U.S. Higher Education Root Certificate Authority

Expected Practices [doc]

Subscriber Expected Practices

U.S. Higher Education Root Certification Authority
December 4, 2006

The U.S. Higher Education Root (USHER) Certification Authority service is operated by Internet2 as part of a community effort to establish a hierarchical Public Key Infrastructure (PKI) for use by the U.S. higher education community.  USHER facilitates higher education's ability to trust certificates issued by peer institutions1, effectively building a trust fabric that leverages a variety of inter-campus applications. USHER focuses on enabling those applications that require a level of trustworthy identity, operational integrity, and security for user authentication that matches the existing practices used on campuses for services such as central electronic mail and file storage.

USHER membership is available primarily to U.S. higher education institutions and entities sponsored by U.S. higher education institutions as defined by the USHER eligibility rules.  As a higher education, community-driven effort with known participants sharing a common goal, USHER is able to leverage the existing community standards and these Expected Practices as the basis for trust between institutions in lieu of the detailed formal certification policy that is usually part of a PKI.  Institutions that are not able to fully support all of the Expected Practices listed below are expected to not join USHER.  Likewise, if an institution that is already part of USHER finds that it is no longer able to meet the conditions described in these Expected Practices, the institution is expected to withdraw from USHER and cause its campus’s USHER authority certificate to be revoked.  The USHER Policy Authority (PA), if made aware of problems with a subscriber’s CA or practices, will discuss the problem with the subscriber’s appropriate official(s) to either have the problem resolved or to get the subscriber to withdraw from the USHER community.  If such problems can not be resolved via negotiation with the appropriate officials, the PA will initiate a process (defined elsewhere) that can lead to possible revocation of the subscriber's authority certificate.

USHER does not audit or otherwise attempt to verify each organization's compliance with these Expected Practices except in the case described above.  The USHER service is designed to support a community of like-minded higher education institutions and partners.  Organizations which subscribe to USHER agree to make trust decisions accordingly, based upon this level of community standard compliance.  Choosing to join this community implies that your institution intends to work within the framework of these Expected Practices.

Expected Practices

  1. The organization or institutional group that receives the USHER authority certificate will issue certificates to its users and other entities2 using a process that is at least as strong as its existing practice for managing accounts for central services such as electronic mail, calendaring, and access to central file storage.
  2. An organization may issue certificates to any person or entity affiliated with its institution.  The definition of such affiliation is at the sole discretion of the institution but should match its existing practice for the issuance of similar credentials.
  3. Organizations will not intentionally issue certificates intended or foreseeably likely to confuse or mislead relying parties about the identity of the Subject.  For example, issuing a certificate with the same subject name as a previous, different subscriber could allow the second person to gain access to information or services that should only be available to the first person.
  4. The subscribing CA will actively maintain all services that it asserts will exist per certain fields within its certificates.  For example, if a campus issues certificates containing Certificate Revocation List (CRL) pointers, then the campus CA will revoke certificates when needed and update CRLs in accordance with the next issue date in the CRL.  Likewise, if a campus places a Policy OID in its certificates, the campus is expected to operate its CA in a manner consistent with the identified policy.
  5. The operator of a subscribing CA should seriously consider developing some form of CA Policy and Operational Practices document and make this document available via a Certification Practices Statement (CPS) pointer in the certificates issued by the CA.  If a CA does not already have a Certification Policy and Practices document in place, it might choose to use the PKI-Lite model documents, if appropriate.   Having this documentation in place makes it easier for relying parties to make decisions about the level of trust they might place in certificates issued by your CA.
  6. Most institutions will have a single central IT services group and will operate a single USHER-rooted certification authority.  However, this does not preclude institutions with a delegated identity management model from either obtaining multiple authority certificates directly from USHER or from having one institutional CA issue subordinate authority certificates derived from USHER  to another institutional entity as long as these actions are consistent with existing institutional policy and maintain the intent of Expected Practice 1.
  7. Institutions will not issue authority certificates to external parties such as business partners or legal entities not directly under institutional management.  Instead, the institution should sponsor the external party to subscribe to USHER independently.
    However, an institution might issue end-entity certificates to business partner employees or other individuals if necessary for the business or administrative processes of the institution.
  8. The operator of a subscribing CA will consider the security issues associated with CA operations, including the protection of CA private key(s), and will protect the CA infrastructure at least as well as it does other major campus authentication system components.
  9. The operator of a subscribing CA will notify the USHER Operating Authority as quickly as possible in the event that the private key associated with their USHER authority certificate has been compromised.

Footnotes:

1. The peer institution must be a member of USHER or be part of a PKI that is rooted in or bridged to USHER.

2. Entities include devices, subordinate CAs, etc.  USHER places no restrictions on certificate Subjects.