1. Introduction

1.1 Overview

This document is based on the structure suggested by the ''Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework'' [RFC 3647]. Sections that are not included have a default value of "No stipulation". This document describes the set of rules and procedures established by the Academia Sinica Grid Computing Certification Authority (ASGCCA).
(http://ca.grid.sinica.edu.tw).

1.2 Document Name and Identification

Document title:

Academia Sinica Grid Computing Certification Authority (ASGCCA) Certificate Policy and Certification Practice Statement

Document version:

3.0

OID:

The following ASN.1 Object Identifier (OID) has been assigned to this document: 1.3.6.1.4.1.5935.10.1.3.0. This OID is constructed as shown in the table below

IANA	1.3.6.1.4.1
Academia Sinica Computing Centre	.5935
ASGCCA	.10
CP/CPS	.1
Major Version	.3
Minor Version	.0

Document date:

June 2013

1.3 PKI Participants

1.3.1 Certification Authorities

ASGCCA is managed by Academia Sinica Grid Computing Centre.

1.3.2 Registration Authorities

The ASGCCA delegates the authentication of individual identity to Registration Authorities. RAs must sign an agreement with the ASGCCA, stating their adherence to the procedures described in this document. RAs are not allowed to issue certificates under this CP/CPS. The list of RAs is available from the ASGCA website. (http://ca.grid.sinica.edu.tw/contact.html)

Every organization has at least one Registration Authority who is in charge of an organization. Only permanent staff members are eligible to become an ASGCCA RA for their organizations.

The following is the ASGCCA RA registration procedure:

RA candidate must accept the CP/CPS and agree to all RA responsibilities.
RA candidate must be an employee of the institution or organization and provide work ID or proof of work.
Complete the RA application form and fax it to ASGCCA.
Send a verification e-mail to ASGCCA.
ASGCCA will then arrange a face to face meeting with RA candidate.
After completing the request, ASGCCA will publish the RA contact information on ASGC website and reserve the right to issue the name space for the institution.

1.3.3 Subscribers

ASGCCA issues certificates to person (user certificate), computers and services (host certificates).

The entities eligible for certification by the ASGCCA are:

Users of Academia Sinica.
Users of domestic Grid-based Application/Projects.
Collaborators related to Academia Sinica Grid Computing research.
Users and hosts/services involved in LCG/EGI Project without CA support in Asia.

1.3.4 Relying Parties

A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.

1.3.5 Other Participants

No stipulation

1.4 Certificate Usage

1.4.1 Appropriate Certificate Uses

The authorized uses of certificate issued by ASGCCA are:

E-mail signing and encryption (S/MIME).
Authentication and encryption of communication (SSL/TLS).
Object-signing.

1.4.2 Prohibited Certificate Uses

The certificates issued by ASGCCA must not be used for financial transaction.

1.5 Policy Administration

1.5.1 Organization Administering the Document

The ASGCCA is managed by Academia Sinica Grid Computing Centre.

128, Sec. 2, Academia Road, Nankang, Taipei, Taiwan 11529

http://www.twgrid.org, http://ca.grid.sinica.edu.tw

1.5.2 Contact Person

Yen, Eric

Address: 128, Sec. 2, Academia Road, Nankang, and Taipei, Taiwan 11529

Phone: +886-2-2789-9494

Mobile: +886-922-959211

Fax: +886-2-2783-7653

A mailing list containing ASGCCA managers has been setup to ensure quick response :

Email: asgcca@grid.sinica.edu.tw

1.5.3 Person Determing CPS Suitability for the Policy

ASGCCA managers (see 1.5.2) determine CPS suitability for the policy.

1.5.4 CPS Approval Procedures

The document shall be submitted to APGridPMA (Asia Pacific Grid Policy Management Authority) for acceptance and accreditation. All major changes must be approved by APGridPMA.

1.6 Definitions and Acronyms

The following definitions and associated abbreviations are used in this document.

ASGCCA

The Academia Sinica Grid Computing Certification Authority.

Certificate Policy (CP)

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

Certification Practice Statement (CPS)

A statement of the practices, which a certification authority employs in issuing certificates.

Certification Authority (CA)

An entity trusted by one or more users to create and assign public key certificates and be responsible for them during their whole lifetime.

Certificate Revocation List (CRL)

A time stamped list identifying revoked certificates which is signed by a CA and made freely available in a public repository.

Policy Qualifier

Policy-dependent information that accompanies a certificate policy identifier in an X.509 certificate.

Registration Authority (RA)

An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA).

Relying Party

A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.

Public Key Infrastructure

A term generally used to describe the laws, policies, standards, and software that regulated or manipulate certificates and public and private keys. All of this implies a set of standards for applications that use encryption.

Policy Management Authority (PMA)

An entity establishing requirements and best practices for public Key Infrastructure.

2. Publication and Repository Responsibilities

2.1 Repositories

A website is maintained by ASGCCA. It contains all the information published by ASGCCA specified in section 2.2. The website can be reached at the following address: http://ca.grid.sinica.edu.tw

2.2 Publication of Certification Information

ASGCCA operates a secure online repository that contains:

ASGCCA's certificate;
All certificates issued by ASGCCA;
A Certificate Revocation List (CRL) signed by ASGCCA;
A copy of this policy;
Other information relevant to the ASGCCA.

2.3 Time or Frequency of Publication

Certificates will be published as soon as issued.
The frequency of CRL publication is specified in subsection 4.9.7.
New version of CP/CPS is published as soon as they have been approved.

2.4 Access Controls on Repositories

The online repository is available 24 hours a day, 7 days a week, subject to reasonable scheduled maintenance.

ASGCCA doesn't impose any access control on its CP/CPS, its Certificate and issued certificates and CRLs.

The CRL list is signed by ASGCCA private key.

3. Identification and Authentication

3.1 Naming

3.1.1 Types of Names

Name components vary depending on the type of certificate. Names will be consistent with the name requirements specified in “Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 3280].

l In case of personal certificate the subject name must include the person’s full name. C=Country, O=Organization, OU=Unit, CN=First Name Last Name

l In case of host certificate the subject name must include the FQDN of the host. C=Country, O=Organization, OU=Unit, CN=DNS server name(FQDN)

3.1.2 Need for Names to be Meaningful

For a user certificate, the CN must be the full name of the subscriber. For a host certificate, the CN must be functional fully qualified domain name.

3.1.3 Anonymity or pseudonymity of Subscribers

ASGCCA will neither issue nor sign pseudonymous or anonymous certificates. The ASGCCA RA validates identity of subscribers.

3.1.4 Rules for Interpreting Various Name Forms

l Each entity has a clear and unique Distinguished Name in the certificate subject field.

l For a host certificate, the common name(CN) must be functional fully qualified domain name.

l Any name under this CPCPS defined as the form “OU=GRID”.

l To select your organization, please choose “AP” if your organization is outside of Taiwan.

3.1.5 Uniqueness of Names

The Distinguished Name must be unique for each subject name certified by ASGCCA.

3.1.6 Recognition, Authentication, and Role of Trademarks

No stipulation

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

The public and private keys are generated on the user station when he/she fills the certificate request form with Mozilla, Internet Explorer and Google Chrome browser.

3.2.2 Authentication of Organization Identity

If the name of an organization is requested to be part of subject name, ASGCCA may take steps to ascertain that the organization consent to such use. The organization is outside of Taiwan, the name of an organization must be “AP”. The information of authenticated organization is published on
http://ca.grid.sinica.edu.tw/contact.html.

3.2.3 Authentication of Individual Identity

Procedures differ if the subject is a user or host:

User certificate:

Users request user certificates must have face to face meetings with the RA and show their work IDs. If the ID card is valid and the photo image corresponds to the bearer, the RA shall consider that the user is correctly identified. The RA will sign the user’s application form. Then the user will complete the online application form to the CA. Once the user's identification is verified, ASGCCA will authenticate the subscriber and issue a certificate without namespace clash with other CAs in APGridPMA, EUGridPMA and TAGPMA.

Host certificate:

Requests must be signed with a valid personal ASGCCA user certificate.

3.2.4 Non-verified Subscriber Information

No stipulation.

3.2.5 Validation of Authority

See the provisions of section 3.2.2 and 3.2.3.

3.2.6 Criteria of Interoperation

No stipulation.

3.3 Identification and Authentication for Re-key Requests

3.3.1 Identification and Authentication for Routine Re-key

Expiration notifications are sent to subscribers before re-key time. Rekeying of certificates can be requested by an online procedure, which checks the validity of certificates.

3.3.2 Identification and Authentication for Re-key after Revocation

Rekey after revocation follows the same rules as an initial registration.

3.4 Identification and Authentication for Revocation Request

Certificate revocation request must be sent in the following ways:

l Send e-mail to asgcca@grid.sinica.edu.tw signed with a valid and trusted certificate.

l Contact personally the CA/RA staff in order to verify his/her identity and the validity of the request.

4. Certificate Life-Cycle Operational Requirements

4.1 Certificate Application

4.1.1 Who Can Submit a Certificate Application

Users of Academia Sinica.
Users of domestic Grid-based Application/Projects.
Collaborators related to Academia Sinica Grid Computing research.
Users and hosts/services involved in LCG/EGI Project without CA support in Asia.

Procedures are different if the subject is a person or a server. For every certificate application, the subject has to generate his/her own key pair. Minimum key length is 1024 bits.

User: Certificate requests are submitted by an online procedure, using a Mozilla or Internet Explorer browser.
Host: Certificate requests are submitted by an online procedure, using a Mozilla or Internet Explorer browser with a valid personal ASGCCA user certificate.

4.1.2 Enrollment Process and Responsibilities

Certificates requests are submitted by an online procedure on ASGCCA website (http://ca.grid.sinica.edu.tw), using a web browser. Authentication using a user certificate mandatory to request a host certificate.

For user certificates, the subject requests an appointment with the CA/RA (in person). The authentication according to sections 1.3.3, 3.2.2 and 3.2.3 must be processed in a face to face meeting. After a successful authentication, the CA/RA process and sign the request.

For host certificate, the request is through the secure online portal. The authentication is performed according to sections 1.3.3, 3.2.2 and 3.2.3.

4.2 Certificate Application Processing

4.2.1 Performing Identification and Authentication Functions

The certificate applications will be validated by the CA/RA. For new user certificate request, the CA/RA will authenticate the request according to sections 3.2.2 and 3.2.3. The host administrator must already have a valid personal ASGCCA certificate, required to authenticate to ASGCCA secure website and request host certificates.

4.2.2 Approval or Rejection of Certificate Applications

A certificate request is only allowed to users who do not already have a valid certificate assigned, otherwise rekey or revocation will be proposed. Provided the users as defined in section 4.1.1 and already verified by CA/RA. The certificate issuing is allowed.

4.2.3 Time to Process Certificate Applications

The process of issuing certificates is done immediately: identity verification has been made previously by the ASGCCA RA, and is mandatory to proceed with the request for a certificate.

4.3 Certificate Issuance

4.3.1 CA Actions During Certificate Issuance

ASGCCA issues the certificate if, and only if, the authentication of the subject is successful.

If the subject is a person, a message is sent to his/her e-mail address with the instructions on how to download it from the ASGCCA web server. If the subject is a host or a service entity, the certificate itself is sent to the address specified in the request email.

If the authentication is unsuccessful, the certificate is not issued and e-mail with the reason is sent to the subject.

4.3.2 Notifications to Subscriber by the CA of Issuance of Certificate

After issuance of the certificate, ASGCCA will send a notification and guide to the subscriber how to download the certificate from ASGCCA online website.

4.4 Certificate Acceptance

4.4.1 Conduct Constituting Certificate Acceptance

No Stipulation.

4.4.2 Publication of the Certificate by the CA

All valid certificates are published in an online repository available at the URL: http://ca.grid.sinica.edu.tw/publication/newCRT/newcerts/crt.php

4.4.3 Notification of Certificates Issuance by the CA to Other Entities

During the period of issuance, ASGCCA manager sends the notification to the entity. Also forwards this message to RA.

4.5 Key Pair and Certificate Usage

4.5.1 Subscriber Private Key and Certificate Usage

In requesting a certificate, subscribers agree to:

Read and adhere to the procedures published in this document;
Generate a key pair using a trustworthy method;
Take reasonable precautions to prevent any loss, disclosure or unauthorized use of the private key associated with the certificate, including:

Selecting a pass phrase of at minimum 12 characters
Protecting the pass phrase from others

Provide correct personal information and authorize the publication of the certificate.
Notify immediately ASGCCA in case of private key loss or compromise.
User must not share his/her certificate.
Request host certificate with valid FQDN (Fully Qualified Domain Name).

4.5.2 Relying Party Public Key and Certificate Usage

In requesting a certificate, subscribers agree to:

Read the procedures published in this document.
Verify the certificate by checking whether the validity period has expired and whether the certificate is on the latest CRL.
Use the certificates for the permitted uses only.