Evaluating Certificate Policy - Certification Practice Statement of Unique Government Certification Authority using Public Key Infrastructure Assessment Guidelines: Research in Progress

TL;DR

This research assesses the compliance of Indonesia's government CA policy document with international standards, revealing non-conformities and the need for updates to ensure trustworthiness in PKI operations.

Contribution

The paper applies PKI assessment guidelines to evaluate the Indonesian government CA's policy document, highlighting gaps and proposing the need for revisions to meet standards.

Findings

CP-CPS v1.0 does not fully comply with standards

Identified gaps in policy alignment with RFC 3647

Recommendations for updating the CP-CPS to current standards

Abstract

OSD PSE is the Indonesian Government Certification Authority (CA) for National e-Procurement System and later named OSD PSE G2. It has a unique hierarchical structure under the OSD Lemsaneg. As an Issuing CA, the OSD PSE G2 publishes and guarantee the quality of the Certificate Policy and Certification Practice Statement (CP-CPS) in order to gain the PKI user trustworthy. In this article, we analyze the CP-CPS version 1.0 that published by OSD PSE G2. For this purpose, we apply the methodology of PKI Assessment Guidelines (PAG). The quality assessment of this CP-CPS, including its compliance to the related reference/standard, namely: CP OSD Lemsaneg v.1.1; RFC 3647; and CA Business Practice Disclosure Principle on Trust Service Principles and Criteria for Certification Authorities (BPDP-TSPCCA) version 2.0. We finally found that the CP-CPS version 1.0 does not comply with related standard and reference. Hence, the CP-CPS need to be updated following the current condition of OSD PSE G2.