This Annex to DSD002 ‘DIP Connection and Operation’ has been published as the DIP-PKI Policy to set out the requirements for the DIP-PKI. It sets out the rules and applicability of a Digital Certificate to the DIP. 

1.0.0

<div data-id="1.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">1.1 Scope and purpose</div>

<div data-id="2-2.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">2.1 <u class='defined-term'>DIP Manager</u></div>

<div data-id="2-2.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">2.2 <u class='defined-term'>DIP Verification Service Provider</u></div>

<div data-id="2-2.4" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">2.4 DIP Connection Providers (DCP)</div>

<div data-id="2-2.5" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">2.5 Replying Parties</div>

<div data-id="2" style="text-align: left">2 Key organisations</div>

<div data-id="3-3.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">3.1 DIP Repositories</div>

<div data-id="3-3.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">3.2 <u class='defined-term'>DIP-PKI Repository</u> responsibilities</div>

<div data-id="3" style="text-align: left">3 DIP Repositories and responsibilities</div>

<div data-id="4-4.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">4.1 Naming</div>

<div data-id="4-4.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">4.2 Identification and authentication for routine re-key</div>

<div data-id="4" style="text-align: left">4 Identification and Authentication</div>

<div data-id="5-5.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.1 <u class='defined-term'>Digital Certificate</u> application processing</div>

<div data-id="5-5.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.2 <u class='defined-term'>Digital Certificate</u> Issuance</div>

<div data-id="5-5.3" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.3 <u class='defined-term'>Digital Certificate</u> acceptance</div>

<div data-id="5-5.4" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.4 <u class='defined-term'>Key Pair</u> and <u class='defined-term'>Digital Certificate</u> usage</div>

<div data-id="5-5.5" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.5 <u class='defined-term'>Digital Certificate</u> renewal</div>

<div data-id="5-5.6" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.6 <u class='defined-term'>Digital Certificate</u> voluntary revocation</div>

<div data-id="5-5.6" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.6 Circumstances for revoking a <u class='defined-term'>Digital Certificate</u></div>

<div data-id="5-5.7" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.7 CRL issuance frequency</div>

<div data-id="5-5.8" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.8 On-line revocation/status checking</div>

<div data-id="5-5.9" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.9 Actions in the event of a <u class='defined-term'>Private Key</u> compromise</div>

<div data-id="5-5.10" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.10 End of subscription</div>

<div data-id="5-5.11" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">5.11 Key escrow and recovery statements and practices</div>

<div data-id="5" style="text-align: left">5 Certificate lifecycle Operational requirements</div>

<div data-id="6-6.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.1 Overview</div>

<div data-id="6-6.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.2 Physical Controls</div>

<div data-id="6-6.3" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.3 Procedural controls</div>

<div data-id="6-6.4" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.4 Personnel controls</div>

<div data-id="6-6.5" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.5 Audit Logging Procedures</div>

<div data-id="6-6.6" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.6 The IA shall ensure the RA shall record for audit purposes, at minimum, the event types listed below:</div>

<div data-id="6-6.7" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.7 Record archiving</div>

<div data-id="6-6.8" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.8 Key changeover</div>

<div data-id="6-6.9" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">6.9 Compromise and disaster recovery</div>

<div data-id="6" style="text-align: left">6 Facility, management, and operational controls</div>

<div data-id="7-7.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.1 Key pair generation and installation</div>

<div data-id="7-7.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.2 Key sizes and parameters</div>

<div data-id="7-7.3" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.3 Key usage purposes (as per x.509 v3 key usage field)</div>

<div data-id="7-7.4" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.4 <u class='defined-term'>Private Key</u> protection and cryptographic module engineering controls</div>

<div data-id="7-7.5" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.5 <u class='defined-term'>Private Key</u> transfer into or from a cryptographic module</div>

<div data-id="7-7.6" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.6 Method of activating <u class='defined-term'>Private Key</u>s</div>

<div data-id="7-7.7" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.7 Method of destroying private key</div>

<div data-id="7-7.8" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.8 Other aspects of key pair management</div>

<div data-id="7-7.9" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.9 Activation Data</div>

<div data-id="7-7.10" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.10 Computer security controls</div>

<div data-id="7-7.11" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.11 Life Cycle Technical Controls</div>

<div data-id="7-7.12" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">7.12 Network Security Controls</div>

<div data-id="7" style="text-align: left">7 Technical Security Controls</div>

<div data-id="8-8.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">8.1 <u class='defined-term'>Certificate Profile</u></div>

<div data-id="8-8.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">8.2 CRL Profile</div>

<div data-id="8-8.3" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">8.3 OCSP Profile</div>

<div data-id="8" style="text-align: left">8 Certificate, CRL, and OCSP Profiles</div>

<div data-id="9-9.1" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.1 Frequency or circumstances of assessment</div>

<div data-id="9-9.2" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.2 Identity/qualifications of assessor</div>

<div data-id="9-9.3" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.3 Assessor's relationship to assessed entity</div>

<div data-id="9-9.4" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.4 Topics covered by assessment</div>

<div data-id="9-9.5" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.5 Actions taken as a result of deficiency</div>

<div data-id="9-9.6" style="margin-left:0.59in;text-indent:-0.59in;text-align: left">9.6 Communication of results</div>

<div data-id="9" style="text-align: left">9 Compliance Audit and other assessments</div>

<div data-id="amendment-record" style="text-align: center">Amendment Record</div>

CONTENTS

DSD002 Annex 3 - The DIP PKI Policy V1.0.0