(ACP) 16th WEBMEETING OF THE WORKING GROUP S

ACP-WG S/WP-XX
International Civil Aviation Organization
13/01/16
WORKING PAPER
AERONAUTICAL COMMUNICATIONS PANEL (ACP)
16th WEBMEETING OF THE WORKING GROUP S (Surface)
14 January, 2016
Agenda Item xx: Xxx
TOPICS OF PKI CERTIFICATE PROFILE & POLICY FOR AERONAUTICAL MOBILE
AIRPORT COMMUNICATIONS SYSTEM (AEROMACS)
(Presented by Brian Crowe and Rich Hawkins, WiMAX Forum)
SUMMARY
The WiMAX Forum Aviation Working Group PKI Task Group is comprised
of subject matter experts from the aviation industry and security providers.
Leveraging this combined experience, this group is developing an AeroMACS
PKI Certificate Profile and Certificate Practices Statement.
ACTION
Consider and evaluate the PKI Certificate Profile and Policy Requirement
elements developed by the WiMAX Forum AWG PKI Task Group in defining
the AeroMACS PKI Certificate Policy & Practices requirements for inclusion
in the ICAO IPS Technical Manual and Guidance Material.
1. INTRODUCTION
1.1 The WiMAX Forum Aviation Working Group (AWG) formed a PKI Task Group to
leverage the experience of the Forum, Symantec and subject matter experts from the aviation community
to identify topics of consideration for determining the policy practices for issuing certificates to the
various devices and servers in the AeroMACS ecosystem. The AWG has previously presented Working
Papers to WG-S and asked the group to consider and evaluate the findings of the WiMAX Forum AWG
PKI Task Group and include the AeroMACS PKI Certificate Policy (CP) in the ICAO Technical Manual
and Guidance Material. As a follow-up, the AWG has extracted a list of requirements from the PKI CP.
(4 pages)
In developing this list, the AWG used the RFC definitions of “Shall”, “Should”, “May” etc., and the definition
is included as a reference in section 4 to suggest a standard method to define required elements.
2. DISCUSSION
2.1 Definitions
2.1.1 Subscriber (Certificate Requester) Requirements
Certificate Enrolment Process and Responsibilities
Shall agree to be bound by a relevant Subscriber Agreement that contains representations and
warranties described in the applicable section of the CP.
Shall complete a Certificate Application and provide true and correct information.
Shall generate, or arrange to have generated, a key pair, in accordance with the applicable section
of the CP.
Shall deliver his, her, or its public key, directly or through an RA, to the CA's facility.
Shall demonstrate possession of the private key corresponding to the public key as described in the
applicable section of the CP.
Shall sign a document stating that the Subscriber shall protect the Private Key and use the Certificate and
Private Key for authorized purposes only.
Conduct Constituting Certificate Acceptance
Shall accept a certificate by downloading, installing, or using the certificate.
Shall be able to use the Private Key corresponding to the Public Key in the Certificate once the Subscriber
has agreed to the Subscriber Agreement and accepted the Certificate.
Shall protect their Private Keys from unauthorized use and shall discontinue use of the Private Key
following expiration or revocation of the Certificate.
Shall use the certificate lawfully in accordance with the Subscriber Agreement and the terms of the CP.
Shall use the certificate for functions as defined by the keyUsage and extendedKeyUsage extensions
within the certificate.
Processing Certificate Renewal Requests
Shall provide proof of possession of the Private Key in order to renew a Certificate as specified in section
3.3 of the CP.
Certificate Re-key
Shall identify themselves for the purpose of re-keying.
Shall provide proof of possession of the newly generated key pair's Private Key.
Certificate Revocation
If a subscriber is ceasing its relationship with an organization that sponsored a Certificate, they shall,
prior to departure, surrender to the organization (through any accountable mechanism) all such
hardware tokens that were issued by or on behalf of the sponsoring organization.
Subscriber Private Key Compromise
Shall report any suspected or real compromise of their Private Key to their issuing CA or RA.
Subscriber Key Pair Generation
When requesting a medium-assurance hardware certificate, the Subscriber shall generate the keys in a
hardware cryptographic module rated at least FIPS 140-2 Level 2.
Private Key Delivery to Subscriber
Shall acknowledge receipt of the private key(s).
Cryptographic Module Standards and Controls
Subscribers with low- or medium-assurance software certificates shall use a FIPS 140-2 Level 1 or higher
approved cryptographic module for their cryptographic operations.
Aircraft avionics Subscribers (e.g. an AMS Aircraft Entity) shall use hardware or software cryptographic
modules that are consistent with jurisdictional regulations concerning avionics.
Private Key Escrow
Subscriber private signature keys shall not be escrowed.
Private Key Backup
If required by applicable jurisdictional regulatory law to support key recovery, backed up private keys
must be held under the control of the Subscriber or other authorized administrator.
Subscriber medium-assurance (hardware) private keys shall not be backed up.
Private Key Archival
Subscriber private signature keys shall not be archived.
Subscriber Private Keys
Subscriber must be authenticated to the cryptographic module before the activation of any Private Keys.
Entry of subscriber activation data shall be protected from disclosure (i.e. not displayed while entering).
Certificate Operational Periods and Key Pair Usage Periods
Subscribers’ private signing keys shall be valid for a maximum of three (3) years.
Subscribers’ public verification keys and certificates shall be valid for a maximum of three (3) years.
Activation Data Transmission
To the extent desktop computer or network logon user name/password combination is used as
activation data for an end-user Subscriber, the passwords transferred across a network shall be
protected against access by unauthorized users.
Certificate Profile
Subscriber Certificates shall not include the subjectKeyIdentifier extension.
Subscriber Certificates shall not include the basicConstraints extension.
The countryName shall be the two-letter ISO 3166-1 country code for the country in which the
Subscriber’s place of business is located.
The organizationName shall contain the Subscriber organization name (or abbreviation thereof),
trademark, or other meaningful identifier.
When the organizationalUnitName is included, one or more OUs shall contain additional identifying
information.
The commonName shall contain the device MAC Address that will bind the certificate’s public key to the
device.
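The Certificate Profile rules above, together with the three-year certificate validity limit, can be checked mechanically. The following is an added example, not part of the working paper or any WiMAX Forum code; it uses Go's standard crypto/x509 package, the names CheckProfile and Sample are hypothetical, and it assumes the MAC address appears in the commonName as six colon- or hyphen-separated hex octets (the paper does not specify a text form). Membership of the country code in the ISO 3166-1 list is not checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Assumed text forms (not specified by the paper): MAC as six hex octets, country as two capitals.
var macRe, ccRe = regexp.MustCompile(`(?i)\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b`), regexp.MustCompile(`^[A-Z]{2}$`)

// CheckProfile returns the Subscriber certificate rules that c violates (empty if none).
func CheckProfile(c *x509.Certificate) []string {
	var v []string
	add := func(bad bool, msg string) {
		if bad {
			v = append(v, msg)
		}
	}
	add(len(c.SubjectKeyId) > 0, "subjectKeyIdentifier present")
	add(c.BasicConstraintsValid, "basicConstraints present")
	add(len(c.Subject.Country) != 1 || !ccRe.MatchString(c.Subject.Country[0]), "countryName is not one two-letter code")
	add(len(c.Subject.Organization) == 0, "organizationName missing")
	add(!macRe.MatchString(c.Subject.CommonName), "commonName carries no MAC address")
	add(c.NotAfter.After(c.NotBefore.AddDate(3, 0, 0)), "validity exceeds three years")
	return v
}

// Sample builds a constructed self-signed certificate for the demo (all values are made up).
func Sample(cn string, years int, ski []byte) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().UTC()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), SubjectKeyId: ski,
		Subject:   pkix.Name{Country: []string{"US"}, Organization: []string{"Example Airport"}, CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	fmt.Println(CheckProfile(Sample("00:1A:2B:3C:4D:5E", 2, nil)))
	fmt.Println(CheckProfile(Sample("gateway-01", 5, []byte{1, 2, 3, 4})))
}
```

A CA or RA could run a check of this kind on a to-be-signed certificate before issuance, and a relying party could run it on received Subscriber certificates.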
3. ACTION BY THE MEETING
3.1 The ACP WG-S is invited to:
3.1.1 Consider and evaluate the AeroMACS PKI Certificate Profile elements and requirements
as outlined.
3.1.2 Provide input to the WiMAX Forum AWG PKI Task Group on any questions that remain
to be answered in an effort to better define requirements or PKI Certificate Profile elements.
3.1.3 Once the evaluation is complete, consider the list of requirements defined herein for
inclusion in the ICAO Technical Manual and/or Guidance Material. The WiMAX Forum AWG can
provide introductory or summary information to accompany this section that positions the content into the
ICAO documents.
4. REFERENCE:
4.1 IETF Request for Comments 2119