1. The PKI manages the registration, issuance and control of X.509 certificates for use by DoD personnel in the conduct of official business. An X.509 certificate binds an end entity (such as a subscriber, router, or automated message guard) to a key pair, certifying that the entity identified in the certificate has the private key associated with the public key incorporated into the certificate.
2. The key pairs are used by end entities to perform cryptographic operations: to digitally sign information, to ensure the identity of the signer and the integrity of the information, and to encrypt information to ensure confidentiality. The DoD PKI issues separate certificates and key pairs for identity authentication and integrity, and for confidentiality.
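The following is an added example (not DoD code or any part of this directive) that shows, with the Go standard library, the arrangement items 1 and 2 describe: a CA binds each public key to a subject by signing a certificate, one certificate is issued for identity/integrity (digital signature and non-repudiation key usage) and a separate one for confidentiality (key encipherment), and a relying party checks the chain and the key-usage bits before trusting a signature or encrypting to a key. The CA name, subject names and the sample message are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds a constructed CA plus the two end-entity certificates the text
// describes: one for identity/integrity (signing), one for confidentiality.
type Bundle struct {
	CA      *x509.Certificate
	SigCert *x509.Certificate
	SigKey  *ecdsa.PrivateKey
	EncCert *x509.Certificate
	EncKey  *rsa.PrivateKey
}

// template builds a minimal certificate template with the given key-usage bits.
func template(cn string, serial int64, usage x509.KeyUsage, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue signs tmpl (binding pub to its subject) with the parent's private key.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewBundle creates a self-signed CA and issues the two separate end-entity
// certificates: the identity cert carries digitalSignature+contentCommitment
// (non-repudiation), the confidentiality cert carries keyEncipherment only.
func NewBundle() (*Bundle, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := template("Constructed Example Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	sigKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sigCert, err := issue(template("subscriber (identity)", 2,
		x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, false), caCert, &sigKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	encCert, err := issue(template("subscriber (confidentiality)", 3,
		x509.KeyUsageKeyEncipherment, false), caCert, &encKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{CA: caCert, SigCert: sigCert, SigKey: sigKey, EncCert: encCert, EncKey: encKey}, nil
}

// verifyChain confirms the certificate was issued by the trusted CA and is in its validity period.
func verifyChain(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// requireKeyUsage rejects a certificate whose key-usage bits do not permit the operation.
func requireKeyUsage(cert *x509.Certificate, u x509.KeyUsage) error {
	if cert.KeyUsage&u != u {
		return fmt.Errorf("certificate %q does not permit key usage %#x", cert.Subject.CommonName, u)
	}
	return nil
}

// SignMessage signs with the identity private key (SHA-256 digest, ECDSA, ASN.1 signature).
func SignMessage(b *Bundle, msg []byte) ([]byte, error) {
	if err := requireKeyUsage(b.SigCert, x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment); err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, b.SigKey, h[:])
}

// VerifyMessage checks chain, key usage, then the signature against the certificate's public key.
func VerifyMessage(b *Bundle, cert *x509.Certificate, msg, sig []byte) error {
	if err := verifyChain(cert, b.CA); err != nil {
		return err
	}
	if err := requireKeyUsage(cert, x509.KeyUsageDigitalSignature); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

// Encrypt uses the confidentiality certificate's RSA public key (OAEP/SHA-256).
func Encrypt(b *Bundle, cert *x509.Certificate, plaintext []byte) ([]byte, error) {
	if err := verifyChain(cert, b.CA); err != nil {
		return nil, err
	}
	if err := requireKeyUsage(cert, x509.KeyUsageKeyEncipherment); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("confidentiality certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt recovers plaintext with the confidentiality private key.
func Decrypt(b *Bundle, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, b.EncKey, ct, nil)
}

func main() {
	b, err := NewBundle()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	sig, _ := SignMessage(b, msg)
	fmt.Println("signature verifies:", VerifyMessage(b, b.SigCert, msg, sig) == nil)
	fmt.Println("confidentiality cert rejected for signing:", VerifyMessage(b, b.EncCert, msg, sig) != nil)
	ct, _ := Encrypt(b, b.EncCert, msg)
	pt, _ := Decrypt(b, ct)
	fmt.Println("decrypted matches:", string(pt) == string(msg))
}
```

The two key-usage checks are the point of issuing separate certificates: a relying party that enforces them will refuse to accept the confidentiality key as proof of identity, and will refuse to encrypt to the signing key, so a compromise of one key does not silently extend to the other role.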
3. Secret keys, private keys, and Cryptographic Service Providers shall be protected within the cryptographic module from unauthorized disclosure, modification, and substitution. Public keys shall be protected within the cryptographic module against unauthorized modification and substitution.
4. SAs shall document and specify all cryptographic keys, cryptographic key components, and Cryptographic Service Providers employed by a cryptographic module.
5. All private key pairs that are used to assert non-repudiation and are tightly bound to an entity's identity must be protected in accordance with the classification level of the information being processed.
6. All users and custodians are responsible for protecting and storing all private keys. For the hardware token, users must promptly report lost or stolen tokens. For software private keys, users must store them in a tamper-evident package locked in a safe.