Cross-Certification

Introduction

CAs, including principal CAs within and any CAs without Government PKI , that interoperate with GRCA through cross-certification are referred as interoperating CAs. To get grant from GRCA for cross-certification, the applicant CA must comply with the requirements of the Assurance level defined in the cited Certificate Policy. Additionally, the applicant CA must have the capabilities to establish and manage the following aspects:

  • Public Key Infrastructure;
  • digital signatures and certificate issuing technology;
  • the corresponding responsibilities and obligations among CA, RA, and the relying party.

Certification Applications

Phase 1: Initiation

  • Initial application

    A filled-in request form accompanied by applicant CA's CPS, CP, and PKCS#10 certificate application file shall be submitted to RDEC via formal official document delivery.

  • Identification and authentication

    RDEC will perform identification and authentication on the applicant CA in accordance with the procedures defined in Section 3.1.8 of GRCA's CPS.

  • GRCA carries out the following check-up procedure

    GRCA carries out the following check-up procedure

    - Confirm that there are no technical incompatibilities existing between GRCA and applicant CA.

    - Evaluate the mapping of the applicant CA's CP to GRCA's CP if different CP is cited.

    - Check the conformance of applicant CA's CPS to its cited CP.

    - Examine the submitted PKCS#10 certificate application file and ensure that the actual cross-certification can be achieved.

    - GRCA will give a summary report of the above procedure to RDEC.The process moves on to the next phase.

Phase 2: Examination

  • RDEC shall convene a Government Electronic Certificate Steering Committee meeting , in which the application together with the  supporting documents will be examined ant the summary report from GRCA will be reviewed in order to determine the feasibility of the  cross-certification. Depending on the committee's determination, the application may be

    (1) rejected,

    (2) required to submit additional supporting documents,

    (3) or moving on to the next phase.

Phase 3: Negotiation

RDEC shall convene a meeting, notify the applicant CA to attend, and proceed as follows.

  • Identification and authentication Before the meeting starts, RDEC shall identify and authenticate the identity of the applicant CA's representative in accordance with the procedures defined in Section 3.1.9 of GRCA's CPS.

  • RDEC and the applicant CA shall negotiate the provisions and terms to be followed.

  • RDEC shall decide whether to interoperate with the applicant CA or not. If yes, then both parties shall sign the Cross Certification Agreement.

  • The process moves on to the next phase.

Certificate Issuance

GRCA shall issue the certificate to the applicant CA if instructed by RDEC as such. After issuance, RDEC shall notify the applicant CA with formal official document, attached with the issued certificate.

If RDEC decides not to issue the cross-certificate, the applicant CA shall also be notified by a formal official document along with the reason(s) for the rejection.

GRCA shall have its self-signed certificate (verified by RDEC) delivered to the applicant CA in accordance with the procedures defined in Section 6.1.4 of GRCA's CPS.

Certificate Acceptance

Upon receiving the notification of the approval delivered via formal official document, the applicant CA shall examine the attached certificate to ensure the correctness of its content. After the applicant CA verifies the correctness, it must sign an confirmation document, which shall be sent back to GRCA and RDEC by a formal official document. When GRCA receive the confirmation document, it shall post the newly issued certificate to the repository.

If the applicant CA fails to respond within 30 days (upon receiving the approval notification), it is viewed as refusing to accept the certificate. RDEC shall then authorize GRCA to revoke that certificate after verifying. No additional announcement shall be made concerning the application.

  • Appropriate CAs now will issue other certificates issued by the GCA. This will complete a systematic PKI structure.