If a Device generates its own key, then they MUST prove that they possess the private key that corresponds to the public key in PKC requests. If a Device does not generate its own private key, then the key generation process and distribution process MUST be explained in the CPS. These processes MUST ensure that the private key is provided to the proper Device Manufacturer in a manner that protects the key from unauthorized disclosure and modification. The Device Manufacturer MUST ensure that the proper key and certificate is installed in the corresponding Device in a manner that protects the key from unauthorized disclosure and modification. The Device Manufacturer process MUST be documented.
3.2.2
Authentication of Organization Identity
Confirm that the organization has authorized the application and that the person submitting the application is authorized to do so. At a minimum, a letter from the manufacturers Chief Legal Officer (or other authorized representative recognized by WiMAX Forum's PA) required for authorization. At a minimum, the following MUST occur: Use a third party to confirm the organization exists; and Confirm that the organization has authorized the application and that the person submitting the application is authorized to do so. At a minimum, a letter from the manufacturers Chief Legal Officer (or other authorized legal representative recognized by the WiMAX Forum) is required for authorization.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 Manufacturer CAs that issue PKCs to Device Sub-CAs and Devices are exempt from these rules only when they issue PKCs to Device Sub-CAs they control and Devices they manufacture.
3.2.3
Authentication of Individual Identity
Issuing CA SHALL validate at least the identity in the "Manufacturer" field of device certificate issued. CA names SHALL be validated by the issuing CA.
3.2.4
Non-verified Certificate Subject Information
All information SHALL be verified. Non-verified information SHALL NOT be included in PKCs.
3.2.5
Validation of Authority
Device Root CAs SHALL verify that the manufacturer is a WiMAX Forum's PA's recognized manufacturer, and the letter from the manufacturers Chief Legal Officer (or other authorized representative recognized by WiMAX Forum's PA) is valid. The Root CA SHALL have access to a list of approved Manufacturer maintained by the WiMAX Forum. This list SHALL be consulted prior to issuing a Device Manufacturer CAs PKC. All the CAs in the device certificate chain SHALL take steps to ensure (and explain in their CPS) that there is only one valid device certificate for a particular MAC address. The Manufacturer MUST assert that it has ownership for the MAC address. This section also applies to Manufacturer CA issuing sub-CA certificates outside of their control.
3.2.6
Criteria for Interoperation
WiMAX Device Manufacturer CAs and Device Sub-CAs SHALL issue PKCs only to support WiMAX Devices, issue revocation information, and to issue OCSP responder certificates. All other uses of WiMAX Device Manufacturer CA PKCs or Device Sub-CA PKCs are expressly prohibited. WiMAX Devices SHALL use their PKC only to establish a connection with WiMAX Servers. All other uses of a WiMAX Device PKC are expressly prohibited.
564 565 566 567 568 569 570 571 572 573 574 575 576 577 578
3.3
Identification and Authentication for Re-key Requests
Prior to the expiration of an existing PKC, it is necessary to re-key or renew the PKC to maintain continuity of PKC usage. An overlap period is recommended to ensure continuity. This continuity is supported for Device Manufacturer CAs and Sub-CAs with re-key (see Section 4.7).
3.3.1
Identification and Authentication of Re-Key and Renewal Requests
The superior CA SHALL be responsible for authentication a request for re-key. Re-key procedures ensure the entity requesting the re-key is in fact the entity that is named in the PKC. The procedures for a re-key procedures are the same those for the original certificate.
3.3.2
Identification and Authentication of Re-Key and Renewal After Revocation

The PKC was issued to an entity other than the one named as the Subject of the PKC. The PKC was issued without the authorization of the entity named as the Subject of the PKC. The entity approving the PKC application has reason to believe that a material fact in the PKC application is false. The PKC was deemed by the WiMAX Forum PA to be harmful to the WiMAX Forum.
Re-key after revocation is not permitted if the revocation occurred for any of the following reasons:
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 579 580 Subject to the above bullets, re-key following revocation of the PKC is permissible as long as re-key procedures ensures that the entity seeking re-key is in fact the entity named in the PKC.
581 582 583 584 585 586 587
3.4
Identification and Authentication for Revocation Request
WiMAX Forum PA, or recognized representative, or an authorized process from the manufacturer can request revocation and SHALL use their credentials to authenticate the request. The form of credential accepted by the revoking CA is based on CA CPS. A revocation request authentication MUST be properly verified before an approval decision is made. The revocation of any CA requires authorization from the WiMAX Forum PA. See 4.9 for more information revocation.
588 589
4. Certificate Life-Cycle
This chapter specifies the requirements for PKC life-cycle management by all entities in the PKI.
590 591 592 593 594 595 596 597 598 599 600 601 602 603
4.1
4.1.1
Certificate Application
Who Can Submit a Certificate Application
A recognized manufacturer representative can submit CA PKC applications. An authorized manufacturer representative, an authorized manufacturer process, or a Device can submit Device PKC applications.
4.1.2
Enrollment Process and Responsibilities
A recognized Device Manufacturer CAs SHALL provide their credentials to Device Root CAs to demonstrate their identity, to demonstrate their authority, and to provide contact information. Device Manufacturers receive and approve requests from a recognized Device Sub-CAs representative and from an authorized manufacturer representative, an authorized manufacturer process, or a Device. A recognized Device Sub-CAs representative SHALL provide their credentials to Device Manufacturer CAs to demonstrate their identity, to demonstrate their authority, and to provide contact information. Device Sub-CAs receive and approve enrollments from an authorized manufacturer representative, an authorized manufacturer process, or a Device. There is no stipulation for Devices.
604 605 606 607 608 609 610 611 612 613
4.2
4.2.1
Certificate Application Processing

Performing Identification and Authentication Functions
CAs SHALL verify and authenticate the identity of each applicant, as described in Section 3.2.
4.2.2
Approval or Rejection of Certificate Applications
The CA MAY approve or reject a certification request. Approval is granted if the applicants identity has been authenticated as described in Section 3.2, and payment, if required, has been received. Rejection is based inability to successfully authenticate the applicant, not receiving required information from the applicant, not paying for PKC (if required).
4.2.3
Time to Process Certificate Applications
PKC requests SHALL be processed in a timely manner.
614 615 616 617 618
4.3
4.3.1
Certificate Issuance
CA Actions During Certificate Issuance
The CA SHALL verify and authenticate the source of each PKC request, ensure that the public key is bound to the correct applicant, obtain a proof of possession of the private key, generate a properly formed PKC, and provide the PKC to the applicant.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 619 620 621
4.3.2
Notification to Certificate Subject of Certificate Issuance
The CA SHALL Notify the applicant of PKC issuance by returning the PKC (and the corresponding private key, if the key was generated by the CA) to the applicant.
622 623 624 625 626 627 628 629
4.4
4.4.1
Certificate Acceptance
Conduct Constituting Certificate Acceptance
Failure to object to the PKC or its contents prior to use constitutes acceptance of the PKC.
4.4.2
Publication of the Certificate by the CA
Device Manufacturer CA and Device Sub-CA PKCs are published in a Server available repository. No stipulation for Device PKCs.
4.4.3
Notification of Certificate Issuance by the CA to Other Entities
No stipulation.
630 631 632 633 634 635 636 637 638
4.5
4.5.1
Key Pair and Certificate Usage

Certificate Subject Private Key and Certificate Usage
Certificates and private keys SHALL be stored in Certificate Subjects in a secure manner. Only the Certificate subject SHALL have the Certificate Subject private key. Certificate Subjects SHALL be responsible for and SHALL protect their private keys from access by other parties. Certificate Subjects SHALL only use private keys for purposes identified in Section 1.4.
4.5.2
Relying Party Public Key and Certificate Usage
Relying parties SHALL ensure that the public key in a PKC is used only for appropriate purposes as identified in critical certificate extensions (See Section 7).
639 640 641 642 643 644 645 646 647
4.6
Certificate Renewal
PKC renewal is the issuance of a new PKC without changing the public key or any other information other than the validity dates and serial number in the PKC. PKC renewal is not supported.
4.6.1
Circumstance for Certificate Renewal
No stipulation.
4.6.2
Who May Request Renewal
No stipulation.
4.6.3
Processing Certificate Renewal Requests
No stipulation.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 648 649 650 651 652 653 654 655
4.6.4
Notification of New Certificate Issuance to Certificate Subject
No stipulation.
4.6.5
Conduct Constituting Acceptance of a Renewal Certificate
No stipulation.
4.6.6
Publication of the Renewal Certificate by the CA
No stipulation.
4.6.7
No stipulation.
656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679
4.7
Certificate Re-Key
PKC re-key is the application for the issuance of a new PKC that certifies a new public key. PKC re-key is supported for Device Manufacturer CAs and Device Sub-CAs. Device PKC rekeys are not supported.
4.7.1
Circumstance for Certificate Re-key
When a Device Manufacturer CA PKC re-key is desired, it is necessary for the re-key to take place prior to the expiration of an existing Device Manufacturer CAs PKC to maintain continuity of PKC usage. An overlap period is recommended to ensure continuity. When a Device Sub-CA PKC re-key is desired, it is necessary for the re-key to take place prior to the expiration of an existing Device Sub-CAs PKC to maintain continuity of PKC usage. An overlap period is recommended to ensure continuity. Device Manufacturer CA PKCs and Device Sub-CA PKCs MAY also be rekeyed after expiration.
4.7.2
Who May Request Certification of a New Public Key
A recognized manufacturer representative can submit Device Manufacturer CA and Device Sub-CA PKC re-key requests. This is a multiparty procedure as specified in Section 5.2.2 and requires a "Key Ceremony" as specified in Section 6.1.1. Device PKC rekeys are not supported.
4.7.3
Processing Certificate Re-keying Requests
In accordance with Section 4.2.
4.7.4
In accordance with Section 4.3.2.
4.7.5
Conduct Constituting Acceptance of a Re-keyed Certificate
4.7.6
Publication of the Re-keyed Certificate by the CA
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 680 681
4.7.7
No stipulation.
682 683 684 685 686 687 688 689 690 691 692 693 694 695 696
4.8
4.8.1
Modification
Circumstance for Certificate Modification
PKC Modification is prohibited.
4.8.2
Who May Request Certificate Modification
No stipulation.
4.8.3
Processing Certificate Modification Requests
No stipulation.
4.8.4
No stipulation.
4.8.5
Conduct Constituting Acceptance of Modified Certificate
No stipulation.
4.8.6
Publication of the Modified Certificate by the CA
No stipulation.
4.8.7
No stipulation.
697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714
4.9
Certificate Revocation and Suspension
In an event when certificates further use is deemed detrimental (e.g. when private key is lost or compromised), the certificate can be declared invalid, or revoked. This section begins with a brief informative overview of revocation, and then formally describes corresponding operational procedures. PKC revocation information must be authenticated by the issuing CA to prevent DoS attacks, since inappropriate PKC revocation prevents the PKC owner from connecting to the network. The choice of the method of dissemination of revocation information to relying parties is only the matter of efficiency. The WiMAX Forum uses two of the most popular methods -- CRL and OCSP protocols. CRL is a CA-signed dated list of revoked certificates which is published regularly. OCSP is a protocol that relies on an online OCSP server, which provides signed dated statements indicating whether a particular PKC is revoked. CRL and OCSP response are signed objects. Relying parties can verify the signature on the CRL/OCSP response to determine whether it is valid. Because of connectivity and hardware specifics, device revocation information is more efficiently distributed by CRL. Indeed, servers have large storage and a fast persistent Internet connection. At the same time, server talks to many devices, and much of the information included in the CRL is actually used. On the other hand, any particular device might usually connect to only a few servers. Moreover, the devices network connectivity is achieved via the server, and is slow. Downloading a potentially large CRL is often less efficient than a short OCSP message, with which the device is convinced that the server is not revoked. In the WiMAX Forum environment, both OCSP and CRLs are needed. When OCSP is used, the OCSP message may be periodically obtained by the server, and
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 forwarded to the device as part of EAP. In this case, the Device need not ever interact with the OCSP server. However, direct interaction with the OCSP responder is also allowed. When OCSP is not used, the Device obtains the CRL via an unspecified method. There are many ways to implement OCSP. One example of a typical sequence of events following a decision to revoke a servers PKC would be as follows. CA includes the PKC in the next CRL update, and updates its OCSP server within the timeframe specified in the CAs CPS. From that point on, the revoked server would not be able to obtain a new OCSP response that indicates the certificate is valid. The server would still be able to use the old one until it expires (expiry periods will be specified in the CAs CPS). After the OCSP response expiry, devices will not accept the old OCSP response, and will reject EAP-(T)TLS sessions. Another example, a typical sequence of events following a decision to revoke a devices PKC would be as follows. CA includes the PKC in the next CRL update, posted at its CRL URL. This update is downloaded by a server according to its update schedule. From that point on, the servers will be aware that the PKC is revoked, and will reject EAP-(T)TLS session attempts. The following specifies formal operational requirements of PKC revocation procedures.
4.9.1
Circumstances for Revocation
A PKC SHALL be revoked when the binding between the subject and the subjects public key within the PKC is no longer considered valid (e.g., loss or comprise of the private key). PKCs will be revoked when the WiMAX Forum PA requests that a PKC be revoked, when the PKC holder submits an authenticated revocation request, and when the CA determines a situation has occurred that MAY affect the integrity of the PKCs.
4.9.2
Who Can Request Revocation

Device Manufacturer operators MAY request revocation of their Device Manufacturer CA PKCs, Device Sub-CA PKCs they issued, and Device PKCs they issued. Device Sub-CA operators MAY request revocation of their Device Sub-CA PKCs and the Device PKCs they issued. Device PKCs MAY be revoked at the request of the Device Sub-CA operator when a situation has occurred that MAY affect the integrity of the PKCs. Certificate Subject PKCs MAY be revoked at the request of the WiMAX Forum PA, issuing CA, or certificate holder.
Any PKC can be revoked upon the direction of the WiMAX Forum PA. Additionally:
4.9.3
Procedure for Revocation Request
PKCs SHALL be revoked upon receipt of sufficient evidence of compromise or loss of the corresponding private key. A request to revoke a PKC SHALL identify the PKC to be revoked, explain the reason for revocation, and allow the request to be authenticated (e.g., manually signed). Prior to revocation of Device CA or Device Sub-CA the WiMAX Forum PA MUST authorize the revocation.
4.9.4
Revocation Request Grace Period
The revocation request grace period is the time available to the PKC holder within which the PKC holder MUST make a revocation request after reasons for revocation have been identified.
4.9.5
Time within which CA Must Process the Revocation Request
CAs MUST process revocation requests in a timely manner.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776
4.9.6
Revocation Checking Requirements for Relying Parties
If the device is checking revocation of server certificate, it SHOULD use OCSP. If the server is checking revocation of device certificate, it MAY use OCSP.
4.9.7
CRL Issuance Frequency
CRLs to be issued as described in Section 2.3.
4.9.8
Maximum Latency for CRLs
No stipulation.
4.9.9
On-line Revocation/Status Checking Availability
An OCSP responder MUST be available 24x7 with minimal scheduled interruptions.
4.9.10
On-line Revocation Checking Requirements
No stipulation.
4.9.11
Other Forms of Revocation Advertisements Available
No stipulation.
4.9.12
Special Requirements Re Key Compromise
No stipulation.
4.9.13
Circumstances for Suspension
PKC suspension is prohibited.
4.9.14
Who can Request Suspension
No stipulation.
4.9.15
Procedure for Suspension Request
No stipulation.
4.9.16
Limits on Suspension Period
No stipulation.
777 778 779 780 781 782
4.10
4.10.1
Certificate Status Services

Operational Characteristics
The status of PKCs is available via CRL through a Server available online repository. Server available OCSP responders MUST also be provided.
4.10.2
Service Availability
An OCSP responder MUST be available 24x7 with scheduled interruptions.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 783 784
4.10.3
Optional Features
An SCVP responder MAY be provided.
785 786
4.11
End of Subscription
Subscriptions SHALL end when a PKC is revoked or the PKC expiry time passes.
787 788 789 790 791
4.12
4.12.1
Key Escrow and Recovery

Key Escrow and Recovery Policy and Practices
No stipulation.
4.12.2
Session Key Encapsulation and Recovery Policy and Practices
No stipulation.
792 793 794
5. Management, Operational, and Physical Controls

This chapter specifies the requirements for non-technical security controls used by the CA to securely perform the functions of key generation, subject authentication, PKC issuance, and PKC revocation.
795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829
5.1
5.1.1
Physical Controls
Site Location and Construction
The location and construction of the facility that will house CA equipment and operations SHALL be in accordance with that afforded the most sensitive business and financial information. CA operations SHALL be conducted within a physically protected environment that deters, prevents, and detects unauthorized use of, access to, or disclosure of sensitive information and systems.
5.1.2
Physical Access
Ensure no unauthorized access to the hardware is permitted; Ensure manual or electronic monitoring for unauthorized intrusion at all times; Ensure an access log is maintained and inspected periodically; and, Require two person physical access control to both the cryptographic module and computer system.
The physical security requirements pertaining to CAs are:
When not in use: Paper containing sensitive plain-text information SHALL be stored in secure containers; Media storing Device Root CA private key material SHALL be deactivated. The media and the activation information (see Section 6.4) for the Device Root CA private keys SHALL be stored in a secure container. Activation data SHALL either be memorized, or recorded and stored in a manner commensurate with the security afforded the cryptographic module, and SHALL NOT be stored with the cryptographic module. Media storing CA private key material SHALL be deactivated. The media SHALL be encrypted. The activation information (see Section 6.4) for the CA private key SHALL be stored in a secure container. Activation data SHALL either be memorized, or recorded and stored in a manner commensurate with the security afforded the cryptographic module, and SHALL NOT be stored with the cryptographic module. If the facility is not continuously attended, the last person to depart SHALL initial a sign-out sheet that indicates the date and time, and asserts that all necessary physical protection mechanisms are in place and activated. A security check of the facility housing the CA equipment SHALL occur if the facility is to be left unattended. At a minimum, the check SHALL verify the following: The equipment is in a state appropriate to the current mode of operation (e.g., that cryptographic modules are in place when open, and secured when closed; and for the CA, that all equipment other than the repository is shut down); Any security containers are properly secured; Physical security systems (e.g., door locks, vent covers) are functioning properly; and, The area is secured against unauthorized access.
5.1.3
Power and Air Conditioning
The facility that houses the CA equipment SHALL be supplied with power and air conditioning sufficient to create a reliable operating environment.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853
5.1.4
Water Exposures
Facilities that house CAs SHALL be installed such that it is not in danger of exposure to water (e.g., on tables or elevated floors). Moisture detectors SHALL be installed in areas susceptible to flooding. CA operators who have sprinklers for fire control SHALL have a contingency plan for recovery should the sprinklers malfunction, or cause water damage outside of the fire area.
5.1.5
Fire Prevention and Protection
Facilities that house CAs SHALL be constructed and equipped, and procedures SHALL be implemented, to prevent and extinguish fires or other damaging exposure to flame or smoke. These measures SHALL meet all local applicable safety regulations. A description of the CMAs approach for recovery from a fire disaster SHALL be included in the Disaster Recovery Plan as specified in Section 5.7.4.
5.1.6
Media Storage
When not in operation, the cryptographic modules storing the Device Root CA private key SHALL be stored in a secure container. When not in operation, the cryptographic modules storing the CA private key SHALL be stored in a secure room in encrypted form. Media that contains security audit and backup information SHALL be stored in a separate location from the CA equipment.
5.1.7
Waste Disposal
CAs SHALL implement procedures for the disposal of waste (paper, media, or any other waste) to prevent the unauthorized use of, access to, or disclosure of waste containing Confidential/Private Information.
5.1.8
Off-Site backup
System backups, sufficient to recover from system failure, SHALL be made on a periodic schedule. Backups SHALL be performed and stored off-site not less than quarterly or when the CA is operational, whichever is less frequent. At least one backup copy SHALL be stored at an offsite location (separate from the CA equipment). Only the latest backup need be retained. The backup SHALL be stored at a site with physical and procedural controls commensurate to that of the operational CA system.
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868
5.2
5.2.1
Procedural Controls
Trusted Roles
A trusted role is one whose incumbent performs functions that can introduce security problems if not carried out properly, whether accidentally or maliciously. The people selected to fill these roles MUST be extraordinarily responsible or the integrity of the CA is weakened. The functions performed in these roles form the basis of trust for all uses of the CA. Two approaches are taken to increase the likelihood that these roles can be successfully carried out. The first ensures that the person filling the role is trustworthy and properly trained. The second distributes the functions among more than one person, so that any malicious activity would require collusion. The following are the trusted Roles within the PKI: CA Administrator: installs, configures, and maintains the CA; configures PKC profiles and parameters; generates and performs backup of CA keys; CA Officer: approves/rejects certification requests and PKC revocations; Auditor: maintains and reviews audit logs; and, Backup Operator: performs routine system backup and recovery. Multi-Person control requirements are specified in Section 6.2.2.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886
5.2.2
Number of Persons Required Per Task

Generation of CA keys; Access to CA keys; Backup of CA keys; and, Access to backup CA keys.
CA private key actions require at least two-party control:
Where multiparty control is required, at least one of the participants SHALL be an Administrator. All participants MUST serve in a trusted role as defined in Section 5.2.1. Multiparty control SHALL NOT be achieved using personnel that serve in the Auditor Trusted Role.
5.2.3
Identification and Authentication for Each Role
A person occupying a trusted role SHALL have their identity and authorization verified, before being permitted to perform any action for that role or identity.
5.2.4
Roles Requiring Separation of Duties
Individuals MAY only assume one of the Officer, Administrator, and Auditor roles, but any individual MAY assume the Operator role. The CA software and hardware SHALL identify and authenticate its users and SHALL ensure that no user identity can assume both an Administrator and an Officer role, assume both the Administrator and Auditor roles, and assume both the Auditor and Officer roles. No individual SHALL have more than one identity.
887 888 889 890 891 892 893 894 895 896 897 898 899 900
5.3
5.3.1
Personnel Controls
Qualifications, Experience, and Clearance Requirements
Personnel engaged in the PKI SHALL be suitable qualified and experienced.
5.3.2
Background Check Procedures
Vetting process used for trusted personnel engaged in the PKI SHALL be described in the CPS.
5.3.3
Training Requirements
Prior to operation of the CA, the CA operator SHALL be appropriately trained. Topics SHALL include the operation of the CMA software and hardware, operational and security procedures, and the stipulations of this policy and local guidance.
5.3.4
Retraining Frequency and Requirements
Refresher training will be provided to the extent and frequency required to ensure the required level of proficiency to perform job responsibilities competently.
5.3.5
Job Rotation Frequency and Sequence
No stipulation.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 901 902 903 904 905 906 907 908 909 910
5.3.6
Sanctions for Unauthorized Actions
If an unauthorized action takes place than an appropriate action SHALL be taken to ensure disciplinary or other appropriate action is taken. In cases where an unauthorized action brings into question the security of the system, then recovery procedures will be followed (see Section 5.7).
5.3.7
Independent Contractor Requirements
Contractor personnel employed to perform functions pertaining to the CA SHALL meet the personnel requirements set forth in this CP.
5.3.8
Documentation Supplied to Personnel
Documentation sufficient to define duties and procedures for each role SHALL be provided to their personnel filling that role.
911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936
5.4
5.4.1
Audit Logging Procedures

Types of Events Recorded
Any security auditing capabilities of the underlying CA equipment operating system SHALL be enabled during installation and operation. At a minimum, the following events SHALL be recorded: CA equipment access; Operating system logon/logoff; CA application access; CA private key generation; CA private key use; Certification request; PKC issuance; PKC revocation request; PKC revocation; Software and/or configuration updates to CA and account management; Clock Adjustments; Anomalies, error conditions, software integrity check failures, receipt of improper or misrouted messages; and, Any known or suspected violations of physical security, suspected or known attempts to attack the CA equipment via network attacks, equipment failures, power outages, network failures, or violations of this certificate policy. At a minimum, for each auditable event the record SHALL include: The type of event; The time the event occurred; A success or failure indication for signing; The identity of the equipment operator who initiated the action; and,
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 Audit logs SHALL be generated automatically and periodically backed up.
5.4.2
Frequency of Processing Log
Offline CA audit logs SHALL be reviewed at least annually or any time the CA is brought online. Online CA audit logs SHALL be reviewed quarterly. The review is to include searches for anomalous patterns. Action taken as a result of this review SHALL be documented. Audit log reviews SHALL also be conducted when requested by the WiMAX Forum PA.
5.4.3
Retention Period for Audit Log
The information generated on the CA equipment SHALL be kept on the CA equipment until the information is moved to an appropriate archive facility. Audit logs SHALL be available for three months, at a minimum, then offsite as archive records (See Section 5.5).
5.4.4
Protection of Audit Log
Only personnel assigned to a trusted role have read access to the logs. Only authorized personnel MAY archive audit logs. Audit logs MUST be protected against unauthorized viewing, modification, and deletion. Audit logs SHALL only be deleted from a system after it has been archived.
5.4.5
Audit Log Backup Procedures
Audit logs SHALL be backed up. A copy of the audit log SHALL be stored at a separate facility from the active audit log as required.
5.4.6
Audit Collection System (Internal vs. External)
Automated audit processes SHALL be invoked at system (or application) startup, and cease only at system (or application) shutdown.
5.4.7
Notification to Event-Causing Subject
No stipulation.
5.4.8
Vulnerability Assessments
Trusted Roles SHALL routinely asses the CA system and its components for malicious activity.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993
5.5
5.5.1
Records Archive
Types of Events Archived
CA archive records SHALL be detailed enough to establish the validity of a signature and of the operation of the PKI. The following MUST be recorded at a minimum: CA accreditation; CPS; System equipment configuration; Modification and updates to system or configuration; Contractual obligations; Key Signing Ceremony video footage; Certificate Subject identity authentication data from 3.1.9; Documentation of receipt and acceptance of certificates; Audit logs from Section 5.4.1; All PKCs issued; Other data or applications to verify archive contents; and, Documentation required by compliance auditors.
5.5.2
Retention Period for Archive
Archive data SHALL be maintained for a minimum of the period of validity of all Certificates issued by CA plus seven (7) years or such longer period as MAY be required by National Archive and Records Administration (NARA).
5.5.3
Protection of Archive
Archive data SHALL be protected to ensure there is no unauthorized disclosure or modification. Archive media SHALL be stored in a safe, secure storage facility separate from the CA itself.
5.5.4
Archive Backup Procedures
Archive facility SHALL support backups.
5.5.5
Requirements for Time-Stamping of Records
Archive data SHALL indicate the date on which the archive was created.
5.5.6
Archive Collection System (Internal or External)
No stipulation.
5.5.7
Procedures to Obtain and Verify Archive Information
WiMAX Forum PA or designated representative MUST be granted timely access to archive information when requested.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 994 995 996 997 998 999 1000
5.6
Key Changeover
Device Manufacturer CAs and Device Sub-CAs MAY be renewed (Section 4.6) or re-keyed (Section 4.7) if the superior CA reconfirms the identity of the CA, which the superior CA either accepts or rejects. Re-keying is a multiparty procedure as specified in Section 5.2.2 and requires a "Key Ceremony" as specified in Section 6.1.1. New Device Manufacturer CA PKCs and Device Sub-CA PKCs SHALL be published in accordance with Section 4.2.2.
1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018
5.7
5.7.1
Compromise and Disaster Recovery

Incident and Compromise Handling Procedures
In the event of suspected compromise of a CA, it SHALL be investigated in order to determine the nature and the degree of damage. If the CA PKC is compromised and the CA PKC is revoked, a new CA PKC MUST be issued and the old CA PKC in RP trust stores MUST be replaced with a newly issued CA PKC. Device Root CA PKCs will be distributed via secure out-of-band mechanism.
5.7.2
Computing Resources, Software, and/or Data Are Corrupted
Backup or Archived data MUST be used when computing resources, software, and data are corrupted.
5.7.3
CA Private Key Compromise Procedures
Compromised CA private keys MUST be revoked. Compromised CA private keys MUST NOT be used to sign new PKCs. CA with compromised private keys MUST generate new private keys. Follow procedures in Section 5.3.6 if the CA operator is suspected of compromising the CAs public key.
5.7.4
Business Continuity Capabilities After a Disaster

The Device Root CA operations SHALL be established as quickly as possible, giving priority to the ability to issue CA PKCs. The CA operations SHALL be reestablished as quickly as possible, giving priority to the ability to issue Certificate Subject PKCs.
In the case of a disaster in which the CA equipment is damaged and inoperative:
1019 1020 1021 1022 1023 1024 1025
5.8
CA and RA Termination
In the event a Root CA terminates, or ceases operation, the Root CA ships its HSM, which contains the Root CAs private key, and any backup copies and archival copies to the WiMAX Forum PA. In the event a Manufacturer or Manufacturer Sub CA terminates, or ceases operation, the CA ships its HSM, which contains the CAs private key, and any backup copies and archival copies to the parent CA and the parent CA MUST only use this key to issue CRLs. There is no stipulation for RAs.
1026 1027 1028
6. Technical Security Controls

This chapter specifies the requirements for technical security controls to securely perform the functions of key generation, subject authentication, PKC issuance, and PKC revocation.
1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054
6.1
6.1.1
Key Pair Generation and Installation

Key Pair Generation
CA keys are generated in FIPS 140-2 validated cryptographic module. Modules SHALL meet security level 2 or above and keys are generated as part of a multiparty operation. If the keys are generated outside the module, then they SHALL be loaded into the module during a key ceremony. Any unencrypted copies of the keys SHALL be destroyed after the key ceremony, while encrypted backups MAY exist at secured locations. Subscriber keys are generated in a FIPS 140-2 level 1 or higher module. The module MAY be implemented in either hardware or software. When the keys are handled they MUST be protected from unauthorized disclosure and modification.
6.1.2
Private Key Delivery to Certificate Subject
Device certificates and private keys SHALL be inserted and stored in devices in a secure manner. Only the Certificate subject device SHALL have the Certificate Subject private key. If the Device does not generate its private key, then the private key MUST be delivered to the Device in a manner that protects the private key from unauthorized disclosure and modification. See Section 3.2.1 and 6.2.1.
6.1.3
Public Key Delivery to Certificate Issuer
A Certificate Subjects public key and identity SHALL be delivered securely to the CA in certification request.
6.1.4
CA Public Key Delivery to Relying Parties
CA public keys SHALL be delivered to the RP as part of the certification response. The self-signed Root CA PKC SHALL be conveyed to relying parties in a secure fashion to preclude substitution attacks.
6.1.5
Key Sizes
Keys MUST be 2048 bits or longer. Shorter keys MUST NOT be used to certify PKCs that contain longer keys.
6.1.6
Public Key Parameters Generation and Quality Checking
See PKCS #1 for key generation requirements.
6.1.7
Key Usage Purposes (as per X.509v3 key usage field)
See Section 7.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089
6.2
6.2.1
Private Key Protection and Cryptographic Module Engineering Controls

Cryptographic Module Standards and Controls
The relevant standard for cryptographic modules is FIPS PUB 140-2, Security Requirements for Cryptographic Modules.
6.2.2
Private Key Multi-Person Control
Use of CA private keys requires action by multiple persons as set forth in Section 5.2.2 of this CP. There is no stipulation for Certificate Subject private keys.
6.2.3
Private Key Escrow
No stipulation.
6.2.4
Private Key Backup
CA private keys SHALL be backed up under multi-person control, as required in Section 5.2.2. No more than a single copy of the signature key SHALL be stored at the CAs location (i.e., only the operational and backup key MAY be stored at the CAs location). Additional copies MAY exist off-site provided that accountability for them is maintained. This does not preclude the ability of the operator of a CA to explain in the CPS and get explicit approval for a secure high-availability high-throughput system which parallelizes the operation among several machines. Certificate Subject private keys SHALL NOT be backed up. If a copy of the Certificate Subject private key is created, the copy SHALL be encrypted such that only the subject device can decrypt it, and the copy SHALL NOT be usable in any other device. If a copy of the Certificate Subject private key is created by the CA to facilitate delivery from the CA to the device, this SHALL be in accordance with sections 3.2.1 and 6.1.2 and such copies SHALL be destroyed as soon as the delivery of the private keys and certificates from the CA to the requesting organization is considered complete.
6.2.5
Private Key Archival
No stipulation.
6.2.6
Private Key Transfer into or from a Cryptographic Module
CA private keys never leave the cryptographic module. Certificate Subject private keys that are not generated by the Certificate Subject MUST be transferred to Certificate Subject in a manner that protects the key from unauthorized disclosure and modification. See Section 3.2.1.
6.2.7
Private Key Storage on Cryptographic Module
CA private keys SHALL be encrypted on removable memory storage devices. There is no stipulation for Certificate Subject private keys.
6.2.8
Method of Activating Private Keys
Activation of the CA signing key requires multiparty control, as specified in Section 5.2.2. The CA private key media SHALL NOT be left unattended when active. There is no stipulation for activation of Certificate Subject private keys.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100
6.2.9
Methods of Deactivating Private Keys
Root CA private keys SHALL be deactivated and the media holding the Root CA private key SHALL be stored in a secure container (see Section 5.1.6). CA private keys SHALL be deactivated and stored in encrypted form in a secure room when not in use (see Section 5.1.6). These actions requires multiparty control, as specified in Section 5 2.2. The Root CA and CA private key media SHALL NOT be left unattended when not in use. There is no stipulation for deactivation of Certificate Subject private keys.
6.2.10
Method of Destroying Private Key
Private keys SHALL be destroyed when they are no longer needed or when the PKC to which they corresponds expires or is revoked.
6.2.11
Cryptographic Module Rating
See Section 6.2.1.
1101 1102 1103 1104 1105 1106
6.3
6.3.1
Other Aspects of Key Management

Public Key Archival
Public keys SHALL be archived as part of the PKC archival.
6.3.2
Certificate Operational Periods/Key Usage Periods
Device Root CA, Device Certificate Manufacturer, Device Sub-CA, and Device certificates shall be limited to December 31st, 2049.3
1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120
6.4
6.4.1
Activation Data
Activation Data Generation and Installation
Activation data generation and installation for CA private keys SHALL use methods that protect the activation data to the extent necessary to prevent the loss, theft, modification, unauthorized disclosure, or unauthorized use of such private keys. There is no stipulation for Certificate Subject private keys.
6.4.2
Activation Data Protection
Activation data to invoke private keys SHALL be protected from disclosure by a combination of cryptographic and physical access control mechanisms. The protection mechanism SHALL include a facility to temporarily lock the account, or terminate the application, after 3 failed login attempts.
6.4.3
Other Aspects of Activation Data
Before the Root CA private key activation data MAY be enter, the media storing the Root CAs private key MUST be retrieved from the locked container. No stipulation for Device Manufacturer CAs, Device Sub-CAs, or Certificate Subjects.
It is expected that this policy will need to be modified once the standards for dates beyond 2049 are widely implemented.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137
6.5
6.5.1
Computer Security Controls

Specific Computer Security Technical Requirements
For the CA, the computer security functions listed below are required. These functions MAY be provided by the operating system, or through a combination of operating system, software, and physical safeguards. The CA and its ancillary parts SHALL include the following functionality: Require authenticated logins; Provide Discretionary Access Control; Provide a security audit capability; Restrict access control to Trusted Roles; Enforce separation of Trusted Roles; Require identification and authentication; Restrict CA application to be the only application running on computer; Require use of cryptography for session communications and database security; Archive CA history and audit data; and, Require a recovery mechanism for keys, CA system, and CA application.
6.5.2
Computer Security Rating
No Stipulation.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166
6.6
6.6.1
Life-Cycle Security Controls

System Development Controls
For commercial off-the-shelf software, the software SHALL be designed and developed under a formal, documented development methodology. For hardware and software developed specifically for a particular CA, the applicant SHALL demonstrate that security requirements were achieved through a combination of software verification & validation, structure. Where open source software has been utilized, the applicant SHALL demonstrate that security requirements were achieved through software verification & validation and structured development/lifecycle management. Hardware and software procured to operate the CA SHALL be purchased and shipped in a fashion to reduce the likelihood that any particular component was tampered with (e.g., by ensuring the equipment was randomly selected at time of purchase). The CA software SHALL be dedicated to performing one task: the CA. There SHALL be no other applications; hardware devices, network connections, or component software installed which are not part of the CA operation. Proper care SHALL be taken to prevent malicious software from being loaded onto the CA equipment. Hardware and software SHALL be scanned for malicious code on first use and periodically thereafter. Hardware and software updates SHALL be purchased or developed in the same manner as original equipment, and be installed by trusted and trained personnel in a defined manner. Any code return to open source community does not disclose security relevant information.
The System Development Controls for the CA are as follows:
6.6.2
Security Management Controls
The configuration of the CA system as well as any modifications and upgrades SHALL be documented and controlled. There SHALL be a mechanism for detecting unauthorized modification to the CA software or configuration. A formal configuration management methodology SHALL be used for installation and ongoing maintenance of the CA system.
6.6.3
Life Cycle Security Ratings
No stipulation.
1167 1168 1169 1170 1171 1172
6.7
Network Security Controls
CAs SHALL be protected prevent unauthorized access, tampering, and denial-of-service. Communications of sensitive information SHALL be protected using point-to-point encryption for confidentiality and digital signatures for non-repudiation and authentication. Server Root CAs SHOULD be offline. Permanently online Server Root CAs will need to explain why they are always online in their CPS.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1173 1174 1175 1176
6.8
Time Stamping
Times asserted in PKCs SHALL be accurate to within three minutes. Electronic or manual procedures MAY be used to maintain system time. Clock adjustments are auditable events (See Section 5.4.1). There is no trusted time source.
1177 1178
7. Certificate, CARL/CRL, and OCSP Profiles Format

This Chapter specifies the requirements for the PKC, CRL, and OCSP format.
1179 1180
7.1
Certificate Profile
See WiMAX Forum PKC Profile Release 1.0.
1181 1182
7.2
CRL Profile
See WiMAX Forum CRL Profile Release 1.0.
1183 1184
7.3
OCSP Profile
See WiMAX Forum OCSP Profile Release 1.0.
1185 1186
7.4
SCVP Profile
A WiMAX SCVP profile will be developed when the need arises.
1187 1188
8. Compliance Audit and Other Assessments

This chapter specifies the requirements for audits.
1189 1190
8.1
Frequency of Audit or Assessments
CAs are subject to a compliance audit at least once per year.
1191 1192 1193
8.2
Identity & Qualifications of Assessor
The auditor MUST demonstrate competence in the field of compliance audits. The WiMAX Forum PA SHALL identify the compliance auditor for the CA.
1194 1195 1196 1197
8.3
Assessors Relationship to Assessed Entity
The compliance auditor either SHALL be a private firm, that is independent from the entity being audited, or it SHALL be sufficiently organizationally separated from that entity to provide an unbiased, independent evaluation. The WiMAX Forum PA SHALL determine whether a compliance auditor meets this requirement.
1198 1199 1200
8.4
Topics Covered By Assessment
The compliance audit of the CA SHALL verify that the CA is implementing all provisions of a CP approved by the WiMAX Forum PA.
1201 1202 1203
8.5
Actions Taken As A Result of Deficiency
Any discrepancies between how the CA is designed to or is being operated or maintained and the requirements of this CP will result in the compliance auditor documenting the discrepancy.
1204 1205 1206
8.6
Communication of Results
Upon completion, the audit compliance report will be returned to the WiMAX Forum PA. The report SHALL be treated as company confidential. The report SHALL identify the versions of the CP used in the assessment.
1207 1208
9. Other Business and Legal Matters

This chapter specifies requirements on general business and legal matters.
1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221
9.1
Fees
Any fees MUST be approved by the WiMAX Forum PA. Fees may be different for WiMAX Forum members and WiMAX Forum non-members.
9.1.1
Certificate Issuance/Renewal Fees
Any fees MUST be approved by the WiMAX Forum PA.
9.1.2
Certificate Access Fees
9.1.3
Revocation or Status Information Access Fee
9.1.4
Fees for other Services
9.1.5
Refund Policy
Any refund policy MUST be approved by the WiMAX Forum PA.
1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234
9.2
Financial Responsibility
CA MUST have assets and resources that ensure an ability to provide meet all operational requirements as a CA on an uninterrupted basis and to pay damages that could reasonably occur as a result of CA operations. Levels MUST be reasonably acceptable to WiMAX Forum PA.
9.2.1
Insurance Coverage
Device Root CA must obtain insurance coverage obtained from a reputable financially sound insurer with appropriate policy limits that is equal to or exceeds industry norms. The WiMAX Forum will be named as an additional insured. Insurance carrier and coverage MUST be acceptable to WiMAX Forum PA. No stipulation regarding insurance requirements for Device Manufacturer CA and Device Sub-CA.
9.2.2
Other Assets
No stipulation.
9.2.3
Insurance/warranty Coverage for End-Entities
No stipulation.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247
9.3
Confidentiality of Business Information
Sensitive and confidential information will be exchanged and provided under this CP. Written confidential information SHALL be adequately marked in writing as confidential. Oral confidential information SHALL be identified as confidential.
9.3.1
Scope of Confidential Information
Confidential Information means all information in written or oral form that the disclosing party identifies as confidential, and any trade secret or other proprietary information that the recipient knows or reasonably ought to know should be treated as confidential.
9.3.2
Information Not Within the Scope of Confidential Information
Information that is generally known to the public or properly known by the receiving party at the time of disclosure and other typical exceptions.
9.3.3
Responsibility to Protect Confidential Information
The WiMAX Forum PA and CAs MUST protect confidential information from unauthorized disclosure.
1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266
9.4
Privacy of Personal Information
It is the responsibility of all parties to ensure privacy of personal information under their control. No personal information is registered or certified. Information about subordinate CA operators is retained by the CA as part of certification request, which is subsequently logged and later archived. Manufacturer point of contact information is also retained by the Root CAs. If a party collects, transmits or stores personal information, its practices will comply with all applicable laws.
9.4.1
Privacy Plan
A privacy plan SHALL manage relevant information. Sponsor contact information SHALL be stored in a secure container.
9.4.2
Information Treated as Private
CA operators name, organizational affiliation, and phone number and other information within that definition.
9.4.3
Information Not Deemed Private
CP, CPS, PKCs, and revocation information are not considered private information.
9.4.4
Responsibility to Protect Private Information
All parties will protect private information when it is within their control.
9.4.5
Notice and Consent to use Private Information
Notice and consent practices regarding private information MUST comply with any applicable law..
9.4.6
Disclosure Pursuant to Judicial/Administrative Process
Disclosure in response to a valid judicial or administrative order MUST be permitted.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1267 1268 1269 1270
9.4.7
Other Information Disclosure Circumstances
Except as required for operation of the PKI system, as expressly permitted or required under the CP, or as required by applicable law, no private information will be disclosed without the express written consent of the party to which that private information pertains.
1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291
9.5
Intellectual Property Rights
The CP, CPS, each root certificate and all certificates issued under the root certificate are the property of the WiMAX Forum. No party will use any property of the WiMAX Forum, including, without limitation, any trademark, copyright, trade secret or other proprietary right of the WiMAX Forum, unless the WiMAX Forum has licensed that use. No party will infringe the intellectual property rights of any third party or the WiMAX Forum. Without limitation, except as the WiMAX Forum MAY expressly authorize in writing, it is prohibited to: Reverse engineer, translate, disassemble, decompile the whole or any part of any software or system or any part therefore or otherwise attempt to access any software source code embedded in or operating using any system; Assign, transfer, sell, license, sub-license, lease, rent, charge or otherwise deal in or encumber, any software or system or any part thereof or use same on behalf of or for the benefit of any third party, or make available the same in any way whatsoever to any third party without the WiMAX Forums prior written consent; Remove or alter any trademark or any copyright or other proprietary notice on any software, system or any other materials; Distribute, create derivative works of or modify the any materials, software or systems or any part thereof in anyway, or use, copy, duplicate or display same on a commercial or development basis. Provide any service using a certificate provided under this CP except as authorized and provided in this CP and an approved CPS. These restrictions SHALL NOT be construed in a manner that would violate any applicable law.
1292 1293 1294 1295 1296 1297
9.6
Representations and Warranties
The obligations described below pertain to the WiMAX PKI Participants. The obligations applying to CAs pertain to their activities as issuers of PKCs.
9.6.1
PA / WiMAX Forum
The WiMAX Forum and the WiMAX Forum PA make no representations and disclaim all warranties, however characterized, to the maximum extent permitted by law. The CP notice and disclaimer terms on page [i] above.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319
9.6.2
Generally Applicable Representations and Warranties
Agreements involving CAs, RAs, Subcribers, and Relying Parties will include standard representations and warranties: It has full right, power and authority to enter into the agreement and there is nothing that would prevent it from performing its obligations under the terms and conditions imposed on it by the agreement. The agreement has been duly authorized by all necessary corporate action and constitutes a valid and binding obligation on it, enforceable in accordance with the terms hereof (except to the extent of any relief that MAY be afforded under the laws of bankruptcy or under general principles of equity). If it is an entity: It is a [corporation] duly organized and validly existing and in good standing under the laws of its jurisdiction of incorporation and is duly qualified and authorized to do business wherever the nature of its activities or properties requires such qualification or authorization. No registration with or approval of any government agency or commission of any jurisdiction is necessary for the execution, delivery or performance by it of any of the terms of the agreement, or for the validity and enforceability hereof or with respect to its obligations under the agreement. There is no provision in its company or corporate charter, articles of incorporation, Bylaws or equivalent governing documents, and no provision in any existing mortgage, indenture, contract or agreement binding on it, which would be contravened by the execution, delivery or performance by it of the agreement. No consent of any third party or holder of any of its indebtedness is or SHALL be required as a condition to the validity of the agreement. Neither its execution nor its delivery of the agreement nor its fulfillment of or compliance with the terms and provisions hereof SHALL contravene any provision of the laws of any jurisdiction including, without limitation, any statute, rule, regulation, judgment, decree, order, franchise or permit applicable to it.
1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331
9.6.3
CA Representations and Warranties

There are no material misrepresentations of fact in the PKC known to or originating from the entities approving the Certificate Application or issuing the Certificate, There are no errors in the information in the PKC that were introduced by the entities approving the Certificate Application or issuing the PKC as a result of a failure to exercise reasonable care in managing the Certificate Application or creating the PKC, Their PKCs meet all material requirements of this CP and the applicable CPS, and Revocation services and use of a repository conform to all material requirements of this CP and the applicable CPS in all material aspects. It will perform all services in a professional and workmanlike manner and in conformity with standards that equal or exceed industry norms for the services that it is providing.
CAs warrant that:
1332 1333 1334
9.6.4
RA Representations and Warranties
In addition to the generally applicable representations and warranties in Section 9.6.2, RAs MUST make the same warranties as CAs with respect to any service that is delegated from the CA.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1335 1336 1337 1338 1339 1340 1341 1342 1343
9.6.5
Certificate Subject Representations and Warranties

Use their private key and PKC for uses, in accordance with this CP (see Section 1.4). Protect the confidentiality of their private keys at all times, in accordance with this CP.
Certificate Subjects SHALL:
9.6.6
Relying Parties Representations and Warranties

Use the PKC for uses, in accordance with this CP (see Section 1.4).
Relying Parties SHALL:
9.6.7
Representations and Warranties of Other Participants
No stipulation.
1344 1345
9.7
Disclaimers of Warranties
Disclaimers of implied warranties MAY be included. No disclaimer MAY contradict a required express warranty.
1346 1347 1348 1349 1350 1351 1352 1353
9.8
9.8.1
Limitations of Liability
PA / WiMAX Forum
In no event is the WiMAX Forum PA or WiMAX Forum liable for any losses, liabilities, or damages, whether direct or indirect and however characterized.
9.8.2
Other Participants.
Mutual limitations of liability that exclude liability for special, indirect, incidental and consequential damages MAY be included. An agreement MAY NOT impose a specific liability limit such as, for example, limiting a partys liability to the value of the fees paid or some multiple thereof.
1354 1355 1356 1357 1358 1359 1360 1361
9.9
9.9.1
Indemnities
PA / WiMAX Forum
The WiMAX will not indemnify any party. The WiMAX Forum will be indemnified against third-party claims arising from or relating to use of the PKI system and any related services, systems, software or materials.
9.9.2
Other Participants.
The agreements MUST have standard commercial indemnities covering the breach of the CP or an applicable CPS, infringement of third-party proprietary rights, breaches of nondisclosure obligations, and damages resulting from a partys breach of a representation, warranty, or material obligation under the agreement
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387
9.10
9.10.1
Term and Termination

Term
9.10.1.1 CP Term The CP becomes effective when the WiMAX Forum PA approves it and SHALL continue until the WiMAX Forum PA terminates it. 9.10.1.2 Other Agreements No stipulation provided that the term is reasonable for the services to be provided. The WiMAX Forum PA will resolve any disagreement.
9.10.2
Termination
9.10.2.1 CP Termination Termination of the CP is at the discretion of the WiMAX Forum PA. The CP remains in force until such time as WiMAX Forum PA terminates it. 9.10.2.2 Other Agreements Termination for material breach, bankruptcy or insolvency, and upon expiration of a fixed term is permitted. A service provider MAY NOT terminate for convenience. Termination of this CP is at the discretion of the WiMAX Forum PA. The CP remains in force until such time as it is replaced by a new version or it is terminated by the WiMAX Forum PA.
9.10.3
Effect of Termination and Survival
9.10.3.1 CP Upon termination of this CP, WiMAX PKI participants are nevertheless bound by the terms of the CP for all PKCs issued for the remainder of the validity periods of such PKCs. 9.10.3.2 Other Agreements No stipulation except that provisions relating to the following CP provisions MUST survive: 9.3, 9.4, 9.5, 9.7, 9.8, 9.9, and 9.10.3.1. Upon termination of this CP, WiMAX PKI participants are participants are nevertheless bound by the terms of this CP for all PKCs issued for the remainder of the validity periods of such PKCs.
1388 1389
9.11
Individual Notices & Communications with participants
No stipulation.
1390 1391 1392 1393 1394
9.12
9.12.1
Amendments
Procedure for Amendment
9.12.1.1 CP The WiMAX Forum PA MAY amend the CP in its sole discretion. The WiMAX Forum PA MAY issue amendments, clarifications, or an update.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1395 1396 1397 1398 1399 1400 1401 1402 1403 9.12.1.2 CPS and Participant Agreements. Other participants will amend the CPS, which is provided by the CA operator, and other agreements to conform them to amendments to the CP.
9.12.2
Notification Mechanism and Period
The CP and any subsequent changes SHALL be made available the WiMAX PKI participants via the publically available repository.
9.12.3
Circumstances Under which OID Must Be Changed
The object identifier representing the CP will be changed if significant changes are made to the CP portions of this document.
1404 1405 1406
9.13
Dispute Resolution Provisions
Any dispute arising with respect to this policy or PKCs issued under this policy is addressed by the WiMAX Forum PA. All determinations of the WiMAX Forum PA are final.
1407 1408
9.14
Governing Law
All parties SHALL comply with all laws, rules, regulations and orders that are applicable to them.
1409 1410
9.15
Compliance with Applicable Law
This CP SHALL comply with the laws of the State of California Law and the United States of America.
1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426
9.16
9.16.1
Miscellaneous Provisions
Document Incorporated into CP
NWG Rel 1.0 Stage 3 Specification: http://www.wimaxforum.org/technology/documents/WiMAX_End-toEnd_Network_Systems_Architecture_Stage_2-3_Release_1.1.0.zip RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework http://www.ietf.org/rfc/rfc3647.txt FIPS 140-2 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf IEEE 802.16e-2005 March 2006, Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands WiMAX Forum Device Certificate Profile Version 1.0.0 WiMAX Forum CRL Profile Version 1.0.0 WiMAX Forum OCSP Profile Version 1.0.0
The following documents also apply:
9.16.2
Entire agreement
No stipulation.
WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.3 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439
9.16.3
Assignment
The CPS and any agreement to provide services MAY NOT be assigned (including through a merger, acquisition or other corporate transaction that results in an effective change of control of a participant) or delegated without the prior written consent of the WiMAX Forum PA.
9.16.4
Severability
No stipulation.
9.16.5
Waiver
No stipulation.
9.16.6
Attorneys Fees
Participants SHALL reimburse the WiMAX Forum for all fees, expenses, and costs that it incurs in enforcing the terms of the CP.
9.16.7
Force Majeure
Optional. If included, force majeure period should not exceed 60 days.
1440 1441
9.17
Other Provisions
No stipulation

Wimax Forum Device Certificate

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Wimax Forum Device Certificate

Încărcat de

Drepturi de autor:

Formate disponibile

WiMAX Forum Network Architecture WiMAX Forum Device PKI Certificate Policy Approved Specification. Version 1.0.

WiMAX Forum Device PKI Certificate Policy Approved Specification

WiMAX Forum Proprietary

WiMAX FORUM PROPRIETARY AND CONFIDENTIAL SUBJECT TO CHANGE WITHOUT NOTICE

PUBLICATION AND REPOSITORY RESPONSIBILITIES .......................................................................7

IDENTIFICATION AND AUTHENTICATION ............................................................................................ 8

COMPLIANCE AUDIT AND OTHER ASSESSMENTS ............................................................................ 33

321 322 323 324 325 326

327 328 329 330 331 332

333 334 335

Document Name and Identification

Length 3 Chain 2 Level CA Tree

Length 4 Chain 3 Level CA Tree

Device Root CA Certificate Issue

Manufacturer CA Certificate Issue

Device SubCA Certificate Issue

369 370 Figure 1 - Device PKI

Length 3 Chain 2 Level CA Tree

Length 4 Chain 3 Level CA Tree

Server Root CA Certificate Issue

Server CA Certificate Issue

Server SubCA Certificate Issue

418 419 420 421 422 423 424

Definitions and Acronyms

Auditor Audit Data Backup Certification Authority (CA)

Certificate (or Public Key Certificate)

PKC holder National Archive and Records Administration (NARA) Server

2. Publication and Repository Responsibilities

449 450 451 452 453 454 455 456

Publication of Certification Information

457 458 459 460 461 462

Time or Frequency of Publication

Access Controls on Repositories

465 466 467

3. Identification and Authentication

Anonymity or Pseudonymity of Certificate Subjects

Names SHALL NOT be anonymous or be a pseudonym.

Rules for Interpreting Various Name Forms

See Section 3.1.1.

Names SHALL be unique across the whole WiMAX Device PKI.

Recognition, Authentication, and Role of Trademarks

Initial Identity Validation

Authentication of Organization Identity

Authentication of Individual Identity

Non-verified Certificate Subject Information

Criteria for Interoperation

Identification and Authentication for Re-key Requests

Identification and Authentication of Re-Key and Renewal Requests

Identification and Authentication of Re-Key and Renewal After Revocation

581 582 583 584 585 586 587

Identification and Authentication for Revocation Request

Enrollment Process and Responsibilities

Certificate Application Processing

Approval or Rejection of Certificate Applications

Time to Process Certificate Applications

PKC requests SHALL be processed in a timely manner.

614 615 616 617 618

Notification to Certificate Subject of Certificate Issuance

622 623 624 625 626 627 628 629

Publication of the Certificate by the CA

Notification of Certificate Issuance by the CA to Other Entities

630 631 632 633 634 635 636 637 638

Key Pair and Certificate Usage