Public Key Infrastructure Configuration Requirements

1.1 Internal Credential Management Public Key Infrastructure (PKI) services offered by Shared Services Canada on behalf of the Treasury Board of Canada Secretariat (TBS) must be used by departments to meet internal user requirements that are based on PKI technology. Footnote 1

1.2 Departments that have requirements to establish their own PKI solution for users must:

• 1.2.1 Verify that their requirements cannot be met by the Internal Credential Management PKI;
• 1.2.2 Contact the Office of the Chief Information Officer (OCIO), Cyber Security, by email at zztbscybers@tbs-sct.gc.ca to identify their requirements;
• 1.2.3 Contact the Canadian Centre for Cyber Security (CCCS), which is part of the Communications Security Establishment (CSE), at contact@cyber.gc.ca for guidance on cryptographic measures and key management;
• 1.2.4 Ensure that system Security Assessment and Authorization (SA&A) plans are developed and followed, including yearly audits in accordance with the Government of Canada X.509 Public Key Infrastructure Certificate Policy for Person Entity (accessible only on the Government of Canada network);
• 1.2.5 Ensure that the certification authority is implemented in accordance with the Government of Canada X.509 Public Key Infrastructure Certificate Policy for Person Entity (accessible only on the Government of Canada network) and Certification Practice Statement before being put into operation; and
• 1.2.6 Ensure that the use and management of the departmental PKI is aligned with Government of Canada requirements for security and identity management as established by the Treasury Board through the Policy on Government Security and its supporting policy instruments.

2. Public key infrastructure interoperability

2.1 The Internal Credential Management Certification Authority and all applicable departmental certification authorities that require interoperability between separate PKI systems with other departments must cross-certify with the Canadian Federal PKI Bridge Footnote 2 (CFPB) rather than establish one-on-one relationships with each other.

2.2 Before entering an agreement to cross-certify with an external entity, sponsoring departments must obtain the approval of the Chief Information Officer of Canada.

2.3 External entities that have a requirement to interoperate with one or more departments must also cross-certify through the CFPB, which is operated by the Royal Canadian Mounted Police on behalf of TBS. Footnote 3

2.4 To achieve cross-certification with the CFPB, organizations must:

• 2.4.1 Submit a request stating the business requirement for cross-certifying with the CFPB to the OCIO, Cyber Security, at zztbscybers@tbs-sct.gc.ca;
• 2.4.2 Identify a department as a sponsor for organizations external to the Government of Canada;
• 2.4.3 Examine the certificate policy of the requesting certification authority to ensure alignment with those of the CFPB;
• 2.4.4 Perform test-bed trials;
• 2.4.5 Negotiate a formal cross-certification agreement with the OCIO; and
• 2.4.6 Exchange cross-certificates between the requesting certification authority and the CFPB.

3. Government of Canada certificate policy

3.1 All departments that implement PKI for users, including those cross-certified with the CFPB, must conform to the Government of Canada X.509 Public Key Infrastructure Certificate Policy for Person Entity (accessible only on the Government of Canada network), unless an exemption has been granted by the Chief Information Officer of Canada.

4. Cryptographic algorithms

4.1 All cryptographic algorithms and associated key lengths must be implemented in accordance with Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information (ITSP.40.111), including encryption, digital signature and key agreement algorithms. ITSP.40.111 also covers hash algorithms used in conjunction with digital signatures, such as secure hash algorithm (SHA)-2 and SHA-3. Weaker algorithms, such as message-digest (MD)5 or SHA-1, must not be used in conjunction with digital signatures.

5. Non-person entity public key infrastructure

5.1 Departments must use approved enterprise PKI services to meet internal non-person entity requirements.

5.2 Departments must follow the guidance on hypertext transfer protocol secure (HTTPS) found in the Web Sites and Services Management Configuration Requirements for external PKI requirements.

Footnotes

Internal Credential Management can be used to:

• encrypt information up to and including Protected B;
• support electronic signatures in accordance with the Government of Canada Guidance on Using Electronic Signatures; and
• support user authentication in systems that store or process information up to and including Protected B.

The Canadian Federal PKI Bridge is the policy management authority for the Government of Canada Public Key Infrastructure. It is responsible for signing and managing cross-certificates with the top government-level certificate authorities.

If a department wants to directly cross-certify with an external certification authority rather than through the CFPB, the department must be granted an exception by the Chief Information Officer of Canada. Note that the department must also ensure that sufficient controls are in place to prevent unauthorized transitive trust with other external PKIs that may be cross-certified with the external entity.