Rootca Cps

8/13/2019 Rootca Cps

1/58

Huawei Equipment CA Certification Practice Statement Confidentialitylevel:public

Copyright 2011 Huawei Technologies Co., Ltd. All rights reserved. 1 of 58

Huawei Equipment CA

Certification Practice Statement

Release v1.0.0

Huawei Technologies Co., Ltd.

Copyright reserved


2/58



Contents

1Introduction .......................................................................................................................................................... 71.1Overview ........................................................................................................................................................ 71.2Document Name and Identification ................................................................................................................ 81.3PKI Participants .............................................................................................................................................. 8

1.3.1Certification authorities ............................................................................................................................ 81.3.2Registration authorities ............................................................................................................................ 91.3.3Subscribers ............................................................................................................................................... 91.3.4Relying parties ......................................................................................................................................... 91.3.5Certificates Applicant ............................................................................................................................... 91.3.6Sponsor ................................................................................................................................................... 101.3.7Other Participants ................................................................................................................................... 10

1.4Certificate Usage .......................................................................................................................................... 101.4.1Appropriate certificate uses .................................................................................................................... 101.4.2Prohibited certificate uses ...................................................................................................................... 10

1.5Policy Administration ................................................................................................................................... 111.6Definitions and Acronyms ............................................................................................................................ 11

2Information publication and management .......................................................................................................... 132.1Repositories .................................................................................................................................................. 132.2Publication of certification information ........................................................................................................ 132.3Time or frequency of publication ................................................................................................................. 13

2.3.1Time or frequency of publication of electronic certification service rule .............................................. 132.3.2Time or frequency of publication of certificate and CRL ...................................................................... 132.3.3Time or frequency of publication of HWCA public information ........................................................... 13

2.4Access controls on repositories..................................................................................................................... 133Identification and Authentication ....................................................................................................................... 15

3.1Naming ......................................................................................................................................................... 153.1.1Types of names ...................................................................................................................................... 153.1.2Need for names to be meaningful........................................................................................................... 153.1.3Anonymity or pseudonymity of subscribers........................................................................................... 153.1.4Rules for interpreting various name forms ............................................................................................. 153.1.5Uniqueness of names .............................................................................................................................. 153.1.6Recognition, authentication, and role of trademarks .............................................................................. 15

3.2Initial Identity Validation ............................................................................................................................. 163.2.1Method to prove possession of private key ............................................................................................ 163.2.2Authentication of organization identity .................................................................................................. 163.2.3Authentication of individual identity ..................................................................................................... 173.2.4Identification and authentication of domain name (or IP address) ......................................................... 173.2.5Validation of authority ........................................................................................................................... 18

3.3Identification and Authentication for Re-key Requests ................................................................................ 183.3.1Identification and authentication for routine re-key ............................................................................... 183.3.2Identification and authentication for re-key after revocation ................................................................. 18


3/58



3.4Identification and authentication for Revocation Requests .......................................................................... 184Certificate Life-Cycle Operational Requirements .............................................................................................. 20

4.1Certificate Application .................................................................................................................................. 204.1.1Who can submit a certificate application ............................................................................................... 204.1.2Enrollment process and responsibilities ................................................................................................. 20

4.2Certificate Application Processing ............................................................................................................... 204.2.1Performing identification and authentication ......................................................................................... 204.2.2Approval or rejection of certificate applications .................................................................................... 204.2.3Time to process certificate applications ................................................................................................. 21

4.3Certificate Issuance ....................................................................................................................................... 214.3.1CA actions during certificate issuance ................................................................................................... 214.3.2Notification to subscriber by the CA of issuance of certificate .............................................................. 21

4.4Certificate Acceptance .................................................................................................................................. 214.4.1Conduct constituting certificate acceptance ........................................................................................... 214.4.2Publication of the certificate by the CA ................................................................................................. 214.4.3Notification of certificate issuance by the CA to other entities .............................................................. 22

4.5Key Pair and Certificate Usage ..................................................................................................................... 224.5.1Subscriber private key and certificate usage .......................................................................................... 224.5.2Signature and validation ......................................................................................................................... 234.5.3Relying party public key and certificate usage....................................................................................... 23

4.6Certificate Renewal ...................................................................................................................................... 234.7Certificate key renewal ................................................................................................................................. 234.8Certificate change ......................................................................................................................................... 244.9Certificate revocation and hang up ............................................................................................................... 24

4.9.1Circumstance for certificate renewal ...................................................................................................... 244.9.2Who may request renewal ...................................................................................................................... 244.9.3Processing certificate renewal requests .................................................................................................. 24

4.10 Certificate state service .......................................................................................................................... 254.11 End of Subscription ................................................................................................................................ 254.12 Key Escrow and Recovery ..................................................................................................................... 25

5Facility, Management, and Operational Controls ............................................................................................... 275.1Physical Security Controls ............................................................................................................................ 27

5.1.1Site location and construction ................................................................................................................ 275.1.2Physical access ....................................................................................................................................... 275.1.3Power and air conditioning .................................................................................................................... 275.1.4Water exposures ..................................................................................................................................... 275.1.5Fire prevention and protection ............................................................................................................... 275.1.6Media storage ......................................................................................................................................... 285.1.7Waste disposal ........................................................................................................................................ 28

5.2Procedural Controls ...................................................................................................................................... 285.2.1Trusted roles ........................................................................................................................................... 285.2.2Number of persons required per task ..................................................................................................... 295.2.3Identification and authentication for each role ....................................................................................... 29


4/58



5.2.4Roles requiring separation of duties ....................................................................................................... 295.3Personnel Controls ........................................................................................................................................ 29

5.3.1Qualifications, experience, and clearance requirements ........................................................................ 295.3.2Background check procedures................................................................................................................ 305.3.3Training requirements ............................................................................................................................ 305.3.4Retraining frequency and requirements ................................................................................................. 305.3.5Job rotation frequency and sequence ...................................................................................................... 305.3.6Sanctions for unauthorized actions......................................................................................................... 315.3.7Independent contractor requirements ..................................................................................................... 315.3.8Documentation supplied to personnel .................................................................................................... 31

5.4Audit Logging Procedures ............................................................................................................................ 315.4.1Types of events recorded ........................................................................................................................ 315.4.2Frequency of processing log .................................................................................................................. 325.4.3Retention period for audit log ................................................................................................................ 325.4.4Protection of audit log ............................................................................................................................ 325.4.5Audit log backup procedures .................................................................................................................. 325.4.6Audit collection system .......................................................................................................................... 325.4.7Notification to event-causing subject ..................................................................................................... 32

5.5Records Archival .......................................................................................................................................... 335.5.1Types of records archived ...................................................................................................................... 335.5.2Retention period for archive ................................................................................................................... 335.5.3Protection of archive .............................................................................................................................. 335.5.4Archive backup procedures .................................................................................................................... 335.5.5Requirements for time-stamping of records ........................................................................................... 335.5.6Archive collection system ...................................................................................................................... 335.5.7Procedures to obtain and verify archive information ............................................................................. 33

5.6Key Changeover ........................................................................................................................................... 335.7Compromise and Disaster Recovery ............................................................................................................. 34

5.7.1Compromise handling procedures .......................................................................................................... 345.7.2Computing resources, software, and/or data are corrupted .................................................................... 345.7.3Entity private key compromise procedures ............................................................................................ 345.7.4Business continuity capabilities after a disaster ..................................................................................... 34

5.8CA or RA Termination ................................................................................................................................. 346Technical Security Controls ............................................................................................................................... 36

6.1Key Pair Generation and Installation ............................................................................................................ 366.1.1Key pair generation ................................................................................................................................ 366.1.2Private key delivery to subscriber .......................................................................................................... 366.1.3Public key delivery to subscriber ........................................................................................................... 366.1.4Key sizes ................................................................................................................................................ 366.1.5Public key parameters generation and quality checking ........................................................................ 366.1.6Key usage purposes ................................................................................................................................ 36

6.2Private Key Protection and Cryptographic Module Engineering Controls ................................................... 376.2.1Private key escrow ................................................................................................................................. 37


5/58



6.2.2Private key backup ................................................................................................................................. 376.2.3Private key transfer into or from a cryptographic module...................................................................... 376.2.4Private key storage on cryptographic module ........................................................................................ 376.2.5Method of destroying private key .......................................................................................................... 37

6.3Other Aspects of Key Pair Management ...................................................................................................... 386.3.1Public key archival ................................................................................................................................. 386.3.2Certificate operational periods and key pair usage periods .................................................................... 38

6.4Activation Data ............................................................................................................................................. 386.4.1Activation data generation and installation ............................................................................................ 386.4.2Activation data protection ...................................................................................................................... 386.4.3Other aspects of activation data.............................................................................................................. 38

6.5Computer Security Controls ......................................................................................................................... 386.5.1Specific computer security technical requirements ................................................................................ 386.5.2Life Cycle Security Controls .................................................................................................................. 396.5.3System development controls ................................................................................................................. 396.5.4Security management controls ............................................................................................................... 396.5.5Life cycle security controls .................................................................................................................... 39

6.6Network Security Controls ........................................................................................................................... 397Certificate, CRL, and OCSP Profiles ................................................................................................................. 40

7.1Certificate Profile.......................................................................................................................................... 407.1.1Huawei Root CA Certificate Profile ...................................................................................................... 407.1.2Huawei Issuing CA Certificate Profile ................................................................................................... 407.1.3Equipment Certificate Profile ................................................................................................................. 41

7.2CRLCertificate revocation list.............................................................................................................. 427.3OCSP ............................................................................................................................................................ 42

8Compliance Audit and Other Assessment .......................................................................................................... 438.1Assessment frequency and conditions .......................................................................................................... 438.2Assessor qualification ................................................................................................................................... 438.3Relation between assessor and assessed object ............................................................................................ 438.4Assessment contents ..................................................................................................................................... 438.5Measures taken for problems and weaknesses .............................................................................................. 448.6Assessment result notification and publication............................................................................................. 44

9Other Business and Legal Matters ...................................................................................................................... 459.1Fees ............................................................................................................................................................... 45

9.1.1Certificate issuance or renewal fees ....................................................................................................... 459.1.2Certificate access fees ............................................................................................................................ 459.1.3Revocation or status information access fees ......................................................................................... 459.1.4Fees for other services ............................................................................................................................ 459.1.5Refund policy ......................................................................................................................................... 45

9.2Financial Responsibility ............................................................................................................................... 459.2.1Insurance coverage ................................................................................................................................. 459.2.2Insurance or warranty coverage for end-entities .................................................................................... 45

9.3Confidentiality of Business Information ....................................................................................................... 46


6/58



9.3.1Scope of confidential information .......................................................................................................... 469.3.2Information not within the scope of confidential information ............................................................... 469.3.3Responsibility to protect confidential information ................................................................................. 46

9.4Privacy of Personal Information ................................................................................................................... 479.4.1Privacy plan ............................................................................................................................................ 479.4.2Information treated as privacy ................................................................................................................ 479.4.3Information not deemed privacy ............................................................................................................ 479.4.4Responsibility to protect private information ......................................................................................... 479.4.5Notice and consent to use private information ....................................................................................... 489.4.6Disclosure pursuant to judicial or administrative process ...................................................................... 489.4.7Other information disclosure circumstances .......................................................................................... 48

9.5Intellectual Property Rights .......................................................................................................................... 489.6Representations and Warranties.................................................................................................................... 49

9.6.1CA representations and warranties ......................................................................................................... 499.6.2RA representations and warranties ......................................................................................................... 519.6.3Subscriber representations and warranties ............................................................................................. 519.6.4Relying party representations and warranties......................................................................................... 539.6.5Representations and warranties of other participants ............................................................................. 53

9.7Disclaimers of Warranties ............................................................................................................................ 539.8Limitations of Liability ................................................................................................................................. 549.9Indemnities ................................................................................................................................................... 549.10 Term and Termination ............................................................................................................................ 55

9.10.1 Term ................................................................................................................................................. 559.10.2 Termination ...................................................................................................................................... 559.10.3 Effect of termination and survival ................................................................................................... 55

9.11 Individual notices and communications with participants ..................................................................... 559.12 Amendments .......................................................................................................................................... 55

9.12.1 Procedure for amendment ................................................................................................................ 559.12.2 Notification mechanism and period ................................................................................................. 559.12.3 Amendment agreement .................................................................................................................... 569.12.4 Circumstances under which OID must be changed ......................................................................... 56

9.13 Dispute Resolution Procedures .............................................................................................................. 569.14 Governing Law ....................................................................................................................................... 579.15 Compliance with Applicable Law .......................................................................................................... 579.16 Miscellaneous Provisions ....................................................................................................................... 57

9.16.1 Entire agreement .............................................................................................................................. 579.16.2 Assignment ...................................................................................................................................... 579.16.3 Severability ...................................................................................................................................... 589.16.4 Enforcement (attorneys' fees and waiver of rights) ......................................................................... 589.16.5 Force Majeure .................................................................................................................................. 58

9.17 Other Provisions ..................................................................................................................................... 58


7/58



1 Introduction

This Certification Practice Statement (hereinafter, CPS) describes the practices of Huawei Equipment Certification

Authority (hereinafter called as HWCA) and the activities in HWCA issuance, and certificate management, operation

and maintenance service, provides the regulations on actual operation for supervision and implementation. This CPS

provides the lawful constraints for the related parties and reminders the related parties to produce and use a digital

certificate within the range regulated in this CPS and validate the digital certificate.

This CPS document will be updated and revised with CA change and will be published at the Web site

http://support.huawei.com/support/pki.

The document structure and content requirement of this CPS should comply with the format in the chapter 4 of RFC

3647.

1.1 Overview

This CPS publishes the basic standpoint and view of the HWCA on the electronic certification service, which is basis

for actual application and operation document and applies to all entities with relationships with the HWCA, including

Certification Authorities (CAs), Registration Authorities (RAs), Staff, Subscribers, and Relying Parties. All

participants must completely understand and perform the articles in the CPS to enjoy rights and assume liabilities.

The Huawei Equipment CA is divided into root CA and issuing CA. the CA hierarchy is shown as follows:

Currently, the HWCA hierarchy consists of the following CAs:

CA type CA name Description of Function

Root CA Huawei Equipment CA Serves as the trust anchor

Huawei Equipment CA

Huawei Issuing CA Huawei Issuing CA

Self-signed


8/58



for the HWCA hierarchy.

Issuing CA Huawei Wireless Network

Product CA

Issues certificates to Huawei

wireless network products.

1.2 Document Name and Identification

The name of this document is HWCA Certification Practice Statementand gives comprehensive description of the

digital certificate and related services provided by the Huawei. HWCACPS, Huawei CA HWCA Certification

Practice Statement, Huawei CACPS, Huawei CA center CPSand Huawei CA center electronic certification

service ruleand other similar expressions should be regarded as this document and reference to this document at any

site.

1.3 PKI Participants

1.3.1 Certification authorities

All CAs within the HWCA hierarchy are called as the certification authority. The CA is an organization to issue the

digital certificate and provides the digital certificate to the electronic certification service. HWCA is the first CA of

the Huawei and provided the electronic digital certificate service to the Huawei devices.

HWCA will deploy CA by the product family. The root CA is the self-signed digital certificate generated by Huawei.

This root CA can be only used by Huawei to sign and issue sub-CA certificate to all Huawei products. the sub-CA of

the product family signs and issues digital certificates for different products.

Now the Huawei CA will not sign and issue CA certificate to outside temporarily and only provides the digital

certificate service to the equipment provided and delivered by Huawei to customers and copartners.

HWCA provides the following digital certificate lifecycle management.

Digital certificate registration application

Digital certificate revocation

Digital certificate hang-up

Digital certificate update

Digital certificate state query service

Distribute certificate status information in the form of Certificate Revocation Lists (CRLs)


9/58



periodically.

Provide a repository to store and certificates and certificate status information.

Directory service

1.3.2 Registration authorities

The registration authority of HWCA (hereinafter called as RA) is the business branch formally authorized by

HWCA. It can identify and authenticate the entity identity of the certificate applicant and either approve or reject

certificate application, certificate revocation and certificate renewal service. the certificate application, certificate

revocation and certificate suspension can be originated by RA and forwarded to CA if audited successfully.

The auditing policy of the Huawei RA system is divided into automatic system auditing and manual auditing. For the

Huawei Issuing CAs, the RA function is performed by Huawei using a combination of automated and manual

processes. The automatic system auditing should be permitted by RA administrator and the auditing policy should be

made. It is used for automated or real-time system. After the corresponding policies are met, the system automatically

audits the certificate request. For other non-automated or real-time system, the manual auditing must be adopted.

1.3.3 Subscribers

The subscriber is the lawful holder of the certificate and is the entity of HWCA. The subscribers are the legal

end-entities to receive the certificates issued by HWCA. The subscriber in this document mainly includes the entities

such as the hosts, servers and network devices which have applied and legally held the digital certificates issued by

the CA within the HWCA domain

The subscriber is the legal holder of a digital certificate and has the corresponding private key of the public key in the

digital certificate. The subscriber is responsible for security protection, storage and use of the private key.

1.3.4 Relying parties

Relying Parties include any entity, individual and organization that may rely upon certificates issued by HWCA and

uses a Subscribers Certificate to verify the integrity of a digitally signed message, to identify the creator of a

message, to authenticate a Subscriber, or to establish confidential communications with the Subscriber. such as the

customers who purchase Huawei equipment.

1.3.5 Certificates Applicant

Applicant can be any natural person or corporate who expects to become the subscriber of HWCA or sub-CA. the

certificate applicant can complete application according to the necessary information regulated in this CPS by the


10/58



type of the certificate to acquire. After a certificate applicant submits its application, it indicates that the HWCA is

authorized for identity identification and the applicant agrees to assist HWCA and its authorized authority to identify

all facts, occurrence environment and other related information in a proper manner at this discretion. Here the proper

manneris consistent with the requirements in this CPS and related laws and regulations.

1.3.6 Sponsor

Sponsor can be any group or organization which can pay all certificate service costs for the affiliated or serving

subscribers or potential subscriber group and is a special certificate service transaction point. The certificate sponsor

has a right to cancel all or partial certificate services of the holder which certificate cost is paid by the sponsor

according to the regulations in this CPS, other regulations published by HWCA, laws and policies. It includes, but not

limited to, revocation of the certificate of the holder.

1.3.7 Other Participants

It indicates other non-mentioned entities which affiliate to HWCA certificate system such as third-party identity

authentication organization selected by HWCA, directory service provider and PKI service-related participants.

1.4 Certificate Usage

1.4.1 Appropriate certificate uses

The HWCA digital certificate is applicable to the applications in the areas such as electronic government public

service, E-business, enterprise informationize and network information transfer and provides foundational credit

service in construction of the trusted network environment. The HWCA digital certificate can be also used for other

purposes, but it cannot breach the local laws and regulations, this CPS (complied in certificate issuing) and subscriber

agreement and can be trusted by the relying parties .the certificate applicant can check and decide to use a proper

certificate type at discretion on demand.

1.4.2 Prohibited certificate uses

The certificate issued by the HWCA cannot be used for the following purposes:

1Certificate application scope not agreed by HWCA and subscriber

2The certificate use cannot breach any state law, regulation or destruct the state security. Otherwise, the incurred

legal aftermath is undertaken by the user.

In addition, the certificate is not designed for, is not intended for and is not authorized for control equipment under

the dangerous environment or failure-prevention occasion such as nuclear device operation, space shuttle pilot, air


11/58



traffic control system or weapon control system because its any failure will lead to death, personnel injury or severe

environment damage.

1.5 Policy Administration

According to the regulations in the related laws, the HWCA specifies HWCA-CPS policy development team to

draft, register, maintain and update the CPS. The contents of Huawei CPS will be subjective to update and revisal

with CA change and will be published at the website http://support.huawei.com/support/pki.

1.6 Definitions and Acronyms

Table 1.1- Definitions and abbreviations

Abbreviations/nouns Definition

HWCA Abbreviation of Huawei Certification Authority

Certificate Authority Huawei Root CA and CAs are Huaweis electronic certification

service organization or group.

Registration authority The CA registration authority is called as RA. It is an agent which signs the

registration authority agreement and is authorized by HWCA to issue the HWCA

certificate. The RA processes the certificate application from the certificate

applicants and submits it to CA.

Certificate issuing authority It includes HWCA-authorized registration authority, registration branch authority

and transaction point certificate issuing authority. The certificate issuing authority

will issue HWCA certificate to the certificate applicants

Relying party It indicates a person who is engaged in related activities based on the trust for the

digital certificate and/or electronic signature

Subscriber Individual, collection, unit, organization, server or other individual or entities which

own any HWCA certificate

Certificate applicant It indicates individual, enterprise and organization which request HWCA to issue

certificate

Subscriber It indicates the holder of different certificates which are signed and issued by CA

OCSP It indicates Online Certificate Status Protocol and can support to real time search the


12/58



state of digital certificate

LDAP It indicates Lightweight Directory Access Protocol and is used to search and

download digital certificate and digital certificate revocation list (CRL)

PKI It indicates Public Key Infrastructure

CRL It indicates Certificate Revocation List. CRL records all user digital certificate SN of

the revoked digital certificates before the old invalid date expires and can be

searched when the digital certificate users authenticate peer digital certificate.

Generally CRL is called as the digital certificate blacklist. Generally it includes the

CA name, issuing date, scheduled issuing date for next revocation list, changed or

revoked digital certificate SN and time and reason for change or revocation.

Certificate The certification indicates that different entities review the identity via the trusted

and neutral third party (such as HWCA) prior to network trade and the third-party

proves the identity reliability and legality.

Priate key It is the digital key which can not be open and be kept by the holder and is used to

create electronic signature, decrypt packet or encrypt the profile with the

corresponding public key

Public key It is the digital key which can be open, can be used to validate corresponding packet

with private key signature, can be used to encrypt packet and files and can be

decrypted by the corresponding private key

PKCS It is Public Key Cryptography Standard


13/58



2 Information publication and management

2.1 RepositoriesHWCA provides repositories to support certificate services and try the best effort to keep access to its public

repository and its policy information so that Relying Parties may obtain certificates and CRLs from or

through that public repository.

The repository shall be available as required by the certificate information posting and retrieval stipulations

of this CPS.

2.2 Publication of certification information

Huawei CA will publish CPS, root CA certificate, CA certificates chain and CRLs. The subscribers can get them at

the HWCA websitehttp://support.huawei.com/support/pki .

2.3 Time or frequency of publication

This CPS and any subsequent changes are made publicly available within one week of approval.

The CRLs are updated at least daily.

The certificate database is updated every time a certificate is published.

2.3.1 Time or frequency of publication of electronic certification service rule

The HWCA will publish the latest CPS version in time. if the rule changed and supplement is approved, without a

special case, the HWCA will publish the CPS at the websitehttp://support.huawei.com/support/pki within five

business days.

2.3.2 Time or frequency of publication of certificate and CRL

For all revoked or suspended certificates, the list CRL will be automatically published via HWCA directory server.

The latest CRL can be manually published on demand. The users can search or download latest CRL at the HWCA

websitehttp://support.huawei.com/support/pki .For the issuing CA, CRL is issued at least within 24 hours, and a

Root CRL is issued at least every year The CRL list can be manually updated in case of an emergency.

2.3.3 Time or frequency of publication of HWCA public information

Once HWCA will publish the related notifications, notices and other public information due to some reasons, it will

quickly publish it at the websitehttp://support.huawei.com/support/pki .

2.4 Access controls on repositories

URLs of each HWCA can use SSL-based HTTP for secure access to records. Other URLs for issuing important

information should be based on https. HWCA is configured with the information access control and security auditing

measures to guarantee that only authorized HWCA persons can write and modify the HWCA online notice version
http://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pkihttp://support.huawei.com/support/pki


14/58



and published information. The authorized operations will be recorded. If necessary, HWCA can independently select

and manage information privilege to guarantee that only qualified parties can read the information with certain

privilege.


15/58



3 Identification and Authentication

3.1 Naming

3.1.1 Types of names

The HWCA-published certificate contains a distinguished name of the issuing organization and subscribers as Issuer

and Subject fields. The distinguish name assigned to the subject of a certificate are unique within a CA and can be

used to identify the owner of certificate. All names specified in X.509 certificates must be expressed as non-null

subject Distinguished Names (DNs) complying with the X.500 standard.

3.1.2 Need for names to be meaningful

The user identification information used by the identifier name must include the specific, traceable and affirmative

representation meaning. The anonymity or pseudo name is forbidden.

For the digital certificate provisioned to the device in during manufacturing, the distinguish name assigned to the

subject of a certificate is provided by HWCA. The common name in the subject field contains the equipment

information such as equipment serial number which identifies relationship between equipment and certificate. For

this type of equipment digital certificate, the subject alternative name includes a DSN name that contains the

equipment serial number.

3.1.3 Anonymity or pseudonymity of subscribers

HWCA does not accept or allow any anonymous or pseudo name and only accept the name with specific meaning as

the unique identifier. The certificate which is applied with the pseudo or counterfeited name is invalid. If the fact is

proven, the certificate will be revoked.

3.1.4 Rules for interpreting various name forms

No applicable

3.1.5 Uniqueness of names

The distinguish name assigned to the subject of a certificate are unique within HWCA. When DN is same, the first

applicants will use this DN. The followed applicants should add other identification information into DN item for

distinguishing.

3.1.6 Recognition, authentication, and role of trademarks

Applicants must not use the names in the certification application which will infringe the intellectual property or

proprietary trademark of others, however, HWCA will not check whether the certification applicants of the names in


16/58



the certification applications own this intellectual property or proprietary trademark and will not arbitrate, mediate or

solve the dispute caused by the domain name, trademark name and service regulations. When this dispute occurs,

HWCA has a right to reject or suspend the certificate application till the dispute is solved (if necessary) according to

the rule of first application and first use and will not be liable to any certificate applicant.

3.2 Initial Identity Validation

3.2.1 Method to prove possession of private key

When HWCA signs the certificate, HWCA will first compute by using the data digest algorithm according to the

information in the certificate applicant, then decrypt the private key in the applicant by using the public key in the

application and finally compare them. if they are equal, it indicates that the digital certificate applicant owns the

corresponding signature private key of the signature public key.

3.2.2 Authentication of organization identity

When applying certificates for organizations, the applicant should appoint the legally authorized certificate

application representative, sign on Certificate Applicant to accept the articles in the certificate application and

undertake corresponding liabilities. HWCA and the certificate authority should review whether the certificate

applicant is qualified in face-to-face manner.

The identity of an organization should be identified in the following manners:

1. The authorized organization dealer should go to the application site with self original ID card, business license

registration certificate, original organization code certificate (original or copy) and duplicates.

2. Check consistency of the ID card, business license registration certificate, original organization code certificate

(original or copy) and duplicates.

3. Check whether the information in ID card, business license registration certificate, original organization code

certificate is consistent with the information in the application form.

4. Check whether the organization accepts the articles in HWCA digital certificate user responsibility statement.

5. Check integrity of the application materials submitted by the subscriber.

6. HWCA can identify by inquiring third-party database or corresponding authority and using the reasonable methods

to HWCA such as telephone and post address survey.

7. If HWCA cannot get the required information from third-party, it can request third-party to survey or request the

certificate applicant to guarantee truth of the provided additional information and proof materials. HWCA and


17/58



authorized authority should review legality of the applicant materials. The review contents include, not limited to, the

above statement.

3.2.3 Authentication of individual identity

The checkers of the HWCA-authorized certificate issuing authority should reasonably and carefully check the

originals and copies of the application materials according to the procedure, review truth of the applicant materials

according to the management regulations and can reject or approve the application.

After HWCA receives the certificate application from the individual subscriber, before issuing the certificate to this

subscriber, HWCW should check and identify the individual identity of this certificate applicant. The identification

procedure is shown as follows:

1. The individual certificate applicant should go to the certificate application site wit hthe self ID card or password

original and duplicates and check true of the subscriber identity in face-to-face manner.

2. Check whether the applicant ID card or the passport original and copy are consistent with the duplicates.

3. Check whether the information in the applicant ID original or passport is consistent with the information in the

application form.

4. Check whether this applicant can accept the articles in HWCA digital certificate user responsibility statement.

5. Check integrity of the application materials submitted by this subscriber.

6. The review contents include, not limited to, the above statement.

The applicant must be liable to truth of the application materials. After HWCA and authorized certificate authority

review compliance to the laws and regulations, they will not be liable for applicant identity proving such as ID card

legality identification. The HWCA and its authorized certificate authority should store the detailed information

3.2.4 Identification and authentication of domain name (or IP address)

The applicant fills the written application form. After signed by the authorized representative of the organization and

sealed by the organization (for individual application, individual signature is required), the applicant should go to the

HWCA-authorized certificate issuing authority to for identity check and fee payment with related materials.

If the certificates DN is the domain name (RDN),besides the written materials submitted by the applicant which will

be reviewed, the applicant, should also provide additional proof for domain name use right or inquire it for the

corresponding domain name registration authority to check whether the subscriber can use the corresponding domain

name. The auditors of the HWCA-authorized certificate issuing authority will carefully and reasonably check truth of

the applicant material original and copies according to the related regulations.


18/58



3.2.5 Validation of authority

When a natural person or corporate applies for a certificate via the authorized third-party agent, the HWCA and its

authorized certificate authority should audit the identity and qualification of the authorized person, including his

identity information and authorization proof, and can check information via a call, letter or other methods for legality.

HWCA has a right to confirm information on the authorized persons via third-party or other modes and request the

authorized person to provide additional proof such as trust letter.

3.3 Identification and Authentication for Re-key Requests

HWCA has a right to decide the valid period of a certificate on demand. Before the valid period expires, to keep old

certificate name, the subscriber should generate a new key pair and obtain the certificate again to guarantee certificate

use continuity. This process is called as key update. When the information related to the certificate changes or the

subscriber has doubt on the key security, he must register again to generate a new key pair and apply the certificate

authority for signing and issuing certificate.

3.3.1 Identification and authentication for routine re-key

If the routine key is updated due to expired certificate, the certificate owner can sign the update request message by

using the old private key and request to sign the certificate again. The certificate issuing authority will validate and

identify correctness, legality and uniqueness of the update request message.

The certificate owner can fill change application form and submit related documents according to the initial identity

validation steps in case of certificate or key change application, HWCA-authorized certificate issuing authority will

check it. The auditor should reasonably and carefully check the application document originals and copies according

to the regulated procedure, review truth of the applicant information and approve or reject it.

3.3.2 Identification and authentication for re-key after revocation

HWCA does not update key for the revoked certificate. The certificate user must register identity and apply for a new

certificate.

3.4 Identification and authentication for Revocation Requests

When the certificate subscriber or his legal agent applies to revoke a certificate, he should go to HWCA certificate

authority for transaction, including fill certificate revocation application form, and submit related documents

according to the initial identity validation steps. The HWCA-authorized certificate issuing authority will check it.

The auditors of HWCA-authorized certificate issuing authority will reasonably and carefully check the application


19/58



document originals and copies according to the regulated procedure, review truth of the applicant information and

approve or reject it.


20/58



4 Certificate Life-Cycle Operational Requirements

4.1 Certificate Application

HWCA provides online digital certificate application Website interface for 24-hour online application service.

For the digital certificate application service, a Huawei RA system has responsibility to identify and authenticate the

identity and audit the certificate application request. Only the approved certificate request will be submitted to the CA

system and then the CA system signs and issues digital certificate to the applicant.

4.1.1 Who can submit a certificate application

Generally, there is no restriction on a certificate application, but currently the certificate application interface of the

HWCA only accepts the certificate application from the staff, authorized CA, RA authority, organization or entities.

For the equipments delivered by Huawei, the Huawei CA system do not provide online certificate application

interface to these equipments. The staff work for Huawei technical support service has duty to apply certificate for

these equipment if necessary.

4.1.2 Enrollment process and responsibilities

When applying for a certificate the applicants are responsible for providing accurate information and fill out an

application form required for the digital certificate. After receiving the application, the RA system authenticates the

applicant identity and validates the contents of the certificate application request. After successful auditing, the RA

approve the digital certificate request. Otherwise, it will reject the request.

4.2 Certificate Application Processing

4.2.1 Performing identification and authentication

The HWCA or authorized certificate issuing organization should audit the materials submitted by the certificate

applicant according to the regulations and related flow regulations in the chapter 3 of CPS and approve or reject it.

4.2.2 Approval or rejection of certificate applications

Certificate application approval

HWCA will approve the application and issue a certificate upon successful completion of the identity-proofing

process and validation process of the certificate request.

Certificate application rejection

The HWCA can reject to sign certificate at its discretion and will not be liable for any incurred loss or cost. If the


21/58



application fails during the identity identification and authentication, HWCA will reject the certificate application.

Generally HWCA will inform the applicant about any problems. However HWCA has a right to reject to inform the

applicants or explain failure reason and will not be liable for any compensation. The rejected certificate applicant can

apply again after providing accurate information.

4.2.3 Time to process certificate applications

Huawei will make an effort to process the certificate applications within a reasonable time upon receiving the request.

There is no maximum process time for an application unless otherwise indicated in other relevant agreement. If the

processing period is extended, the application will remain active until it is approved or rejected.

4.3 Certificate Issuance

4.3.1 CA actions during certificate issuance

Once receiving the certificate request to issue a certificate from Huawei RA for applicant, HWCA creates and signs

the certificate based on the information in certificate request that contains subscribers data.

At the same time, HWCA will publish the certificate to repository and send the certificate to applicant via Huawei

RA.

4.3.2 Notification to subscriber by the CA of issuance of certificate

After a certificate has been issued, HWCA directly informs subscribers or through an authorized agent by means of

face-to-face notification, Email notification, post letter notification and other methods recognized by HWCA.

4.4 Certificate Acceptance

4.4.1 Conduct constituting certificate acceptance

After HWCA digital certificate is signed and issued, the certificate applicant downloads the certificate and verifies its

content. A Subscribers receipt of a certificate and subsequent use of the certificate and private key corresponding to

the public key in the certificate constitute certificate acceptance. After the certificate applicant accepts the digital

certificate, he should properly save the corresponding private key securely (stored into the storage medium).

If the subscriber isobject to accepting the certificate, the applicant must explicitly inform Huawei with the reasons

and details.

4.4.2 Publication of the certificate by the CA

Once the certificate applicant accepts the certificate, HWCA will publish the certificate duplicate on the directory


22/58



server and in one or more manners decided by the HWCA. The certificate applicant can publish the digital certificate

signed and issued by HWCA in other information database.

4.4.3 Notification of certificate issuance by the CA to other entities

For the certificate signing and issuing of HWCA, HWCA and its authorized registration authority will not inform

other entity. The subscriber and relying parties can search on the information repository.

4.5 Key Pair and Certificate Usage

4.5.1 Subscriber private key and certificate usage

The subscriber must have knowledge on PKI business. When applying a digital certificate, he must guarantee

correctness and truth of the provided registration information.

The subscribers must use the trusted system or secure agent to generate key pair, securely and properly store the

private key and guarantee that the private key holder is the actual entity corresponding to the certificate subject name.

The subscribers must also prevent the compromise, loss, disclosure, modification, or otherwise unauthorized use of

their private keys.

After the subscriber accepts the digital certificate, he must properly store the corresponding private key of the

certificate (stored into the storage medium) to avoid loss, leakage, tempering or theft. When any user is using a

certificate, he must validate the certificate, including check whether the certificate is revoked, is within the valid

period and is signed and issued by HWCA.

When using the signature related to the certificate signed and issued by HWCA and signed information, all involving

parties (HWCA and certificate authority, certificate subscriber and relying parties) should enjoy the corresponding

liabilities and fulfill corresponding obligations according to the regulations in CPS. All parties are deemed to be

informed and agree with the articles in this CPS and agreement and specification between HWCA and all parties. For

any use of certificate and private key beyond the regulations in this CPS, HWCA will not assume any liability.

The certificates signed and issued by HWCA can be used to indicate the certificate holders identity in case of

certificate application and validate the signature made by the certificate holder by using the private key corresponding

to the public key in the certificate, so the signature and signature validation can guarantee truthful identity of the

certificate holder, information integrity, information non-repudiation, key agreement. If the certificate holder uses this

certificate for other purposes, HWCA will not assume any liability and obligation.

If some fields of this certificate indicate the use scope and purpose of the certificate, this certificate can be used


23/58



within this scope. For any action beyond the application marked in the certificate, the actor should be liable for it.

HWCA will not assume any liability and obligation for any action beyond the application scope.

4.5.2 Signature and validation

The signature is created in the following cases:

Created in valid use period of a certificate;

The signature is correctly validated via certificate path validation.

The trusted parties do not discover or notice that the signature violates the actions regulated in CPS.

The relying parties should comply with all regulations in this CPS.

The certificate use does not indicate that the subscriber can act or take any special action for any individual interest.

The signature validation aims to guarantee that the signature is created by using the private key corresponding to the

public key in the issuer certificate and the signature is not change after created.

4.5.3 Relying party public key and certificate usage

After the certificate from the peer is obtained, the user can know its identity by viewing the certificate, validate truth

of the electronic signature via the public key, realize communication non-repudiation and keep confidentiality and

integrity of data transfer between two parties.

Before the certificate and signature is trusted, the relying parties should independently do reasonable endeavor and

make reasonable judgment. Except additional regulation in this CPS, the certificate is not a commitment from the

certificate issuing authority to any power or privilege. The relying party can only trust the certificate and its public

key within the scope regulated in this CPS and make decision. Validate a certificate by using a CRL and OCSP and

trust a certificate only if it has not been suspended or revoked.

If some fields of a certificate indicate use scope and purpose, this certificate can only be used in this scope. The

relying parties must make a reasonable judgment. The relying party will be liable for any trust to the action beyond

the application scope in this certificate. HWCA will not assume any liability and obligation.

4.6 Certificate Renewal

Not applicable.

4.7 Certificate key renewal


24/58



Not applicable.

4.8 Certificate change

Not applicable.

4.9 Certificate revocation and hang up

The certificate revocation is permanent and cannot be recovered.

4.9.1 Circumstance for certificate renewal

1. The new key pair replaces the old key pair.

2. Key disclose: the corresponding key of the public key in the certificate is disclosed or the user is doubtful for the

key.

3. Affiliation relation change: when the subject related to the key-related subscriber is changed.

4. Operation termination: the certificate is not used for old purpose, but the key is not disclosed, but termination is

required (E.g. a subscriber leaves from an organization);

5. The certificate update fee is not received.

6. The subscriber main body does not exist;

7. The subscriber does not comply with liabilities and obligations regulated in this CPS or other agreement, laws

and regulations.

8. When a subscriber applies for initial registration, he does not provide true materials.

9. The private key corresponding to the public key in certificate is stolen, faked, counterfeited or tempered.

10. The subscriber application is revoked.

4.9.2 Who may request renewal

When the case 1-9 of the chapter CPS4.9.1 is met, the entity requesting certificate revocation can be HWCA or other

authorized agent and the revocation is mandatory. After revocation, the subscriber must be instantly informed.

If the case 10 of the chapter CPS4.9.1 is met, the entity requesting certificate revocation will be consistent with the

statement in CPS4.1.2.

Other cases will depend on actual condition. HWCA can determine it.

4.9.3 Processing certificate renewal requests

The subscriber application revocation flow is described as follows:

Before the subscriber revokes a certificate, he should decrypt the encrypted data such as encrypted Email, back


25/58



up it (E.g. The mail contents are copied and are stored as plaintext or the mail attach is stored) and delete the

certificate.

The applicant fills out revocation application form and the revocation reason. Then submit the revocation request

to HWCA.

The HWCA or authorized registration authority should check the certificate revocation application submitted

by the subscriber according to the regulations in CPS3.4;

HWCA or authorized registration authority checks the revocation application and then revokes the certificate.

HWCA publishes the information into the public repository in time for subscriber and relaying parties

downloading the revocation informant.

4.10 Certificate state service

HWCA makes available certificate status checking services including CRLs, OCSP and appropriate web interfaces..

CRL

HWCA will sign and publish the CRL to public repository and make it available from

http://support.huawei.com/support/pki.

OCSP

Currently HWCA only makes OCSP responses available for internal use.

4.11 End of Subscription

The service termination indicates that the certificate user terminates the service with HWCA, including the following

two cases:

When the certificate expired or revoked, the system terminates the service with HWCA.

When the certificate expired, if the certificate does not extend certificate use or does not apply for a certificate again,

the certificate user can terminate the service.

When the certificate is not expired, the system terminates the service with HWCA.

If the certificate service is terminated by the certificate users due to certain reason in the valid period of the certificate,

HWCA will hang up or revoke the certificate according to the requirements of the certificate user. The service

between the certificate user and HWCA will terminate.

4.12 Key Escrow and Recovery


26/58



Not applicable


27/58



5 Facility, Management, and Operational Controls

5.1 Physical Security Controls

The HWCA certification service system is located in high security and stable building and has independent software

and hardware OS. Only the authorized operator can access the management area for operation according to the

related safety operation regulation. The root key of HWCA is located under the highly secure environment to prevent

against damage or unauthorized operation.

5.1.1 Site location and construction

To guarantee security and reliability of the physical environment, HWCA fully considers the threats such as water

disaster, fire, earthquake, electromagnetic disturbance and emission, crime and job accidents and can provide the

functions such as vibration resistance, fire prevention, water prevention, constant humidity and control, spare power

generation, gate access control and video monitoring to guarantee continuous and reliable certification service.

5.1.2 Physical access

When an operator wants to enter the device room, he must pass the strict approval, safety check and identity check

based on IC card gate control system. The measures such as material access registration, personnel access registration

and 24-hour video monitoring and guarding and walking inspection are taken. Without permission, it is forbidden to

bring any prohibited objects into the device room such as metal objects, electronic camera, vidicon and USB memory.

5.1.3 Power and air conditioning

HWCA system is powered by double power supplied. When one power breaks, the system can normally operate. The

UPS is used to avoid power fluctuation and guarantee emergency power supply.

The central air conditioner is used for adjustment and control of the temperature and humidity inside the system

device room, which can guarantee that the air quality, temperature and humidity, fresh air and air cleanness reach the

state regulations inside the device room.

5.1.4 Water exposures

HWCA device room is located in F3. The certificate service system is located in a closed building and the waterproof

and erosion-resisting measures are taken to guarantee system safety.

5.1.5 Fire prevention and protection

The HWCA device room is installed with the fire automated alarm system and gas automatic fire extinguishing

system. This system can be started in an automated, manual or mechanical emergency operation mode. under


28/58



automated state, when the protection area catches a fire, after the fire alarm controller receives two independent fire

alarm signals from the protection zone, it will instantly give out joint signals. After 30 s delay, the fire alarm controls

output signals and starts fire extinguishing system. The alarm controller receives the feedback signals from the

pressure signal device, the indicator will be on in the protection zone to prevent any person from entering. When

some persons are working the protection zone, the system can switch from automated state to the manual state via

manual/automated switch outside the protection zone door. When a fire alarm occurs in the protection zone, the alarm

controller only gives out alarm signals and will not output action signals. The on-duty person confirms the fire alarm

and can press the control panel or crash the emergency start button outside the protection zone, he can instantly start

the system and spray the gas fire extinguishing agent. When the automated and manual emergency start fails, the

person can start via the mechanical emergency operation in the bottle storage room.

5.1.6 Media storage

HWCA should store and use the physical mediums according to the waterproof, fireproof, vibration-proof,

damp-proof, erosion-proof, anti-insect, anti-static and anti-electromagnetic emission. The measures such as medium

use registration, medium duplication prevention and information encryption are taken to protect medium safety.

5.1.7 Waste disposal

When the hardware equipment, storage equipment and encryption equipment used by the HWCA certification service

system is abandoned, the sensitive and confidential information should be securely and utterly deleted.

When the files and storage medium include sensitive and confidential information, special destruction measures

should be taken to guarantee that the information cannot be recovered and read.

All processing actions should be recorded for review. All destruction actions should comply with the related laws and

regulations.

5.2 Procedural Controls

5.2.1 Trusted roles

In order to reduce opportunities for unauthorized modification or misuse of information or services, HWCA segregate

duties and areas of responsibility by different roles, key functions and posts for CA system execution, including but

not limited to Operation security management team, Super administrator, System administrator, System auditor, Key

administrator, Security administrator, Network administrator, Monitoring administrator, Gate control administrator,

Input person, Auditor, Certificate maker. These posts are assigned to guarantee clear responsibility, establish effective


29/58



security mechanism and guarantee internal management and operation security.

5.2.2 Number of persons required per task

Table 5.1minimum staff for trusted roles

SN Trusted roles Persons

1 Operation security management team 3-5

2 Super administrator 2

3 System administrator 2

4 System auditor 1

5 Security administrator 1

6 Network administrator 1

7 Monitoring administrator 1

8 Gate control administrator 1

9 Operator Several

10 Auditor Several

11 Certificate maker Several

5.2.3 Identification and authentication for each role

After all HWCA employees must be certified, they will be allocated with the security tokens such as required system

operation card, gate control card, login password and operation certificate by job nature and title privilege. For the

employees who use the security token, HWCA system will independently record and supervise all operation actions.

The security tokens only belong to the token holder or organization and cannot be shared according to the security

specification. HWCA system and procedure can control the operator privileges by token.

5.2.4 Roles requiring separation of duties

The HWCA defines the trusted roles according to the rule of trusted role separation and operation and management

separation. The security administrator and network administrator cannot be appointed as one person. The system

administrator and system auditor cannot be appointed as one person. The monitoring administrator and gate control

administrator cannot be appointed as a person. The input person and auditor cannot be appointed as one person.

5.3 Personnel Controls

5.3.1 Qualifications, experience, and clearance requirements


30/58



The staff who is assigned by HWCA as the trusted roles should meet the following conditions:

1. Have good social and work background

2. Comply with state laws and regulations and obey uniform schedule and management of HWCA

3. Comply with the security management specifications, regulations and systems of HWCA

4. Have good individual quality, culture and careful and responsible attitude

5. Have good team cooperation spirit

5.3.2 Background check procedures

HWCA staff is employed according to the strict employment procedure. The background of the trusted staff will be

survey according to the post requirement.

HWCA performs strict background survey on the key CA staff. The survey includes, not limited to, validation of

previous work record, validation of identity proof truth, validation of truth of the diploma and other certificate and

validation of cheat behaviors. The registration authority, registration branch authority and operators at the transaction

site should be surveyed by referring to the HWCA survey for the trusted staff. The responsible organization of the

transaction site can supplement survey, probation and training based on it, but it can not violate the HWCA certificate

transaction regulation and HWCA electronic certificate service rule.

HWCA identifies the flow management rule. The CA staff is restricted by the contract and regulations and can not

disclose sensitive information of the HWCA certification service system. All staff sign secrete agreement with

HWCA.

5.3.3 Training requirements

HWCA will hold staff training on responsibilities, posts, technology, policies, laws and security on demand. HWCA

provides the following comprehensive training to HWCA staff, including but not limited to:

Information security knowledge training and examination

Post responsibility and post skill training

Fire control knowledge training and drilling

Professional knowledge and skill training on PKI system business

5.3.4 Retraining frequency and requirements

HWCA will hold periodical staff training according to the internal environment change and staff conditions to adapt

to the new change and continuously improve the professional quality of the staff.

5.3.5 Job rotation frequency and sequence


31/58



Not involved

5.3.6 Sanctions for unauthorized actions

When the HWCA staff make unauthorized or over-limit operation, HWCA should take some appropriate

administrative and disciplinary actions against personnel who perform unauthorized actions, such as instantly

abandon or terminate security certificate and IC card of this employee.

5.3.7 I

Documents

Rootca Cps