v0.3 - 17 March, 2004
- Eligible Applicants
CUHK staff and students
- Certificate Classes
User identity (Client certificate): CUHK staff/student, associated with an e-mail address, CUHK department name.
Server identity (Server certificate): Host name of the server, department/unit name to which the server belongs.
Software developer identity (Object signing certificate): Department/unit name to which the program code being signed belongs.
The digital certificates issued by CUHK carry no other implications about the subject, such as a person's character, a server's availability or security, or a program code's quality (such as reliability or freedom from bugs/viruses).
- Certification Application
a. User certificates would be granted based on information from Registry and Personnel Office. Applications for server certificates require the department head's signature/approval.
b. Certificates would be granted upon request.
- Validation of Certificate Applicants
a. Rely on the accuracy of the information from Registry and Personnel Office.
b. Validation of server certificate applications is based on the information provided by the related departments.
c. Users must present their student/staff ID cards to ITSC for validation purposes.
- Certificate Issuance
a. Only a limited number of ITSC staff would be assigned to issue CUHK Digital Certificates.
b. Staff of different sections from ITSC have to work together to complete the key issuing process. No single staff member can carry out the key issuing process alone.
c. Extensive logging of the issuance process is enabled to ensure that the certificates are authoritative.
d. The key issuing task is divided into 3 parts:
Mail Address Confirmation - Users would receive email from the CA system and need to confirm their email addresses by sending emails to the CA administrator.
Key Signing - Staff from 3 different sections of ITSC have to work together for this signing step.
Identity Validating - Users need to come to the ITSC service counter. Users have to provide their staff/student ID cards for identity validation purposes.
- Certificate Expiration
Both Server Certificates and Client Certificates would expire in 1 year.
- Certificate Renewal
a. An expiration notice would be sent to certificate users one month before expiration.
b. Users should save their own key pairs in order to retrieve emails that were encrypted with expired certificates.
- Certificate Suspension/Revocation
Certificates are expected to be usable for their entire validity period. However, under some circumstances, such as detected or suspected compromise of the corresponding private key, change of personal data, or change of relationship with the organization, the CA can revoke the certificates. Close communication between ITSC, Registry and Personnel Office is essential to monitor these situations.
It is the users' responsibility to keep their private keys secure.
- Information on Certificates
Client Certificate: Staff/Student name, email address, department name.
Server Certificate: Host name, department/unit name.
- Key Recovery/Escrow
a. Users can choose to allow ITSC to keep their private keys. Such private keys would be stored in machines located on a private network and in a secure physical environment. Users applying for key recovery have to provide justification and formal approval from their department heads. Users have to present their identity proof when obtaining the requested keys.
b. If users choose to generate the key pairs themselves, ITSC would not have their private keys and there is no way to recover the keys except by the users themselves. It is the users' responsibility to keep/back up their own private keys.
- Security Control
a. Physical Security
The CA machines are located in the secure production machine room where a CCTV (closed-circuit television) system is available. These machines are locked in a secured cabinet. An alarm connected to the Security Unit of CUHK has been installed on the door of this cabinet.
b. Network Control
CA machines are located in a private network. Public access is not possible.
c. Procedure Control
Distinct administrative roles have been established to ensure that a single ITSC staff member cannot act alone to create/issue/sign unauthorized certificates.
- Certificate Revocation List Checking
Applications that rely on the CUHK Digital Certificates have to check the updated CRL (certificate revocation list).