Closed lachellel closed 7 years ago
Common Policy Framework:
6.1.1.1 CA Key Pair Generation Cryptographic keying material used by CAs to sign certificates, CRLs or status information shall be generated in FIPS 140 validated cryptographic modules. For CAs that issue certificates under id-fpki-common-High, the module(s) shall meet or exceed FIPS 140 Level 3. For CAs that do not issue certificates under id-fpki-common-High, the module(s) shall meet or exceed FIPS 140 Level 2. Multiparty control is required for CA key pair generation, as specified in section 6.2.2. CA key pair generation must create a verifiable audit trail that the security requirements for procedures were followed. The documentation of the procedure must be detailed enough to show that appropriate role separation was used. An independent third party shall validate the execution of the key generation procedures either by witnessing the key generation or by examining the signed and documented record of the key generation
Questions and thoughts:
Maintain the BRD lexicon which is more detailed in writing style than Common
? FIPS 140 Level 2 and / or FIPS 140 Level 3
Referencing the BRD - key storage is FIPS 140-2 Level 3 or an appropriate Common Criteria (etc) EAL 4+.
Additional reference:
As written in BRD, it is loose enough to drive a truck through. E.G., "1.prepare and follow a Key Generation Script." Based on WHAT requirements? Similar to requiring that they have a CPS that says how they do something without specifying any requirements - worthless from a security.
and (if applicable) its Key Generation Script
When is it "not applicable" since both roots and issuing CAs require a script?
My understanding is that DoD uses level 3 modules - but current policy only requires 2 (DoD doesn't issue "Fed PKI HIGH")
Keep:
FIPS 140-2 Level 3 obviously
Review Common Criteria EAL 4+ clause; keep in draft
Add
FIPS 140-2 Level 3 obviously
Agree.
Review Common Criteria EAL 4+ clause; keep in draft
Can be dropped - US no longer uses "EAL" - now only accepts CC evaluation against approved protection profiles. For a crypto module - FIPS 140 is the only choice for US government - so EAL is not applicable even if it was still used.
•Multiparty control is required for CA key pair generation,
Pet peeve - this should be stated in Section 6.2.2 (multi party control) not here. But understand we will likely repeat requirements because CA/.B does...
Multiparty control is required for CA key pair generation,
covered in this statement:
An independent third party shall validate the execution of the key generation procedures either by witnessing the key generation or by examining the signed and documented record of the key generation
covered in this statement:
witness or video in BRD; current Common CP states - "witness or examining audit record" to align, need to not include the "or examining audit record"
In draft pull request (can be changed - up for discussion!), removing the "SHOULD" statements from BRD and applying the SHALL to all CAs
I don't think we need to distinguish Root vs Subrodinte/Intermediate CA - for this CP they all need to adhere to the same key generation/protection, so I suggest the following wording for 6.1.1.1:
In all cases, the CA SHALL:
The CA keys shall be:
The documentation of the procedure must be detailed enough to show that appropriate role separation was used and the CA key pair generation must create a verifiable audit trail that the security requirements for procedures were followed.
missed this one @techliaison - adding new commits and pull request
Comparing the Federal Common Policy Framework, Section 6.1.1.1 to the BRD Section 6.1.1.1
BRD: