Cisco Root CA 2048
Certification Practice Statement
Corporate Security Programs Office
Version 1.1 - Jan. 29, 2006
Table of Contents
Cisco Root CA 2048 1
Certification Practice Statement 1
Corporate Security Programs Office 1
Version 1.1 - Jan. 29, 2006 1
1 Introduction 2
2 Certification Practices 4
3 Certificate Status Information 6
4 Contact Details 8
5 Appendix A - Definitions 8
The purpose of this document is to describe the practices that Cisco Systems (“Cisco”) follows in issuing and managing Sub-CA Certificates signed by the PKI Root Certificate Authority “Cisco Root CA 2048” (“The Root CA” or “Issuing CA”), and to inform potential users of Sub-CA Certificates issued by the Root CA about what they need to know prior to benefiting from the Certificates.
1.1What Is a Certification Practice Statement?
A Certification Practice Statement or (“CPS”) explains background information for use by Benefiting Parties who utilize Certificates. A Certificate may contain a reference to a Certificate Policy (“CP”) or CPS in order to enable Benefiting Parties and other interested persons to locate further information about the Certificate and the entity that issued it. This CPS is a statement of the general practices that The Root CA follows in issuing Certificates and explains what a Certificate provides and means, what a Benefiting Party and other interested persons need to do to rely reasonably on the Certificate, and how to obtain help and resolve problems regarding the Certificate. For information about particular certificates issued by The Root CA, review the applicable Certificate Policy at http://www.cisco.com/security/pki/policies/index.html.
The Root CA, the subscribers of the certificates it issues (“Sub-CAs”, “Subscribers” or "Certificate Holders"), and those who want to utilize Certificates (“Benefiting Parties”) must have a mutual understanding, usually by express agreement, concerning their rights, duties and expectations of one to another. This CPS is not a contract but rather a description and overview of what Benefiting Parties and other interested persons need to know and do to utilize Certificates issued by The Root CA. This CPS does not in and of itself specify any legally binding rights or obligations, although it may discuss contractual obligations that are set out more authoritatively in a contract or Certificate Policy. Because this document is only a simple summary of highlights from contracts and other documents regarding reliance on The Root CA Certificates, those contracts take precedence over this document.
If you do not agree to the terms and conditions of the Certificate Policy applicable to a given certificate, you may not utilize The Root CA for a determination of the certificate's validity and Cisco Systems disclaims any and all liability should you utilize the certificate.
See subsection “3.4 Enrolling as a Benefiting Party" for more information about how to enter into a contract for reliance services.
1.3Detailed Practice Specifications
This document is a simple, user-friendly description of how to use Certificates issued from The Root CA. It is not a legal contract, nor is it a technical specification of everything The Root CA does with regard to Certificates. For most Benefiting Parties, the technical details of how a Certificate works are not relevant or helpful. Specific contracts with Benefiting Parties usually provide the information and assurances that make it unnecessary for those parties to familiarize themselves with the details of The Root CA’s certification practices, technical security measures or the operation of certification and Public Key Cryptography technology.
Cisco’s certification processes are examined and approved by disinterested and widely-respected auditors and technical security experts. The findings of these experts, which are based on extensive site visits and actual observation, attest that Cisco Systems follows PKI industry practices in securing and performing its operations with regard to the Cisco Root CA 2048.
1.4Checking the Authenticity of This Document
Documents retrieved from World Wide Web sites are generally vulnerable to tampering while in transit and do not include proof of authenticity. The document you are reading now is most likely authentic and unaltered, but there is a chance that it may have been tampered with. Upon request, Cisco Systems can provide a digitally signed electronic version of this document and/or a written version.
2.1Trustworthiness and Operative Personnel
As a Certification Authority, Cisco’s goal is to provide a trustworthy infrastructure to ensure the reliability of Digital Certificates.
In furtherance of this goal, Cisco only hires "Operative Personnel" who are trustworthy. Operative Personnel are Cisco employees who operate the systems used to issue certificates, create The Root CA’s private keys and administer The Root CA’s computing facilities. Cisco takes special steps to assure that these persons are qualified to act as Operative Personnel. The Root CA performs background checks on all of its Operative Personnel. The Root CA’s Operative Personnel must also have sufficient knowledge of Public Key Infrastructures, asymmetric cryptosystems and the laws applicable to Certification Authorities.
2.2Audits and Regulatory Oversight
Cisco Systems is an experienced, worldwide provider of services facilitating trustworthy electronic commerce, and is subject to regulatory oversight by federal and state authorities. The Root CA operates under the regulatory oversight and auditing of the Internal Controls Services group of Cisco Systems, reporting to the senior management of Cisco Systems, Inc. The Root CA is also audited on an annual basis by an external auditor who is certified to perform the AIPCA CA WebTrust audit on the Root CA.
The Root CA systems log security-related events in an audit log, which is regularly archived and reviewed by security personnel. The Root CA is also audited annually by a well-respected accounting and information security organization. On a regular basis, Cisco examines The Root CA’s computer facilities and operations for security, fault tolerance and the service commitments. These reviews, including on-site inspections, of The Root CA’s operations and facilities all help to ensure high quality and reliability in certification services.
2.3Root Key & Certificate Generation
Cisco’s practices in creating The Root CA Certificate, in signing and issuing Sub-CA Certificates with The Root CA's Private Key, and in revoking invalid Certificates are crucial to the reliability and trustworthiness of Cisco’s Public Key Infrastructure ("PKI"). This section explains in greater detail the technical certification practices performed by The Root CA.
2.3.1Root Certificate and Key Pair Creation
Generation of The Root CA’s Certificate and Key Pair were performed using only approved cryptographic standards published by the National Institute of Standards and Technology in Federal Information Processing Standards Publication, FIPS PUB No. 140-1, "Security Requirements for Cryptographic Modules" (“FIPS 140-1”). The protocol and procedure for Root Certificate and Key Pair generation is confidential and based on the need to ensure that Key Generation and Private Key delivery takes place in a secure and trustworthy environment. The Key Generation event is documented in writing and by other means to enable the parties to determine afterwards in a provable manner that the key generation and certificate creation occurred in a secure and trustworthy manner. All parts of the record are marked by witnesses for authentication purposes, and the record is stored in a secure location.
2.3.2Secure Facility and System Security
All of The Root CA computer systems are located in a secure facility, are operated in an offline (non-networked) mode, and are physically secured separately from the rest of the Cisco Systems’ computing assets. The Cisco Corporate Information Security group is responsible for the physical access controls protecting the offline Root CA.
The Root CA Private Key is heavily protected and stored in cryptographic modules that meet or exceed FIPS 140-1 Level 3 standards. The Root CA makes copies of its private Certificate-signing keys solely for backup and disaster-recovery purposes and stores all copies of The Root CA’s Private Keys in a secure and trustworthy environment. Also, The Root CA makes periodic system backups and securely stores system recovery data offsite in order to recover from a system failure. System backups are tested for their integrity at least annually. The Root CA also maintains a geographically separate secure site for system failover and a Business Continuity Plan ("BCP") to maintain and recover system resources and functionality in the event of a catastrophe.
2.3.4Root Key Compromise
Cisco has undertaken the previously stated security measures to ensure that The Root CA’s Private Key is not compromised. However, in the event that such compromise occurs, a contingency plan provides that Certificate Holders will be notified, notice will be posted on Cisco Systems’ Web site and in the Root CA’s Certificate Revocation List (“CRL”), and contingency measures will be immediately taken to address the compromise. The Root CA’s Private Key is retired after 25 years from its creation date. Once a key is retired or if the key is compromised, the hardware token storing The Root CA Private Key will be re-initialized using a FIPS 140-1 approved zeroization mechanism or be physically destroyed using FIPS 140-1 methods to prevent the key from being recovered or reused.
2.3.5Certificate and Validation Message Signing
The Root CA’s Private Key is only used for signing Sub-CA Certificates and Certificate Revocation Lists (CRLs). The strength of The Root CA’s Signing Key is equal to or greater than a 2048-bit RSA key. RSA is a public-key cryptosystem published by Ron Rivest, Adi Shamir, and Leonard Adleman.
2.3.6Private Key Security
Cisco takes great precautions to protect The Root CA’s Private Key and the Private Keys of Sub-CAs. In all cases, a Root or Sub-CA’s Private Key will be generated and all copies shall remain in a hardware security module (“HSM”) that meets or exceeds FIPS 140-1 Level 3 standards.
2.4Identification and Authentication (“I&A”) Practices
The Cisco Root CA 2048 issues only Subordinate CA (“Sub-CA”) certificates. No end-entity certificates will be issued from the Cisco Root CA 2048.
2.4.1Subordinate CA Certificates
The issuance process for a Sub-CA Certificate requires, at a minimum, two agents, or “Root CA Administrators” who are authorized to access the offline Root CA. These Root CA Administrators must perform a series of physical and logical I&A procedures which provide The Root CA with acceptable levels of identification and authentication. During each procedure, the respective authentication system verifies and confirms that the information provided is consistent with pre-established authentication and authorization data.
In order to become a Root CA Administrator, an employee is required to have undergone Cisco’s standard Human Resources (“HR”) procedures for new hires which includes verification of the following identification information: (i) government-issued photographic identification such as a driver's license, passport, or military ID; (ii) full legal name; (iii) birth date; (iv) street address; (v) home telephone number; and (vi) Social Security or other similar governmental identification number. Root CA Administrators are also put through an extensive background check for criminal history.
Sub-CAs are required to request Revocation in the event that their Private Key has been, or is suspected to have been, compromised or if any information contained in the Certificate changes or becomes false or misleading. The Root CA revokes Sub-CA Certificates and gives notice of such Revocation within a reasonable time after receipt of a verifiable Revocation request from the Sub-CA. Revocation requests may be made directly to The Root CA for Sub-CA Certificates. Notices of Revocation are published in The Root CA’s Repository. Even if there are no newly revoked Sub-CA Certificates, The Root CA publishes a Certificate Revocation List (CRL) at least on an annual basis. If a Sub-CA Certificate is revoked, The Root CA publishes a new CRL within three business days. Once published, the new CRL replaces the previous CRL. The Root CA provides CRLs solely for the convenience of Benefiting Parties who desire to use CRLs for business reasons particular to them, and does not recommend the use of a cached CRL to verify the validity of a Certificate because it does not always provide the most timely revocation information.
3.1Determine what a Certificate Says and Means
You can use your Web Browser to view the contents of The Root CA Certificate in order to find out what the Sub-CA Certificate says and means. You can use your Web Browser to find out whether the Sub-CA Certificate has expired, and to find the location of the Repository to check for Revocation.
The Root CA Certificate and Sub-CA Certificates issued from The Root CA, take a form prescribed in Internet technical standards, such as X.509 version 3 of the International Telecommunications Union. The X.509 format provides a specification for certain fields to contain human-readable information. For example, the X.509 format contains a field listing the CA’s name and another field listing the CA’s Public Key. Because standards such as X.509 do not define the meaning of Certificate data with sufficient clarity and precision, you cannot know exactly what the Certificate means just by looking at the Certificate. Therefore, you should also refer to http://www.cisco.com/security/pki/policies/index.html to review the relevant Certificate Policy applicable to The Root CA.
3.2Checking Certificate Status
Cisco assures that the Sub-CA Certificates it issues are accurate as of the time they are issued. However, events that occur after issuance may cause some fact listed in the Certificate to be no longer true. When you receive an unexpired Sub-CA Certificate, it will not be apparent from the Certificate whether it is still valid. The Root CA revokes a Sub-CA Certificate when the Sub-CA requests Revocation or when some other worthy reason for Revocation exists, such as when the Private Key has been lost or stolen. Once revoked, a Sub-CA Certificate is permanently invalid and unreliable. To discover whether a Sub-CA Certificate has been revoked, you can check the CRL in The Root CA’s Repository. It is imperative that you use, and make a record of using, a CRL to check whether a Sub-CA Certificate is still valid or has been revoked at the time of reliance on the Certificate. To make that check, you must inquire about the current validity or Revocation of the Sub-CA Certificate using the CRL distribution point identified in the Sub-CA Certificate (or as provided in your Benefiting Party Agreement).
If you choose to utilize a Sub-CA Certificate without checking the Repository for a Sub-CA Certificate's validity, you do so at your own risk.
Merely verifying the Digital Signature and validating a Sub-CA Certificate does not protect you from all of the risks of utilizing digitally-signed data. You are still required to use common sense in utilizing Sub-CA Certificates. This is called "Reasonable Reliance." If you have reason to doubt the authenticity of a Sub-CA, or if you suspect that anything is otherwise amiss with the Sub-CA Certificate, DO NOT utilize the Sub-CA Certificate. Instead, obtain help from The Root CA as described below. Moreover, because you must never utilize a Sub-CA Certificate that has expired or has been revoked, always check the validity of a Sub-CA Certificate. Whatever else may be required, you have an overriding obligation to act reasonably under the circumstances when you utilize a The Root CA and/or a Sub-CA Certificate from The Root CA.
3.4Enrolling as a Benefiting Party
You may obtain information on becoming a Benefiting Party by contacting the CA Policy Authority listed in section 4 below.
3.5DISCLAIMER OF LIABILITY
EXCEPT AS OTHERWISE SPECIFIED HEREIN, CISCO SYSTEMS, INC. DISCLAIMS ANY AND ALL REPRESENTATIONS AND WARRANTIES OF ANY TYPE WITH RESPECT TO ANY SUB-CA CERTIFICATE ON WHICH YOU MAY RELY, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.
IF YOU CHOOSE TO UTILIZE A CERTIFICATE WITHOUT ACCEPTING AND HONORING THE TERMS AND CONDITIONS OF SUCH USE (AS SPECIFIED IN A CERTIFICATE, CERTIFICATE POLICY OR RELYING PARTY AGREEMENT), YOU DO SO AT YOUR OWN PERIL AND ASSUME ALL ASSOCIATED RISK, AND IN NO CIRCUMSTANCE SHALL CISCO SYSTEMS, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, SPECIAL, OR INCIDENTAL DAMAGES, WHETHER IN CONTRACT OR IN TORT, EVEN IF CICSO SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
This Policy is administered by the Corporate Information Security group of Cisco Systems, Inc.:
Cisco Systems Inc
170 West Tasman
San Jose, CA 95134
PKI Operations Manager:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: Alex Wight
E-mail address: firstname.lastname@example.org
CA Policy Authority:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: J.P. Hamilton
E-mail address: email@example.com
5Appendix A - Definitions
Activation Data: Data that is required to access or operate cryptographic modules (e.g., Personal Identification Numbers or "PINs").
Applicant: A Person who initiates the Registration Process in order to obtain a digital certificate.
Application: A designated software program or set of programs.
Authentication Policy: A document specifying the Identification & Authentication (I&A) process to be followed before creating a certificate from a particular CA.
CA: See Certification Authority.
CA Services: Services relating to the creation, issuance, or management of certificates by CAs. These services are set forth in this CPS and in the applicable PKI documents.
Certificate: An electronic record which represents the identity of an entity by providing a subject name, an issuer name, the entity’s public key associated with the entity’s private key, the Certificate’s period of validity, a Certificate serial number, and optionally additional pertinent information. All of this information is digitally signed by the issuing CA. In the case of a Root CA, the issuer and subject are the same entity, and therefore a Root CA certificate is referred to as a “self-signed” certificate.
Certificate Policy: A set of rules which indicates the applicability of a named Certificate to a particular community and/or PKI implementation.
Certificate Revocation List (CRL): A regularly updated list of revoked
Certificates that is created and digitally signed by the CA that issued the revoked certificates.
Certification Authority (CA): An authority that is authorized by the PKI Review Board to create, issue, and manage digital Certificates in accordance with the terms of this CPS and the applicable PKI documents, and that otherwise satisfies the requirements of one of the sub-sections of Section 1.3.1.
Digital Signature: The data produced by transforming an electronic record using Public Key Cryptography and the Private Key of the signer of the record, so that a Benefiting Party, having the original electronic record, the data produced by the transformation process, and the signer’s Public Key, can accurately determine: (i) whether the data produced by the transformation process was generated using the Private Key that corresponds to the signer’s Public Key; and (i) whether the original electronic record has been altered since the transformation.
Distinguished Name (DN): Distinguished Names (DNs) are used in Certificates and in an X.500-based Repository to uniquely represent Subjects identified in Certificates.
End-Entity: The entity that controls the private key corresponding to the public key embedded in a digital certificate that is not a CA certificate.
HSM: See Hardware Security Module
Hardware Security Module (HSM): A hardware device used to provide secure cryptographic processing capabilities and secure storage of cryptographic private keys.
I&A: See Identification and Authentication.
Identification and Authentication (“I&A”): The process set forth in an applicable Authentication Policy, this CPS, and/or the applicable Certificate
Policy for ascertaining and confirming the identity of any Applicant requesting a certificate through appropriate inquiry and investigation.
Issuing CA: The CA identified in the “Issuer Distinguished Name” field of a particular Certificate.
Key Pair: A Public Key and its corresponding Private Key such that (i) the Public Key may be used to verify a Digital Signature created using the corresponding Private Key; and/or (i)the Public Key may be used to encrypt data that can only be decrypted with the corresponding Private Key.
Object Identifier (OID): The unique numeric identifier registered under the International Standards Organization standard to reference a specific object or object class.
Organization: A legal entity, a group of Persons working for a common business purpose, or a sole proprietorship.
Organizational Unit: A sub-group or unit within an Organization.
Person: A living human being.
PKI Implementation: An application or other system involving the use of Public Key Cryptography and X.509 digital Certificates.
Private Key: The key of a Key Pair that is kept secret by the holder of the Key Pair, and that is used to create Digital Signatures and/or to decrypt electronic records or files that were encrypted with the corresponding Public Key.
Program Participants: This term includes all CAs, RAs, Repositories, Sub-CAs, Benefiting Parties, and the PKI Review Board. It does not include Applicants.
Public Key: The key of a Key Pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used by a Benefiting Party to verify Digital Signatures created with the holder's corresponding Private Key and/or to encrypt messages so that they can be decrypted only with the holder's corresponding Private Key.
Public Key Cryptography: A type of cryptography, also known as asymmetric cryptography, which uses a unique Public/Private Key Pair of mathematically related numbers. The holder of the Key Pair may make the Public Key available to anyone who wishes to use it, while the holder must keep the Private Key secret. One of the keys can be used to encrypt information or generate a Digital Signature, but only the other corresponding key can decrypt that information or verify that Digital Signature.
Public Key Infrastructure (PKI): A set of hardware, software, people, procedures, rules, policies, and obligations used to facilitate the trustworthy creation, issuance, management, and use of Certificates and keys based on Public Key Cryptography.
RA: See Registration Authority.
Registration Authority (RA): An Organization or specific entity within an organization that is authorized by the PKI Review Board to process applications for Certificates and requests for Certificate Revocation by conducting the required I&A of Applicants and Certificate Subjects in accordance with the terms of this CPS and the applicable PKI documents, and that otherwise satisfies the requirements of Section 1.3.2. An RA does not create or issue Certificates, but rather provides an authorization to the Certificate Authority that a particular certificate is approved to be issued.
Registration Process: The process, for obtaining a Certificate, implemented by the RA in accordance with the obligations imposed on the RA in this CPS and the applicable PKI documents.
Benefiting Party: An entity that is in a position to benefit from the use of a Certificate or a Digital Signature by utilizing the Certificate to identify an end-entity and a corresponding Subject by satisfying the requirements of Section 188.8.131.52.
Repository: The online system operated and maintained by the CA that stores information concerning Certificates and Certificate status.
Subordinate Certificate Authority (Sub-CA): A Certificate Authority whose behavior is constrained by a more authoritative CA, and whose key pair key is certified by that more authoritative CA.
Subscriber: An entity possessing a digital certificate issued from the Root CA and the associated Private Key. Specifically, Subordinate CAs are the sole Subscribers to the Cisco Root CA 2048.
Subject: The Person, Device, System, or Application named in the Subject Distinguished Name “SubjectDN” field of a Certificate.
System: A physically distinct hardware processing platform.