Internet Draft                                             D. Pinkas
                                                                Bull
Target Category: INFORMATIONAL                               N. Pope
August 2002                                     Security & Standards
Expires in six months                                        J. Ross
                                                Security & Standards

          Policy Requirements for Time-Stamping Authorities

Status of this Memo

   This document is an Internet-Draft and is NOT offered in accordance
   with Section 10 of RFC 2026, and the authors do not provide the IETF
   with any rights other than to publish as an Internet-Draft.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

   This document defines requirements for a baseline time-stamp policy
   for TSAs issuing time-stamp tokens, supported by public key
   certificates, with an accuracy of one second or better.

   A TSA may define its own policy which enhances the policy defined in
   the current document. Such a policy shall incorporate or further
   constrain the requirements identified in the current document.

   The contents of this Informational RFC are technically equivalent to
   ETSI TS 102 023 [TS 102023]. The ETSI TS is under the ETSI
   Copyright (C). Individual copies of this ETSI deliverable can be
   downloaded from http://www.etsi.org

Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC 2119].

Pinkas, Pope, Ross           Informational                  [Page 1]

      Policy Requirements for Time-Stamping Authorities  August 2002

Table of Contents

   1. Introduction                                             4
   2. Overview                                                 5
   3. Definitions and abbreviations                            5
     3.1. Definitions                                          5
     3.2. Abbreviations                                        7
   4. General concepts                                         7
     4.1. Time-stamping services                               7
     4.2. Time-stamping authority                              7
     4.3. Subscriber                                           8
     4.4. Time-stamp policy and TSA practice statement         8
       4.4.1. Purpose                                          8
       4.4.2. Level of specificity                             8
       4.4.3. Approach                                         9
   5. Time-stamp Policies                                      9
     5.1. Overview                                             9
     5.2. Identification                                       9
     5.3. User Community and applicability                    10
     5.4. Conformance                                         10
   6. Obligations and liability                               10
     6.1. TSA obligations                                     10
       6.1.1. General                                         10
       6.1.2. TSA obligations towards subscribers             11
     6.2. Subscriber obligations                              11
     6.3. Relying party obligations                           11
     6.4. Liability                                           11
   7. Requirements on TSA practices                           11
     7.1. Practice and Disclosure Statements                  12
       7.1.1. TSA Practice statement                          12
       7.1.2. TSA disclosure Statement                        13
     7.2. Key management life cycle                           14
       7.2.1. TSU key generation                              14
       7.2.2. TSU private key protection                      15
       7.2.3. TSU public key Distribution                     15
       7.2.4. Rekeying TSU's Key                              16
       7.2.5. End of TSU key life cycle                       16
       7.2.6. Life cycle management of the cryptographic
              module used to sign time-stamps                 17
     7.3. Time-stamping                                       17
       7.3.1. Time-stamp token                                17
       7.3.2. Clock Synchronization with UTC                  18
     7.4. TSA management and operation                        19
       7.4.1. Security management                             19
       7.4.2. Asset classification and management             20
       7.4.3. Personnel security                              20
       7.4.4. Physical and environmental security             22
       7.4.5. Operations management                           23
       7.4.6. System Access Management                        24
       7.4.7. Trustworthy Systems Deployment and Maintenance  25
       7.4.8. Compromise of TSA Services                      25
       7.4.9. TSA termination                                 26
       7.4.10. Compliance with Legal Requirements             27
       7.4.11. Recording of Information Concerning
               Operation of Time-stamping Services            27
     7.5. Organizational                                      28
   8. Acknowledgments                                         29
   9. References                                              29
   10. Authors' addresses                                     31
   Annex A (informative): Coordinated Universal Time          32
   Annex B (informative): Possible for Implementation Architectures