Skip to content | Change text size
 

Public Key Infrastructure Policy

Please note that this policy has not yet been revised or converted to the new format .

1.  Preamble

Information Technology Services (ITS) will establish a Public Key Infrastructure for Monash University and provide personal Digital Certificates to Authorised Users. Information Technology Services will also supply Server Certificates to Monash servers.

Digital Certificates enhance security by providing the following

  • Proof of sender – The ability to digitally sign documents.
  • Non-repudiation - Proof that a user sent a given transmission.
  • Data integrity – Enable the receiver to verify that a document was not altered in transmission.
  • Encryption – Enhanced privacy through transmission of data in an encrypted format rather than as plain text.

2.  Purpose

The purpose of this policy is to

2.1  Define the responsibilities of ITS, as a Public Key Infrastructure service provider.

2.2  Define the responsibilities of Authorised Users using Monash issued Digital Certificates.

3.  Policy Status

University wide policy

4.  Responsible Officer

Executive Director, ITS.

5.  Approving Body

UNITPOL

6.  Definitions

Certificate Authority
An authority trusted and authorised to issue and revoke Digital Certificates. The Certificate Authority is also responsible for maintaining the Certificate Revocation List.
Certificate Revocation List
A list of Digital Certificates that have been revoked prior to their expiry date.
Certificate Practice Statement A statement of practices that the Public Key Infrastructure and its customers must conform to.
Digital Certificate An electronic document used to verify the identity of a user, a server or a group of people. Digital Certificates are used to verify that a user sending a message is who he, she or (in the case of organisations) it claims to be and to provide the recipient with a means to encode a reply.
Digital Signature
A digital signature is a mark (in digital form) that only the sender of an electronic transmission can make but which is easily recognised as belonging to the sender. A Digital Signature also provides the means to ensure that a document has not been tampered with.
ITS Information Technology Services
Authorised User As defined in section 6 of the Monash University IT Security Policy document.
Private Key The part of a two part cryptographic key-pair that is to be safeguarded by the owner. A private key can be used to generate a Digital Signature or decrypt encrypted information. It is difficult for an unauthorised user or a program to determine a Private Key given the associated Public Key provided that the key is large enough.
Private Encryption Key A private key that is used for decrypting encrypted information.
Private Signing Key A private key that is used to generate a Digital Signature.
Public Key The published part of a two part cryptographic key-pair, which other users can make use of to send the owner encrypted documents and verify the owner’s Digital Signature. Public Keys are embedded in Digital Certificates.
Public Key Infrastructure A Public Key Infrastructure is a security management system dedicated to the management of Digital Certificates for the purposes of secure exchange of electronic messages.
Registration Authority A person who is responsible to the Certification Authority for local (on-site) identification of users.
Server Certificate A Digital Certificate which is used by a server.

7.  Policy Scope

The scope of this policy includes all Authorised Users. The policy covers responsibilities of ITS, as PKI service providers, and subscribers to the service wishing to use Digital Certificates for either University related work or personal use.

8.  Policy

8.1  ITS Responsibilities

  1. ITS will issue Digital Certificates, upon request, to Authorised Users in accordance with the practices referenced in the Monash University Public Key Infrastructure Policy and the Monash University CA Policies.
  2. All Digital Certificates issued by Monash University will be unique.
  3. ITS will assume responsibility for all Certificate Authority and Registration Authority tasks.
  4. ITS will establish localised, faculty based, Registration Authorities for the purposes of verifying the identity of Authorised Users on behalf of the Monash University Certificate Authority. An authorised Registration Authority must authenticate all Authorised Users before a Digital Certificate is issued. Identification and Authentication procedures for Registration Authorities and Authorised Users are described in the Monash University Certificate Practice Statement.
  5. Digital Certificates issued by Monash University will be valid until the earlier of (i) the specified expiry date of the certificate or (ii) the date from which the person ceases to be an Authorised User.
  6. Digital Certificates may be revoked prior to their expiry date at the request of the owner or any authorised Registration Authority.
  7. ITS will maintain a Certificate Revocation List which is published in the Monash Directory Service and other locations as defined in the Monash University Certificate Practice Statement.
  8. ITS will ensure that Digital Certificates issued on behalf of Monash University contain no personal information other than that described in the Monash University Certificate Practice Statement.
  9. ITS will retain copies of user’s Private Encryption Keys and reserves the right to decrypt e-mail messages and other encrypted data, if necessary, in accordance with the terms described in the Monash University Certificate Practice Statement.
  10. Private Signing Keys will not be recoverable if lost or destroyed by the owner. Backup copies of Private Signing Keys will not be kept in order to ensure that only the owner has access to their Private Signing Key. Users who have lost their signing key will need to be issued with a new one.
  11. ITS will review Certificate Authority operations on a regular basis to ensure the integrity of the service, as described in the Monash University Certificate Practice Statement.
  12. ITS will accept no responsibility for the management or use of personal Digital Certificates that are supplied directly to users by external vendors.

8.2  Authorised User Responsibilities

  1. Digital Certificates issued by Monash University are to be used for authorised and legal purposes only. Authorised IT usage at Monash University is defined in the following policies
  • Information Technology Use Policy - Staff and Other Authorised Users
  • Acceptable Use of Information Technology Facilities by Students
  • IT Security Policy
  1. Authorised Users are entitled to use the Digital Certificates for private purposes, provided such use is lawful.
  2. Authorised Users are bound by the terms and conditions described in the Monash Certificate Practice Statement as well as the Monash University Public Key Infrastructure Policy.
  3. Authorised Users are responsible for determining the validity of digitally signed or encrypted messages by verifying certificates against the Certificate Revocation List.
  4. Authorised Users are solely responsible for maintaining the integrity of their Private Signing Key. As with all authentication schemes, the onus is on the user to keep the Private Key private.
  5. Authorised Users must report any instance of key compromise or suspected compromise to ITS immediately.
  6. Authorised Users are expressly forbidden from allowing another person to send email that has been signed or encrypted with their Digital Certificate on their behalf.
  7. Authorised Users are expressly forbidden from misrepresenting their identity by using another person’s Digital Certificate for signing documents.
  8. Authorised Users will be held solely responsible for any messages signed with their private signing key.

9.  Procedures

Related documentation

  1. Monash University Certificate Practice Statement. Please see Monash University CA Policies.
  2. Procedure for Obtaining a Monash University Digital Certificate.
  3. Procedure for Revoking a Digital Certificate.  Please see Monash Public Key Infrastructure - Subscriber Agreement.
  4. The main digital certificates website that contains all relevant documentation see Digital Certificate Services.

Policy Information

Title of Policy

Monash University Public Key Infrastructure Policy

Policy Reference

 ITEC15

Author

Michael Guenzel & Leon Troeth, Web & Internet Facilities, ITS

Central Registry File No.

 RMO2001/1471

Approval Process

Authorising Person

ITS Directors' Group

UNITPOL

 

Meeting No.

 29/01

Meeting No.

01/01

 

Meeting Date

9 October 2001

Meeting Date

12 November 2001

 

Agenda Item

7.3

Agenda Item

4.5

Policy effective on

12 November 2001

Policy expires on

 

Policy next reviewed on

 12 November 2003

Related ITS regulations

 

Comments

Monash only access

Web links updated 5 October 2004