CAs, including principal CAs within ePKI and any CAs outside ePKI, that interoperate with eCA through cross-certification are referred to as subject CAs. To be granted cross-certification by eCA, the applicant CA must comply with the requirements of the assurance level defined in the cited Certificate Policy. Additionally, the applicant CA must have the capabilities to establish and manage the following aspects:
(1) Public Key Infrastructure
(2) Digital signatures and certificate issuing technology
(3) The corresponding responsibilities and obligations among the CA, the RA, and the relying party

Phase 1: Initiation

• Initial application

The cross-certification request form, accompanied by the Certification Practice Statement and the certification request file in PKCS#10 format, shall be sent by post via formal official document.
If the Certification Authority adopts a Certificate Policy other than ePKI-CP, the Certificate Policy it complies with shall also be included.

• Identification and authentication

Identification and authentication of the applicants shall be performed in accordance with the procedures defined in the ePKI Root Certification Authority Certification Practice Statement (eCA CPS), section 3.1.8.

• Verification

It shall be confirmed that there is no technological incompatibility between the applicant agency and eCA. If ePKI-CP is not adopted, the policy mapping shall be examined. It shall be verified that the CPS of the applicant agency complies with the CP it adopts. The certification request file in PKCS#10 format shall be verified to ensure that the actual cross-certification can be carried out.

Phase 2: Examination

The ePKI Policy Management Committee shall be convened to evaluate the submitted documents together with the eCA verification summary. Based on the evaluation, the Committee shall determine whether to enter the next stage, to demand additional supporting documents, or to reject the request.

Phase 3: Arrangement

An arrangement meeting shall be convened, and the applicant agency shall be notified to attend.
It shall proceed as follows:

• Identification and authentication

Before the commencement of the meeting, the delegate of the applicant agency shall be identified and authenticated in accordance with eCA CPS section 3.1.9.

• The terms and conditions to be followed shall be negotiated with the applicant agency.

• If the cross-certification is deemed feasible, then it is ratified by signing the Cross-Certification Agreement.

• Proceed to the certificate issuance process.

Based upon the ratification result of the cross-certification, eCA shall determine whether or not to issue the requested certificate(s).
When the issuance is done, the applicant agency shall be notified by formal official document, with its issued certificate(s) included.
If the certificate request is rejected, the applicant agency shall be notified by formal official document, with an explanation of why the request was rejected.
A Self-Signed Certificate shall be signed by eCA and shall be delivered to the relying parties in accordance with eCA CPS Section 6.1.4.

Upon receiving the formal official document granting the application request, the applicant agency (now the Subscriber) shall check the correctness of the content of the included certificate(s). If the content is correct, the Subscriber shall sign the acceptance document and send it back by formal official document to complete the acceptance procedure. Upon receiving the acceptance document, eCA shall publish the corresponding issued certificate(s) in the depository.
If the Subscriber fails to send back the signed acceptance document within thirty calendar days, it is deemed a refusal of acceptance. In this case, eCA shall revoke the corresponding certificate(s) without further announcement.