For enterprises and governments that plan to set up, or have already set up, their own PKI, the Premium or the Standard service offering can be used. Alternatively, if an enterprise or government does not plan to set up its own PKI, it may acquire CertiPath-compliant identities and credentials from a . Currently CertiPath has three certified service providers: ARINC, Exostar and SITA.
Applicants planning to operate their own PKI may choose between the Standard and Premium services based on the considerations described below:
| Considerations | Standard | Premium |
| --- | --- | --- |
| Do you plan to deploy your own Public Key Infrastructure (PKI)? | Yes | Yes |
| Do you need the ability to set up your own root CA with autonomy to define your own Certificate Policy (CP)? | No | Yes |
| Do you need the ability to set up your own subordinate CAs based on business units, geography or programs? | No | Yes |
| Are you willing to inherit the CertiPath CP and accept any changes to the CP approved by the Policy Management Authority (PMA) unconditionally? | Yes | No |
| Are you willing to have the Certification Practices Statement (CPS) based on the CP audited by third-party auditors? | Yes | Yes |
| Do you plan to deploy the PKI based on the CP and the CPS defined? | Yes | Yes |
| Are you willing to provide a production-representative test environment for the duration of your membership with CertiPath? | Yes | Yes |
| Are you willing to perform interoperability testing in a test environment? | Yes | Yes |
| Are you willing to be subjected to a third-party zero day or pre-operational audit of the PKI based on the approved CPS? | Yes | Yes |
| Are you willing to perform the Production Environment Interoperability Testing? | Yes | Yes |

General considerations to note:
- With either service, customers must write a CPS that implements the CP.
  - The CPS language cannot be a duplicate of the CP language.
  - Where the CP has "must" and/or "shall", the corresponding "how" is captured in the CPS - in DETAIL.
- Your CPS is NOT a public document.
  - Your auditor will see your CPS.
  - CertiPath management (not the CertiPath PMA) may ask to see certain sections under NDA in certain conditions.
- For the Compliance Analysis and Audit described above:
  - Please hire a third-party auditor that meets the CertiPath qualifications described in the CertiPath application.
  - Your chosen auditor will perform a paper-based analysis in which the CP (whether your own or the CertiPath CP) is compared to your CPS to ensure the CPS implements the CP.
  - Once the Analysis is completed satisfactorily, applicants build out a PKI compliant with their CPS. If the applicant is using an existing PKI, the modifications required to bring the PKI into compliance with the newly analyzed CPS are made at this time.
  - NOTE: The auditor must be present at the root key cutting ceremony for Standard and Premium Services customers regardless of which model (i.e. in-source, etc.) has been chosen. For pre-existing PKIs, there must be evidence of the third-party auditor who witnessed the original root key ceremony.