8/13/2019 Rootca Cps
1/58
Huawei Equipment CA Certification Practice Statement Confidentialitylevel:public
Copyright 2011 Huawei Technologies Co., Ltd. All rights reserved. 1 of 58
Huawei Equipment CA
Certification Practice Statement
Release v1.0.0
Huawei Technologies Co., Ltd.
Copyright reserved
Contents
1 Introduction ... 7
1.1 Overview ... 7
1.2 Document Name and Identification ... 8
1.3 PKI Participants ... 8
1.3.1 Certification authorities ... 8
1.3.2 Registration authorities ... 9
1.3.3 Subscribers ... 9
1.3.4 Relying parties ... 9
1.3.5 Certificates Applicant ... 9
1.3.6 Sponsor ... 10
1.3.7 Other Participants ... 10
1.4 Certificate Usage ... 10
1.4.1 Appropriate certificate uses ... 10
1.4.2 Prohibited certificate uses ... 10
1.5 Policy Administration ... 11
1.6 Definitions and Acronyms ... 11
2 Information publication and management ... 13
2.1 Repositories ... 13
2.2 Publication of certification information ... 13
2.3 Time or frequency of publication ... 13
2.3.1 Time or frequency of publication of electronic certification service rule ... 13
2.3.2 Time or frequency of publication of certificate and CRL ... 13
2.3.3 Time or frequency of publication of HWCA public information ... 13
2.4 Access controls on repositories ... 13
3 Identification and Authentication ... 15
3.1 Naming ... 15
3.1.1 Types of names ... 15
3.1.2 Need for names to be meaningful ... 15
3.1.3 Anonymity or pseudonymity of subscribers ... 15
3.1.4 Rules for interpreting various name forms ... 15
3.1.5 Uniqueness of names ... 15
3.1.6 Recognition, authentication, and role of trademarks ... 15
3.2 Initial Identity Validation ... 16
3.2.1 Method to prove possession of private key ... 16
3.2.2 Authentication of organization identity ... 16
3.2.3 Authentication of individual identity ... 17
3.2.4 Identification and authentication of domain name (or IP address) ... 17
3.2.5 Validation of authority ... 18
3.3 Identification and Authentication for Re-key Requests ... 18
3.3.1 Identification and authentication for routine re-key ... 18
3.3.2 Identification and authentication for re-key after revocation ... 18
3.4 Identification and authentication for Revocation Requests ... 18
4 Certificate Life-Cycle Operational Requirements ... 20
4.1 Certificate Application ... 20
4.1.1 Who can submit a certificate application ... 20
4.1.2 Enrollment process and responsibilities ... 20
4.2 Certificate Application Processing ... 20
4.2.1 Performing identification and authentication ... 20
4.2.2 Approval or rejection of certificate applications ... 20
4.2.3 Time to process certificate applications ... 21
4.3 Certificate Issuance ... 21
4.3.1 CA actions during certificate issuance ... 21
4.3.2 Notification to subscriber by the CA of issuance of certificate ... 21
4.4 Certificate Acceptance ... 21
4.4.1 Conduct constituting certificate acceptance ... 21
4.4.2 Publication of the certificate by the CA ... 21
4.4.3 Notification of certificate issuance by the CA to other entities ... 22
4.5 Key Pair and Certificate Usage ... 22
4.5.1 Subscriber private key and certificate usage ... 22
4.5.2 Signature and validation ... 23
4.5.3 Relying party public key and certificate usage ... 23
4.6 Certificate Renewal ... 23
4.7 Certificate key renewal ... 23
4.8 Certificate change ... 24
4.9 Certificate revocation and hang up ... 24
4.9.1 Circumstance for certificate renewal ... 24
4.9.2 Who may request renewal ... 24
4.9.3 Processing certificate renewal requests ... 24
4.10 Certificate state service ... 25
4.11 End of Subscription ... 25
4.12 Key Escrow and Recovery ... 25
5 Facility, Management, and Operational Controls ... 27
5.1 Physical Security Controls ... 27
5.1.1 Site location and construction ... 27
5.1.2 Physical access ... 27
5.1.3 Power and air conditioning ... 27
5.1.4 Water exposures ... 27
5.1.5 Fire prevention and protection ... 27
5.1.6 Media storage ... 28
5.1.7 Waste disposal ... 28
5.2 Procedural Controls ... 28
5.2.1 Trusted roles ... 28
5.2.2 Number of persons required per task ... 29
5.2.3 Identification and authentication for each role ... 29
5.2.4 Roles requiring separation of duties ... 29
5.3 Personnel Controls ... 29
5.3.1 Qualifications, experience, and clearance requirements ... 29
5.3.2 Background check procedures ... 30
5.3.3 Training requirements ... 30
5.3.4 Retraining frequency and requirements ... 30
5.3.5 Job rotation frequency and sequence ... 30
5.3.6 Sanctions for unauthorized actions ... 31
5.3.7 Independent contractor requirements ... 31
5.3.8 Documentation supplied to personnel ... 31
5.4 Audit Logging Procedures ... 31
5.4.1 Types of events recorded ... 31
5.4.2 Frequency of processing log ... 32
5.4.3 Retention period for audit log ... 32
5.4.4 Protection of audit log ... 32
5.4.5 Audit log backup procedures ... 32
5.4.6 Audit collection system ... 32
5.4.7 Notification to event-causing subject ... 32
5.5 Records Archival ... 33
5.5.1 Types of records archived ... 33
5.5.2 Retention period for archive ... 33
5.5.3 Protection of archive ... 33
5.5.4 Archive backup procedures ... 33
5.5.5 Requirements for time-stamping of records ... 33
5.5.6 Archive collection system ... 33
5.5.7 Procedures to obtain and verify archive information ... 33
5.6 Key Changeover ... 33
5.7 Compromise and Disaster Recovery ... 34
5.7.1 Compromise handling procedures ... 34
5.7.2 Computing resources, software, and/or data are corrupted ... 34
5.7.3 Entity private key compromise procedures ... 34
5.7.4 Business continuity capabilities after a disaster ... 34
5.8 CA or RA Termination ... 34
6 Technical Security Controls ... 36
6.1 Key Pair Generation and Installation ... 36
6.1.1 Key pair generation ... 36
6.1.2 Private key delivery to subscriber ... 36
6.1.3 Public key delivery to subscriber ... 36
6.1.4 Key sizes ... 36
6.1.5 Public key parameters generation and quality checking ... 36
6.1.6 Key usage purposes ... 36
6.2 Private Key Protection and Cryptographic Module Engineering Controls ... 37
6.2.1 Private key escrow ... 37
6.2.2 Private key backup ... 37
6.2.3 Private key transfer into or from a cryptographic module ... 37
6.2.4 Private key storage on cryptographic module ... 37
6.2.5 Method of destroying private key ... 37
6.3 Other Aspects of Key Pair Management ... 38
6.3.1 Public key archival ... 38
6.3.2 Certificate operational periods and key pair usage periods ... 38
6.4 Activation Data ... 38
6.4.1 Activation data generation and installation ... 38
6.4.2 Activation data protection ... 38
6.4.3 Other aspects of activation data ... 38
6.5 Computer Security Controls ... 38
6.5.1 Specific computer security technical requirements ... 38
6.5.2 Life Cycle Security Controls ... 39
6.5.3 System development controls ... 39
6.5.4 Security management controls ... 39
6.5.5 Life cycle security controls ... 39
6.6 Network Security Controls ... 39
7 Certificate, CRL, and OCSP Profiles ... 40
7.1 Certificate Profile ... 40
7.1.1 Huawei Root CA Certificate Profile ... 40
7.1.2 Huawei Issuing CA Certificate Profile ... 40
7.1.3 Equipment Certificate Profile ... 41
7.2 CRL (Certificate revocation list) ... 42
7.3 OCSP ... 42
8 Compliance Audit and Other Assessment ... 43
8.1 Assessment frequency and conditions ... 43
8.2 Assessor qualification ... 43
8.3 Relation between assessor and assessed object ... 43
8.4 Assessment contents ... 43
8.5 Measures taken for problems and weaknesses ... 44
8.6 Assessment result notification and publication ... 44
9 Other Business and Legal Matters ... 45
9.1 Fees ... 45
9.1.1 Certificate issuance or renewal fees ... 45
9.1.2 Certificate access fees ... 45
9.1.3 Revocation or status information access fees ... 45
9.1.4 Fees for other services ... 45
9.1.5 Refund policy ... 45
9.2 Financial Responsibility ... 45
9.2.1 Insurance coverage ... 45
9.2.2 Insurance or warranty coverage for end-entities ... 45
9.3 Confidentiality of Business Information ... 46
9.3.1 Scope of confidential information ... 46
9.3.2 Information not within the scope of confidential information ... 46
9.3.3 Responsibility to protect confidential information ... 46
9.4 Privacy of Personal Information ... 47
9.4.1 Privacy plan ... 47
9.4.2 Information treated as privacy ... 47
9.4.3 Information not deemed privacy ... 47
9.4.4 Responsibility to protect private information ... 47
9.4.5 Notice and consent to use private information ... 48
9.4.6 Disclosure pursuant to judicial or administrative process ... 48
9.4.7 Other information disclosure circumstances ... 48
9.5 Intellectual Property Rights ... 48
9.6 Representations and Warranties ... 49
9.6.1 CA representations and warranties ... 49
9.6.2 RA representations and warranties ... 51
9.6.3 Subscriber representations and warranties ... 51
9.6.4 Relying party representations and warranties ... 53
9.6.5 Representations and warranties of other participants ... 53
9.7 Disclaimers of Warranties ... 53
9.8 Limitations of Liability ... 54
9.9 Indemnities ... 54
9.10 Term and Termination ... 55
9.10.1 Term ... 55
9.10.2 Termination ... 55
9.10.3 Effect of termination and survival ... 55
9.11 Individual notices and communications with participants ... 55
9.12 Amendments ... 55
9.12.1 Procedure for amendment ... 55
9.12.2 Notification mechanism and period ... 55
9.12.3 Amendment agreement ... 56
9.12.4 Circumstances under which OID must be changed ... 56
9.13 Dispute Resolution Procedures ... 56
9.14 Governing Law ... 57
9.15 Compliance with Applicable Law ... 57
9.16 Miscellaneous Provisions ... 57
9.16.1 Entire agreement ... 57
9.16.2 Assignment ... 57
9.16.3 Severability ... 58
9.16.4 Enforcement (attorneys' fees and waiver of rights) ... 58
9.16.5 Force Majeure ... 58
9.17 Other Provisions ... 58
1 Introduction
This Certification Practice Statement (hereinafter, CPS) describes the practices of the Huawei Equipment Certification
Authority (hereinafter HWCA): its certificate issuance, certificate management, and operation and maintenance
services. It provides the rules by which actual operation is supervised and implemented. This CPS also provides the
legal constraints for the related parties and reminds them to produce, use and validate digital certificates within the
scope regulated in this CPS.
This CPS document will be updated and revised as the CA changes, and will be published at the Web site
http://support.huawei.com/support/pki.
The document structure and content of this CPS comply with the format given in chapter 4 of RFC 3647.
1.1 Overview
This CPS sets out the basic standpoint and view of HWCA on its electronic certification service. It is the basis for
the actual application and operation documents and applies to all entities with relationships to HWCA, including
Certification Authorities (CAs), Registration Authorities (RAs), staff, Subscribers, and Relying Parties. All
participants must fully understand and perform the articles in the CPS in order to enjoy their rights and assume their liabilities.
The Huawei Equipment CA is divided into a root CA and issuing CAs. The CA hierarchy is shown as follows:
[Figure: CA hierarchy. The self-signed Huawei Equipment CA (root) signs the subordinate Huawei Issuing CAs.]
Currently, the HWCA hierarchy consists of the following CAs:
CA type | CA name | Description of Function
Root CA | Huawei Equipment CA | Serves as the trust anchor for the HWCA hierarchy.
Issuing CA | Huawei Wireless Network Product CA | Issues certificates to Huawei wireless network products.
1.2 Document Name and Identification
The name of this document is "HWCA Certification Practice Statement"; it gives a comprehensive description of the
digital certificates and related services provided by Huawei. "HWCA CPS", "Huawei CA HWCA Certification
Practice Statement", "Huawei CA CPS", "Huawei CA center CPS", "Huawei CA center electronic certification
service rule" and other similar expressions should be regarded as referring to this document wherever they appear.
1.3 PKI Participants
1.3.1 Certification authorities
All CAs within the HWCA hierarchy are called certification authorities. A CA is an organization that issues
digital certificates and provides them for the electronic certification service. HWCA is the first CA of Huawei and
provides the electronic digital certificate service to Huawei devices.
HWCA deploys CAs by product family. The root CA is a self-signed digital certificate generated by Huawei. This
root CA can be used only by Huawei to sign and issue sub-CA certificates for all Huawei products; the sub-CA of a
product family signs and issues digital certificates for its different products.
For now, the Huawei CA does not sign and issue CA certificates to outside parties, and only provides the digital
certificate service to the equipment provided and delivered by Huawei to customers and partners.
HWCA provides the following digital certificate lifecycle management services:
Digital certificate registration application
Digital certificate revocation
Digital certificate hang-up (suspension)
Digital certificate update
Digital certificate status query service
Periodic distribution of certificate status information in the form of Certificate Revocation Lists (CRLs)
A repository to store certificates and certificate status information
Directory service
1.3.2 Registration authorities
The registration authority of HWCA (hereinafter RA) is the business branch formally authorized by HWCA. It
identifies and authenticates the identity of the certificate applicant and either approves or rejects certificate
application, certificate revocation and certificate renewal requests. Certificate application, certificate revocation
and certificate suspension requests can be originated by the RA and are forwarded to the CA if the audit succeeds.
The auditing policy of the Huawei RA system is divided into automatic system auditing and manual auditing. For the
Huawei Issuing CAs, the RA function is performed by Huawei using a combination of automated and manual
processes. Automatic system auditing must be permitted by the RA administrator and an auditing policy must be
defined; it is used for automated or real-time systems. Once the corresponding policies are met, the system audits
the certificate request automatically. For other systems that are not automated or real-time, manual auditing must be adopted.
1.3.3 Subscribers
The subscriber is the lawful holder of a certificate and an entity of HWCA. Subscribers are the legal end-entities
that receive the certificates issued by HWCA. In this document, the subscriber mainly includes entities such as
hosts, servers and network devices which have applied for and legally hold digital certificates issued by a CA
within the HWCA domain.
The subscriber is the legal holder of a digital certificate and holds the private key corresponding to the public key
in the digital certificate. The subscriber is responsible for the security protection, storage and use of the private key.
1.3.4 Relying parties
Relying Parties include any entity, individual or organization that may rely upon certificates issued by HWCA and
uses a Subscriber's Certificate to verify the integrity of a digitally signed message, to identify the creator of a
message, to authenticate a Subscriber, or to establish confidential communications with the Subscriber; for
example, the customers who purchase Huawei equipment.
1.3.5 Certificates Applicant
An applicant can be any natural person or corporation which expects to become a subscriber of HWCA or a sub-CA.
The certificate applicant completes the application with the information required by this CPS for the type of
certificate to be acquired. By submitting an application, the certificate applicant authorizes HWCA to perform
identity identification and agrees to assist HWCA and its authorized authority in identifying all facts, the
environment of occurrence and other related information in a proper manner at their discretion. Here "proper
manner" means consistent with the requirements in this CPS and related laws and regulations.
1.3.6 Sponsor
A sponsor can be any group or organization which pays all certificate service costs for its affiliated or served
subscribers or potential subscriber group, and is a special certificate service transaction point. The certificate
sponsor has the right to cancel all or part of the certificate services of a holder whose certificate costs are paid by
the sponsor, according to the regulations in this CPS, other regulations published by HWCA, laws and policies. This
includes, but is not limited to, revocation of the holder's certificate.
1.3.7 Other Participants
Other participants are entities not mentioned above which are affiliated to the HWCA certificate system, such as a
third-party identity authentication organization selected by HWCA, a directory service provider and other PKI
service-related participants.
1.4 Certificate Usage
1.4.1 Appropriate certificate uses
The HWCA digital certificate is applicable to applications in areas such as electronic government public services,
e-business, enterprise informatization and network information transfer, and provides a foundational trust service
for the construction of a trusted network environment. The HWCA digital certificate can also be used for other
purposes, provided this does not breach local laws and regulations, this CPS (complied with in certificate issuing)
or the subscriber agreement, and provided it can be trusted by the relying parties. The certificate applicant can
check and decide at its discretion which certificate type is proper for its needs.
1.4.2 Prohibited certificate uses
The certificate issued by HWCA cannot be used for the following purposes:
1. A certificate application scope not agreed between HWCA and the subscriber.
2. Any use that breaches a state law or regulation or endangers state security. Otherwise, the incurred legal
consequences are borne by the user.
In addition, the certificate is not designed, intended or authorized for control equipment in dangerous environments
or fail-safe applications such as nuclear facility operation, space shuttle piloting, air traffic control systems or
weapon control systems, because any failure there could lead to death, personal injury or severe environmental damage.
1.5 Policy Administration
According to the regulations in the related laws, HWCA designates an HWCA-CPS policy development team to
draft, register, maintain and update the CPS. The contents of the Huawei CPS are subject to update and revision as
the CA changes and will be published at the website http://support.huawei.com/support/pki.
1.6 Definitions and Acronyms
Table 1.1 - Definitions and abbreviations
Abbreviations/nouns | Definition
HWCA | Abbreviation of Huawei Certification Authority.
Certificate Authority | The Huawei Root CA and CAs are Huawei's electronic certification service organization or group.
Registration authority | The CA registration authority is called the RA. It is an agent which signs the registration authority agreement and is authorized by HWCA to issue HWCA certificates. The RA processes certificate applications from certificate applicants and submits them to the CA.
Certificate issuing authority | Includes the HWCA-authorized registration authority, registration branch authority and transaction-point certificate issuing authority. The certificate issuing authority issues HWCA certificates to certificate applicants.
Relying party | A person who engages in related activities based on trust in the digital certificate and/or electronic signature.
Subscriber | Individual, collective, unit, organization, server or other individual or entity which owns any HWCA certificate.
Certificate applicant | An individual, enterprise or organization which requests HWCA to issue a certificate.
Subscriber | The holder of a certificate signed and issued by the CA.
OCSP | Online Certificate Status Protocol; supports real-time lookup of the state of a digital certificate.
LDAP | Lightweight Directory Access Protocol; used to search for and download digital certificates and certificate revocation lists (CRLs).
PKI | Public Key Infrastructure.
CRL | Certificate Revocation List. A CRL records the serial numbers (SN) of all revoked user digital certificates whose original expiry date has not yet passed, and can be consulted when digital certificate users authenticate a peer's digital certificate. A CRL is commonly called the digital certificate blacklist. It generally includes the CA name, the issuing date, the scheduled issuing date of the next revocation list, the SN of each changed or revoked digital certificate, and the time and reason for the change or revocation.
Certificate | Certification means that, prior to a network transaction, different entities have their identity reviewed by a trusted, neutral third party (such as HWCA), and the third party attests to the reliability and legality of the identity.
Private key | The digital key which must not be disclosed and is kept by its holder; it is used to create electronic signatures and to decrypt packets or files encrypted with the corresponding public key.
Public key | The digital key which can be made public; it is used to validate packets signed with the corresponding private key and to encrypt packets and files that only the corresponding private key can decrypt.
PKCS | Public Key Cryptography Standards.
2 Information publication and management
2.1 Repositories
HWCA provides repositories to support certificate services and makes its best effort to keep access to its public
repository and its policy information available, so that Relying Parties may obtain certificates and CRLs from or
through that public repository.
The repository shall be available as required by the certificate information posting and retrieval stipulations
of this CPS.
2.2 Publication of certification information
Huawei CA will publish the CPS, root CA certificate, CA certificate chain and CRLs. Subscribers can get them at
the HWCA website http://support.huawei.com/support/pki.
2.3 Time or frequency of publication
This CPS and any subsequent changes are made publicly available within one week of approval.
The CRLs are updated at least daily.
The certificate database is updated every time a certificate is published.
2.3.1 Time or frequency of publication of electronic certification service rule
HWCA will publish the latest CPS version in a timely manner. If a rule change or supplement is approved, barring
special cases, HWCA will publish the CPS at the website http://support.huawei.com/support/pki within five
business days.
2.3.2 Time or frequency of publication of certificate and CRL
For all revoked or suspended certificates, the CRL is automatically published via the HWCA directory server. The
latest CRL can also be published manually on demand. Users can search for or download the latest CRL at the HWCA
website http://support.huawei.com/support/pki. For an issuing CA, a CRL is issued at least every 24 hours, and a
Root CRL is issued at least every year. The CRL can be updated manually in case of an emergency.
2.3.3 Time or frequency of publication of HWCA public information
Whenever HWCA needs to publish related notifications, notices and other public information, it will promptly publish
them at the website http://support.huawei.com/support/pki.
2.4 Access controls on repositories
The URL of each HWCA can use SSL-based HTTP for secure access to records. Other URLs for publishing important
information should be based on HTTPS. HWCA is configured with information access control and security auditing
measures to guarantee that only authorized HWCA persons can write and modify the HWCA online notice version
and published information. Authorized operations are recorded. If necessary, HWCA can independently select
and manage information privileges to guarantee that only qualified parties holding a given privilege can read the
information.
3 Identification and Authentication
3.1 Naming
3.1.1 Types of names
The HWCA-published certificate contains the distinguished names of the issuing organization and of the subscriber
in the Issuer and Subject fields. The distinguished name assigned to the subject of a certificate is unique within a CA
and can be used to identify the owner of the certificate. All names specified in X.509 certificates must be expressed
as non-null subject Distinguished Names (DNs) complying with the X.500 standard.
3.1.2 Need for names to be meaningful
The user identification information carried in the name must have a specific, traceable and affirmative meaning.
Anonymous names and pseudonyms are forbidden.
For digital certificates provisioned to a device during manufacturing, the distinguished name assigned to the
subject of the certificate is provided by HWCA. The common name in the subject field contains equipment
information such as the equipment serial number, which identifies the relationship between the equipment and the
certificate. For this type of equipment digital certificate, the subject alternative name includes a DNS name that
contains the equipment serial number.
3.1.3 Anonymity or pseudonymity of subscribers
HWCA does not accept or allow any anonymous name or pseudonym and only accepts names with a specific meaning
as the unique identifier. A certificate applied for under a pseudonym or counterfeit name is invalid; if this fact is
proven, the certificate will be revoked.
3.1.4 Rules for interpreting various name forms
Not applicable.
3.1.5 Uniqueness of names
The distinguished name assigned to the subject of a certificate is unique within HWCA. When a DN is already in use,
the first applicant keeps that DN; subsequent applicants must add other identifying information to the DN in order
to distinguish it.
3.1.6 Recognition, authentication, and role of trademarks
Applicants must not use names in the certificate application which infringe the intellectual property or proprietary
trademarks of others. However, HWCA will not check whether certificate applicants own the intellectual property or
proprietary trademark in the names in their applications, and will not arbitrate, mediate or resolve disputes caused
by domain names, trademark names and service regulations. When such a dispute occurs, HWCA has the right to
reject or suspend the certificate application until the dispute is resolved (if necessary) according to the rule of
first application, first use, and will not be liable to any certificate applicant.
3.2 Initial Identity Validation
3.2.1 Method to prove possession of private key
When HWCA signs a certificate, it first computes a digest of the information in the certificate application using the
data digest algorithm, then decrypts the signature in the application using the public key in the application, and
finally compares the two. If they are equal, the digital certificate applicant owns the signature private key
corresponding to the signature public key.
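The proof-of-possession check described above, together with the serial-number naming rules of sections 3.1.2 and 3.1.3, as an added example in Go (not code from the CPS or from Huawei): the subscriber side builds a PKCS#10 request, and the RA side verifies its self-signature with the public key it carries and then checks that the subject CN and a dNSName SAN carry the equipment serial number. The vendor name, serial number and DNS suffix are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// Constructed equipment serial number; it is invented for this example and is
// not a real Huawei serial.
const sampleSerial = "ESN-EXAMPLE-0001"

// buildDeviceCSR stands in for the subscriber (the device, or the support staff
// applying on its behalf): it generates the key pair locally and signs a PKCS#10
// request whose subject CN and dNSName SAN carry the serial number, as the CPS
// requires for equipment certificates. It returns the DER-encoded request.
func buildDeviceCSR(commonName string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			Organization: []string{"Example Equipment Vendor"}, // constructed
			CommonName:   commonName,
		},
		DNSNames: dnsNames,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// parseCSR wraps the standard parser so the RA-side checks below can be run on
// a request object.
func parseCSR(der []byte) (*x509.CertificateRequest, error) {
	return x509.ParseCertificateRequest(der)
}

// validateDeviceRequest applies the RA-side checks the CPS describes:
//   - proof of possession (3.2.1): the request's self-signature must verify
//     with the public key contained in the request itself;
//   - meaningful, non-anonymous names (3.1.2, 3.1.3): the subject CN must
//     carry the equipment serial number, and so must a dNSName SAN.
// It returns nil when the request may be forwarded to the CA.
func validateDeviceRequest(csr *x509.CertificateRequest, serial string) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	cn := csr.Subject.CommonName
	if strings.TrimSpace(cn) == "" {
		return errors.New("anonymous request: empty subject common name")
	}
	if !strings.Contains(cn, serial) {
		return fmt.Errorf("common name %q does not carry serial %q", cn, serial)
	}
	for _, name := range csr.DNSNames {
		if strings.Contains(name, serial) {
			return nil
		}
	}
	return errors.New("no dNSName SAN carries the equipment serial number")
}

func main() {
	der, err := buildDeviceCSR("Device "+sampleSerial, []string{sampleSerial + ".equipment.example"})
	if err != nil {
		panic(err)
	}
	csr, err := parseCSR(der)
	if err != nil {
		panic(err)
	}
	fmt.Println("well-formed request:", validateDeviceRequest(csr, sampleSerial))
	// Tamper with the signature: the request no longer proves possession.
	csr.Signature[0] ^= 0xff
	fmt.Println("tampered request:", validateDeviceRequest(csr, sampleSerial))
}
```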
3.2.2 Authentication of organization identity
When applying for certificates for an organization, the applicant should appoint a legally authorized certificate
application representative, who signs the Certificate Application to accept its articles and undertake the
corresponding liabilities. HWCA and the certificate authority should review in a face-to-face manner whether the
certificate applicant is qualified.
The identity of an organization should be verified in the following manner:
1. The authorized representative of the organization should go to the application site with his or her original ID
card, business license registration certificate, organization code certificate (original or copy) and duplicates.
2. Check the consistency of the ID card, business license registration certificate, organization code certificate
(original or copy) and duplicates.
3. Check whether the information in the ID card, business license registration certificate and organization code
certificate is consistent with the information in the application form.
4. Check whether the organization accepts the articles in the HWCA digital certificate user responsibility statement.
5. Check the integrity of the application materials submitted by the subscriber.
6. HWCA can verify identity by inquiring of a third-party database or the corresponding authority and by using
methods reasonable to HWCA such as telephone and postal address surveys.
7. If HWCA cannot get the required information from a third party, it can request the third party to survey, or
request the certificate applicant to guarantee the truth of the provided additional information and proof materials.
HWCA and the authorized authority should review the legality of the applicant's materials. The review contents
include, but are not limited to, the above.
3.2.3 Authentication of individual identity
The checkers of the HWCA-authorized certificate issuing authority should reasonably and carefully check the
originals and copies of the application materials according to the procedure, review the truth of the applicant's
materials according to the management regulations, and reject or approve the application.
After HWCA receives a certificate application from an individual subscriber, and before issuing the certificate to
this subscriber, HWCA should check and verify the individual identity of the certificate applicant. The
identification procedure is as follows:
1. The individual certificate applicant should go to the certificate application site with the original ID card or
passport and duplicates, and the truth of the subscriber's identity is checked face to face.
2. Check whether the applicant's original ID card or passport and its copy are consistent with the duplicates.
3. Check whether the information in the applicant's original ID card or passport is consistent with the information
in the application form.
4. Check whether the applicant accepts the articles in the HWCA digital certificate user responsibility statement.
5. Check the integrity of the application materials submitted by the subscriber.
6. The review contents include, but are not limited to, the above.
The applicant is liable for the truth of the application materials. After HWCA and the authorized certificate
authority have reviewed compliance with the laws and regulations, they are not liable for proving the applicant's
identity, such as verifying the legality of the ID card. The HWCA and its authorized certificate authority should
store the detailed information
3.2.4 Identification and authentication of domain name (or IP address)
The applicant fills in the written application form. After it is signed by the authorized representative of the
organization and sealed by the organization (for an individual application, the individual's signature is required),
the applicant should go to the HWCA-authorized certificate issuing authority with the related materials for identity
check and fee payment.
If the certificate's DN is a domain name (RDN), then besides the written materials submitted by the applicant, which
will be reviewed, the applicant should also provide additional proof of the right to use the domain name, or the
corresponding domain name registration authority is queried to check whether the subscriber may use the domain
name. The auditors of the HWCA-authorized certificate issuing authority will carefully and reasonably check the
truth of the applicant's original materials and copies according to the related regulations.
8/13/2019 Rootca Cps
18/58
Huawei Equipment CA Certification Practice Statement Confidentialitylevel:public
Copyright 2011 Huawei Technologies Co., Ltd. All rights reserved. 18 of 58
3.2.5 Validation of authority
When a natural person or corporation applies for a certificate via an authorized third-party agent, HWCA and its
authorized certificate authority should audit the identity and qualification of the authorized person, including his or
her identity information and authorization proof, and may check the information by telephone, letter or other
methods for legality. HWCA has the right to confirm information on the authorized person via a third party or other
means and to request the authorized person to provide additional proof such as a trust letter.
3.3 Identification and Authentication for Re-key Requests
HWCA has the right to decide the validity period of a certificate on demand. Before the validity period expires, to
keep the old certificate name, the subscriber should generate a new key pair and obtain the certificate again to
guarantee continuity of certificate use. This process is called key update. When the information related to the
certificate changes or the subscriber has doubts about the security of the key, the subscriber must register again,
generate a new key pair and apply to the certificate authority for signing and issuing a certificate.
3.3.1 Identification and authentication for routine re-key
If a routine key update is performed because the certificate has expired, the certificate owner can sign the update
request message with the old private key and request that the certificate be signed again. The certificate issuing
authority will validate and verify the correctness, legality and uniqueness of the update request message.
In case of a certificate or key change application, the certificate owner can fill in the change application form and
submit related documents according to the initial identity validation steps, and the HWCA-authorized certificate
issuing authority will check them. The auditor should reasonably and carefully check the application document
originals and copies according to the regulated procedure, review the truth of the applicant's information and
approve or reject the application.
3.3.2 Identification and authentication for re-key after revocation
HWCA does not update the key of a revoked certificate. The certificate user must register identity again and apply
for a new certificate.
3.4 Identification and authentication for Revocation Requests
When the certificate subscriber or his legal agent applies to revoke a certificate, he should go to the HWCA
certificate authority for the transaction, including filling in the certificate revocation application form and
submitting related documents according to the initial identity validation steps. The HWCA-authorized certificate
issuing authority will check them. The auditors of the HWCA-authorized certificate issuing authority will reasonably
and carefully check the application document originals and copies according to the regulated procedure, review the
truth of the applicant's information and approve or reject the application.
4 Certificate Life-Cycle Operational Requirements
4.1 Certificate Application
HWCA provides an online digital certificate application Web site interface for a 24-hour online application service.
For the digital certificate application service, a Huawei RA system is responsible for identifying and authenticating
the identity and auditing the certificate application request. Only approved certificate requests are submitted to
the CA system, which then signs and issues the digital certificate to the applicant.
4.1.1 Who can submit a certificate application
Generally, there is no restriction on who may submit a certificate application, but currently the certificate
application interface of HWCA only accepts applications from Huawei staff, authorized CAs, RA authorities,
organizations or entities. For equipment delivered by Huawei, the Huawei CA system does not provide an online
certificate application interface to the equipment itself; the staff of Huawei technical support service are
responsible for applying for certificates for this equipment if necessary.
4.1.2 Enrollment process and responsibilities
When applying for a certificate, applicants are responsible for providing accurate information and filling out the
application form required for the digital certificate. After receiving the application, the RA system authenticates
the applicant's identity and validates the contents of the certificate application request. After successful auditing,
the RA approves the digital certificate request; otherwise, it rejects the request.
4.2 Certificate Application Processing
4.2.1 Performing identification and authentication
HWCA or the authorized certificate issuing organization should audit the materials submitted by the certificate
applicant according to the regulations and related process rules in chapter 3 of this CPS and approve or reject the
application.
4.2.2 Approval or rejection of certificate applications
Certificate application approval
HWCA will approve the application and issue a certificate upon successful completion of the identity-proofing
process and the validation process of the certificate request.
Certificate application rejection
HWCA can refuse to sign a certificate at its discretion and will not be liable for any incurred loss or cost. If the
application fails identity identification and authentication, HWCA will reject the certificate application.
Generally HWCA will inform the applicant about any problems; however, HWCA has the right to refrain from
informing applicants or explaining the reason for failure, and will not be liable for any compensation. The rejected
certificate applicant can apply again after providing accurate information.
4.2.3 Time to process certificate applications
Huawei will make an effort to process the certificate applications within a reasonable time upon receiving the request.
There is no maximum process time for an application unless otherwise indicated in other relevant agreement. If the
processing period is extended, the application will remain active until it is approved or rejected.
4.3 Certificate Issuance
4.3.1 CA actions during certificate issuance
On receiving a certificate request from the Huawei RA for an applicant, HWCA creates and signs the certificate
based on the information in the certificate request, which contains the subscriber's data.
At the same time, HWCA publishes the certificate to the repository and sends the certificate to the applicant via the
Huawei RA.
4.3.2 Notification to subscriber by the CA of issuance of certificate
After a certificate has been issued, HWCA directly informs subscribers or through an authorized agent by means of
face-to-face notification, Email notification, post letter notification and other methods recognized by HWCA.
4.4 Certificate Acceptance
4.4.1 Conduct constituting certificate acceptance
After the HWCA digital certificate is signed and issued, the certificate applicant downloads the certificate and
verifies its content. A Subscriber's receipt of a certificate and subsequent use of the certificate and the private key
corresponding to the public key in the certificate constitute certificate acceptance. After the certificate applicant
accepts the digital certificate, he should properly and securely save the corresponding private key (stored in the
storage medium).
If the subscriber objects to accepting the certificate, the applicant must explicitly inform Huawei with the reasons
and details.
4.4.2 Publication of the certificate by the CA
Once the certificate applicant accepts the certificate, HWCA will publish a copy of the certificate on the directory
server and in one or more other manners decided by HWCA. The certificate applicant may publish the digital
certificate signed and issued by HWCA in other information databases.
4.4.3 Notification of certificate issuance by the CA to other entities
HWCA and its authorized registration authority do not notify other entities when HWCA signs and issues a
certificate. Subscribers and relying parties can search the information repository.
4.5 Key Pair and Certificate Usage
4.5.1 Subscriber private key and certificate usage
Subscribers must be familiar with PKI operations. When applying for a digital certificate, a subscriber must guarantee
that the registration information provided is correct and truthful.
Subscribers must use a trusted system or secure agent to generate the key pair, store the private key securely and
properly, and guarantee that the holder of the private key is the actual entity named in the certificate subject.
Subscribers must also prevent the compromise, loss, disclosure, modification or other unauthorized use of their
private keys.
After accepting the digital certificate, the subscriber must store the corresponding private key properly on its storage
medium to avoid loss, leakage, tampering or theft. Whenever a certificate is used, the user must validate it, including
checking that the certificate has not been revoked, is within its validity period, and was signed and issued by HWCA.
When using a signature made with a certificate signed and issued by HWCA, or the signed information, all involved
parties (HWCA and the certificate authority, the certificate subscriber and relying parties) bear the corresponding
liabilities and fulfil the corresponding obligations according to the provisions of this CPS. All parties are deemed to
be informed of and to agree with the articles of this CPS and any agreements and specifications between HWCA and
those parties. HWCA assumes no liability for any use of a certificate or private key beyond the provisions of this CPS.
Certificates signed and issued by HWCA can be used to indicate the certificate holder's identity in a certificate
application and to validate a signature made by the certificate holder with the private key corresponding to the public
key in the certificate; the signature and its validation thus guarantee the truthful identity of the certificate holder,
information integrity, information non-repudiation and key agreement. If the certificate holder uses the certificate for
other purposes, HWCA assumes no liability or obligation.
If fields of the certificate indicate the use scope and purpose of the certificate, the certificate can be used
within that scope. The actor is liable for any action beyond the application marked in the certificate.
HWCA assumes no liability or obligation for any action beyond the application scope.
4.5.2 Signature and validation
A signature is considered valid under the following conditions:
It was created within the validity period of the certificate;
The signature is correctly validated via certificate path validation;
The relying parties do not discover or notice that the signature violates the conduct regulated in this CPS.
Relying parties must comply with all provisions of this CPS.
Use of a certificate does not indicate that the subscriber may act or take any special action in any individual's interest.
Signature validation aims to guarantee that the signature was created with the private key corresponding to the
public key in the issuer certificate and that the signature has not been changed since it was created.
4.5.3 Relying party public key and certificate usage
After obtaining the certificate of a peer, the user can learn the peer's identity by viewing the certificate, validate the
authenticity of its electronic signature with the public key, achieve non-repudiation of the communication, and keep
the data transferred between the two parties confidential and intact.
Before trusting a certificate and signature, relying parties must independently make reasonable efforts and
reasonable judgments. Except as additionally provided in this CPS, a certificate is not a commitment by the
certificate issuing authority of any power or privilege. A relying party may trust the certificate and its public key, and
make decisions on that basis, only within the scope regulated in this CPS. A relying party must validate a certificate
using the CRL and OCSP, and trust the certificate only if it has not been suspended or revoked.
If fields of a certificate indicate its use scope and purpose, the certificate may only be used within that scope.
Relying parties must make a reasonable judgment. A relying party is liable for any reliance on an action beyond the
application scope of the certificate; HWCA assumes no liability or obligation.
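The relying-party checks described in 4.5.1 and 4.5.3 (validity period, issuance by the trusted CA, the use scope marked in the certificate, and CRL status), as an added example using Go's standard crypto/x509 package; this is not code from the CPS or from Huawei. BuildTestPKI, Validate, the certificate names and the serial numbers are constructed for the example, and OCSP is omitted because the CPS makes it available for internal use only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // a failure while building the constructed fixture is a bug
	}
	return v
}

// BuildTestPKI is a constructed stand-in for the HWCA hierarchy (not Huawei's PKI): a root,
// one subscriber certificate, and a CRL signed by the root that lists the given serials as revoked.
func BuildTestPKI(issuedAt time.Time, revoked ...*big.Int) (root, leaf *x509.Certificate, crl *x509.RevocationList) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: issuedAt, NotAfter: issuedAt.AddDate(10, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(1000),
		Subject:   pkix.Name{CommonName: "equipment-0001"},
		NotBefore: issuedAt, NotAfter: issuedAt.AddDate(1, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature} // the field that marks the certificate's use scope
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issuedAt, NextUpdate: issuedAt.AddDate(0, 0, 7)}
	for _, s := range revoked {
		crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: issuedAt})
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, rootKey))))
	return root, leaf, crl
}

// Validate applies the relying-party checks of CPS 4.5.1 and 4.5.3: the certificate chains to the
// trusted root, is inside its validity period at now, is scoped for signing, and is not on a current CRL.
func Validate(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { // period and chain signature
		return err
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not scoped for digital signature")
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // the CRL itself must come from the CA
		return err
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; download a fresh one before trusting the certificate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}
```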
4.6 Certificate Renewal
Not applicable.
4.7 Certificate key renewal
Not applicable.
4.8 Certificate change
Not applicable.
4.9 Certificate revocation and suspension
Certificate revocation is permanent and cannot be reversed.
4.9.1 Circumstances for certificate revocation
1. A new key pair replaces the old key pair.
2. Key disclosure: the private key corresponding to the public key in the certificate is disclosed, or the user suspects
that it may be.
3. Affiliation change: the subject associated with the key-holding subscriber changes.
4. Operation termination: the certificate is no longer used for its original purpose and the key is not disclosed, but
termination is required (e.g. a subscriber leaves an organization);
5. The certificate update fee is not received.
6. The subscriber entity no longer exists;
7. The subscriber does not comply with the liabilities and obligations regulated in this CPS or other agreements,
laws and regulations.
8. The subscriber did not provide truthful materials when applying for initial registration.
9. The private key corresponding to the public key in the certificate is stolen, faked, counterfeited or tampered with.
10. The subscriber applies for revocation.
4.9.2 Who may request revocation
When one of cases 1 to 9 of CPS 4.9.1 applies, the entity requesting certificate revocation may be HWCA or another
authorized agent, and revocation is mandatory. After revocation, the subscriber must be informed immediately.
When case 10 of CPS 4.9.1 applies, the entity requesting certificate revocation is as stated in CPS 4.1.2.
Other cases depend on the actual circumstances, which HWCA determines.
4.9.3 Processing certificate revocation requests
The flow for a revocation applied for by the subscriber is as follows:
Before revoking a certificate, the subscriber should decrypt any encrypted data such as encrypted e-mail, back
it up (e.g. copy the mail contents and store them as plaintext, or store the mail attachments) and delete the
certificate.
The applicant fills out the revocation application form, including the revocation reason, and submits the revocation
request to HWCA.
HWCA or the authorized registration authority checks the certificate revocation application submitted by the
subscriber according to the provisions of CPS 3.4;
After checking the revocation application, HWCA or the authorized registration authority revokes the certificate.
HWCA publishes the revocation information to the public repository in a timely manner so that subscribers and
relying parties can download it.
4.10 Certificate status services
HWCA makes certificate status checking services available, including CRLs, OCSP and appropriate web interfaces.
CRL
HWCA signs and publishes the CRL to the public repository and makes it available from
http://support.huawei.com/support/pki.
OCSP
Currently HWCA makes OCSP responses available for internal use only.
4.11 End of Subscription
Service termination means that the certificate user terminates the service with HWCA; it covers the following two
cases:
When the certificate has expired or been revoked, the system terminates the service with HWCA.
When the certificate has expired and the certificate user does not extend its use or apply for a certificate again, the
certificate user can terminate the service.
When the certificate has not expired, the system terminates the service with HWCA.
If the certificate user terminates the certificate service for some reason during the validity period of the certificate,
HWCA will suspend or revoke the certificate according to the certificate user's requirements, and the service
between the certificate user and HWCA terminates.
4.12 Key Escrow and Recovery
Not applicable
5 Facility, Management, and Operational Controls
5.1 Physical Security Controls
The HWCA certification service system is located in a highly secure and stable building and has its own independent
hardware and software platform. Only authorized operators may access the management area, and only to perform
operations according to the related safety operation regulations. The root key of HWCA is kept in a highly secure
environment to prevent damage or unauthorized operation.
5.1.1 Site location and construction
To guarantee the security and reliability of the physical environment, HWCA fully considers threats such as flooding,
fire, earthquake, electromagnetic interference and emission, crime and workplace accidents, and provides measures
such as vibration resistance, fire prevention, water prevention, constant humidity control, backup power generation,
access control and video monitoring to guarantee a continuous and reliable certification service.
5.1.2 Physical access
To enter the equipment room, an operator must pass strict approval, a safety check and an identity check based on
the IC-card access control system. Measures such as material access registration, personnel access registration,
24-hour video monitoring, guarding and walking inspections are taken. Without permission, it is forbidden to bring
prohibited objects such as metal objects, electronic cameras, video cameras and USB memory devices into the equipment room.
5.1.3 Power and air conditioning
The HWCA system is powered by dual power supplies; when one supply fails, the system continues to operate
normally. A UPS is used to avoid power fluctuations and to guarantee emergency power supply.
Central air conditioning adjusts and controls the temperature and humidity inside the system equipment room,
guaranteeing that air quality, temperature and humidity, fresh air and air cleanliness inside the equipment room meet
the state regulations.
5.1.4 Water exposures
The HWCA equipment room is located on floor F3. The certificate service system is located in a closed building, and
waterproofing and erosion-resistance measures are taken to guarantee system safety.
5.1.5 Fire prevention and protection
The HWCA equipment room is fitted with an automatic fire alarm system and an automatic gas fire-extinguishing
system. The system can be started in automatic, manual or mechanical emergency operation mode. In the
automatic state, when a fire breaks out in the protection zone and the fire alarm controller receives two independent
fire alarm signals from the zone, it immediately issues linked signals; after a 30 s delay, the fire alarm controller
outputs action signals and starts the fire-extinguishing system. When the alarm controller receives feedback signals
from the pressure signal device, the indicator in the protection zone lights up to prevent anyone from entering. When
persons are working in the protection zone, the system can be switched from the automatic state to the manual state
with the manual/automatic switch outside the protection zone door. In that case, when a fire alarm occurs in the
protection zone, the alarm controller only issues alarm signals and does not output action signals. After confirming
the fire alarm, the on-duty person can press the control panel or break the emergency start button outside the
protection zone to start the system immediately and discharge the gas fire-extinguishing agent. When both the
automatic and the manual emergency start fail, the person can start the system by mechanical emergency operation
in the cylinder storage room.
5.1.6 Media storage
HWCA stores and uses physical media in accordance with requirements for waterproofing, fireproofing,
vibration-proofing, damp-proofing, erosion-proofing and protection against insects, static electricity and
electromagnetic emission. Measures such as media use registration, prevention of media duplication and information
encryption are taken to protect media safety.
5.1.7 Waste disposal
When hardware equipment, storage equipment and encryption equipment used by the HWCA certification service
system is retired, the sensitive and confidential information on it must be securely and completely deleted.
When files and storage media contain sensitive and confidential information, special destruction measures must be
taken to guarantee that the information cannot be recovered or read.
All processing actions must be recorded for review. All destruction actions must comply with the related laws and
regulations.
5.2 Procedural Controls
5.2.1 Trusted roles
To reduce opportunities for unauthorized modification or misuse of information or services, HWCA segregates
duties and areas of responsibility across different roles, key functions and posts for CA system operation, including
but not limited to the operation security management team, super administrator, system administrator, system auditor,
key administrator, security administrator, network administrator, monitoring administrator, gate control administrator,
input person, auditor and certificate maker. These posts are assigned to guarantee clear responsibility, establish effective
security mechanisms and guarantee internal management and operational security.
5.2.2 Number of persons required per task
Table 5.1 Minimum staff for trusted roles
SN   Trusted role                          Persons
1    Operation security management team    3-5
2    Super administrator                   2
3    System administrator                  2
4    System auditor                        1
5    Security administrator                1
6    Network administrator                 1
7    Monitoring administrator              1
8    Gate control administrator            1
9    Operator                              Several
10   Auditor                               Several
11   Certificate maker                     Several
5.2.3 Identification and authentication for each role
All HWCA employees must be certified; they are then allocated security tokens such as the required system operation
card, gate control card, login password and operation certificate according to their job nature and title privileges. For
employees who use security tokens, the HWCA system independently records and supervises all operation actions.
According to the security specification, a security token belongs only to the token holder or organization and cannot
be shared. The HWCA system and procedures control operator privileges by token.
5.2.4 Roles requiring separation of duties
HWCA defines the trusted roles according to the rules of trusted-role separation and of separation between operation
and management. The security administrator and the network administrator cannot be the same person. The system
administrator and the system auditor cannot be the same person. The monitoring administrator and the gate control
administrator cannot be the same person. The input person and the auditor cannot be the same person.
5.3 Personnel Controls
5.3.1 Qualifications, experience, and clearance requirements
Staff assigned by HWCA to trusted roles must meet the following conditions:
1. Have a good social and work background
2. Comply with state laws and regulations and follow the uniform scheduling and management of HWCA
3. Comply with the security management specifications, regulations and systems of HWCA
4. Have good personal character and education and a careful and responsible attitude
5. Have a good spirit of team cooperation
5.3.2 Background check procedures
HWCA staff are employed according to a strict employment procedure. The background of trusted staff is
investigated according to the requirements of the post.
HWCA performs a strict background investigation of key CA staff. The investigation includes, but is not limited to,
verification of previous work records, verification of the authenticity of identity documents, verification of the
authenticity of diplomas and other certificates, and checks for fraudulent behaviour. Registration authorities,
registration branch authorities and operators at the transaction site are investigated by reference to the HWCA
investigation of trusted staff. The organization responsible for the transaction site may supplement this with its own
investigation, probation and training, but may not violate the HWCA certificate transaction regulations and the
HWCA electronic certificate service rules.
HWCA defines flow management rules. CA staff are bound by contract and regulations and may not disclose
sensitive information about the HWCA certification service system. All staff sign a confidentiality agreement with
HWCA.
5.3.3 Training requirements
HWCA holds staff training on responsibilities, posts, technology, policies, laws and security as needed. HWCA
provides the following comprehensive training to its staff, including but not limited to:
Information security knowledge training and examination
Post responsibility and post skill training
Fire control knowledge training and drilling
Professional knowledge and skill training on PKI system business
5.3.4 Retraining frequency and requirements
HWCA holds periodic staff training according to changes in the internal environment and staff conditions, to adapt
to new changes and continuously improve the professional quality of the staff.
5.3.5 Job rotation frequency and sequence
Not involved
5.3.6 Sanctions for unauthorized actions
When HWCA staff perform unauthorized operations or operations beyond their authority, HWCA takes appropriate
administrative and disciplinary action against the personnel concerned, such as immediately invalidating or
terminating the employee's security certificate and IC card.
5.3.7 I