The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:
Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation; CA key storage, backup, and recovery; CA public key distribution (especially when done in the form of self-signed “root” certificates); CA key escrow (optional); CA key usage; CA key destruction; CA key archival; the management of CA cryptographic hardware through its life cycle; and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise that can damage the integrity of the public key infrastructure.
The user certificate life cycle is at the core of the services provided by the CA. The CA establishes its standards and practices by which it will deliver services in its published CPS and CPs. The user certificate life cycle includes the following:
Effective controls over the registration process are essential, as poor identification and authentication controls jeopardize the ability of subscribers and relying parties to rely on the certificates issued by the CA. Effective revocation procedures and timely publication of certificate status information are also essential elements, as it is critical for subscribers and relying parties to know when they are unable to rely on certificates that have been issued by the CA.