Cross-Certification
Introduction
CAs, including principal CAs within and any CAs without Government PKI , that interoperate with GRCA through cross-certification are referred as interoperating CAs. To get grant from GRCA for cross-certification, the applicant CA must comply with the requirements of the Assurance level defined in the cited Certificate Policy. Additionally, the applicant CA must have the capabilities to establish and manage the following aspects:
- Public Key Infrastructure;
- digital signatures and certificate issuing technology;
- the corresponding responsibilities and obligations among CA, RA, and the relying party.
Certification Applications
Phase 1: Initiation
- Initial application
A filled-in request form accompanied by applicant CA's CPS, CP, and PKCS#10 certificate application file shall be submitted to MODA via formal official document delivery.
- Identification and authentication
MODA will perform identification and authentication on the applicant CA in accordance with the procedures defined in Section 3.1.8 of GRCA's CPS.
- GRCA carries out the following check-up procedure
GRCA carries out the following check-up procedure
- Confirm that there are no technical incompatibilities existing between GRCA and applicant CA.
- Evaluate the mapping of the applicant CA's CP to GRCA's CP if different CP is cited.
- Check the conformance of applicant CA's CPS to its cited CP.
- Examine the submitted PKCS#10 certificate application file and ensure that the actual cross-certification can be achieved.
- GRCA will give a summary report of the above procedure to MODA.The process moves on to the next phase.
Phase 2: Examination
-
MODA shall convene a Government Electronic Certificate Steering Committee meeting , in which the application together with the supporting documents will be examined ant the summary report from GRCA will be reviewed in order to determine the feasibility of the cross-certification. Depending on the committee's determination, the application may be
(1) rejected,
(2) required to submit additional supporting documents,
(3) or moving on to the next phase.
Phase 3: Negotiation
MODA shall convene a meeting, notify the applicant CA to attend, and proceed as follows.
-
Identification and authentication Before the meeting starts, MODA shall identify and authenticate the identity of the applicant CA's representative in accordance with the procedures defined in Section 3.1.9 of GRCA's CPS.
-
MODA and the applicant CA shall negotiate the provisions and terms to be followed.
-
MODA shall decide whether to interoperate with the applicant CA or not. If yes, then both parties shall sign the Cross Certification Agreement.
-
The process moves on to the next phase.
Certificate Issuance
GRCA shall issue the certificate to the applicant CA if instructed by MODA as such. After issuance, MODA shall notify the applicant CA with formal official document, attached with the issued certificate.
If MODA decides not to issue the cross-certificate, the applicant CA shall also be notified by a formal official document along with the reason(s) for the rejection.
GRCA shall have its self-signed certificate (verified by MODA) delivered to the applicant CA in accordance with the procedures defined in Section 6.1.4 of GRCA's CPS.
Certificate Acceptance
Upon receiving the notification of the approval delivered via formal official document, the applicant CA shall examine the attached certificate to ensure the correctness of its content. After the applicant CA verifies the correctness, it must sign an confirmation document, which shall be sent back to GRCA and MODA by a formal official document. When GRCA receive the confirmation document, it shall post the newly issued certificate to the repository.
If the applicant CA fails to respond within 30 days (upon receiving the approval notification), it is viewed as refusing to accept the certificate. MODA shall then authorize GRCA to revoke that certificate after verifying. No additional announcement shall be made concerning the application.
-
Appropriate CAs now will issue other certificates issued by the GCA. This will complete a systematic PKI structure.
