Merge pull request #581 from uspki/finaldraftv1

Updates for Final v1.0 (draft)

_config.yml

@@ -1,4 +1,4 @@
-title: U.S. Federal Public Trust TLS Certificate Policy (Version 0.4 Draft)
+title: U.S. Federal Public Trust TLS Certificate Policy (Version 1.0 Final for Vote)
 small_title: U.S. Federal Public Trust TLS PKI
 smallest_title: U.S. Federal Public Trust TLS PKI
 description: Certificate Policy for a new public key infrastructure for TLS certificates for public .gov and .mil websites.
@@ -13,7 +13,7 @@ branch: policy-pages
 # we want the dynamic links to send users to the the primary editing branch.  editbranch is the new site variable to ensure Edit Page sends users to the correct branch for pull requests.
 editbranch: master
 
-report_url: "assets/docs/US_Federal_Public_Trust_TLS_Certificate_Policy_v0_4.pdf"
+report_url: "assets/docs/US_Federal_Public_Trust_TLS_Certificate_Policy_v1_0_draft.pdf"
 
 google_analytics_ua:
 repo: https://github.com/uspki/policies

_data/navigation.yml

@@ -6,6 +6,8 @@ primary:
     href: /certificatepolicy/
   - text: "Certificate Profiles"
     href: /certificateprofiles/
+#  - text: "Frequently Asked Questions"
+#    href: /faq/
   - text: "Submit Comments"
     href: /comment/
 
@@ -16,6 +18,7 @@ mobile:
     href: /certificatepolicy/
   - text: "Certificate Profiles"
     href: /certificateprofiles/
+#  - text: "Frequently Asked Questions"
+#    href: /faq/
   - text: "Submit Comments"
     href: /comment/
-

_includes/fpki-document-header.html

@@ -5,9 +5,9 @@
 
 ## Certificate Policy
 
-**DRAFT FOR REVIEW**
+**DRAFT FOR FINAL REVIEW**
 
-**Version 0.4**
+**Version 1.0**
 
-**February 25, 2019**
+**March 26, 2019**
 </div>

certificate-profile-OCSP-responder.md

@@ -21,4 +21,4 @@
 | id-pkix-ocsp-nocheck {1.3.6.1.5.5.7.48.1.5} | Mandatory | False | Null |
 | Extended Key Usage   |   Mandatory  | True | **Required Extended Key Usage:** <br> id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br><br> **Prohibited Extended Key Usage:** <br> All others, including anyEKU EKU {2.5.29.37.0} |
 | Certificate Policies   |  Mandatory  | False | **Required Certificate Policy Fields:** <br>See Section 7.1.6.4. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA and covered by the OCSP responses. <br><br>**Optional Certificate Policy Fields:** <br> certificatePolicies:policyQualifiers <br> policyQualifierId   id-qt 1 <br> qualifier:cPSuri |
-| Authority Information Access   | Optional | False | **Required AIA Fields:** <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].
+| Authority Information Access   | Optional | False | **Required AIA Fields:** <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272].

certificate-profile-root-CA.md

@@ -12,7 +12,7 @@
 
 | **Extension** |  **Required**   | **Critical** | **Value and Requirements** |
 | :-------- | :----------------|:----------------|:----------------|
-| subjectInfoAccess  | Mandatory | False |  id-ad-caRepository (1.3.6.1.5.5.7.48.5):<br>At least one instance of this access method shall be included.  All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
+| subjectInfoAccess  | Mandatory | False |  id-ad-caRepository (1.3.6.1.5.5.7.48.5):<br>At least one instance of this access method shall be included.  All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
 | basicConstraints   | Mandatory | True |  cA=True <br> The pathLenConstraint field shall not be present. |
 | subjectKeyIdentifier | Mandatory | False |  Octet String <br> Derived using SHA-1 hash of the public key  |
 | keyUsage   | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set.|   

certificate-profile-server-authentication.md

@@ -10,7 +10,7 @@ There are two (2) differences in the certificate profile implementations between
 | **Field or Extension** | **Domain Validation** | **Organization Validation**  |
 | :-------- | :---: | :---: |
 | Subject Identity Information  | cn=\<one domain name>,c=US | cn=\<one domain name>,S=District of Columbia,O=U.S.Government,c=US |
-| Certificate Policies   | Asserts both the US Government and CAB Forum policy OIDs for Domain Validation      | Asserts both the the US Government and CAB Forum policy OIDs for Organization Validation  |
+| Certificate Policies   | Asserts both the U.S. Government and CAB Forum policy OIDs for Domain Validation      | Asserts both the U.S. Government and CAB Forum policy OIDs for Organization Validation  |
 
 Below is the full server authentication certificate profile with _all_ fields and extensions.
 
@@ -33,7 +33,7 @@ Below is the full server authentication certificate profile with _all_ fields an
 | Extended Key Usage   | Mandatory | False | **Required Extended Key Usage:** <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> **Optional Extended Key Usage:** <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br> <br>**Prohibited Extended Key Usage:** <br> anyEKU EKU {2.5.29.37.0} <br> all others |
 | Certificate Policies   |  Mandatory  | False | **Required Certificate Policy Fields:** <br>See Section 7.1.6.4. One US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements.  <br><br>**Optional Certificate Policy Fields:** <br> certificatePolicies:policyQualifiers <br> policyQualifierId   id-qt 1 <br> qualifier:cPSuri |
 | Subject Alternative Name   | Mandatory | False  | This extension shall contain at least one entry. Each entry shall be a dNSName containing the Fully-Qualified Domain Name of a server. This extension shall not include any Internal Name values. <br> All entries shall be validated in accordance with Section 3.2.2.4. <br>Underscore characters (“_”) shall not be present in dNSName entries.  |
-| Authority Information Access   | Mandatory | False | **Required AIA Fields:** <br> **OCSP** <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
+| Authority Information Access   | Mandatory | False | **Required AIA Fields:** <br> **OCSP** <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
 | CRL Distribution Points   | Optional | False | If included, shall include at least one HTTP URI to the location of a publicly accessible, full and complete CRL. The reasons and cRLIssuer fields shall be omitted.  |
 | Private Extensions        | Optional | False | Only extensions that have context for use on the public Internet are allowed.  Private extensions must not cause interoperability issues.  CA shall be aware of and defend reason for including in the certificate, and use of Private Extensions shall be approved by the FPKI Policy Authority. |
 | Transparency Information  | Optional | False | If included, shall include two or more SCTs or inclusion proofs. <br> From RFC 6962, contains one or more "TransItem" structures in a "TransItemList".|

certificate-profile-subordinate-CA.md

@@ -6,7 +6,7 @@
 | Issuer Signature Algorithm   | sha256 WithRSAEncryption {1 2 840 113549 1 1 11}  |
 | Issuer Distinguished Name   | Unique X.500 issuing CA DN as specified in Section 7.1.4 of this CP |
 | Validity Period   | Validity Period dates shall be encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter <br> Validity Period shall be no longer than 10 years from date of issue. |
-| Subject Distinguished Name   | Subordinate CA Certificate Subject Distiguished Name (DN) shall be a unique X.500 DN as specified in Section 7.1.4 of this CP.  Distinguished Name shall conform to PrintableString string type in ASN.1 notation. <br><br>The Subordinate CA Certificate DN shall be of the following format: <br>cn=US Federal TLS CA x, o=U.S. Government, c=US<br>Where _x_ starts at 1 and is incremented by 1 for each Subordinate CA signed by the Root CA.<br><br>No other attributes shall be included in the Certificate Subject DN.  <br><br> Non-production Subordinate CAs signed by non-production Root CA certificates shall include "Test" in the DN. <br>A non-production DN example is: <br>cn=US Federal Test TLS CA 1, o=U.S. Government, c=US<br> <br>Subject name shall be encoded exactly as it is encoded in the issuer field of certificates issued by the subject. |
+| Subject Distinguished Name   | Subordinate CA Certificate Subject Distinguished Name (DN) shall be a unique X.500 DN as specified in Section 7.1.4 of this CP.  Distinguished Name shall conform to PrintableString string type in ASN.1 notation. <br><br>The Subordinate CA Certificate DN shall be of the following format: <br>cn=US Federal TLS CA x, o=U.S. Government, c=US<br>Where _x_ starts at 1 and is incremented by 1 for each Subordinate CA signed by the Root CA.<br><br>No other attributes shall be included in the Certificate Subject DN.  <br><br> Non-production Subordinate CAs signed by non-production Root CA certificates shall include "Test" in the DN. <br>A non-production DN example is: <br>cn=US Federal Test TLS CA 1, o=U.S. Government, c=US<br> <br>Subject name shall be encoded exactly as it is encoded in the issuer field of certificates issued by the subject. |
 | Subject Public Key Information   | At least 2048 bit modulus, rsaEncryption {1 2 840 113549 1 1 1} |
 | Issuer Signature   | sha256 WithRSAEncryption {1 2 840 113549 1 1 11}    |
 
@@ -18,8 +18,7 @@
 | subjectKeyIdentifier   | Mandatory | False |  Octet String <br> Derived using SHA-1 hash of the public key  |
 | keyUsage  | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set. |
 | extkeyUsage |  Mandatory  | False | This extension is required for Technically Constrained Subordinate CAs per Section 7.1.5. <br> Required Extended Key Usage: <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> Optional Extended Key Usage: <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br>id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br> Other values may be present consistent with use for server authentication, with approval by the FPKIPA. |
-| certificatePolicies |  Mandatory  | False | See Section 7.1.6.3. At least one US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA.  |
-| subjectAltName | Optional | False  | Underscore characters (“_”) shall not be present in dNSName entries. |
-| authorityInformationAccess | Mandatory | False | OCSP: <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br>At least one instance of the OCSP responder access method shall be included. All instances of this access method shall include the HTTP URI name form.<br><br> id-ad-caIssuers: <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
+| certificatePolicies |  Mandatory  | False | See Section 7.1.6.3. At least one U.S. Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA.  |
+| authorityInformationAccess | Mandatory | False | OCSP: <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br>At least one instance of the OCSP responder access method shall be included. All instances of this access method shall include the HTTP URI name form.<br><br> id-ad-caIssuers: <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
 | cRLDistributionPoints | Mandatory | False | At least one instance shall be included and shall specify a HTTP URI to the location of a publicly accessible CRL. All URIs included shall be publicly accessible and shall specify the HTTP protocol only.  The reasons and cRLIssuer fields shall be omitted. |
 | nameConstraints | Mandatory | True | See Section 7.1.5.  |

crl-profile.md

@@ -7,7 +7,7 @@
 | Issuer Distinguished Name  |  Distinguished Name of the CA Issuer |
 | thisUpdate   | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter <br> See Section 4.9.7 for publishing intervals.  |
 | nextUpdate   | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter <br> See Section 4.9.7 for validity period intervals. |
-| Revoked Certificates List   |  0 or more 2-tuple of certificate serial number and revocation date (Expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter )  |
+| Revoked Certificates List   |  0 or more 2-tuple of certificate serial number and revocation date (Expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter)  |
 | Issuer Signature  |   sha256 WithRSAEncryption {1 2 840 113549 1 1 11}    |
 
 

ocsp-response-profile.md

@@ -1,5 +1,5 @@
 ### OCSP Response Profile
-OCSP Responders under this profile are expected to operate using the Static Response model described in RFC 6960 and thus will not support nonce.
+OCSP responders under this profile are expected to operate using the Static Response model described in RFC 6960 and thus will not support nonce.
 
 | **Field** | **Value and Requirements** |
 | :-------- | :------------------------------- |
@@ -21,7 +21,7 @@ OCSP Responders under this profile are expected to operate using the Static Resp
 | **Field** | **Value and Requirements** |
 | :-------- | :------------------------------- |
 | CertID | hashAlgorithm shall be SHA-1<br>The issuerKeyHash and issuerNameHash pair must be identical within all Single Responses appearing in an OCSP Response |
-| Certificate Status | Determined by CRL<br>If revoked, revocationReason is included if present on the CRL |
-| This Update | Identical to the thisUpdate of the CRL used for determining revocation status |
-| Next Update | Before or identical to the nextUpdate field of the CRL used for determining revocation status |
+| Certificate Status | See Section 4.9.10 |
+| This Update | See Section 4.9.10 for validity period intervals. <br> Status information for DV/OV Server certificates: at least once every 24 hours. <br>Status information for Subordinate CA certificates: Every 31 days, or within 24 hours of revoking a Subordinate CA certificate. |
+| Next Update | See Section 4.9.10 for validity period intervals.<br>Status information for DV/OV Server certificates: not more than seven days beyond the value of the thisUpdate field. <br>Status information for Subordinate CA certificates: not more than 32 days beyond the value of the thisUpdate field. |
 | Single Extensions | Optional: <br>Transparency Information X.509v3 Extension {1 3 101 75} |

pages/05-submit-comment.md

@@ -19,9 +19,13 @@ Comments are always welcome and can be submitted via **[this web form]({{ site.r
 - [PDF copy of Version 0.2](https://github.com/uspki/policies/blob/v0.2/assets/docs/US_Federal_Public_Trust_TLS_Certificate_Policy_v0_2.pdf){:target="_blank"}
 - [Source files for Version 0.2 including all website content](https://github.com/uspki/policies/releases/tag/v0.2){:target="_blank"}
 
-**Version 0.3** of this Certificate Policy was update for internal team reviews against the practice statements and development.  Version 0.3 was only published in a preview mode.
+**Version 0.3** of this Certificate Policy was updated for internal team reviews against the practice statements and development.  Version 0.3 was only published in a preview mode.
 
 - [PDF copy of Version 0.3](https://github.com/uspki/policies/blob/master/assets/docs/US_Federal_Public_Trust_TLS_Certificate_Policy_v0_3.pdf){:target="_blank"}
 
+**Version 0.4** of this Certificate Policy was updated for team reviews against the practice statements and development.  
 
-A final 1.0 version will be posted when available after submission for final vote from the Federal PKI Policy Authority.
+- [PDF copy of Version 0.4](https://github.com/uspki/policies/blob/v0.4/assets/docs/US_Federal_Public_Trust_TLS_Certificate_Policy_v0_4.pdf){:target="_blank"}
+- [Source files for Version 0.4 including all website content](https://github.com/uspki/policies/releases/tag/v0.4){:target="_blank"}
+
+A draft 1.0 version is posted for final vote from the Federal PKI Policy Authority and stakeholders.