PIN Security Requirements:
19-12 Certificates used in conjunction with remote key-distribution functions must only be used for a single purpose.
- Certificates associated with encryption for remote key-distribution functions must not be used for any other purpose.
- Certificates associated with authentication of the KDH must not be used for any other purpose.
- Certificates associated with authentication of the POI must not be used for any other purpose.
- Certificates associated with authentication of POI firmware and POI applications must not be used for any other purpose.
If CA separation is used to ensure certificate segmentation:
- Sub-CAs used to produce certificates used for remote key-delivery functions must not be used to produce certificates used for any other purpose.
- Sub-CAs used to produce certificates for POI firmware and POI application authentication must not be used for any other purpose.
If policy-based certificate segmentation is used to achieve unique purpose certificates:
- The method of segmentation between certificates must be reflected in the certificate practice statement (CPS) for the CA.
- Certificates issued for remote key-distribution purposes must include a mechanism to identify designation for this purpose.
- Each SCD using a certificate in a remote key-delivery function must ensure there is a designation included in the certificate indicating that it is for use in the remote key-delivery function for which it is being used.
- Each SCD using a certificate in a remote key-delivery function must ensure that if there is a designation included in a certificate that indicates it is for use in a remote key-delivery function, the SCD does not use it for any other purpose.
Testing Procedures:
19-12.a Examine implementation schematics and other relevant documentation to identify PKI architecture and where certificates are used in the implementation.
19-12.b Identify mechanism(s) used to restrict certificates to a single-purpose use as either:
a) Separation of the Sub-CAs issuing the certificates, or
b) Policy-based certificate segmentation that depends upon a characteristic of the certificate.
19-12.c If CA separation is used to ensure certificate segmentation, confirm that the following are true:
a) The designation of each Sub-CA is documented.
b) Policies and procedures are in place to support and require appropriate use of each Sub-CA.
c) Any Sub-CA used to produce certificates used for remote key-delivery functions (i.e. encryption, POI authentication, or KDH authentication) is not used to produce certificates used for any other purpose.
d) Any Sub-CA used to produce certificates for POI firmware and POI application authentication is not used for any other purpose.
19-12.d If policy-based certificate segmentation is used to ensure certificate segmentation, confirm that all of the following are true:
a) The method of segmentation between certificates is clearly stated in the certificate practice statement (CPS) for the CA.
b) Certificates issued for all of the remote key-distribution functions (i.e. encryption, POI authentication, or KDH authentication) include a mechanism to identify designation for this purpose.
c) Policies and procedures are in place to support and require specific function designation for each certificate issued, and there is evidence that such procedures are followed.
d) The SCDs involved in the remote key-delivery functions ensure that the certificates used for these functions are designated for the purpose for which they are being used.
e) The SCDs involved in remote key delivery ensure that certificates with remote key-delivery designation are not used for some other purpose.
19-12.e Confirm that the mechanisms in place are effective in restricting the certificates to a single-purpose use as noted below:
a) Certificates associated with encryption for remote key-distribution functions are not used for any other purpose.
b) Certificates associated with authentication of the KDH are not used for any other purpose.
c) Certificates associated with authentication of the POI are not used for any other purpose.
d) Certificates associated with authentication of POI firmware and POI applications are not used for any other purpose.
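As an added illustration (not part of the standard's text), the SCD-side check required by the policy-based segmentation bullets above and by 19-12.d (d) and (e) can be expressed over an X.509 Extended Key Usage designation. The designation OIDs below are hypothetical private-arc values standing in for whatever the CA's CPS actually defines; Go's standard library is used both to mint constructed self-signed test certificates and to enforce the single-purpose rule.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Hypothetical private-arc OIDs standing in for the designations the CA's CPS
// would assign to each remote key-delivery (RKD) function.
var rkdPurposes = map[string]asn1.ObjectIdentifier{
	"rkd-encryption": {1, 3, 6, 1, 4, 1, 99999, 1},
	"rkd-kdh-auth":   {1, 3, 6, 1, 4, 1, 99999, 2},
	"rkd-poi-auth":   {1, 3, 6, 1, 4, 1, 99999, 3},
}

// issueCert builds a self-signed test certificate whose Extended Key Usage
// extension carries the given designation OIDs (constructed sample input).
func issueCert(designations ...asn1.ObjectIdentifier) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(time.Hour),
		UnknownExtKeyUsage: designations,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// checkUse is the SCD-side check of 19-12.d (d) and (e): an RKD function may only
// use a certificate designated for exactly that function, and a certificate
// carrying any RKD designation is refused for every other use.
func checkUse(cert *x509.Certificate, purpose string) error {
	var found []string
	for name, oid := range rkdPurposes {
		for _, eku := range cert.UnknownExtKeyUsage {
			if eku.Equal(oid) {
				found = append(found, name)
			}
		}
	}
	if _, isRKD := rkdPurposes[purpose]; isRKD && (len(found) != 1 || found[0] != purpose) {
		return errors.New("certificate not designated for " + purpose)
	} else if !isRKD && len(found) > 0 {
		return errors.New("RKD-designated certificate refused for " + purpose)
	}
	return nil
}
```

A certificate with no RKD designation, or with more than one, is refused for every remote key-delivery function, while a designated certificate is refused for anything outside the function it names.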