6. Technical security controls

6.1 Key pair generation and installation

6.1.1 Key pair generation

Root CA and Issuing CA keys are generated in a cryptographic module certified to FIPS 140-2 Level 3 or higher (equivalent: Common Criteria EAL 4+ with an applicable Protection Profile). The specific HSM vendor is documented in the security plan (US-CA-02).

Pending. Subscriber key pair generation.

6.1.5 Key sizes

  • Root CA: ECDSA P-384 or RSA 4096.
  • Issuing CA: ECDSA P-384 or RSA 4096.
  • Subscriber: ECDSA P-256 or RSA 2048 minimum.
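
The sizes above can be checked mechanically before a key is certified. The following is an added example, not part of this CPS or the CA's own tooling: it reads a DER SubjectPublicKeyInfo with the standard library only and compares it to the list. All names are hypothetical, the sample keys are constructed bytes, and it assumes the CA entries are exact sizes while the subscriber entry is a minimum.

```python
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
P256, P384 = bytes.fromhex("2a8648ce3d030107"), bytes.fromhex("2b81040022")
CURVE_BITS = {P256: 256, P384: 384}
# 6.1.5 as read here: role -> (EC bits, RSA bits, is the listed size a minimum?)
POLICY = {"root": (384, 4096, False), "issuing": (384, 4096, False),
          "subscriber": (256, 2048, True)}

def tlv(buf, pos=0):                             # read one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def key_info(spki):                              # -> ('EC', curve_bits) or ('RSA', modulus_bits)
    _, body, _ = tlv(spki)                       # outer SEQUENCE
    _, alg, nxt = tlv(body)                      # AlgorithmIdentifier
    _, bits, _ = tlv(body, nxt)                  # BIT STRING subjectPublicKey
    _, oid, nxt = tlv(alg)
    if oid == OID_EC:
        _, curve, _ = tlv(alg, nxt)              # namedCurve parameter
        if curve in CURVE_BITS:
            return "EC", CURVE_BITS[curve]
    elif oid == OID_RSA:
        _, rsa, _ = tlv(bits[1:])                # skip unused-bits octet -> RSAPublicKey
        _, modulus, _ = tlv(rsa)                 # first INTEGER is n
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    raise ValueError("key algorithm or curve not listed in 6.1.5")

def compliant(role, spki):
    (kind, size), (ec, rsa, is_minimum) = key_info(spki), POLICY[role]
    want = ec if kind == "EC" else rsa
    return size >= want if is_minimum else size == want

def der(tag, value):                             # DER encoder, only for the samples below
    n = len(value)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + value

def sample_ec(curve, coord_len):                 # constructed bytes, not a real key
    alg = der(0x30, der(0x06, OID_EC) + der(0x06, curve))
    return der(0x30, alg + der(0x03, b"\x00\x04" + b"\x11" * (2 * coord_len)))

def sample_rsa(bits):                            # constructed modulus, not a real key
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
```

Keys on curves or algorithms outside the list raise `ValueError` rather than returning `False`, so an unexpected key type is never silently treated as a size failure.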

6.1.7 Key usage purposes (X.509 v3 keyUsage field)

See individual CPs (docs/cp/*).

6.2 Private key protection and module engineering controls

Pending. M-of-N activation, multi-party control, multi-party backup.

6.3 Other aspects of key pair management

Pending.

6.4 Activation data

Pending.

6.5 Computer security controls

Pending.

6.6 Lifecycle technical controls

Pending.

6.7 Network security controls

Pending.

6.8 Time-stamping

When in production, the TSA service complies with RFC 3161 and operates under the tsa-responder profile (see /cp/tsa-responder).