CRY-08.01B

1. Overview

CRY-08.01B
The cloud service provider has documented and implemented procedures to securely issue and obtain public-key certificates, ensuring the integrity and authenticity of cryptographic keys. These procedures include:

1. Verification of identity before issuing public-key certificates that are issued by or on behalf of the cloud service provider for its own system components or personnel, to ensure they are granted only to legitimate entities;
2. Secure methods for issuing certificates that are issued by or on behalf of the cloud service provider for its own system components or personnel, to prevent unauthorised access; and
3. Procedures for obtaining public-key certificates from trusted Certificate Authorities, to ensure the authenticity of the certificates used by the cloud service provider.

The first two items apply to certificates issued by or on behalf of the cloud service provider for its own system components and personnel. If the cloud service provider offers certificate authority services to cloud service customers, the shared responsibility principle applies: the cloud service provider should ensure that the cloud service provides adequate technical measures to enable cloud service customers to perform adequate identity verification (cf. also the Complementary Customer Criteria).

The third item applies to certificates that the cloud service provider obtains from external Certificate Authorities for use in its own cloud services and system components. The cloud service provider should ensure that certificates are obtained only from trusted Certificate Authorities and that the authenticity of received certificates (in particular, that the certificate chains to a trusted root and is valid for the intended use) is verified before the certificate is put into use.
This criterion does not necessarily extend to certificates that cloud service customers obtain from external Certificate Authorities for their own purposes; the selection and validation of external Certificate Authorities by customers falls under customer responsibility within the shared responsibility model.
1.1 References

2. Identified Requirements

3. Related Regulations