Evaluating Certificate Policy - Certification Practice Statement of Unique Government Certification Authority using Public Key Infrastructure Assessment Guidelines: Research in Progress

Dea Saka Kurnia Putra
Manajemen Persandian
Sekolah Tinggi Sandi Negara
Bogor, Indonesia
dea.saka@student.stsn-nci.ac.id

Edit Prima
Sekolah Tinggi Sandi Negara
Bogor, Indonesia
edit.prima@stsn-nci.ac.id

Abstract—OSD PSE is the Indonesian Government’s Certification Authority (CA) for the National e-Procurement System and was later named OSD PSE G2. It has a unique hierarchical structure under the OSD Lemsaneg. As an Issuing CA, the OSD PSE G2 publishes and guarantees the quality of its Certificate Policy and Certification Practice Statement (CP-CPS) in order to gain the trust of PKI users. In this article, we analyze the CP-CPS version 1.0 published by OSD PSE G2. For this purpose, we apply the methodology of the PKI Assessment Guidelines (PAG). The quality assessment of this CP-CPS includes its compliance with the related references and standards, namely: CP OSD Lemsaneg v.1.1; RFC 3647; and the CA Business Practice Disclosure Principle on Trust Service Principles and Criteria for Certification Authorities (BPDP-TSPCCA) version 2.0. We found that the CP-CPS version 1.0 does not comply with the related standards and references. Hence, the CP-CPS needs to be updated to follow the current condition of OSD PSE G2.

Keywords—Certificate Policy; Certification Practice Statement; PKI Assessment Guidelines; RFC 3647; Trust Service Principles and Criteria for Certification Authorities; Otoritas Sertifikat Digital Pengadaan Barang/Jasa Secara Elektronik.

I. INTRODUCTION

The development of electronic transactions stimulates demand for public key cryptography systems to support authentication and non-repudiation services in every electronic transaction. The public key cryptography system is an aspect of the Public Key Infrastructure (PKI) [1] [2].
Nowadays, the component technologies of PKI, such as the use of public key cryptography and the underlying systems that enable digital signatures, strong authentication, data integrity, non-repudiation, and confidentiality, are most often discussed [3]. In Indonesia, PKI is applied in e-procurement, e-banking and e-shopping, along with the enactment of the Information and Electronic Transactions Act (UU ITE) and the Government Regulation on the Implementation of Electronic Transaction System (PP PSTE) [4]. There are 5 main components in the implementation of PKI: the Certification Authority (CA), Registration Authority (RA), PKI Client, Digital Certificate, and Certificate Distribution System or Repository [5]. The CA, as the digital certificate issuer, is the most important component. A CA can operate sustainably in accordance with its purpose if it has at least four main types of documents, namely the Relying Party Agreements, Subscriber Agreements, Certification Practice Statement (CPS), and Certificate Policy (CP) [6].

Otoritas Sertifikat Digital Lembaga Sandi Negara (OSD Lemsaneg) is a CA that issues, distributes, and manages digital certificates with the government agency. OSD Lemsaneg has several certification services, categorized by type of use and guarantee level, among them OSD PSE and OSD Layanan Universal (LU). OSD Lemsaneg is managed by the government agency called Balai Sertifikasi Elektronik (BSrE), which provides information security services for electronic documents [7].

OSD PSE has a key pair cryptoperiod of 5 years. Given this cryptoperiod, BSrE, as OSD PSE’s government agency, has to extend the cryptoperiod of the OSD PSE key pair. A key ceremony was held in 2016 to generate the key pairs of OSD PSE G2, OSD LU K1, OSD LU K2, OSD LU K3, and OSD LU K4 with a cryptoperiod of 10 years [8]. Since 2016, OSD PSE has been named OSD PSE G2. OSD PSE G2 has a unique hierarchical structure as a subordinate CA under the OSD Lemsaneg.
In accordance with a common standard of PKI operation, OSD PSE G2 also published a CP-CPS in 2012. The CP-CPS was intended to regulate OSD PSE’s certification practices. CP-CPS OSD PSE version 1.0 no longer seems relevant because OSD PSE has now become OSD PSE G2. Since the CP-CPS is a very important PKI component, we conduct research to assess the CP-CPS in order to measure its compliance with the PKI standard. In the next section, we review the research related to the CP-CPS in the OSD environment.