version 1.1
June 2003
This is a document based on the structure suggested by the ``Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework'' [RFC 2527]. Sections that are not included have a default value of "No stipulation". This document describes the set of rules and procedures established by the Academia Sinica Grid Computing Certification Authority (ASGCCA), the Certification Authority for the Academia Sinica Grid Computing Service (http://grid.sinica.edu.tw).
The document makes use of the following terms.
The Academia Sinica Grid Computing Directory Service keeps the user's information, for example name, e-mail address, phone numbers, office, institute, work groups, current projects and supervisor. The information is not published.
Data values, other than keys, that are required to operate cryptographic modules and that need to be protected (e.g., a PIN, a pass phrase, or a manually-held key share).
The abbreviation of Academia Sinica Grid Computing Certification Authority.
A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.
A statement of the practices which a certification authority employs in issuing certificates.
In the context of a particular certificate, the issuing CA is the CA that issued the certificate (see also Subject certification authority).
Policy-dependent information that accompanies a certificate policy identifier in an X.509 certificate.
An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA).
A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.
A collection of practice and/or policy statements, spanning a range of standard topics, for use in expressing a certificate policy definition or CPS employing the approach described in this framework.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Certificate Policy and Certification Practice Statement
1.1
The following ASN.1 Object Identifier (OID) has been assigned to this document: 1.3.6.1.4.1.5935.10.1.1.1. This OID is constructed as shown in the table below.

Component                        | OID arc
---------------------------------|-------------
IANA                             | 1.3.6.1.4.1
Academia Sinica Computing Centre | .5935
ASGCCA                           | .10
CP/CPS                           | .1
Major Version                    | .1
Minor Version                    | .1
ASGCCA is managed by Academia Sinica Computing Centre.
Academia Sinica Computing Centre manages the functions of the ASGCCA Registration Authority under the rule of this CP-CPS.
ASGCCA issues certificates for the following subjects:
The certificates issued by ASGCCA must not be used for financial transaction.
The authorised uses of certificate issued by ASGCCA are:
The ASGCCA is managed by Academia Sinica Computing Centre (http://www.ascc.net). Contact person for questions related to this document or the ASGCCA in general:
Yuan, Tein Horng
Mail Box: Nankang PO BOX 1-8 Taipei, Taiwan 11529
Address: 128, Sec. 2, Academia Road, Nankang, Taipei, Taiwan 11529
Phone: +886-2-2789-9247
Mobile: +886-921-931977
Fax: +886-2-2783-6444
email: asgcca@grid.sinica.edu.tw
Subscribers must:
Relying parties must:
ASGCCA will publish certificates and CRLs as soon as issued.
ASGCCA guarantees only that it verifies the identity of the subjects requesting a certificate according to the practices described in this document. No other liability, implicit or explicit, is accepted.
ASGCCA will not give any guarantees about the security or suitability of the service that is identified by an ASGCCA certificate. The certification service is run with a reasonable level of security, but it is provided on a best-effort basis only. It does not warrant its procedures and it will take no responsibility for problems arising from its operation, or for the use made of the certificates it provides.
ASGCCA denies any financial or any other kind of responsibility for damages or impairments resulting from its operation.
No financial responsibility is accepted.
Interpretation of this policy is according to R.O.C. laws.
No fees are charged for ASGCCA Certificates.
ASGCCA will operate a secure online repository that contains:
The online repository is available substantially 24 hours a day, 7 days a week, subject to reasonable scheduled maintenance.
ASGCCA does not impose any access control on its policy, its CA certificate, or the certificates and CRLs it issues.
The repository of certificates is at http://ca.grid.sinica.edu.tw/ and the repository of CRLs is at http://ca.grid.sinica.edu.tw/CRL/.
ASGCCA may be audited by other trusted CAs to verify its compliance with the rules and procedures specified in this document.
ASGCCA collects subscribers' full names, organization and e-mail addresses. Some of this information is used to construct unique, meaningful subject names in the issued certificates.
Information included in issued certificates and CRLs is not considered confidential.
ASGCCA does not collect any kind of confidential information.
Under no circumstances will ASGCCA have access to the private keys of any subscriber to whom it issues a certificate.
Parts of this document are inspired by [CERN CA], [DOE Grid PKI], [DATAGRID-ES CA].
Name components vary depending on the type of certificate. Names will be consistent with the name requirements specified in ``Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 2459]. See section 7.1.4 for more details.
The Subject Name in a certificate must have a reasonable association with the authenticated name of the entity.
The Distinguished Name must be unique for each subject name certified by ASGCCA.
The public and private keys are generated on the user's workstation when he or she fills in the certificate request form with the Netscape or Internet Explorer browser.
The RA verifies the organisation's identity as that of an organization recognized by the ASGCCA.
Procedures differ if the subject is a user or a server/service:
The subscriber must already be registered in the Academia Sinica Grid Computing Directory Service (ASGCDS) as an end-entity user. RA staff will check the account registered in the ASGCDS and contact the subscriber personally.
Requests must be signed with a valid personal ASGCCA user certificate.
Rekeying of certificates can be requested through an online procedure, which checks the validity of the existing certificate.
Rekey after revocation follows the same rules as an initial registration.
Certificate revocation requests must be sent in one of the following ways:
Procedures differ depending on whether the subject is a person or a server. In every case the subject has to generate his/her own key pair. The minimum key length is 1024 bits.
ASGCCA issues the certificate if, and only if, the authentication of the subject is successful.
If the subject is a person, a message is sent to his/her e-mail address with instructions on how to download the certificate from the ASGCCA web server. Otherwise, the certificate itself is sent to the address specified in the request.
If the authentication is unsuccessful, the certificate is not issued and an e-mail with the reason is sent to the subject.
No Stipulation.
A certificate will be revoked in the following circumstances:
The revocation of the certificate can be requested by:
The person requesting the revocation of certificate must authenticate himself in one of the following ways:
The ASGCCA does not support Certificate Suspension.
The lifetime of the CRL is 30 days.
The CRL is updated immediately after every revocation.
The CRL is reissued 7 days before expiration even if there have been no revocations.
No stipulation.
No stipulation.
No stipulation.
No Stipulation.
Logs will be kept for a minimum of 3 years.
The following events are stored and backed up in safekeeping:
The minimum retention period is three years.
No stipulation.
If the CA's private key is (or suspected to be) compromised, the CA will:
Before ASGCCA terminates its services, it will:
The ASGCCA is located at Academia Sinica Computing Centre facilities in Taiwan.
Physical access to the ASGCCA is restricted to authorized personnel.
The CA signing machine and the CA web server are both protected by uninterruptible power supplies. Environment temperature in rooms containing CA related equipment is maintained at appropriate levels by suitable air conditioning systems.
Due to the location of the ASGCCA facilities, floods are not expected.
ASGCCA facilities comply with R.O.C. law regarding fire prevention and protection in buildings.
The ASGCCA key is kept on several removable storage media. Backup copies of CA-related information are kept on removable media.
Waste carrying potentially confidential information, such as old floppy disks, is physically destroyed before disposal.
No off-site backups are currently performed.
No stipulation.
All access to the servers and applications that comprise the Academia Sinica Computing Centre.
CA personnel are recruited from the Academia Sinica Computing Centre.
No other personnel are authorized to access ASGCCA facilities without the physical presence of CA personnel.
Internal training is given to CA operators.
No stipulation.
Job rotation is not performed.
No Stipulation.
No stipulation.
Each subscriber must generate its own key pair. The ASGCCA does not generate private keys for subjects.
The ASGCCA does not generate private keys and hence does not deliver private keys.
Entities' public keys are delivered to the issuing CA in a secure and trustworthy manner.
The CA certificate can be downloaded from the ASGCCA secure web site.
No Stipulation.
No Stipulation.
No Stipulation.
The ASGCCA private key is the only key used to sign CRLs and certificates for persons, servers and services.
The certificate Key Usage field must be used in accordance with the ``Internet X.509 Public Key Infrastructure Certificate and CRL profile'' [RFC 2459].
No Stipulation.
ASGCCA keys are not given in escrow. ASGCCA is not available for accepting escrow copies of keys of other parties.
The ASGCCA's private key is kept encrypted in multiple copies in floppy disks and CDROMs in safe places. For emergencies, the passphrase is in a sealed envelope kept in a safe.
The ASGCCA's private key is protected by a 15-character passphrase.
No Stipulation.
No Stipulation.
No Stipulation.
X.509 v3.
Basic constraints: Not a CA.
Key usage: Digital signature, non-repudiation, key encipherment, data encipherment.
Subject key identifier
Authority key identifier
Subject alternative name
Issuer alternative name
CRL distribution points
Certificate policies
No Stipulation.
For Issuer:
C=TW, O=AS, CN=Academia Sinica Grid Computing Certification Authority
For User:
C=Country-Name, O=Organization-Name, OU=OrganizationUnit-Name, CN=Common-Name/EMAIL=Personal-Email
example: C=TW, O=AS, OU=CC, CN=Yuan Tein Horng/emailAddress=yth@beta.wsl.sinica.edu.tw
For Host:
C=Country-Name, O=Organization-Name, OU=OrganizationUnit-Name, CN=Domain-Name
example: C=TW, O=AS, OU=CC, CN=beta.wsl.sinica.edu.tw
For Services:
C=Country-Name, O=Organization-Name, OU=OrganizationUnit-Name, CN=Service-Name/Domain-Name
example: C=TW, O=AS, OU=CC, CN=FTP/beta.wsl.sinica.edu.tw
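As an added example (not part of the CP/CPS or the ASGCCA's own tooling), a Python checker that classifies a subject DN as user, host or service according to the naming profile above and flags duplicate subject names, which section 3.1 forbids. The host-name and e-mail matchers, the requirement that RDNs appear in the order C, O, OU, CN, and the case-insensitive comparison are assumptions of this example.

```python
import re

# Constructed matchers (assumptions, not taken from the CP/CPS): a fully
# qualified host name and a plain mailbox address, both case-insensitive.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s/]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# User CN form from the profile: Common-Name/emailAddress=Personal-Email
# (the general form in the profile writes the tag as EMAIL; both are accepted).
USER_CN_RE = re.compile(r"^(?P<name>[^/]+?)\s*/\s*(?:emailAddress|EMAIL)=(?P<email>\S+)$")

def parse_dn(dn):
    """Split 'C=TW, O=AS, OU=CC, CN=...' into ordered (attr, value) pairs. Each RDN
    is split at its first '=' so 'CN=Name/emailAddress=x@y' keeps the embedded '='."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def classify_subject(dn):
    """Return 'user', 'host' or 'service' for a DN that follows the subject profile;
    raise ValueError naming the first rule it breaks."""
    rdns = parse_dn(dn)
    attrs = [a for a, _ in rdns]
    if attrs != ["C", "O", "OU", "CN"]:          # assumption: order as listed above
        raise ValueError(f"expected C, O, OU, CN in that order, got {attrs}")
    cn = dict(rdns)["CN"]
    m = USER_CN_RE.match(cn)
    if m:                                         # CN=Common-Name/emailAddress=...
        if not EMAIL_RE.match(m.group("email")):
            raise ValueError("user CN carries an invalid emailAddress")
        return "user"
    if "/" in cn:                                 # CN=Service-Name/Domain-Name
        service, _, host = cn.partition("/")
        if not service.strip() or not HOSTNAME_RE.match(host.strip()):
            raise ValueError("service CN must be Service-Name/fully-qualified-host")
        return "service"
    if HOSTNAME_RE.match(cn):                     # CN=Domain-Name
        return "host"
    raise ValueError(f"CN {cn!r} is neither a user, host nor service name")

def find_duplicate_subjects(dns):
    """Section 3.1 requires each certified DN to be unique; names are compared
    case-insensitively, so 'cn=Foo' and 'CN=foo' count as the same subject."""
    keys = [",".join(f"{a.upper()}={v.lower()}" for a, v in parse_dn(dn)) for dn in dns]
    return [dn for i, (dn, key) in enumerate(zip(dns, keys)) if key in keys[:i]]
```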
No Stipulation.
See section 1.2.
No Stipulation.
No Stipulation.
X.509 v1.
No Stipulation.
Users will not be warned in advance of changes to ASGCCA's policy and CPS.
The policy is available at: http://ca.grid.sinica.edu.tw/CPS/.
No stipulation.