This document is organized according to the specifications proposed by the RFC 3647. It describes the procedure followed by MD-Grid (National Grid Initiative of Moldova) Certification Authority and is the combination of Certificate Policy and Certification Practice Statement (CP/CPS).

This document is a valid CP/CPS as of March 04, 2008, 09:00 UTC.

1.2 Document name and identification

Document title: MD-Grid Certification Authority Certificate Policy and Certification Practice Statement

Document version: 1.4

Document date: 01.10.2014.

ASN.1 Object Identifier (OID): 1.3.6.1.4.1.31194.10.1.1.4

The next table describes the meaning of the OID:

1.3.6.1.4.1	Prefix for IANA private enterprises
31194	RENAM registered identifier
10	Certification Authorities
1	CP/CPS
1.4	Major and minor CP/CPS number.

1.3 PKI participants

1.3.1 Certification Authorities

MD-Grid CA provides PKI services to the Moldavian academics and research communities who participate in national or international Grid activities. The MD-Grid CA does not issue or sign certificates to subordinate CAs.

1.3.2 Registration authorities

The RA Operators are responsible for verifying Subscribers’ identities and approving their certificate requests. RA Operators do not issue certificates. The list of RAs is available on the MD-Grid CA website.

1.3.3 Subscribers

The MD-Grid CA issues user (personal), host and service certificates. Subscribers eligible for certification from MD-Grid CA must be:

· Users (people).

· Computers (hosts).

· Services (host applications).

1.3.4. Relying parties

All entities that use public keys of certificates, issued by MD-Grid CA, for signature verification and/or encryption, will be considered as relying parties.

1.3.5 Other participants

No stipulation.

1.4 Certificate usage

1.4.1 Appropriate certificate uses

Personal certificates can be used to authenticate a user that would like to benefit from the Grid resources.

Host certificates can be used to identify computers that have special tasks related to the Grid activities.

Service certificates can be used to recognize the host applications and data or communication encryption (SSL/TLS).

In addition, it is permissible to use certificates for email signing.

1.4.2 Prohibited certificate uses

Notwithstanding the above, using certificates for purposes contrary to Moldavian law is explicitly prohibited.

1.5 Policy administration

1.5.1 Organization administering the document.

MD-Grid Security Group at RENAM is in charge of the management of MD-Grid CA.

Phone: +373 22 288006 or +373 22 234635

Fax: +373 22 288006

e-mail: ca@renam.md

Address:

5 Academiei str., of. 331

MD-2028, Chisinau

Moldova, Republic of

1.5.2 Contact person

The contact person that can deal with any questions related to this document or operational issues:

Valentin Pocotilenco

Address:

RENAM Association

5 Academiei str., of. 331

MD-2028, Chisinau

Moldova, republic of

Phone: +373 22 288006 or +373 22 234635

Fax: +373 22 288006

e-mail: pvv@renam.md

1.5.3 Person determining CPS suitability for the policy

Valentin Pocotilenco

Address:

RENAM Association

5 Academiei str. of. 331

MD-2028, Chisinau

Moldova, republic of

Phone: +373 22 288006 or +373 22 234635

Fax: +373 22 288006

e-mail: pvv@renam.md

Website: http://ca.grid.md/

1.5.4 CPS approval procedures

The CP/CPS document and all CPS modifications should be approved by the EuGridPMA before being applied.

1.6 Definitions and acronyms

RENAM	Research and Educational Networking Association of Moldova
ASN.1	Abstract Syntax Notation One (http://asn1.elibel.tm.fr/)
CA	Certification Authority
CP/CPS	Certificate Policy/Certification Practice Statement
CRL	Certificate Revocation List
DNS	Domain Name System
FQDN	Fully Qualified Domain Name
HTTP	Hypertext Transfer Protocol
IANA	Internet Assigned Numbers Authority
IP	Internet Protocol
OCSP	Online Certificate Status Protocol
OID	Object Identifier
PKI	Public Key Infrastructure
RA	Registration Authority
RFC	Request For Comment
S/MIME	Secure / Multipurpose Internet Mail Extensions
SEE-GRID	South East European GRid-enabled eInfrastructure Development
SSL	Secure Sockets Layer
URL	Uniform Resource Locator
USB	Universal Serial Bus

2 PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories

The MD-Grid CA operates an on-line repository that contains:

· The MD-Grid CA root certificate

· User, Host and Service certificates issued by the CA

· Certificate Revocation Lists (periodically updated)

· A copy of the most recent version of this CP/CPS and all previous versions

· A list of current operational Registration Authorities

· Links to all trust anchor repositories where MD-Grid CA info is published

· Other relevant information http://ca.grid.md/

The MD-Grid CA communication information for information regarding repositories is:

RENAM Certification authority

RENAM Association

5 Academiei str. of. 331

MD-2028, Chisinau

Moldova, republic of

Phone: +373 22 288006 or +373 22 234635

Fax: +373 22 288006

e-mail: ca@renam.md

2.2 Publication of certification information

See section 2.1

2.3 Time or frequency of publication

Certificates will be put to the MD-Grid CA website as soon as they are issued.

· CRL publication will be updated immediately after a revocation is issued and it will be updated at least 7 days before the expiration date of the CRL where CRL life time is 30 days.

· New versions of all MD-Grid CA documents will be published on the website as soon as they are updated.

· New versions of this CP/CPS document will be published soon after they are validated and former versions will be kept as a record in the repository.

2.4 Access control on repositories

The MD-Grid CA does not impose any access control on its CP/CPS, issued certificates or CRLs available on website.

3 IDENTIFICATION AND AUTHENTICATION

3.1 Naming

3.1.1 Types of names

The subject names for the certificate applicants shall follow the X.500 standard:

1. in case of user certificate the subject name must include the persons name in the CN field;

2. in case of host certificate the subject name must include the DNS FQDN in the CN field;

3. in case service certificate the subject name must include the service name and the DNS FQDN separated by a „/“ in the CN field.

3.1.2 Need for names to be meaningful

The subject name must represent the subscriber in a way that is easily understandable by humans and must have a reasonable association with the authenticated name of the subscriber. Each host certificate must be linked to a single network entity.

3.1.3 Anonymity or pseudonimity of subscribers

MD-Grid CA will neither issue nor sign pseudonymous or anonymous certificates.

3.1.4 Rules for interpreting various name forms

See section 3.1.1.

3.1.5 Uniqueness of names

The subject name included in the CN part of a certificate must be unique for all certificates issued by the MD-Grid CA. When essential, extra characters may be affixed to the original name to guarantee the uniqueness of the subject name.

Private keys must not be shared among end entities.

DNs must retain the uniquity for whole CA lifetime.

3.1.6 Recognition, authentication, and role of trademarks

No stipulation.

3.2 Initial identity validation

3.2.1 Method to prove possession of a key

The MD-Grid CA proves possession of the private key that is the companion to the public key in MD-Grid CA root certificate by issuing certificates and signing CRLs.

The MD-Grid CA verifies the possession of the private key relating to certificates requests by out-of-band, non-technical means at the time of authentication. Such verification may take the form of a directly posed question to requester. A cryptographic challenge-response exchange may be used to prove possession of the private key at any point in time before certification of subscriber.

The MD-Grid CA will not generate the key pair for subscribers and will not accept or retain private keys generated by subscribers.

3.2.2 Authentication of organization identity

The MD-Grid CA authenticates organizations by:

· Checking that organization is affiliated with RENAM Initiative;

· Contacting the person who represents the organization in the project.

· Contacting the person who represents the organization or other legal entity that is not affiliated to RENAM initiative or not involved in project.

3.2.3 Authentication of individual entity

The subscriber should contact personally the RA or CA staff in order to validate his/her identity. The subscriber’s authentication is fulfilled by providing an official document for personal identification (ID-card, driving license or a passport), and a valid document proving subscriber’s relation with an institute or organization, declaring that the subject is a valid end entity.

Certificate of a host or service:

Host or service certificates can only be requested by the administrator responsible for the particular host. In order to request a host or service certificate the following conditions must be met:

1.The host must have a valid FQDN.

2.The administrator must already possess a valid personal MD-Grid certificate.

3.The administrator must provide a proof of his or hers relation to the host itself.

The subscriber requesting service from the MD-Grid CA should contact personally the RA or CA staff in order to validate his/her identity.

MD-Grid CA or RA will archive photocopies of ID documents in case of user certificates and digitally signed e-mails in case of host or service certificates.

3.2.4 Non-verified subscriber information

During the initial identity validation the requester's e-mail is not verified. This is done during the processing of the certificate application as described in section 4.2.2.

3.2.5 Validation of Authority

No stipulation.

3.2.6 Criteria of interoperation

No stipulation.

3.3 Identification and authentication for re-key requests

3.3.1 Identification and authentication for routine re-key

Expiration warnings will be sent to subscribers before it is re-key time. Re-key before expiration can be executed by stating a re-key request signed with the personal certificate of the subscriber but after 4 years face-to-face identity validation is required as described in 3.2.3. Re-key after expiration uses completely the same authentication procedure as new certificate.

3.3.2 Identification and authentication for re-key after revocation

The procedure for re-key after revocation is exactly the same with an initial registration.

3.4 Identification and authentication for revocation request

Certificate revocation requests should be authenticated in one of the following ways:

· By signing a revocation request e-mail via a valid personal key corresponding to the certificate that is requested to be revoked which must be a valid, non-expired and non-revoked RENAM certificate.

· For persons who do not have a valid RENAM certificate, but hold an evidence of a revocation circumstance: by personal authentication as described in 3.2.3

· If the revocation request is for a host or service certificate, then the e-mail must be signed by the private key corresponding to the certificate of the person responsible of the host or service. When e-mail is not an option, the request will be authenticated using the procedure described in section 3.2.3.

· Revocation request by the RA should be done by e-mail, signed with valid RA operator key.

4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1 Certificate application

4.1.1 Who can submit a certificate application

The essential procedures that must be conformed in a certificate application request are as follows:

· The subject must be appropriate to the specifications stated in this policy.

· The key length of a generated certificate must be 2048 or 4096 bits.

· For personal private keys use a strong passphrase of at least 12 characters.

4.1.2 Enrollment process and responsibilities

MD-Grid CA issues the certificate only if, the authentication of the subject is successful. The applicant will be notified about the issuance by signed e-mail. If the authentication is not successful, the certiﬁcate is not issued and the applicant will also be notiﬁed by signed e-mail.

4.2 Certificate application processing

4.2.1 Performing identification and authentication functions

All the certificate applications will be authenticated and validated by the MD-Grid CA and RAs as stated in section 3.2.3. In the cases of re-key of user certificate or request for host or service certificate, the authentication of the certificate application will take place by checking that the requester has a valid MD-Grid CA certificate. Upon successful authentication, the information included in the certificate request will be validated by RA or CA.

4.2.2 Approval or rejection of certificate applications

If the certificate request does not meet one or more of the criteria in 4.1.1, it will be rejected and the requester will be informed via signed e-mail.

4.2.3 Time to process certificate applications

Each certificate application will take no more that 5 working days to be processed.

4.3 Certificate issuance

4.3.1 CA actions during certificate issuance

CA will check that identity validation is properly performed as described in 3.2.3.

CA will ensure secure communication with RAs by signed e-mails or voice conversations.

4.3.2 Notification to subscriber by the CA of issuance of certificate

Applicants will be notified via e-mail when the certificate is issued and the issued certificate will be hosted at the online CA repository.

4.4 Certificate acceptance

If the user wants to accept the certificate, he or she must follow the procedure in section 4.4.1.

If a user wants to reject a certificate, he or she must submit a revocation request as described in section 4.9.

4.4.1 Conduct constituting certificate acceptance

Subscribers of MD-Grid CA are required to agree with the following issues:

· acknowledgment of conditions and loyalty to the procedures interpreted in this document

· permanent provision of correct information to the MD-Grid CA and avoidance of unnecessary information out of purposes of this document

· use of the certificate for only authorized purposes that are stated in this document

· admission of restrictions to liability defined in section 9.8

· admission of statements about confidentiality of information emphasized in section 9.4

· key pair (public key and private key) generation using a secure method

· acceptable precautions against loss, disclosure or illegal use of the private key

· notifying MD-Grid CA in case private key is compromised or lost

· notifying MD-Grid CA in case of information change in the certificate

· notifying MD-Grid CA in case the subscriber requests to revoke the certificate

4.4.2 Publication of the certificate by the CA

MD-Grid CA operates an on-line repository that contains all valid user certificates.

4.4.3 Notification of certificate issuance by the CA to other entities

If the RA has handled the communication with the subscriber, then it will be notified of the certificate issuance.

The RA will be informed about any certificate signatures and re-keys before expiration that were submitted through it.

4.5 Key pair and certificate usage

4.5.1 Subscriber private key and certificate usage

The subscribers' private keys along with the certificates issued by the MD-Grid CA can be used for:

· email signing/verifying and encryption/decryption (S/MIME);

· server authentication and encryption of communications;

· authentication purposes in Grid Infrastructures;

· non-repudiation.

4.5.2 Relying party public key and certificate usage

Relying parties can use the public keys and certificates of the subscribers for:

· email encryption and signature verification (S/MIME);

· server authentication and encryption of communications;

· authentication purposes in Grid infrastructures.

Before using a certificate the relying party must validate it against the CRL (or, later, using the

planned OCSP facility) most recently published in the MD-Grid CA repository.