ATIS 1000084
Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
| Organization: | ATIS |
| Publication Date: | 1 August 2018 |
| Status: | active |
| Page Count: | 23 |
scope:
This technical report introduces operational and management considerations for STI Certification Authorities (STICAs) within the context of the SHAKEN framework (ATIS-1000074) and the SHAKEN: Governance Model and Certificate Management framework (ATIS-1000080). This document focuses on the operational and management aspects that impact the authentication and verification services, as well as general Certification Authority (CA) practices and policies. The document addresses the STI-PA operational aspects of managing the list of STI-CAs and authorization of Service Providers to obtain STI certificates. This document does not address any additional policy aspects defined by the STI Governance Authority (STI-GA), and applied by the STI Policy Administrator (STIPA), in determining whether a CA is qualified to serve as an STI-CA nor whether a service provider is a valid service provider. The guidelines and recommendations provided in this document are based on an STI-PA starting with a list of trusted STI-CAs and a list of valid Service Providers.
Purpose
The SHAKEN: Governance Model and Certificate Management framework uses standard Public Key Infrastructure (PKI) for creating and distributing STI certificates. As such PKI Certification Practice Statement (CPS) and Certificate Policy (CP), documents per RFC 3647, are an operational requirement for the STI-CAs. This document outlines the role of the STI-PA in defining and administering required certificate policies to support SHAKEN.
The SHAKEN Governance Model and Certificate Management framework introduces a model whereby the STI-PA maintains a list of trusted STI-CAs. This list is distributed to Service Providers and used during the verification process to ensure that the public key certificate associated with a specific SIP Identity header field has been issued by a valid STI-CA. This document specifies the form of the information stored in the list and the mechanism for distributing that list to the Service Providers.
The Service Provider obtains STI certificates from the STI-CA to create signatures authenticating the identity of originators of Session Initiation Protocol (SIP) requests. The SP can obtain STI certificates from any approved STICA in the list of trusted STI-CAs received from the STI-PA. During account registration with the STI-PA, as detailed in ATIS-1000080, the SP selects the preferred STI-CA(s).
The SHAKEN certificate management framework is based on using a signed Service Provider Code token for validation when requesting an STI certificate. Prior to requesting a certificate, the Service Provider requests a Service Provider Code token from the STI-PA as described in ATIS-1000080. When a Service Provider initiates a Certificate Signing Request (CSR), the Service Provider proves to the STI-CA that it has been validated and is eligible to receive an STI certificate via the use of the Service Provider Code token. This document describes the STI-PA management of the Service Provider Code tokens.
Document History
