CERTIFICATE POLICY OF THE SAP SERVICE MARKETPLACE ROOT CA
Version 1.0
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com
CONTENTS
1 Introduction
1.1 Overview
1.2 Community and Applicability
1.2.1 Service Marketplace Root Certification Authority (SMP Root CA)
1.2.2 Certification Authority (CA)
1.2.3 Subscriber, End User or Certificate holder
1.2.4 Applicability
1.3 Contact Details
2 General Provisions
2.1 Obligations
2.1.1 SMP Root CA obligations
2.1.2 CA obligations
2.1.3 Subscriber obligations
2.2 Publication of SMP Root CA information
2.3 Access controls
2.4 Types of information to be kept confidential
3 Identification and Authentication
3.1 Initial Registration
3.2 Types of names
4 Operational Requirements
4.1 Application for CA-Certificate
4.2 Certificate Issuance for CA-Certificate
4.3 Certificate Acceptance of CA-Certificate
4.4 Security Audit Procedures
4.5 Records Archival
4.6 Compromise and Disaster Recovery
4.7 SMP Root CA Termination
INTRODUCTION
1.1 Overview
The hierarchy of the SMP Public Key Infrastructure (hereafter
called SMP PKI) is shown in the figure below:
[Figure: SMP PKI hierarchy. The SMP Root CA holds a self-signed Root CA-Certificate and issues CA-Certificates (certification of CA Certificate) to the CAs, among them the SAProuter CA. A CA certifies subscriber Certificates; the SAProuter CA issues SAProuter-Certificates to the subscribers R1 ... Rn.]
1.2.4 Applicability
The SMP Root CA-Certificates can be used to sign CA-Certificates.
1.3 Contact Details
The department of Global Solution Services of SAP AG,
Germany, operates the SMP Root CA of the SAP Trust Center
Services.
SAP AG
Global Solution Services
Trust Center Services
Raiffeisenring
68789 St. Leon-Rot
Germany
E-Mail: security@sap.com
URL: http://service.sap.com/TCS
GENERAL PROVISIONS
2.1 Obligations
2.1.1 SMP Root CA obligations
2.1.2 CA obligations
disapproved.
OPERATIONAL REQUIREMENTS
The SMP Root CA generates key pair for the second level
The active lifetime for the SMP Root CA's public and private
key is restricted to 10 years.
6.6 Computer Security Controls
To assure computer security of the operating system of the
SMP Root CA, specific security controls should be
implemented. For security reasons, the SMP Root CA is
maintained off-line. Configuration of, and access to, the
SMP Root CA systems are strictly controlled and limited
to authorized persons only.
SPECIFICATION ADMINISTRATION
made accordingly.
Only authorized persons of the SAP Trust Center Services
CERTIFICATE PROFILES
Constant / Description
SignatureAlgorithm
Version
    Version 3
SerialNumber
    Serial Number
Signature
    SHA-1/RSA
    Algorithm OID: 1.3.14.3.2.29
Issuer
    CN=SMP Root CA
    OU=Service Marketplace
    O=SAP
    C=DE
Validity
    NotBefore 18.07.2000
    NotAfter 18.07.2010
Subject
    CN=SMP Root CA
    OU=Service Marketplace
    O=SAP
    C=DE
subjectPublicKeyInfo
KeyUsage
SubjectAlternativeName
    URL: http://service.sap.com/TCS
Basic Constraints
    Subject Type=CA
    Path Length Constraint=None
    Allowed to act as a CA!
BIBLIOGRAPHY
9.1 Abbreviations
C             Country
CA            Certification Authority
CN            Common Name
CP            Certificate Policy
O             Organization
OU            Organizational Unit
RSA           Rivest, Shamir and Adleman
SHA           Secure Hash Algorithm
SMP           SAP Service Marketplace
SMP Root CA   SAP Service Marketplace Root Certification Authority
TCS           Trust Center Services
9.2 Glossary
9.2.1 Certificate Policy (CP)
The CP describes a security policy for issuing certificates and
maintaining certificate status information. This includes e.g.
the operation of the CA, as well as guidelines for users for the
requesting, using, and handling of certificates and keys.
A named set of rules that indicate the applicability of a
certificate to a particular community and/or class of
application with common security requirements. (RFC 2527)
9.2.2 Subscriber
These are entities (in this case a system) that have been issued
certificates within the PKI.
[Bie2000]
Biester, J.; Bauspiess, F.; Fell, H.: SPHINX Technische
Grundlagen, Tailoring MTTv2, 2000.
[Gut2000]
Gutmann, P.: X.509 Style Guide, 2000.
http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[ITU97]
ITU-T X.509: Information Technology - Open Systems
Interconnection - The Directory: Authentication Framework, 1997.
[RFC2527]
Chokhani, S.; Ford, W.: Internet X.509 Public Key
Infrastructure Certificate Policy and Certification Practices
Framework, 1999.
[RFC3280]
Housley, R.; Ford, W.; Polk, W.; Solo, D.: "Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", 2002.
[Web2000]
N.N.: WebTrust Program for Certification Authorities, 2000.
http://www.cica.ca/cica/cicawebsite.nsf/public/SPWTpdf/$file/eCertAuth.pdf