28 May 1999

Date:         Fri, 28 May 1999 11:38:16 -0400
From:         Michael Power <Power.Michael@TBS-SCT.GC.CA>
Subject:      Policy for Public Key Infrastructure Management in the Government
              of Canada

For those who may be interested, the Treasury Board (a committee of Cabinet)
approved yesterday evening a Policy for Public Key Infrastructure Management
in the Government of Canada. The policy provides direction to government
departments with respect to the issuance and use of certificates and
provides a governance structure for the Government of Canada PKI.

The following is a very brief outline of the Application, Policy
Requirements and Appendices of the Policy. The unofficial version of the
document is now available on our website in PDF format (see signature block


The policy applies to all departments and agencies in Schedule I, Parts I
and II of the Public Service Staff Relations Act, the Canadian Forces and
the Royal Canadian Mounted Police.

Policy Requirements

1.      Certificate Authorities (CA): departments that intend to issue
certificates (or have them issued on their behalf) must retain full
responsibility for the certificates and their use.  If they intend to issue
certificates to individuals outside the department, they must be members of
the Government of Canada PKI (GoC PKI) and GoC PKI Policy Management
Authority (PMA).

2.      Cross-certification: departments must cross-certify with other
departments and external organizations only through the Canadian Central

3.      Employees: departments must implement and communicate to their
employees the policies and procedures for the appropriate use of

4.      External Subscribers: departments must ensure that persons outside
government to whom they intend to issue certificates agree in writing to the
terms and conditions for the appropriate use of these certificates,
including privacy and limits on liability, before issuing the certificates.
Their obligations under this agreement must be explained to them.

5.      Procurement of CA Services: departments that intend to procure CA
services must require the government or private-sector service provider to
operate in accordance with the department's Certificate Policy (CP) and
Certification Practice Statement (CPS). These certificates must be issued in
the name of Her Majesty, and information held by service provider must be
retained in Canada.

6.      Repository: departments must establish and operate a repository for
public key certificates and revocation lists that conforms to applicable
standards and is registered with the government Registrar of Repositories.

7.      Key Management: departments must comply with GoC policy for the
back-up of private confidentiality keys. Employee keys will be backed-up but
consent must be obtained from all others prior to the back-up of those keys.
The policy is consistent with the government's cryptography policy.

8.      Liability: departments must establish limits of liability for
certificates that are no less than those set by the PMA and agree to abide
by the rules in the policy for accountability for loss.

9.      Transition: the policy sets out transition rules to govern the
transition from current practices to those required under this policy.

10.     Exemptions: The policy provides a process for departments to apply
for an exemption from the requirement to be a member of the GoC PKI or the
requirement to cross-certify through the Canadian Central Facility. Specific
classes of exemptions may be established.

Appendix A, Definitions

Contains definitions of the terms and concepts used in the policy.

Appendix B, Memorandum of Understanding

Sets out the form of the written cross-certification arrangement between
government departments.

Appendix C, Minimum Terms and Conditions Required for Cross-Certification

Sets out the minimum provisions for a written cross-certification agreement
with an organization other than a department

Appendix D, Minimum Terms and Conditions Required For External Subscriber

Sets out the minimum terms and conditions to be contained in an external
subscriber agreement.

Appendix E, Model External Subscriber Agreements

Includes three example external subscriber agreements that departments may
use or adapt for their external subscribers.  The three agreements range
from a short simple one for citizens who require low-assurance certificates
to a long form for businesses or professions with complex dealings with

Appendix F, Minimum Elements Required for Departmental Policies Governing
Certificate Use by Employees

Departments are to implement a policy that will govern the appropriate use
of GoC PKI certificates by employees.  This does not have to a discrete
policy but may be included in another appropriate police, e.g., a network

Appendix G, Model Employee Use Policy

An example policy for the appropriate use of GoC PKI certificates by
employees that departments may adapt to their purposes.

Appendix H, Minimum Terms and Conditions for the Procurement of
Certification Authority Services

Sets out the minimum terms and conditions that departments should include in
any contacts for CA services.

Appendix I, Framework for Public Key Infrastructure Documentation

Sets out a framework for PKI documentation including the organization
responsible for producing and/or approving it.

Michael Power
Deputy Director, Policy/        Directeur adjoint, Politiques
Interdepartmental PKI Task Force/ Groupe interministériel de mise oeuvre de
Treasury Board Secretariat/ Secrétariat du Conseil du Trésor

275 rue Slater Street, Ottawa, Canada K1A 0R5
Tel. 946-5056; Fax. 946-9893;
Email: power.michael@tbs-sct.gc.ca
Website: http://www.cio-dpi.gc.ca