CATCert General Certificate Policy
General Certificate Policy
Agència Catalana de Certificació
Ref. D1111 N-PGDC
Page 1 of 116
Reference: D1111 N-PGDC
Version: 3.4
Date: 09/02/2010
Contents

1. Preliminaries (p. 6)
1.1 Introduction (p. 7)
1.2 Document name and identification (p. 15)
1.3 Certificate user community (p. 17)
1.4 Certificate use (p. 21)
1.5 Policy administration (p. 30)
2. Information publishing and certificate directory (p. 32)
2.1 Certificate directory (p. 32)
2.2 Publication of certification entity information (p. 32)
2.3 Frequency of publication (p. 32)
2.4 Access control (p. 33)
3. Identification and authentication (p. 34)
3.1 Name management (p. 34)
3.2 Initial identity validation (p. 38)
3.3 Identification and authentication of renewal requests (p. 42)
3.4 Identification and authentication of revocation requests (p. 43)
3.5 Authentication of a suspension request (p. 43)
4. Certificate life cycle operational specifications (p. 44)
4.1 Application for the issue of a certificate (p. 44)
4.2 Processing the certificate application (p. 46)
4.3 Certificate issuance (p. 49)
4.4 Certificate acceptance (p. 51)
4.5 Use of the key pair and certificate (p. 52)
4.6 Certificate renewal without key renewal (p. 53)
4.7 Renewal of certificates with key renewal (p. 54)
4.8 Online renewal (p. 55)
4.9 Certificate amendment (p. 55)
4.10 Certificate revocation and suspension (p. 55)
4.11 Certificate status checking services (p. 61)
4.12 Subscription termination (p. 62)
4.13 Key deposit and recovery (p. 62)
5. Physical, management and operational security controls (p. 63)
5.1 Physical security controls (p. 63)
5.2 Procedure controls (p. 66)
5.3 Staff controls (p. 67)
5.4 Security audit procedures (p. 69)
5.5 Archiving information/documentation (p. 71)
5.6 Key renewal (p. 74)
5.7 Key compromise and disaster recovery (p. 74)
5.8 Termination of the service (p. 75)
6. Technical security controls (p. 77)
6.1 Key pair generation and installation (p. 77)
6.2 Protecting the private key (p. 79)
6.3 Other aspects relating to key pair management (p. 82)
6.4 Activation data (p. 82)
6.5 Computer security controls (p. 83)
6.6 Technical life cycle controls (p. 84)
6.7 Network security control (p. 84)
6.8 Timestamp (p. 85)
7. Certificate profiles and revocation lists (p. 86)
7.1 Certificate profile (p. 86)
7.2 Certificate revocation list profile (p. 89)
8. Conformity audit (p. 90)
8.1 Frequency of conformity audits (p. 90)
8.2 Auditor identification and classification (p. 90)
8.3 Auditor's relationship with the entity under audit (p. 90)
8.4 List of elements to be audited (p. 91)
8.5 Actions to be taken if there is a non-conformity (p. 91)
8.6 Dealing with audit reports (p. 91)
9. Commercial and legal requirements (p. 92)
9.1 Fees (p. 92)
9.2 Financial capacity (p. 92)
9.3 Confidentiality (p. 93)
9.4 Personal data protection (p. 94)
9.5 Intellectual property rights (p. 99)
9.6 Obligations and public liability (p. 100)
9.7 Guarantee refusal (p. 110)
9.8 Liability limitations (p. 111)
9.9 Compensation (p. 111)
9.10 Term and termination (p. 111)
9.11 Notifications (p. 112)
9.12 Modifications (p. 112)
9.13 Conflict resolution (p. 113)
9.14 Applicable law (p. 114)
9.15 Conformity with applicable law (p. 114)
9.16 Miscellaneous provisions (p. 114)
10. Appendix I (p. 116)
Document control (p. 116)
Control of versions PGDC 2nd semester 2010 (p. 116)
1. Preliminaries

On 23 July 2001, an institutional agreement was signed by the parliamentary groups of the Parlament de Catalunya [Parliament of Catalonia], the Generalitat de Catalunya [Government of Catalonia] and the Consorci d’Ens Locals de Catalunya (Localret) [Consortium of Local Authorities of Catalonia, composed of the Catalan municipalities, which deals with information systems matters] on developing policies to address the fundamental changes in social and economic structures arising from the convergence of new information and communication technologies within Catalan public services. As part of this development, it was decided to set up systems allowing the different public administrations to interact with each other and with the public by electronic means. These systems were to be equipped with the necessary security measures and, in particular, were to make use of digital identity certificates and electronic signatures.

In order to fulfil this institutional agreement and to develop the Catalunya en Xarxa [Catalonia on-line] programme, Localret and the Generalitat de Catalunya agreed to create the Consorci per a l’Administració Oberta Electrònica de Catalunya [Open Electronic Administration Consortium of Catalonia]. The purpose of this Consortium was to develop public policies relating to electronic services for public administration and to act as the (technical) certification authority for electronic signatures, guaranteeing the confidentiality, integrity, identity and authenticity of electronic communications and documents created within Catalan public administration.

The Consorci per a l’Administració Oberta Electrònica de Catalunya was constituted on 25 February 2002. At that session, the Consejo General [General Council] adopted a resolution to incorporate a direct management entity in the form of an independent corporate body.
This body was named Agència Catalana de Certificació (CATCert) [Catalan Certification Agency], and its purpose is to manage digital certificates and provide other services related to electronic signatures within Catalan public services. CATCert was created by resolution of the Comisión Ejecutiva del Consorci de l’Administració Oberta Electrónica de Catalunya [Executive Committee of the Open Electronic Administration Consortium of Catalonia] on 29 April 2002, as an independent corporate body. Its Articles of Association were published in the Diario Oficial de la Generalitat de Catalunya [Official Journal of the Government of Catalonia] on 30 May 2003, by Resolution PRE/1574/2003 of 15 May [Resolución PRE/1574/2003].

The Agència Catalana de Certificació has therefore become the main entity within the Catalan public certification system: it regulates the issuance and management of certificates issued to the Catalan institutions of self-government, to local authority institutions and to all other public and private entities that make up the Catalan public sector, and it is also responsible for accepting and using certificates issued to citizens and companies by other certification service providers that request the corresponding classification. These institutions issue certificates through a technical infrastructure provided by CATCert called the “Jerarquía pública de certificación de Catalunya” [“public certification hierarchy of Catalonia”], and they are able to accept and use certificates issued by other providers via CATCert's classification and validation services.

One of the most important elements of the Jerarquía pública de certificación de Catalunya [public certification hierarchy of Catalonia] is the drafting and publication of a política general de certificación [general certificate policy], which is the content of this document. This policy contains the requirements and conditions applicable to all certificates issued to individual persons and legal entities by the various certification entities linked to the hierarchy. Furthermore, the requirements and conditions set out in this policy are used to assist in the approval of the certificate policies of third-party providers, so that Catalan public administration can appropriately classify and accept their certificates.

Law 11/2007 of 22 June on citizens' electronic access to public services [Ley de acceso electrónico de los ciudadanos a los servicios públicos] recognises the specific characteristics of electronic signatures in public administration and regulates the corresponding certificates: electronic office certificates, electronic seals for automated administrative action, and the electronic signatures of public administration staff. This reinforces the initial moves made in the services provided by CATCert. This regulation also requires the contents of the general certificate policy to be revised where they relate to the new types of certificate, without affecting the rest of the certification model of the Catalan public system.

CATCert complies with the current requirements of the CA/Browser Forum for the issuance and management of extended validation certificates, published at http://www.cabforum.org/.
1.1 Introduction

1.1.1 Certificate types and classes
The Agència Catalana de Certificació [Catalan Certification Agency] (CATCert) has established a classification system for certification services. This allows it to issue digital certificates for a wide range of purposes and to different end users, and to classify certificates issued by other certification service providers. The classification system is based on comparing the certificates issued by other providers with those issued by CATCert, among other published criteria. For this reason, it is important that all users are familiar with the contents of this document, both when deciding which certificates they need to request from CATCert and when using certificates issued by third-party providers.

Firstly, within the Jerarquía pública de certificación de Catalunya [public certification hierarchy of Catalonia], operated by CATCert, certificates are issued to other Certification Entities, which links them into the hierarchy. These certificates are called Certificados de Infraestructura de Entidad de Certificación (CIC) [Certification Entity Infrastructure Certificates] and allow the certification entities that subscribe to them to issue certificates to other Certification Entities and to end users. CICs are issued to offer services to a specific user community (for example, employees of the Generalitat de Catalunya [Government of Catalonia], the entities that make up local government, citizens, or university students and teaching staff) within the Jerarquía pública de certificación de Catalunya, and can be assigned different levels (1, 2 and so on). Certification Entities can use their CIC certificates to issue certificates to end users or to other Certification Entities within their own user community, depending on their specific needs, provided that this has no technical effect on the workings of the platforms, systems and applications normally employed by the end users. Every CIC certificate is assigned an appropriate level depending on its term of validity, which is used to schedule the periodic renewal of the certificate infrastructure.

End-user certificates are split into:

- Certificados personales [personal certificates], where the holder of the private key is an individual person who is acting in their own name and on their own behalf (and is the certificate subscriber or owner), or who is representing or acting on behalf of a legal entity (which is then the certificate subscriber or owner).
- Certificados de entidad [entity certificates], where the subscriber to the certificate, and the signatory pursuant to law, is a legal entity acting through a key holder (for these certificates the key holder is also referred to as the “responsable de custodia”, i.e. “custodian”).
- Certificados de dispositivo [device certificates], where the holder of the private key is a computerised device that carries out signing and decryption operations automatically, under the responsibility of an individual person or a legal entity (the subscriber or owner of the certificate).
- Certificados de objeto [object certificates], where the holder of the private key can access and manage an object, such as a digital envelope, for which cryptographic services are required.
End-user certificates are issued in two classes:

- Certificados de Clase 1 [Class 1 certificates] are public certificates belonging to a public sector organisation (corporate certificates), characterised by the fact that the individual person who holds the private key is linked to the subscriber or holder of the certificate, which is a legal entity. Furthermore, with entity certificates, the holder of the private key has been authorised, in accordance with the applicable law on powers of attorney, to obtain the certificate. The individual who holds the private key is named on the certificate; the use of pseudonyms is provided for in special cases such as certificates for law enforcement agencies or judiciary staff. The subscriber normally acts as the registration entity for the certificate, although this is not strictly necessary, since it can be agreed that CATCert or a Collaborating Registration Entity authorised by CATCert will undertake this role.
- All other certificates are certificados de Clase 2 [Class 2 certificates], issued in competition with the free market and usually under the subsidiary action regime, that is, when there are no providers offering the service or the number of providers is insufficient to guarantee effective distribution among end users (citizens, companies and professionals). Data for the issue of class 2 certificates is always registered by the Certification Entity or by a registration entity under the responsibility of the Certification Entity, and never by an individual certificate subscriber. Class 2 certificates can be individual, or corporate for a private-sector organisation or a public-sector organisation outside Catalonia, depending on whether they are issued to an individual person acting in his or her own name or to an organisation acting through an individual person named on the certificate (possibly under a pseudonym).

In this way, the Certification Entities of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] are able, depending on their needs and the current state of the certification services market, to issue the following groups of certificates:

- Certificados de entidad de certificación de nivel 2 o superior [level 2 or above certification entity certificates].
- Certificados personales de clase 1 y de clase 2 [class 1 and class 2 personal certificates].
- Certificados de entidad de clase 1 y de clase 2 [class 1 and class 2 entity certificates].
- Certificados de dispositivos de clase 1 y de clase 2 [class 1 and class 2 device certificates].
- Certificados de objeto de clase 1 y de clase 2 [class 1 and class 2 object certificates].
It is the exclusive responsibility of CATCert to issue certificados de entidad de certificación de nivel 1 [level 1 certification entity certificates] to new Certification Entities. Below are details of the different policies for infrastructure, personal, certification entity, device and object certificates, both in class 1 and class 2, which are offered to the Certification Entities and the user community. Also included are possible combinations and extensions for their specific uses.
1.1.1.1 Infrastructure certificates

There are seven types of infrastructure certificate:

1) Certificado de infraestructura de entidad de certificación vinculada (CIC) [linked certification entity infrastructure certificate], issued to the Certification Entities that are linked to the hierarchy. Linked Certification Entities can, in their turn, issue infrastructure certificates or end-entity certificates (personal, entity and device), according to the class of CIC certificate they hold, from the moment they obtain a valid CIC certificate and for as long as that certificate remains valid.
2) Certificado de infraestructura personal de firma electrónica reconocida de operadores (CIPISR) [operators' qualified electronic signature personal infrastructure certificate], used to authorise operations related to certification services, such as approving certificate applications.
3) Certificado de infraestructura de dispositivo servidor seguro (CIDS) [secure server device infrastructure certificate], used by an SSL or TLS server within the infrastructure (for example a certification entity server) so that it can be identified by the client applications that connect to it and so that communications between client and server are protected.
4) Certificado de infraestructura de dispositivo de aplicación digitalmente asegurada (CIDA) [digitally-secured application device infrastructure certificate], used by computer applications in the infrastructure that are identified digitally, sign web services and other protocol messages electronically, and receive encrypted documents and messages, e.g. the message notification applications of certification entities.
5) Certificado de infraestructura de servidor de estado de certificados en línea (CIO) [on-line certificate status server infrastructure certificate], used by an OCSP responder to sign certificate status responses.
6) Certificado de infraestructura de entidad de sellos de tiempo (CIT) [timestamping entity infrastructure certificate], used by timestamping entities to sign the timestamps they issue.
7) Certificado de infraestructura de entidad de validación (CIV) [validation entity infrastructure certificate], used by validation entity servers to sign their reports.
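The levels described in 1.1.1 (CATCert issues level 1 entity certificates, linked entities issue level 2 and deeper, and each entity issues end-entity certificates) and the CIC certificate in item 1 above are enforced technically by every relying party's path validation, not by policy text alone. The following Go program, added here as an illustration and not code from CATCert or this policy, builds a hypothetical three-level hierarchy with the standard library's crypto/x509 package and validates three chains: the legitimate one, one whose issuer sits one level deeper than its own CIC permits, and one signed with an end-entity key. It assumes that a linked entity's permitted depth is expressed in its certificate as the basicConstraints pathLenConstraint (the page does not say how CATCert encodes levels); all names, the serial counter and the one-day validity periods are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a certificate with the private key that signs under it.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 // toy counter for this example; a real CE uses long random serials

// template builds a certificate template. For a CA, maxPathLen becomes the basicConstraints
// pathLenConstraint: how many further CA certificates may sit below it (0 = none).
func template(cn string, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	}
	return t
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *issuer) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, signer := tmpl, key // self-signed
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &issuer{cert: cert, key: key}, err
}

// verify is the relying party's path validation from leaf up to the trusted root.
func verify(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RunHierarchyChecks builds the hypothetical hierarchy and reports whether path validation accepts the legitimate chain and rejects the two illegitimate ones.
func RunHierarchyChecks() (validAccepted, tooDeepRejected, leafIssuerRejected bool, err error) {
	sign := func(t *x509.Certificate, parent *issuer) (i *issuer) { // stops at the first error
		if err == nil {
			i, err = issue(t, parent)
		}
		return
	}
	root := sign(template("Example Root", true, 2), nil)
	l1 := sign(template("Example Level 1 CE", true, 1), root)
	l2 := sign(template("Example Level 2 CE", true, 0), l1)
	user := sign(template("example user", false, 0), l2)
	l3 := sign(template("Example Level 3 CE", true, 0), l2) // one level deeper than l2 permits
	deep := sign(template("deep user", false, 0), l3)
	if err != nil {
		return
	}
	// user <- l2 <- l1 <- root: every pathLenConstraint on the way up is respected.
	validAccepted = verify(user.cert, root.cert, l1.cert, l2.cert) == nil
	// deep <- l3 <- l2 <- l1 <- root: l2 is pathlen:0, so l3 is one CA too many.
	tooDeepRejected = verify(deep.cert, root.cert, l1.cert, l2.cert, l3.cert) != nil
	// rogue <- user: signed with an end-entity (CA:FALSE) key; refused at issuance or at validation.
	rogue, rogueErr := issue(template("rogue user", false, 0), user)
	leafIssuerRejected = rogueErr != nil || verify(rogue.cert, root.cert, l1.cert, l2.cert, user.cert) != nil
	return
}

func main() {
	fmt.Println(RunHierarchyChecks())
}
```

Run it with `go run`; it prints `true true true <nil>`. The two rejections are the point: the deeper chain fails because the level 2 certificate's pathLenConstraint of 0 leaves no room for a level 3 entity, and the rogue chain fails because its issuer is CA:FALSE. The code does not rely on the toolkit refusing to sign with an end-entity key in the first place, so the check that matters is the one every relying party performs on the chain.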
1.1.1.2 Personal certificates

There are four types of personal certificate:

1) Certificados personales de firma electrónica reconocida (CPSR) [qualified electronic signature personal certificates], pursuant to article 6 of Law 59/2003 of 19 December on the electronic signature [Ley 59/2003, de firma electrónica], which allow individual persons, acting in their own name or linked to a public or private organisation (by position, attribution or power of attorney), to sign documents with a secure signature-creation device.
2) Certificados personales de firma electrónica avanzada (CPSA) [advanced electronic signature personal certificates], pursuant to article 6 of Law 59/2003 of 19 December on the electronic signature [Ley 59/2003, de firma electrónica], which allow individual persons, acting in their own name or linked to a public or private organisation (by position, attribution or power of attorney), to sign documents without a secure signature-creation device.
3) Certificados personales de identidad (CPI) [personal identity certificates], used to sign authentication messages (identity confirmation) and secure access messages to computer systems.
4) Certificados personales de cifrado (CPX) [personal encryption certificates], used to produce or receive confidential documents and messages.
The policies above can be combined, depending on users' needs, so that a single certificate is subject to more than one policy; for example, the qualified signature and identification policies are often combined. Additionally, depending on technical requirements and users' needs, these types of certificate may incorporate other functions, which will in any case be identified in a specific certificate policy, developed or approved by CATCert.
1.1.1.3 Entity certificates

There are four types of entity certificate:

1) Certificados de entidad de firma electrónica reconocida (CESR) [qualified electronic signature entity certificates], pursuant to article 7 of Law 59/2003 of 19 December on the electronic signature [Ley 59/2003, de firma electrónica], which allow public and private institutions, corporations subject to public law and public legal entities (collectively, “entities”) to sign documents using a secure signature-creation device.
2) Certificados de entidad de firma electrónica avanzada (CESA) [advanced electronic signature entity certificates], in accordance with the definition in article 3(2) of Law 59/2003 of 19 December on the electronic signature [Ley 59/2003, de firma electrónica] and with the provisions of article 7 of the same law.
3) Certificados de entidad para identificación (CEI) [entity identification certificates], used to sign authentication messages (identity confirmation) and secure access messages to computer systems.
4) Certificados de entidad de cifrado (CEX) [entity encryption certificates], in accordance with article 7 of Law 59/2003 of 19 December on the electronic signature [Ley 59/2003, de firma electrónica], which allow the entities listed above to produce and receive confidential documents.

Additionally, depending on technical requirements and users' needs, these types of certificate may incorporate other functions, which will in any case be identified in a specific certificate policy, developed or approved by CATCert.
1.1.1.4 Device certificates

There are four types of device certificate:

1) Certificado de firma de aplicaciones informáticas (CDP) [computer application signing certificate], used to digitally sign computer applications to be distributed over networks.
2) Certificado de dispositivo servidor seguro (CDS) [secure server device certificate], used by an SSL or TLS server so that it can be identified by the client applications that connect to it and so that communications between client and server are protected.
3) Certificado de dispositivo de aplicación digitalmente asegurada (CDA) [digitally-secured application device certificate], used by computer applications that are digitally identified, that electronically sign web services and other protocol messages, and that receive encrypted documents and messages.
4) Certificado de dispositivo de cifrado (CDX) [device encryption certificate], used to automatically encrypt communications between the devices identified on the certificates in order to set up virtual private networks.

Additionally, depending on technical requirements and users' needs, these types of certificate may incorporate other functions, which will in any case be identified in a specific certificate policy, developed or approved by CATCert. Specific types of CDS and CDA certificate may be created which are intended, at least, for use by the electronic office and by the automated administrative action applications of Catalan public administration, in accordance with article 19 of Law 11/2007 of 22 June [Ley 11/2007].
1.1.1.5 Object certificates

There is one type of object certificate:

1) Certificado de objeto sobre digital administrativo (COS) [administrative digital envelope object certificate], used to encrypt documentation in a digital envelope that can only be opened once the date indicated on the envelope has been reached.

Additionally, depending on technical requirements and users' needs, this type of certificate may incorporate other functions, which will in any case be identified in each Declaración de Prácticas de Certificación [Certification Practice Statement].

1.1.1.6 Test certificates

Under specific circumstances, test certificates can be issued for any of the types of certificate covered by this policy.
1.1.2 Relationship between the certificate policy and other documents
This document contains the general certificate policy of the Agència Catalana de Certificació [Catalan Certification Agency]. A certificate policy is a set of principles and rules governing the issuance and management of digital certificates based on public-key cryptography, which can be used for a variety of services, such as authenticating identity, confirming the integrity and authenticity of documents and ensuring the confidentiality of data, documents and transmissions. The certificate policy sets out the minimum requirements that Certification Entities, subscribers and other certificate users must comply with.
Every Certification Entity should have a Declaración de Prácticas de Certificación [Certification Practice Statement] containing the procedures that it applies when providing its services, in accordance with the provisions of article 19 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica]. This Declaration should state the extent to which the requirements set out in the policies for the certificates that it handles are applied, and detail its professional practices in relation to providing certification services. This documentation is related to supplementary documentation, which includes the legal instruments that regulate the provision of the service (auxiliary legal documentation), security documentation and transaction documentation.
1.1.3 Frequently-used terms in this document
In order to assist understanding of this document, below are brief definitions of the most frequently-used terms in this document:
Certificate
Electronic document signed by a Certification Entity, which links data verifying the electronic signature to an entity (an individual person or a legal entity) and confirms their identity.
Declaración de prácticas de certificación [Certification Practice Statement]
Document required by the Law on the Electronic Signature [Ley de firma electrónica], which details the requirements that the certification service provider has to meet when it issues certificates.
Certification Entity
An individual person or a legal entity that issues certificates, in accordance with the Law on the Electronic Signature [Ley de firma electrónica]. Sometimes this is used synonymously with certification authority, which is a technical component of the service.
Root certification entity
Higher certification entity in the certification hierarchy, which legally guarantees all of the certificates issued by the certification entities linked to the hierarchy.
Linked certification entity
Certification entity that has been linked to a certification hierarchy in such a way as to allow the higher certification entity to guarantee the certificates issued by the linked entity.
Virtual certification entity
Certification entity that has delegated all of the technical operations involved in issuing certificates to a certification service provider.
Registration entity
An individual person or legal entity that carries out the procedures involved in checking the identity and other circumstances of certificate subscribers and holders. Sometimes this is used synonymously with registration authority, which is a technical component of the service.
Collaborating registration entity
Registration entity that collaborates with certification entities in issuing certificates to subscribers.
Internal registration entity
Registration entity that registers the key holders of an organ of public administration that subscribes to certificates.
Virtual registration entity
Internal registration entity that has delegated the technical tasks involved in the process of checking the identity and other personal circumstances of the subscribers and certificate holders to the certification entity or to a collaborating registration entity.
Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]
Group of public and Catalan certification entities, registration entities and other certificate-issuing entities organised into a public system that is controlled and guaranteed by the Agència Catalana de Certificació [Catalan Certification Agency], which is delegated to act as a root certification entity for the self-governing institutions of Catalonia and Catalan public administration.
Lista de revocación de certificados [Certificate revocation list]
Electronic document signed by a certification entity that gives details of certificates that are either temporarily or permanently invalid.
Certificate profile
Document detailing the syntactic and semantic contents of the certificates.
Key holder
An individual person who receives a certificate issued to a group subscriber and who uses it on behalf of the subscriber.
Certification service provider
Individual person or legal entity that is delegated by a certification entity to act legally as a certification entity or to provide certification services to third parties.
Electronic stamp
In accordance with Law 11/2007, of 22 June, on Citizens' electronic access to public services [Ley 11/2007, de Acceso electrónico de los ciudadanos a los servicios públicos], this is an electronic signature system for automated administration, based on the electronic certificate.
Electronic office
In accordance with Law 11/2007, of 22 June, on Citizens' electronic access to public services [Ley 11/2007, de Acceso electrónico de los ciudadanos a los servicios públicos], this is the electronic address available to citizens via the telecommunications networks, which is owned, managed and administered by public administration or an administrative organ or entity in exercising its duties.
Sistema público catalán de certificación [Catalan public certification system]
All public and private Catalan, national and international certification entities, registration entities and other certificate-issuing entities as a whole, organised into a public system that is controlled and guaranteed by the Agència Catalana de Certificació [Catalan Certification Agency], which is delegated by the self-governing institutions of Catalonia and Catalan public administration to act as a classification entity.
Subscriber
Individual person or legal entity that contracts certification services for individual or group use.
1.2 Document name and identification
This document on the certificate policies of the hierarchy is called “Política general de certificación – Agència Catalana de Certificació” [“General certificate policy – Agència Catalana de Certificació”]. This document has no OID, due to its general nature. However, every certificate policy (basic, resulting from a combination of policies or a specific certificate policy that is generally applicable) is given its own OID, which allows it to be identified. The OID is to be included on the certificate, in the field “Información de política” [Policy Information], except when this is not possible for technical reasons.
Every Linked Certification Entity can, before starting to issue certificates, establish its own certificate policy, based on the contents of this document for each type and class of certificate. These policies can specify or establish new certification rules, but must also respect the rules set out in this policy in full. There are two possible types of specific policy:
a) Policies defining rules that are applicable to the entire user community, regardless of the Certification Entity issuing the certificate, e.g. the creation of a specific type of CPSR certificate, including the position, which is a policy that could be applicable to other Certification Entities.
b) Policies that set out or adapt rules that are applicable to a certain section of the user community. These generally depend on a specific Certification Entity, e.g. the adaptation of a CPSR to the specific needs of a Certification Entity, which may not make sense for other Certification Entities.
For some policies, the concept of “level” is introduced, which refers to the cryptographic strength of the keys, how they are generated and their custody and application. There are two levels depending on the type of certificate:
a) High level: the generation, custody and application of the private key is to be carried out:
a. For individual and entity certificates, in a secure signature-creation device, pursuant to Law 59/2003 [Ley 59/2003].
b. For device certificates, in cryptographic hardware that complies with the requirements set out in any protection profile or security target that has been written in accordance with CC EAL 3 or FIPS 140-1 or -2 level 2, which includes the requirements of CEN Workshop Agreement CWA14167-1 for non-qualified certificates, or in accordance with other certification schemes (ITSEC) which include the requirements of CEN Workshop Agreement CWA14167-1 for non-qualified certificates.
b) Medium level: the generation, custody and application of the private key can be carried out in cryptographic modules in software, and it will have commonly used algorithms and parameters.
Every basic certificate policy, every combination of certificate policies and every specific certificate policy will have its own OID, which is to be specified in the corresponding Declaración de Prácticas de Certificación [Certification Practice Statement]. This OID is allocated by the Agència Catalana de Certificació [Catalan Certification Agency], within its OID branch 1.3.6.1.4.1.15096.1.3.1. In this way it is ensured that the certificate conforms with this general policy.[1]
[1] TS 101 456: 8.4; TS 102042: 8.3
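The following is an added example, not code from the CATCert policy or from CATCert software: it shows how a policy OID allocated under the branch 1.3.6.1.4.1.15096.1.3.1 is carried in the X.509 certificatePolicies extension (RFC 5280), DER-encoding and decoding the extension value with the Python standard library only and filtering out the OIDs that fall within CATCert's branch. The child OID 1.3.6.1.4.1.15096.1.3.1.42 used in the sample is a constructed placeholder, not a real CATCert policy identifier.

```python
# Added example, not part of the CATCert policy or any CATCert software.
# certificatePolicies (RFC 5280) is a SEQUENCE OF PolicyInformation, where each
# PolicyInformation is a SEQUENCE whose first element is the policyIdentifier OID.
# CATCert allocates its policy OIDs under the branch below (stated in the policy);
# the child OID used in main() is a constructed placeholder.

CATCERT_POLICY_ARC = "1.3.6.1.4.1.15096.1.3.1"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER from its dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    body = bytearray()
    # The first two arcs share one value; every value is written in base 128
    # with the continuation bit set on all groups but the last.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(groups))
    return bytes([TAG_OID]) + encode_length(len(body)) + bytes(body)


def encode_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return bytes([TAG_SEQUENCE]) + encode_length(len(body)) + body


def encode_certificate_policies(oids) -> bytes:
    """Build the DER value of certificatePolicies from a list of policy OIDs."""
    return encode_sequence(*(encode_sequence(encode_oid(o)) for o in oids))


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID body")
    values, current = [], 0
    for byte in body:
        current = (current << 7) | (byte & 0x7F)
        if not byte & 0x80:
            values.append(current)
            current = 0
    first = 2 if values[0] >= 80 else values[0] // 40
    return ".".join(str(v) for v in [first, values[0] - first * 40] + values[1:])


def decode_certificate_policies(der: bytes) -> list:
    """Return the policy OIDs carried in a DER certificatePolicies value, in order."""
    tag, outer, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)  # any policyQualifiers are skipped
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def in_catcert_arc(oid: str, arc: str = CATCERT_POLICY_ARC) -> bool:
    """True when oid lies strictly below the arc, compared arc by arc, not as a string prefix."""
    return oid.startswith(arc + ".")


def catcert_policies(der: bytes) -> list:
    """The subset of policy OIDs in a certificatePolicies value that lie in CATCert's branch."""
    return [oid for oid in decode_certificate_policies(der) if in_catcert_arc(oid)]


if __name__ == "__main__":
    # Constructed sample: anyPolicy (2.5.29.32.0) next to a placeholder CATCert child OID.
    sample = encode_certificate_policies(["2.5.29.32.0", CATCERT_POLICY_ARC + ".42"])
    print(sample.hex())
    print(catcert_policies(sample))
```

Note that 1.3.6.1.4.1.15096.1.3.10 is rejected even though it shares the string prefix, because the comparison is done arc by arc.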
1.3 Certificate user community
This certificate policy regulates a user community, which can obtain certificates for a wide range of administrative and private dealings, in accordance with Law 59/2003 [Ley 59/2003] and the corresponding administrative regulations. Class 1 certificates issued by Linked Certification Entities are not issued to the public. Instead they are issued to the self-governing institutions of Catalonia, local-authority institutions, and all other public and private entities that compose the Catalan public sector (hereinafter “the institutions”), and they are received and used by their employees, their devices and the objects that they manage. On the other hand, class 2 certificates can be issued to the public and to closed user environments, in particular for use in administrative dealings where digital certificates are accepted, in free competition with other certification service providers.
1.3.1 Certification service providers
A certification service provider is an individual person or a legal entity that produces certificates and provides other services related to the electronic signature, in accordance with Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica]. The certification service provider generates digital certificates by operating its own certification entities, which sign the certificates. In the Catalan public certification system, the following providers can offer services:
1) Certification service providers belonging to institutions.
2) Providers classified by CATCert as certification services.
1.3.1.1 Certification service providers belonging to institutions
CATCert will be the main certification service provider to institutions and will offer services to a wide range of institutional certification entities, which govern different user communities, with the corresponding certification authority technical systems distinct from but linked to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]. In its role as a certification service provider to institutions, CATCert will be liable to its end users and, especially, to third-party certificate and electronic signature verifiers, for the performance of the certification authority technical systems that operate on behalf of the different certification entities. In the event that a certification entity is operated directly by an institution, incorporated as a certification service provider, with its own certification authority technical system, this certification entity can become integrated into the Catalan public certification system by technically linking its certification authority system to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia].
1.3.1.2 Classified certification service providers
Public and private certification service providers, unlike institutions, which operate in the market in accordance with Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], can apply to CATCert to be qualified in order to allow their certificates to be qualified and used by institutions. The conditions of qualification and technical mechanisms for using certificates from providers that have been qualified by the institutions are to be previously established by CATCert.
1.3.2 Root Certification Entity
CATCert is the Root Certification Entity, which has a main certification authority technical system, which is used to integrate other certification entities into the Sistema público catalán de certificación [Catalan public certification system] by technically linking the corresponding certification authorities to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]. This technical linking is achieved by issuing level 1 and level 2 CIC certificates.
1.3.3 Linked Certification Entities
Linked Certification Entities are the institutions to whom the certification service provider provides its certificate issuance and management services, through the certification authorities. They are registered in the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]. The institution uses a Linked Certification Entity to issue certificates to other linked certification entities or to end users, by issuing infrastructure, personal, entity, device and object certificates. When the institution delegates the operation of the linked certification entity to CATCert, in its legal capacity as certification service provider, the institution remains responsible for the organisation and management decisions related to the certification entity. This responsibility, which may not be delegated, is called Virtual Certification Entity. In its turn, CATCert can create its own Linked Certification Entities, when there is no single institution that is responsible for a user community that requires certificates.
1.3.4 Registration entities
Registration Entities are individual persons or legal entities that assist the Linked Certification Entities in certain procedures and dealings with certificate applicants and subscribers, especially in the steps involving identification, registration and authentication of the certificate subscribers and key holders. The administrator of the Certification Entity is responsible for the process of creating registration entities. The registration entity is established by resolution or agreement. CATCert verifies that the Registration Entity has the necessary material and human resources, and that it has appointed employees to take charge of the relevant tasks. It is also responsible for training the employees who issue the certificates as registration entity operators and, consequently, for issuing the corresponding operator certificates (normally CIPISR). It is the task of CATCert to validate certificate applications from Registration Entities by examining their applications and making the necessary checks to ensure compliance with the General Certificate Policy and the Declaración de Prácticas de Certificación [Certification Practice Statement]. With class 1 certificates, the Registration Entity and the subscriber can be the same organisation and, consequently, the Registration Entity can normally also act as the certificate applicant. With class 2 certificates, the Registration Entity and the subscriber have to be different organisations, since the Registration Entity always has to act on behalf of the Linked Certification Entity. There are three types of Registration Entity:
1) Internal Registration Entities, operated by an institution that subscribes to class 1 certificates.
2) Virtual Registration Entities, corresponding to institutions that are subscribers to certificates and that have delegated registration to CATCert or to Collaborating Registration Entities.
3) Collaborating Registration Entities, which assist institutions subscribing to class 1 certificates (which in any case act as Virtual Registration Entities) in the certificate issuance process, and which collaborate with Linked Certification Entities in the process of issuing class 2 certificates.
In order to become Internal Registration Entities, institutions have to design and implement the corresponding technical, legal and security components and procedures, regarding the life cycle of secure signature-creation devices and, where applicable, encryption components and procedures in the life cycle of the software keys and of the certificates that they issue. These components and procedures have to be previously approved by the Certification Entity.
1.3.5 End users
End users are the persons that obtain and use personal, entity, device and object certificates issued by Certification Entities. The following end users can be specifically identified:
a) Certificate applicants
b) Certificate subscribers or owners
c) Key holders
d) Signature, stamp and certificate verifiers
1.3.5.1 Certificate applicants
All certificates have to be applied for by a person, acting in their own name, in the name of an institution or in the name of another individual person or legal entity. Applicants can be:
a) The person that is the future subscriber or key holder, as applicable.
b) A person authorised by the future subscriber.
c) A person authorised by the Registration Entity.
d) A person authorised by the Certification Entity.
The applicant may be expressly or implicitly authorised, and in cases where the certification entity deems it necessary, the authorisation may take the form of a legal document.
1.3.5.2 Certificate subscribers
Subscribers are institutions and individual persons or legal entities, which are identified as such in the “Subject” field of the certificate. In device certificates, the “Subject” field also identifies the device, and in object certificates, the “Subject” field also identifies the object. The subscriber is licensed to use the certificate. When the subscriber is an institution or another legal entity and the certificate in question is a personal certificate, the subscriber always acts through a duly authorised key holder, who will be identified on the certificate.
1.3.5.3 Key holders
Key holders are individual persons who are the sole holders of the digital signature keys of personal or entity (organisation class 1 or 2) certificates. They are duly authorised by the subscriber to hold this position and are properly identified on the certificate through their name and surname(s) or using a pseudonym. Entity certificate key holders must also take into account the provisions of article 7 of Law 59/2003, of 19 December [Ley 59/2003]. With CPX and CEX certificates there are also decryption key holders. These are different in that the decryption key, unlike the signature key, can be recovered by the Certification Entity, in certain cases and under certain conditions, depending on the provisions of the corresponding Declaración de Prácticas de Certificación [Certification Practice Statement].
1.3.5.4 Certificate verifiers
Verifiers are persons (including individual persons, institutions, legal entities and other organisations and entities) that receive digital signatures, electronic stamps and digital certificates and have to verify them before they can be trusted.
1.4 Certificate use
This section lists the applications for which each type of certificate can be used. It sets out limitations and prohibitions in relation to certain applications.
1.4.1 Normal uses for the certificates
1.4.1.1 Specific requirements for CIC
Certificados de entidad de certificación (CIC) [Certification entity certificates] are issued by the Root Certification Entity to organisations that operate a Certification Entity within their hierarchy, for different uses, depending on their class:
- Signing requests for the renewal, suspension and revocation of CIC certificates.
- Issuance and signing of CIC, CPISR, CIDS, CIDA, CIO, CIV, CIT, CPSR, CPSA, CPISR, CPISA, CPIXSA, CPI, CPX, CESR, CEX, CDS, CDA and COS certificates.
- Issuance and signing of listas de revocación de certificados (LRC) [certificate revocation lists].
CICs are obtained after following a process to allow the admission of the Linked Certification Entity into the certification services of the Agència Catalana de Certificació [Catalan Certification Agency].
1.4.1.2 Specific requirements for CIPISR
Certificados de infraestructura personal de identificación y firma reconocida (CIPISR) [Identification and qualified signature personal infrastructure certificates] are issued by Registration Entity operators for the tasks involving the issuance and management of the life cycle of the certificates of a Certification Entity.
1.4.1.3 Specific requirements for CIDS
Certificados de infraestructura de dispositivo servidor seguro (CIDS) [Secure server device infrastructure certificates] are issued to Certification Entities that are responsible for operating secure SSL or TLS servers, and have the following uses:
- Server authentication.
- Encrypting communications between the client and the server.
CIDS certificates are ordinary certificates which guarantee the identity of the Certification Entity and of the specific server where they are working.
1.4.1.4 Specific requirements for CIDA
Certificados de infraestructura de dispositivo de aplicación digitalmente asegurada (CIDA) [Digitally-secure application device infrastructure certificates] are issued to Certification Entities that are responsible for operating computer applications that are digitally identified, that electronically sign web services and other protocols, and that receive encrypted documents and messages. CIDA certificates are ordinary certificates which guarantee the identity of the Certification Entity and the integrity and authenticity of the signed data. They also allow encrypted information to be received. The CIDA private key can be archived by the certification entity so that, under certain circumstances, it can be recovered and the encrypted information can be accessed, by request of the Certification Entity.
1.4.1.5 Specific requirements for CIO
Certificados de infraestructura de servidor de estado de certificados en línea (CIO) [On-line certificate status server infrastructure certificates] are issued to Certification Entities that are responsible for operating an OCSP Responder server to sign responses relating to certificate validity status. CIO certificates are ordinary certificates, which guarantee the identity of the Certification Entity and of the OCSP Responder server, and the integrity and authenticity of the data signed.
1.4.1.6 Specific requirements for CIT
Certificados de infraestructura de entidad de sellos de tiempo (CIT) [Timestamp entity infrastructure certificates] are issued to Certification Entities that are responsible for operating a server to sign the timestamps that they issue. CIT certificates are ordinary certificates, which guarantee the identity of the Certification Entity and of the server signing the timestamp, and the integrity and authenticity of the data signed.
1.4.1.7 Specific requirements for CIV
Certificados de infraestructura de entidad de validación (CIV) [Validation entity infrastructure certificates] are issued to Certification Entities that are responsible for operating the validation server of an entity to sign its reports. CIV certificates are ordinary certificates, which guarantee the identity of the Certification Entity and of the validation server of the entity, and the integrity and authenticity of the data signed.
1.4.1.8 Specific requirements for CPSR
Certificados personales de firma reconocida (CPSR) [Qualified signature personal certificates] are certificates that are qualified in accordance with the provisions of article 11.1, have the contents prescribed in article 11.2, and that are issued in accordance with the obligations in articles 12, 13 and 17 to 20 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], and which comply with the provisions of the technical standards of the European Telecommunications Standards Institute with identification reference TS 101 456. CPSR are qualified certificates that work with secure electronic-signature-creation devices, in accordance with article 24.3 of Law 59/2003, of 19 December [Ley 59/2003]. For this reason, CPSRs guarantee the identity of the subscriber and the holder of the identification and signature private key, and allow a “qualified electronic signature” to be generated. That is, an advanced electronic signature which is based on a qualified certificate and that has been generated using a secure device. For this reason, pursuant to the provisions of article 3 of Law 59/2003, of 19 December [Ley 59/2003], the signature will have legal effect, without the need to fulfil any additional requirements. CPSR certificates can include a declaration relating to the employee category and position of the key holder, which have been checked before issuing the certificate and which are correct, when this is provided for in a specific policy.
1.4.1.9 Specific requirements for CPSA
Certificados personales de firma avanzada (CPSA) [Advanced signature personal certificates] are certificates that are qualified in accordance with the provisions of article 11.1, have the contents prescribed in article 11.2, and that are issued in accordance with the obligations in articles 12, 13 and 17 to 20 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], and which comply with the provisions of the technical standards of the European Telecommunications Standards Institute with identification reference TS 101 456. CPSA do not necessarily work with secure electronic-signature-creation devices, in accordance with article 24.3 of Law 59/2003, of 19 December [Ley 59/2003]. CPSA guarantee the identity of the subscriber and, where applicable, the holder of the signature key. This makes them ideal to support the advanced electronic signature.
While the advanced electronic signature is not directly equivalent to a written signature, this equivalence can be produced through an electronic-signature contract or a specific legal regulation, which sets out the additional conditions necessary for this equivalence to be produced.
1.4.1.10 Specific requirements for CPI
Certificados personales de identidad (CPI) [Personal identity certificates] have a variety of uses, which include the following:
- Distributed identification, based on presenting the document.
- Authentication in access-control systems that form part of operating and centralised systems.
CPIs are ordinary certificates, which guarantee the identity of the subscriber and, where applicable, the holder of the signature key.
1.4.1.11 Specific requirements for CPX
Certificados personales de cifrado (CPX) [Personal encryption certificates] can only be used to receive messages containing confidential data, in any format, protected by the sender encrypting the text in the message, using the subscriber's public key given on the CPX. The key holder can use their private key to decrypt the message. CPX guarantee the identity of the subscriber, but do not allow data messages to be electronically signed. The CPX private key can be archived by the certification entity so that, under certain circumstances, the encrypted information can be recovered and accessed, even without the subscriber's involvement, in the case of individual certificates, or the key holder's involvement, in the case of organisation certificates.
1.4.1.12 Specific requirements for CESR
Certificados de entidad de firma reconocida (CESR) [Qualified signature entity certificates] are certificates that are not issued to the public. They are qualified in accordance with the provisions of article 11.1, have the contents prescribed in article 11.2, and are issued in accordance with the provisions of articles 7, 12, 13 and 17 to 20 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], and they comply with the provisions of the technical standards of the European Telecommunications Standards Institute with identification reference TS 101 456. CESR correspond to qualified certificates with secure electronic-signature-creation devices, in accordance with article 24.3 of Law 59/2003, of 19 December [Ley 59/2003].
For this reason, CESR guarantee the identity of the subscriber and the custodian of the private signature key, which makes them ideal to back up the qualified electronic signature of the entity. That is, an advanced electronic signature which is based on a qualified certificate and that has been generated using a secure device, and for this reason, pursuant to the provisions of article 3.4 of Law 59/2003, of 19 December [Ley 59/2003], the signature will have equivalent legal effect to a written signature, without the need to fulfil any additional requirements.
1.4.1.13 Specific requirements for CESA
Certificados de entidad de firma avanzada (CESA) [Advanced signature entity certificates] are certificates that are qualified in accordance with the provisions of article 11.1, have the contents prescribed in article 11.2, and that are issued in accordance with the provisions of articles 7, 12, 13 and 17 to 20 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], and which comply with the provisions of the technical standards of the European Telecommunications Standards Institute with identification reference TS 101 456. CESAs do not necessarily work with secure electronic-signature-creation devices, in accordance with article 24.3 of Law 59/2003, of 19 December [Ley 59/2003]. CESAs guarantee the identity of the subscriber and the custodian of the private signature key. This makes them ideal to support the advanced electronic signature. While the advanced electronic signature is not directly equivalent to a written signature, this equivalence can be produced through an electronic-signature contract or a specific legal regulation, which sets out the additional conditions necessary for this equivalence to be produced.
1.4.1.14 Specific requirements for CEI
Certificados de entidad para identificación (CEI) [Entity identification certificates] have a variety of uses, which include the following:
- Distributed identification, based on presenting the document.
- Authentication in access-control systems that form part of operating and centralised systems.
CEIs are qualified certificates that guarantee the identity of the subscriber and, where applicable, the holder of the signature key.
1.4.1.15 Specific requirements for CEX
Certificados de entidad de cifrado (CEX) [Entity encryption certificates] are qualified certificates, not issued to the public, which are issued to subscribers and can only be used to encrypt or receive messages containing confidential data, in any format, protected by
encrypting the text in the message, using the subscriber's public key, which is given on the CEX. The key holder uses their private key to decrypt the messages. The CEX private key can be archived by the certification entity so that under certain circumstances, it can be recovered and used to access the encrypted information.
1.4.1.16 Specific requirements for CDS
Certificados de dispositivo servidor seguro (CDS) [Secure server device certificates] are issued to individual persons or legal entities that are responsible for operating secure SSL or TLS servers, and have the following uses:
- Server authentication.
- Encrypting communications between the client and the server.
CDS certificates are ordinary certificates, which guarantee the identity of the responsible person and of the specific server where they are working. Certificados CDS-1 Sede electrónica [CDS-1 Electronic office certificates] can only be supplied to public administration and to administrative organs and entities, in accordance with article 10 of Law 11/2007 [Ley 11/2007], and have to fulfil the requirements of article 17 of Law 11/2007 [Ley 11/2007].
1.4.1.17 Specific requirements for CDP
Certificados de firma de software (CDP) [Software signing certificates] are issued to legal entities that are responsible for the issuance, publishing or digital distribution of computer software for software signing, which allows it to be remotely installed and run. CDP certificates are ordinary certificates, which guarantee the identity of the person and the origin and integrity of the signed software.
1.4.1.18 Specific requirements for CDA
Certificados de dispositivo de aplicación digitalmente asegurada (CDA) [Digitally-secure application device certificates] are issued to legal entities that are responsible for operating computer applications that are digitally identified, that electronically sign web services and other protocols, and that receive encrypted documents and messages. CDA certificates are ordinary certificates, which guarantee the identity of the responsible person and the integrity and authenticity of the signed data. They also allow encrypted information to be received. Certificados CDA-1 Sello electrónico [CDA-1 Electronic stamp certificates] can only be supplied to public administration and to administrative organs and entities for automated administrative tasks, and they have to fulfil the requirements of article 18 of Law 11/2007 [Ley 11/2007].
1.4.1.19 Specific requirements for COS
Certificados de objeto sobre digital administrativo (COS) [Administrative digital envelope object certificates] are issued to contracting bodies to be published and used in electronic tenders that require them, such as those provided for in Decree 96/2004, of 20 January [Decreto 96/2004].
1.4.2 Prohibited applications
The certificates have not been designed for, cannot be destined for and are not authorised to be used or resold as control equipment for dangerous situations or for uses that require actions in safe mode, such as in the workings of nuclear power stations, air navigation or communication systems, or weapon control systems, where an error could lead directly to death, personal injury or severe environmental damage. End-entity certificates cannot be used to sign requests for the issue, renewal, suspension, enablement or revocation of certificates, or to sign any type of public key certificates, or to sign listas de revocación de certificados (LRC) [certificate revocation lists]. Signature certificates cannot be used to sign authentication messages that the signatory cannot understand, in particular SSL or TLS client challenges, except when they are combined with an identity certificate. Signature certificates may not be used to receive encrypted messages, except when used in combination with an encryption certificate and the private key is not stored. In certificates where a specific position is named, use is restricted to tasks belonging to that position and only for the uses given on the certificate.
1.4.2.1 Specific requirements for CIC
CIC certificates have to be in accordance with the provisions of this policy and, in any case, their limitations will be restricted by the class of CIC certificate, as specified in this policy and, where applicable, in the specific certificate policy.
1.4.2.2 Specific requirements for CIPISR
CIPISRs cannot be put to any use other than that of the Registration Entity operator.
1.4.2.3 Specific requirements for CIDS
CIDS cannot be used in any systems other than those of the Certification Entity.
1.4.2.4 Specific requirements for CIDA
CIDAs cannot be used in any systems other than those of the Certification Entity.
1.4.2.5 Specific requirements for CIO
CIOs cannot be used in any systems other than those of the Certification Entity.
1.4.2.6 Specific requirements for CIT
CITs cannot be used in any systems other than those of the Certification Entity.
1.4.2.7 Specific requirements for CIV
CIVs cannot be used in any systems other than those of the Certification Entity.
1.4.2.8 Specific requirements for CPSR
CPSRs cannot be used to sign requests for the issuance, renewal, suspension or revocation of certificates, or to sign any type of public key certificate, or to sign listas de revocación de certificados (LRC) [certificate revocation lists]. CPSRs cannot be used to sign authentication messages that the signatory cannot understand, in particular SSL or TLS client challenges, except when they are combined with a CPI. CPSRs cannot be used to receive encrypted messages, except when used in combination with a CPX and the private key is not stored.
1.4.2.9 Specific requirements for CPSA
CPSAs cannot be used to sign requests for the issuance, renewal, suspension or revocation of certificates, or to sign any type of public key certificate, or to sign listas de revocación de certificados (LRC) [certificate revocation lists]. CPSAs cannot be used to sign authentication messages that the signatory cannot understand, in particular SSL or TLS client challenges, except when they are combined with a CPI. CPSAs cannot be used to receive encrypted messages, except when used in combination with a CPX and the private key is not stored.
1.4.2.10 Specific requirements for CPI
CPIs cannot be used to sign requests for the issuance, renewal, suspension or revocation of CIC certificates or any other type of certificate, or listas de revocación de certificados (LRC) [certificate revocation lists]. Neither may they be used to receive encrypted messages, except when combined with a CPX.
1.4.2.11 Specific requirements for CPX
CPXs cannot be used to generate digital signatures for any type of data message, except when used in combination with a CPSR (if the private key is not stored), CPS or CPI.
1.4.2.12 Special requirements for CPISR Cargo [CPISR Position] and CPISR Cargo con Uso [CPISR Position with Use]
Further to the restrictions put in place by the basic policies, on which these certificates are based, their use is restricted to tasks related to the Position itself and to the uses given on the certificate.
1.4.2.13 Specific requirements for CESR and CESA
CESRs and CESAs cannot be used to sign requests for the issuance, renewal, suspension or revocation of CIC certificates, or to sign any type of public key certificate, or to sign listas de revocación de certificados (LRC) [certification revocation lists]. CESRs and CESAs cannot be used to sign authentication messages that the signatory cannot understand, in particular SSL or TLS client challenges, except when they are combined with a CEI. Neither may they be used to receive encrypted messages, except when used in combination with a CEX and the private key is not stored.
1.4.2.14 Specific requirements for CEX
CEXs cannot be used to generate digital signatures on any type of data message.
1.4.2.15 Specific requirements for CDS
CDSs cannot be used to sign requests for the issuance, renewal, suspension or revocation of CIC certificates, any other type of certificate, or listas de revocación de certificados (LRC) [certification revocation lists].
1.4.2.16 Specific requirements for CDA
CDAs cannot be used to sign requests for the issue, renewal, suspension or revocation of CIC certificates, any other type of certificate, or listas de revocación de certificados (LRC) [certification revocation lists]. Neither may they be used to secure applications other than the one identified on the certificate.
1.4.2.17 Specific requirements for COS
No stipulation.
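The prohibitions in 1.4.2 are enforced by whoever relies on a certificate, not by the certificate itself: the relying party has to refuse an end-entity certificate that is presented to sign certificates or CRLs, a signature certificate that is presented to answer an SSL/TLS client challenge or to receive encrypted data, an encryption certificate presented to sign a message, and so on. The Go program below is an added example written for this edit, not CATCert code; it maps each prohibition onto the X.509 key usage and extended key usage bits a verifier can actually inspect. Which bits each CATCert certificate type carries is defined in the certificate profile document, not on this page, so the mapping used here (signature certificate = contentCommitment set, identification certificate = clientAuth extended key usage, encryption certificate = an encipherment or key-agreement usage) is an assumption of the example; makeCert only mints constructed self-signed test certificates so that the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Operation is what a relying party is about to accept from an end-entity certificate.
type Operation int

const (
	OpSignDocument  Operation = iota // signature on a data message (document, form, ...)
	OpSignCertOrCRL                  // signing a certificate or a certificate revocation list
	OpTLSClientAuth                  // answering an SSL/TLS client-authentication challenge
	OpDecrypt                        // receiving (decrypting) an encrypted message
)

// ASSUMPTION: the CATCert profiles are not on this page, so this example models a
// "signature certificate" as one with contentCommitment (nonRepudiation) set, an
// "identification certificate" as one carrying the clientAuth extended key usage, and an
// "encryption certificate" as one carrying any of the encipherment/key-agreement usages.
const encipherment = x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement

func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range cert.ExtKeyUsage {
		if e == want {
			return true
		}
	}
	return false
}

// policyCheck returns nil when section 1.4.2 permits op for this certificate, otherwise an
// error naming the prohibition. It is the relying party's check, run before a signature is
// accepted, a TLS handshake is completed or a message is decrypted.
func policyCheck(cert *x509.Certificate, op Operation) error {
	// End-entity certificates may never act as CAs or sign certificates or CRLs.
	if cert.IsCA || cert.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0 {
		return errors.New("end-entity certificate carries cA, keyCertSign or cRLSign")
	}
	isSignatureCert := cert.KeyUsage&x509.KeyUsageContentCommitment != 0
	switch op {
	case OpSignCertOrCRL:
		return errors.New("end-entity certificates may not sign certificates, CRLs or certificate requests")
	case OpSignDocument:
		if cert.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) == 0 {
			return errors.New("certificate has no signature key usage")
		}
	case OpTLSClientAuth:
		// A signature certificate must not sign challenges the signatory cannot understand.
		if isSignatureCert {
			return errors.New("signature certificate may not answer SSL/TLS client challenges; use an identification certificate")
		}
		if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || !hasEKU(cert, x509.ExtKeyUsageClientAuth) {
			return errors.New("certificate is not marked for client authentication")
		}
	case OpDecrypt:
		if isSignatureCert {
			return errors.New("signature certificate may not receive encrypted messages; use an encryption certificate")
		}
		if cert.KeyUsage&encipherment == 0 {
			return errors.New("certificate has no encryption key usage")
		}
	}
	return nil
}

// makeCert mints a constructed, self-signed end-entity certificate with the given usages so
// the check can be exercised offline; a real relying party parses the presented certificate.
func makeCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test subject", Country: []string{"ES"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sig, _ := makeCert(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, nil, false)
	enc, _ := makeCert(x509.KeyUsageKeyEncipherment, nil, false)
	for _, c := range []struct {
		name string
		cert *x509.Certificate
		op   Operation
	}{
		{"signature cert signs document", sig, OpSignDocument},
		{"signature cert decrypts", sig, OpDecrypt},
		{"signature cert signs CRL", sig, OpSignCertOrCRL},
		{"encryption cert decrypts", enc, OpDecrypt},
	} {
		fmt.Printf("%-32s -> %v\n", c.name, policyCheck(c.cert, c.op))
	}
}
```

The check is deliberately ordered: the CA/keyCertSign/cRLSign test runs first because it applies to every operation, and the operation-specific rules only run on certificates that pass it. The "except when combined with a CPI/CPX" clauses of 1.4.2 are satisfied by presenting the other certificate, which then passes its own branch of the same check.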
1.5 Policy administration
1.5.1 Organisation that administers specifications
CATCert - Agència Catalana de Certificació, Passatge de la Concepció, 11, 08008 - Barcelona
1.5.2 Organisation contact data
CATCert - Agència Catalana de Certificació Área de Assessorament i Recerca Passatge de la Concepció, 11 08008 – Barcelona
1.5.3 Person who determines whether a DPC conforms with the policy
CATCert - Agència Catalana de Certificació Área de Assessorament i Recerca Passatge de la Concepció, 11 08008 – Barcelona
1.5.4 Approval Procedure
The documentation and organisation systems of the Certification Entity have to guarantee, through the existence and application of the corresponding procedures, the correct maintenance of the certification policy and of the service specifications related to it.
In this way, there will be a planned procedure for modifying service specifications and for publishing service specifications. Final modifications to the policy will have to be approved by CATCert, after ensuring that the requirements set out in the corresponding sections of this document have been complied with.
2. Information publishing and certificate directory
2.1 Certificate directory
Certificate directory services will be available 24 hours a day, 7 days a week. If a fault occurs in the system that is out of the control of the Certification Entity, the latter has to make every effort to make the service available again within the time period set out in the corresponding section and the applicable DPC.
2.2 Publication of Certification Entity information
The Certification Entity has to publish the following information on its website2 (http://www.catcert.cat/):
a. Listas de certificados revocados [certificate revocation lists] and other information about certificate revocation status.
b. Política general de certificación [General Certificate Policy].
c. Certificate and certificate revocation list profiles.
d. Declaración de Prácticas de Certificación [Certification Practice Statement].
e. Legal instruments that are binding with subscribers and verifiers.
The Certification Entity is to inform users of any changes to its specifications or conditions of service. In any case, the changes are to be clearly explained on the main service Website. The obsolete version of the document that has been changed should not be removed, but it should be indicated that it has been substituted by a new version.
2.3 Frequency of publication
Certification Entity information is to be published when it becomes available. When information is issued in relation to certificate validity, it is to be published immediately. Changes to the DPC are regulated by the provisions of the corresponding section of the DPC. Information on certificate revocation status is to be published in accordance with the provisions of the corresponding sections of this policy. 15 (fifteen) days after the publication of the new version, the reference to the change can be removed from the main page of the website and inserted in the directory.
2 TS 101 456: 7.3.5; TS 102042: 7.3.5
Obsolete versions of the documentation are to be kept for a period of 15 (fifteen) years by the Certification Entity, and may be consulted by interested parties that can provide just cause.
2.4 Access control
The Certification Entity may not limit reader access to the information set out in the corresponding section, but it has to establish controls in order to keep the directory up-to-date on certificates that have been issued and to protect the integrity and authenticity of the information on certificate revocation status.3 The Certification Entity is to use reliable systems for the Directory so that:4
- The authenticity of certificates can be checked.
- Unauthorised persons cannot alter any data.
- Certificates can only be accessed in the scenarios and by the persons that the signatory has authorised.
- Any technical changes that affect security requirements can be detected.
3 TS 101 456: 7.3.6 j); TS 102042: 7.3.6 j)
4 Ley 59/2003: 20.1g)
3. Identification and authentication
3.1 Name management5
This section sets out requirements that relate to the identification and authentication procedures that have to be used when registering Linked Certification Entities and subscribers, including organisations and individual persons. These procedures have to be carried out prior to issuing and delivering certificates.
3.1.1 Types of names
All certificates will contain an X.501 distinguished name in the Subject field, including a Common Name component (CN=). The syntactic structure and content of the fields of each certificate, as well as their semantic meaning, are described in the corresponding document, “perfil de certificado” [certificate profile], which is published on the Agència Catalana de Certificació [Catalan Certification Agency] website (http://www.catcert.cat/).
3.1.2 Meaning of the names
In certificates that correspond to individual persons, the signatory's identification will consist of their name and surname(s), plus their DNI [Spanish ID number], or where applicable, a pseudonym. If a pseudonym is used, it must be obvious that it is such.6 In certificates that correspond to legal entities, the entity will be identified by its registered name and its CIF [Tax ID Number].7
3.1.3 Use of anonymity and pseudonyms
Pseudonyms may not be used to identify an organisation. Personal certificates, both for individuals and organisations, and entity certificates can use pseudonyms instead of the true name of the key holder that corresponds to the certificate. If a pseudonym is used, it must be obvious that it is such.8
5 TS 101 456: 7.3.1
6 Article 11.2.e), Law 59/2003 (Ley 59/2003).
7 Article 11.2.e), Law 59/2003 (Ley 59/2003).
8 Article 11.2.e), Law 59/2003 (Ley 59/2003).
3.1.4 Interpreting name formats
No additional stipulations.
3.1.5 Uniqueness of names
The name of each certificate subscriber has to be unique, in every certificate generation service operated by a Linked Certification Entity and for every type of certificate. This means that a person can have different types of certificate issued by the same Linked Certification Entity in the same name. It is also possible to have the same type of certificate issued by different Linked Certification Entities in the same name. Once a subscriber name has been occupied, it cannot be reassigned to a different subscriber9.
3.1.6 Resolution of conflicts relating to names
Certificate applicants may not include names in their applications that may lead to the infraction of third-party rights, by the future subscriber, for instance, by using false identification documents (DNI). The Certification Entity will not have to determine whether a certificate applicant has the right to use the name that appears on the certificate application. Neither will it act as arbitrator or mediator, nor in any way have to resolve any dispute concerning the property of persons' or organisations' names, domain names, trademarks or trade names (for instance, relating to e-mail addresses). The Certification Entity reserves the right to refuse any certificate application due to conflicts relating to the name.
In certificados individuales [individual certificates], conflicts relating to the names of subscribers who are identified on their certificates by their real name are to be rectified by including the following in the name field on the certificate:
- In the case of Spanish nationals, the subscriber's DNI [Spanish ID number]: e.g. (C) = ES; (SN) = DNI
- In the case of foreigners that are linked to Spain in some way, for instance through residence in Spanish territory, the NIE [Spanish foreigners' ID number] of the subscriber: e.g. French (C) = ES; (SN) = NIE; e.g. Argentinian (C) = ES; (SN) = NIE
- In the case of foreigners who are nationals of States that are signatories of the Schengen Agreement and who do not have a NIE [Spanish foreigners' ID number], the national identification document from their country of origin or the subscriber's valid passport number: e.g. Italian (C) = IT; (SN) = IT-National Identification Document
- In the case of foreigners who are nationals of States that are not signatories of the Schengen Agreement and who do not have a NIE [Spanish foreigners' ID number], their valid ordinary, diplomatic, official or service Passport number: e.g. Chinese (C) = CN; (SN) = CN-Passport
In the two abovementioned scenarios, the code of the country where the subscriber is a national is to be included together with the cited identifier, separated by a dash, in accordance with the parameters set out in standard ISO 3166 Codes (Countries).
In certificados de organización [organisation certificates], conflicts relating to the name of key holders that are identified on the certificates by their real name are to be rectified by including the following in the name field on the certificate:
If the “Organizational Unit” or subscriber in the “Subject” field is subject to Spanish Law:
- In the case of Spanish nationals, the key holder's DNI [Spanish ID number]: e.g. (C) = ES; (SN) = DNI
- In the case of foreigners that are linked to Spain in some way, for instance through residence in Spanish territory, the key holder's NIE [Spanish foreigners' ID number]: e.g. French (C) = ES; (SN) = NIE; e.g. Argentinian (C) = ES; (SN) = NIE
- In the case of foreigners who are nationals of States that are signatories of the Schengen Agreement and who do not have a NIE [Spanish foreigners' ID number], the national identification document from their country of origin or the key holder's valid passport number: e.g. Italian (C) = IT; (SN) = IT-National Identification Document
- In the case of foreigners who are nationals of States that are not signatories of the Schengen Agreement and who do not have a NIE [Spanish foreigners' ID number], the key holder's valid ordinary, diplomatic, official or service passport number: e.g. Chinese (C) = ES; (SN) = CN-Passport
In the two abovementioned scenarios, the code of the country where the subscriber is a national is to be included together with the cited identifier, separated by a dash, in accordance with the parameters set out in standard ISO 3166 Codes (Countries).
- Any other identifier assigned to the key holder by the subscriber: e.g. professional association membership number
9 TS 101 456: 7.3.3 d); TS 102042: 7.3.3 d)
If the “Organizational Unit” or subscriber in the “Subject” is not subject to Spanish Law, the semantics of the “Serial Number” will depend on the legislation that is applicable, in accordance with the “Country Name” of the Entity.
In certificados de entidad [entity certificates], conflicts relating to the names of key custodians who are identified on the certificates by their real name are to be rectified by including the DNI [Spanish ID number] or NIE [Spanish foreigners' ID number] of the key custodian in the name field on the certificate. These criteria are established bearing in mind that the various Public, State, Autonomous Community and Local Administration bodies establish for themselves the type of identification that they consider to be valid and for which procedures this identification is required. Therefore, depending on the certificate that the interested party has available to them, the latter may or may not be able to deal with a specific organ of Public Administration. However, any type of procedure can be carried out using the following CATCert certificates because these certificates use the NIF (tax ID number) to identify the person (holder or subscriber):
- CPSR con Cargo [CPSR with Position]
- CPI con Cargo [CPI with Position]
- idCAT
- idCAT-T
- CPISA
- CPISR
- CPISR con Cargo [CPISR with Position]
- CPISR con Cargo para Uso concreto [CPISR with Position for a specific Use]
- CPISR Estudiante [CPISR Student]
- CPIXSA
- CPX
- CPX con Cargo [CPX with Position]
- CPX Estudiante [CPX Student]
However, this policy limits the use of all certificates with position to tasks that are specific to that position, like, for instance:
- CPSR con Cargo [CPSR with Position]
- CPI con Cargo [CPI with Position]
- CPISR con Cargo [CPISR with Position]
- CPISR con Cargo para Uso concreto [CPISR with Position for a specific Use]
- CPX con Cargo [CPX with Position]
- CPIXSA con Cargo [CPIXSA with Position]
With the other CATCert certificates that use criteria other than the DNI [Spanish ID number] or NIE [Spanish foreigners' ID number] to identify the subscriber or key holder, only certain processes can be carried out, depending on the criteria that have been set out by the competent organ in each Public Administration. Among these certificates we find:
- CPISR de Estudiante Extranjero [Foreign Student CPISR]
- CPX de Estudiante Extranjero [Foreign Student CPX]
- CPISR de Extranjero con Cargo [Foreigner CPISR with Position]
- CPX de Extranjero con Cargo [Foreigner CPX with Position]
- idCAT-CEX.
Regarding the treatment of registered trademarks see the corresponding section. If the name that needs to be included on the certificate is excessively long, one of the names should be abbreviated, but never the first surname.
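The naming rules of 3.1.6 for individual certificates are mechanical enough to implement, and an implementation makes the branches (DNI, NIE, Schengen national without NIE, other national without NIE) and the country-code prefix explicit. The Go program below is an added example, not CATCert's code: it builds the Subject Name from a constructed registration record, choosing C and serialNumber by the rules above and applying the abbreviation rule for over-long names without ever shortening the first surname. The Person struct, the deliberately partial Schengen table, the sample identifiers and the 64-character commonName bound (the X.520 upper bound; the page only says "excessively long") are this example's assumptions.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Person is a constructed registration record; the field names are this example's, not CATCert's.
type Person struct {
	GivenName, FirstSurname, SecondSurname string
	Nationality                            string // ISO 3166-1 alpha-2 code of the State of nationality
	DNI, NIE                               string // Spanish national ID / foreigners' ID number, "" if none
	NationalID                             string // home-country identity document number, "" if none
	Passport                               string // valid passport number, "" if none
}

// schengen is a deliberately partial, constructed set of Schengen States used only to pick
// the branch; a real implementation would hold the full current membership list.
var schengen = map[string]bool{"DE": true, "FR": true, "IT": true, "PT": true}

// ubCommonName is the X.520 upper bound for commonName. ASSUMPTION: the policy gives no
// figure, it only says an "excessively long" name must be abbreviated.
const ubCommonName = 64

// subjectFor applies the 3.1.6 rules for individual certificates: which identifier goes
// into serialNumber (SN), which country code goes into C, and how CN is formed.
func subjectFor(p Person) (pkix.Name, error) {
	var country, serial string
	switch {
	case p.Nationality == "ES":
		if p.DNI == "" {
			return pkix.Name{}, errors.New("Spanish national without a DNI")
		}
		country, serial = "ES", p.DNI
	case p.NIE != "": // foreigner linked to Spain, e.g. through residence
		country, serial = "ES", p.NIE
	case schengen[p.Nationality]: // Schengen national without NIE: home ID document or passport
		doc := p.NationalID
		if doc == "" {
			doc = p.Passport
		}
		if doc == "" {
			return pkix.Name{}, errors.New("Schengen national without NIE, national ID or passport")
		}
		country, serial = p.Nationality, p.Nationality+"-"+doc
	default: // non-Schengen national without NIE: passport only
		if p.Passport == "" {
			return pkix.Name{}, errors.New("non-Schengen national without NIE or passport")
		}
		country, serial = p.Nationality, p.Nationality+"-"+p.Passport
	}
	if p.FirstSurname == "" {
		return pkix.Name{}, errors.New("first surname is required and is never abbreviated")
	}
	return pkix.Name{
		Country:      []string{country},
		SerialNumber: serial,
		CommonName:   commonName(p),
	}, nil
}

// commonName joins given name and surnames; if the result exceeds ubCommonName it
// abbreviates the second surname first, then the given name, never the first surname.
func commonName(p Person) string {
	given, second := p.GivenName, p.SecondSurname
	join := func() string {
		return strings.TrimSpace(strings.Join([]string{given, p.FirstSurname, second}, " "))
	}
	if utf8.RuneCountInString(join()) > ubCommonName && second != "" {
		second = initials(second)
	}
	if utf8.RuneCountInString(join()) > ubCommonName {
		given = initials(given)
	}
	return join()
}

// initials reduces each word to its first letter followed by a period.
func initials(s string) string {
	var out []string
	for _, w := range strings.Fields(s) {
		r, _ := utf8.DecodeRuneInString(w)
		out = append(out, strings.ToUpper(string(r))+".")
	}
	return strings.Join(out, " ")
}

func main() {
	for _, p := range []Person{ // constructed sample records and identifiers
		{GivenName: "Ana", FirstSurname: "García", SecondSurname: "López", Nationality: "ES", DNI: "00000000T"},
		{GivenName: "Luca", FirstSurname: "Rossi", Nationality: "IT", NationalID: "AA0000000"},
		{GivenName: "Wei", FirstSurname: "Zhang", Nationality: "CN", Passport: "E00000000"},
	} {
		n, err := subjectFor(p)
		fmt.Println(n.String(), err)
	}
}
```

The order of the cases matters: the NIE branch is tested before the Schengen branch, because the page assigns C=ES to any foreigner linked to Spain, whether or not their State is a Schengen signatory.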
3.2 Initial identity validation
3.2.1 Proof of possession of the private key
This section describes the methods to be used in order to prove possession of the private key that corresponds to the public key in the certificate.10 The method for proving possession of the private key will be PKCS #10, another equivalent cryptographic test or any other method approved by the Agència Catalana de Certificació [Catalan Certification Agency]. This requirement is not applicable when the key pair is generated by a Local Registration Entity during the process of generating the subscriber's secure signature-creation device. In this case, possession of the private key is proven using the trustworthy procedure of delivering and accepting the secure device and the corresponding certificate and pair of keys stored inside it. It must be ensured that only the subscriber (for individual certificates) or the key holder (for organisation or entity certificates) has the signature key.
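What the PKCS #10 proof of possession actually checks, as an added Go example (not CATCert's code): the applicant signs the CertificationRequest with the newly generated private key, and the Registration or Certification Entity verifies that self-signature against the public key embedded in the request before doing anything else with it. A request whose signature does not verify under its own public key, which is what the corrupt helper constructs and also what a request built around a key the applicant does not hold looks like to the verifier, is rejected. The function names and the constructed applicant are this example's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// applicantRequest is the applicant's side of PKCS #10: generate the key pair and sign a
// CertificationRequest with the new private key. Only the DER-encoded request is sent on.
func applicantRequest(commonName string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Country: []string{"ES"}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// registrationCheck is the Certification/Registration Entity's side: parse the request and
// verify its self-signature against the public key it carries. A valid signature proves that
// whoever built the request held the private key matching that public key.
func registrationCheck(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS #10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return nil, errors.New("request carries no commonName")
	}
	return csr, nil
}

// corrupt returns a copy of a request whose signature no longer matches its body
// (constructed for the demo by flipping the last byte of the signature value).
func corrupt(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0xff
	return out
}

func main() {
	der, _, err := applicantRequest("constructed applicant")
	if err != nil {
		panic(err)
	}
	if csr, err := registrationCheck(der); err != nil {
		fmt.Println("genuine request rejected:", err)
	} else {
		fmt.Println("genuine request accepted for", csr.Subject.CommonName)
	}
	_, err = registrationCheck(corrupt(der))
	fmt.Println("corrupted request:", err)
}
```

Note that the check proves possession of the key at the moment the request was signed; it says nothing about who the applicant is, which is why the identity validation of 3.2.2 and 3.2.3 is a separate step.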
3.2.2 Authenticating the identity of an organisation
This section contains requirements for checking the identity of an organisation identified on the certificate.
10 TS 101456: 7.3.1.j); TS 102042: 7.3.1.n)
3.2.2.1 Linked Certification Entities operated by third parties
Prior to issuing and delivering a Linked Certification Entity certificate, the Root Certification Entity has to ensure the authenticity of its identity and the other data set out in the corresponding section. To do this, the Certification Entity can use the following methods:
1) Obtaining information about the organisation from an external supplier of this kind of service.
2) Checking the supporting documentation supplied by the applicant. In this case, the representative of the future Certification Entity needs to attend in person.
3.2.2.2 Registration Entities
The Certification Entity has to authenticate, prior to issuing and delivering an operator certificate for any of the components of a Registration Entity, the identity of the Registration Entity and the operator, as set out in the section corresponding to organisation certificates. To do this, the Certification Entity can use the following methods:
1) Obtaining information about the organisation from an external supplier of this kind of service.
2) Checking the supporting documentation supplied by the applicant. In this case, the representative of the future Registration Entity needs to attend in person.
3.2.2.3 Certificate subscribers
Requirements for certificados de clase 1 [class 1 certificates]
With class 1 certificates it is not necessary to carry out any authentication procedures on the organisation that owns the certificate because these are corporate certificates, where the organisation subscribing to the certificate and the Registration Entity coincide.
Requirements for certificados de clase 2 [class 2 certificates]
Prior to issuing and delivering a certificado de clase 2 de organización [class 2 organisation certificate], the Certification Entity has to ensure the authenticity of the subscriber's identity and the other data set out in the corresponding section for organisation certificates. The Certification Entity can use Registration Entities to carry out this task. To do all of this, the Certification Entity or Registration Entity can use the following methods:
1) Obtain information about the organisation from an external provider of this type of service, at the discretion of the Certification Entity, which has to be previously approved by the external provider.
2) Checking the following points in the supporting documentation supplied by the applicant:11
a) Complete legal name of the organisation
b) Legal status of the organisation
c) Tax Identification Number
d) Registered Identification Data
Further to the checks that have to be made on the organisation that is responsible for the secure server, the following should also be checked:
1) The existence of the server
2) The owner of the domain name from the corresponding register.
3) The organisation's authorisation for the certificate to be issued to the server
3.2.3 Authenticating the identity of an individual person
This section contains requirements for checking the identity of an individual person on a certificate.
3.2.3.1 Required identification elements12
The Certification Entity is to establish the number and types of documents that are needed to prove the identity of the key holder. It may use the following:
1) National Identity Document or Foreigners' Identification Number or, equivalently, proof of renewal of the DNI or NIE [Spanish national ID or foreigners' ID] plus one other document providing photographic proof of identity.
2) Passport
3) Any other document that is permissible by law, as long as it contains the following information (at the very least):13
a. Name and surname of the person
b. Legally recognised identification number
c. The other aspects of the person that have to be recorded on the certificate
11 TS 101 456: 7.3.1 e); TS 102 042: 7.3.1 g)
12 Article 13.1, Law 59/2003 (Ley 59/2003).
13 TS 101 456: 7.3.1 d); TS 102 042: 7.3.1 f)
3.2.3.2 Validating the identification elements14
Requirements for certificados de Clase 1 [Class 1 certificates]
The identification information of class 1 certificate key holders is to be validated by comparing the information in the application with the internal registers held by the Registration Entity, which has to ensure that the information being certified is correct. A corporate provider of human resources information can be used for this task.
Requirements for certificados de Clase 2 [Class 2 certificates]
Confirmation of the identification information for subscribers to individual certificates and for key holders of organisation certificates is obtained by comparing the information on the application with the supporting documentation, supplied either electronically or on paper.
3.2.3.3 Requirement for in-person attendance15
An individual person that has to obtain a qualified certificate can be identified:
- By appearing before those responsible for verifying his/her identity.
- Through the process set out in administrative legislation, when the person appears before Public Administration.
It is not necessary to attend in person if the signature on the certificate issuance application has been legalised by a public notary or in the circumstances provided for in article 13.4 of Law 59/2003, of 19 December [Ley 59/2003].16 However, this policy does not support this mechanism, due to the non-existence of a procedure to this effect on the part of the notaries. It is possible to avoid having to attend in person if the certificate issuance application has been authenticated using a certificado electrónico de firma reconocida [qualified electronic signature certificate] that falls within the CATCert classification system, as long as it is valid and the applicant declares that no more than five years have passed since he/she was identified in person. Before a qualified certificate can be issued and delivered, the subscriber (for individual certificates) or the key holder will have to appear in person, directly or indirectly, to enable the Certification Entity to check his/her identity. During this step, which can be deferred until the time of delivery and acceptance of the certificate or secure signature-creation device, the identity of the person is validated.
14 TS 101 456: 7.3.1 c); TS 102 042: 7.3.1 d)
15 TS 101 456: 7.3.1 c)
16 Article 13.1, Law 59/2003 (Ley 59/2003).
Specific requirements for CPSRs and CESRs
Before a CPSR or CESR certificate can be issued and delivered, the subscriber (for individual certificates) or the key holder will have to appear in person, directly or indirectly, to enable the Certification Entity to check his/her identity. During this step, which can be deferred until the time of delivery and acceptance of the certificate or secure signature-creation device, the identity of the person is validated.
3.2.3.4 Linking the individual person to an organisation
Requirements for certificados de clase 1 [class 1 certificates]
Since this relates to corporate certificates, where the Registration Entity and subscriber are the same institution, it is not necessary to obtain specific documented proof of the link between the key holder and the Registration Entity; instead the internal registers of the institution can be used.
Requirements for certificados de clase 2 [class 2 certificates]
When organisation certificates are issued, the Certification Entity has to obtain documented proof of the link between the individual person and the organisation, via any of the means permitted by law.17
The Certification Entity can use Registration Entities to carry out this task.
3.2.4 Non-verified subscriber information
Not applicable.
3.3 Identification and authentication of renewal requests
3.3.1 Validation for routine certificate renewal18
Prior to renewing a certificate, the Certification Entity will have to check whether the information used to verify the identity and the rest of the subscriber's or key holder's information is still valid. If any of the subscriber's or key holder's information has changed, the new information has to be properly registered, in accordance with the provisions of the corresponding section.
17 TS 101 456: 7.3.1 e); TS 102 042: 7.3.1 g)
18 TS 101 456: 7.3.2; TS 102 042: 7.3.2
3.3.2 Validation for certificate renewal after revocation19
Before generating a certificate for a subscriber whose certificate is going to be revoked (as long as the reason for the revocation is not the compromise of the private key), the Certification Entity will have to check whether the information used to verify the identity and the rest of the subscriber's and key holder's data remains valid. If any of the subscriber's or key holder's information has changed, the new information has to be properly registered, in accordance with the provisions of the corresponding section.
3.4 Identification and authentication of revocation requests [20]
The Certification Entity will have to authenticate requests and reports relating to certificate revocation, and check that they have come from an authorised source. These requests and reports have to be confirmed in accordance with the procedures established in the Declaración de Prácticas de Certificación [Certification Practice Statement] of the Certification Entity.
3.5 Authentication of a suspension request
The subscriber has to identify themselves to CATCert over the telephone, by giving their identification number (NIF) [Tax ID number] and correctly answering the secret question that they gave on their certificate application form (in the case of idCAT), or by giving the suspension code that was written on their certificate delivery document (for all other certificates).
[19] TS 101 456: 7.3.2; TS 102 042: 7.3.2
[20] TS 101 456: 7.3.6 c); TS 102 042: 7.3.6 c)
4. Certificate life cycle operational specifications
The following certificate life cycle operational requirements are not applicable to test certificates, which are governed by the provisions of the DPC of the Linked Certification Entity that issued them.
4.1 Application for the issue of a certificate
4.1.1 Legal right to request issuance
4.1.1.1 Requirements for all types of certificate
Before a certificate can be issued and delivered, a certificate application has to be made. If the applicant and subscriber are different entities, the Certification Entity has to have given authorisation for the application to be made, via a legal instrument. The following types of authorisation may exist:
1. Class 1. Registration Entity before the Certification Entity, authorising its own employees.
2. Class 2. Registration Entity before the Certification Entity, authorising employees related to the subscriber (this may be an employee of the subscriber, an external representative or even a different entity).
The following types of application may exist:
1. Electronic application for a trade certificate (no public key and not digitally signed).
2. Electronic application for a certificate made by the interested party, without key generation (no public key and not digitally signed).
3. Electronic application for a certificate made by the interested party, with key generation (PKCS #10 or a compatible mechanism, carrying the user's public key and digital signature in order to prove possession of the private key, in accordance with the corresponding section of this signature policy).
4.1.1.2 Specific CIC requirements
The future Certification Entity cannot request the certificate until it has completed its admission process in the Jerarquía de Entidades de Certificación [Hierarchy of Certification Entities] of the Agència Catalana de Certificació [Catalan Certification Agency].
4.1.1.3 Requirements for personal, entity and device certificates
Specific requirements for certificados de Clase 1 [Class 1 certificates]
Further to the provisions of the corresponding section, the Linked Certification Entity will have to receive certificate applications in accordance with at least one of the following cases:
1) Application made by a person who has been authorised by the Linked Certification Entity, instead of the key holder. In this case, there must be a document, either in paper or electronic format, referring to the certificate request, produced by the organisation for the Linked Certification Entity, which should name the person or persons authorised to make requests. The end-user data needed to make the request can come from the organisation's database or, if the user is not in the database, can be entered manually by the applicant.
2) Application made by the future key holder, in which case a range of circumstances may coincide:
- There is a document, whether in paper or electronic format, of the certificate application.
- The applicant generates the key pair or agrees for them to be generated.
- The applicant has generated the key pair, in which case the applicant has to send the public key for certification and prove possession of the private key.
- The applicant accepts a subscriber's agreement, which could consist of conditions of use.
- In order to request a certificate, another valid certificate may be used, in accordance with the provisions of art. 13.4.b of Law 59/2003 [Ley 59/2003].
Specific requirements for certificados de Clase 2 [Class 2 certificates]
Further to the provisions of the corresponding section, the Linked Certification Entity will have to receive certificate applications in accordance with at least one of the following cases:
1) Application made by a person authorised by the Linked Certification Entity, in the place of the subscriber (in the case of individual certificates) or of the key holder (in the case of organisation certificates). In this case, there must be a document, either in paper or electronic format, referring to the certificate request, produced by the organisation for the Linked Certification Entity, which should name the person or persons authorised to make requests. The end user's data required to make the application are to be entered, in all cases, by the applicant.
2) Application made by the future subscriber (in the case of individual certificates) or the future key holder (in the case of organisation certificates), in which case a range of circumstances may coincide:
- There is a document, whether in paper or electronic format, of the certificate application.
- The applicant generates the key pair or agrees for them to be generated.
- The applicant has generated the key pair, in which case the applicant has to send the public key for certification and prove possession of the private key.
- The applicant accepts a subscriber's agreement, which could consist of conditions of use.
4.1.2 Registration procedure. Responsibilities
The Linked Certification Entity has to ensure that the certificate applications are complete, accurate and duly authorised. [21]
Before the certificate can be issued and delivered, the Linked Certification Entity has to inform the subscriber (in the case of individual certificates) or the future key holder (in the case of organisation certificates) of the terms and conditions that are applicable to the certificate. [22] In organisation certificates, this requirement can be fulfilled by delivering the legal instrument that links the Certification Entity to the subscriber or by sending a delivery note to the key holder that includes this information. This information has to be communicated using durable media, in paper or electronic format, and in easy-to-understand language. [23]
The application can be accompanied by supporting documentation justifying the subscriber's identity and other circumstances (in the case of individual certificates) or the key holder's identity and other circumstances (in the case of organisation or entity certificates), in accordance with the provisions of the corresponding section in this certificate policy. It can also be accompanied by a physical address and other data that allow contact to be made with the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates). [24]
4.2 Processing the certificate application
4.2.1 Requirements for all types of certificate
Once a certificate application has been made, the Certification Entity has to verify the information that has been supplied, in accordance with the corresponding section of this policy. If the information is incorrect, the Certification Entity has to refuse the application. If the data is verified as being correct, the Certification Entity can approve the certificate.
[21] TS 101 456: 7.3.1; TS 102 042: 7.3.1
[22] TS 101 456: 7.3.1 a); TS 102 042: 7.3.1 a)
[23] TS 101 456: 7.3.1 b); TS 102 042: 7.3.1 c)
[24] TS 101 456: 7.3.1 f); TS 102 042: 7.3.1 j)
4.2.2 Specific requirements for the CIC
When the Certification Entity applying to be linked to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] is not operated by CATCert, before the certificate is issued, checks will be made as to whether the corresponding certification services provider can prove that its services are sufficiently trustworthy. [25]
As part of the admission process of the Certification Entity, CATCert will check the following aspects:
- That the policies and procedures in place in the Certification Entity are non-discriminatory. [26]
- That the Certification Entity will offer its services to all applicants whose activities fall within the operating sphere declared in its DPC [27], in accordance with the provisions of section 1.3 of this policy.
- That the Certification Entity is a legal entity [28], in accordance with the provisions of section 1.3.1 of this policy. This will be checked in accordance with the provisions of the corresponding section of this policy.
- That the Certification Entity has suitable quality and security management systems in place to provide the service. [29] This will be checked in the conformity audit provided for in section 8 of this policy.
- That the Certification Entity employs qualified staff, who have the necessary experience to provide the services being offered, in the sphere of electronic signatures and the appropriate security and management procedures. [30]
- That the Certification Entity fulfils the financial capacity requirements set out in section 9.2 of this policy. [31]
- That the Certification Entity fulfils the requirements relating to dispute resolution procedures set out in section 9.13 of this policy. [32]
- That the Certification Entity has sufficiently documented the legal relationships that form the basis of the externalisation of some or all of its services. [33]
[25] Law 59/2003 [Ley 59/2003]: Article 20.1 a); TS 101 456: 7.5; TS 102 042: 7.5
[26] TS 101 456: 7.5 a); TS 102 042: 7.5 a)
[27] TS 101 456: 7.5 b); TS 102 042: 7.5 b)
[28] TS 101 456: 7.5 c); TS 102 042: 7.5 c)
[29] TS 101 456: 7.5 d); TS 102 042: 7.5 d)
[30] Law 59/2003 [Ley 59/2003]: Article 20.1 c); TS 101 456: 7.5 g); TS 102 042: 7.5 g)
[31] TS 101 456: 7.5 f); TS 102 042: 7.5 f)
[32] TS 101 456: 7.5 h); TS 102 042: 7.5 h)
[33] TS 101 456: 7.5 i); TS 102 042: 7.5 i)
4.2.3 Personal certificate requirements
The Certification Entity will have to:
- Use the certificate generation process that securely links the certificate to the information held in the register, including the certified public key. [34]
- If the Certification Entity generates the key pair, use a certificate generation procedure that is securely linked to the key generation procedure, and ensure that the private key is securely delivered to the subscriber (in the case of individual certificates) or to the key holder (in the case of organisation or entity certificates). [35]
- Protect the confidentiality and integrity of the data held in the register, especially if they are exchanged with the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates) or with a third-party applicant, where applicable. [36]
4.2.3.1 Specific requirements for personal certificates
Additionally, the Certification Entity will have to:
- Include the information set out in article 11 of Law 59/2003 [Ley 59/2003] on the certificate, in accordance with the provisions of section 7 of this policy.
- Guarantee the date and time of issue of its certificates. [37]
- If the Certification Entity supplies its own secure signature-creation device, use a secure signature-creation device management procedure that ensures that the device is securely delivered to the subscriber (in the case of individual certificates) or to the key holder (in the case of organisation or entity certificates). [38]
- Use trustworthy systems and products that are protected against any possible alteration and that guarantee technical security and, where applicable, encryption of the certification process that they support. [39]
- Ensure that the certificate is issued through systems that employ fraud protection and, if the Certification Entity generates the private keys, that guarantee the confidentiality of the keys during the generation process. [40]
[34] TS 101 456: 7.3.3 b); TS 102 042: 7.3.3 b)
[35] TS 101 456: 7.3.3 c); TS 102 042: 7.3.3 c)
[36] TS 101 456: 7.3.3 e); TS 102 042: 7.3.3 e)
[37] Law 59/2003 [Ley 59/2003]: Art. 20.1 b)
[38] TS 101 456: 7.3.3 c); TS 102 042: 7.3.3 c)
[39] Law 59/2003 [Ley 59/2003]: Art. 20.1 d)
[40] TS 101 456: 7.3.3, referring to D 99/93: Annex II g)
4.2.4 Entity certificate requirements
Additionally, the Certification Entity will have to:
- Include the information set out in article 11.2 of Law 59/2003 [Ley 59/2003] on the certificate, in accordance with the provisions of section 7 of this policy.
- Guarantee the date and time of issue of its certificates. [41]
- If the Certification Entity supplies the secure signature-creation device, use a secure signature-creation device management procedure that ensures that the device is securely delivered to the key custodian. [42]
- Use trustworthy systems and products that are protected against any possible alteration and that guarantee technical security and, where applicable, encryption of the certification process that they support. [43]
- Ensure that the certificate is issued through systems that employ fraud protection and, if the Certification Entity generates the private keys, that guarantee the confidentiality of the keys during the generation process. [44]
4.2.5 Device certificate requirements
Once the secure-server certificate application has been approved, the Certification Entity or the authorised Registration Entity will contact the person responsible for installing the certificate, in order to determine the mechanism for dispatching the public key being certified, in accordance with the provisions of the corresponding section. After secure receipt of the public key, the certificate will be issued and delivered.
4.3 Certificate issuance
4.3.1 Certification Entity activities during the issuance and renewal processes
After the certificate application has been approved, the certificate is securely issued [45] and made available to the subscriber (in the case of individual certificates) or to the key holder (in the case of organisation or entity certificates), so that it can be accepted in accordance with the provisions of the corresponding section. [46]
The procedures set out in this section are also applicable to certificate renewal, since this involves the issuance of a new certificate. The Certification Entity will have to:
a. Use the certificate generation process that securely links the certificate to the information held in the register, including the certified public key. [47]
b. If the Certification Entity generates the key pair, it will have to use a certificate generation procedure that is securely linked to the key generation procedure, and ensure that the private key is securely delivered to the subscriber (in the case of individual certificates) or to the key holder (in the case of organisation or entity certificates). [48]
c. Protect the confidentiality and integrity of the data held in the register, especially if they are exchanged with the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates) or with a third-party applicant, where applicable. [49]
Further to complying with the provisions of the corresponding section, the Certification Entity will have to:
a. Include the information set out in article 11.2 of Law 59/2003 [artículo 11.2 de la Ley 59/2003] in the certificate, in accordance with the provisions of the corresponding section of this policy.
b. State the date and time of issue of the certificate. [50]
c. If the Certification Entity supplies its own secure signature-creation device, it will have to use a secure signature-creation device management procedure that ensures that the device is securely delivered to the subscriber (in the case of individual certificates) or to the key holder (in the case of organisation or entity certificates). [51]
d. Use trustworthy systems and products that are protected against any possible alteration and that guarantee technical security and, where applicable, encryption of the certification process that they support. [52]
e. Take measures against certificate fraud and, if the Linked Certification Entity generates private keys, ensure that it guarantees the confidentiality of the keys during their generation process. [53]
[41] Law 59/2003 [Ley 59/2003]: Art. 20.1 b)
[42] TS 101 456: 7.3.3 c); TS 102 042: 7.3.3 c)
[43] Law 59/2003 [Ley 59/2003]: Art. 20.1 d)
[44] TS 101 456: 7.3.3, referring to D 99/93: Annex II g)
[45] TS 101 456: 7.3.3
[46] TS 101 456: 7.3.5 a)
4.3.2 Providing notice of issuance to the subscriber
The Certification Entity will have to notify the applicant as to whether their application has been approved or refused.
[47] TS 101 456: 7.3.3 b)
[48] TS 101 456: 7.3.3 c)
[49] TS 101 456: 7.3.3 e)
[50] Law 59/2003 [Ley 59/2003]: Art. 20.1 b)
[51] TS 101 456: 7.3.3 c)
[52] Law 59/2003 [Ley 59/2003]: Art. 20.1 d)
[53] TS 101 456: 7.3.3, referring to D 99/93: Annex II g); Law 59/2003 [Ley 59/2003]: Art. 20.1 e)
Notification is also to be sent to the subscriber (in the case of individual certificates) or the future key holder (in the case of organisation or entity certificates) informing them that the certificate has been created and is available, and how to obtain it.
4.4 Certificate acceptance
4.4.1 Responsibilities of the Certification Service Provider
The Certification Entity will have to:
- Certify the subscriber's identity (in the case of individual certificates) or the key holder's identity (in the case of organisation or entity certificates), when this is necessary and if it has not already been done, in accordance with the provisions of sections 3.1.8 and 3.1.9 of this policy.
- Give the subscriber (in the case of individual certificates) or the future key holder (in the case of organisation or entity certificates) access to the certificate. [54]
- Deliver, where applicable, the cryptographic-signature device and signature verification, either encrypted or decrypted.
- In the case of organisation and entity certificates, provide the key holder with a certificate delivery note (and, where applicable, the cryptographic device mentioned in the above section) containing at least the following information:
  - Basic information on the certificate policy and use, including information about the Linked Certification Entity and the applicable Declaración de Prácticas de Certificación [Certification Practice Statement], as well as the key holder's obligations, powers and responsibilities.
  - Information about the certificate and cryptographic device.
  - The key holder's acknowledgement of receipt of the certificate and, where applicable, the cryptographic device, and his/her acceptance of these elements.
  - Key holder's obligations.
  - Key holder's responsibilities.
  - Method for exclusively assigning the private key and certificate activation data to the key holder and, where applicable, the cryptographic device, in accordance with the provisions of the corresponding sections of this policy.
  - Date of delivery and acceptance.
[54] TS 101 456: 7.3.5 a); TS 102 042: 7.3.5 a)
4.4.2 Conduct that constitutes acceptance of the certificate
The certificate can be accepted by signing the delivery note and, where applicable, the key holder's note. The certificate can also be accepted via an online mechanism for certificate activation.
4.4.3 Certificate publication
Certificados de clase 1 [class 1 certificates] can be published without the prior consent of the key holders, while in order to publish certificados de clase 2 [class 2 certificates] the subscribers' consent is always required. [55]
4.4.4 Notifying third parties of issuance
Not applicable.
4.5 Use of the key pair and certificate
4.5.1 Use by subscribers
The certificates are to be used in accordance with their function and established purpose; they may not be used for other functions or for other purposes. In the same way, certificates have to be used in accordance with the applicable law, with special observation of the import and export restrictions imposed at any given time.
The Key Usage extension is used to establish technical limitations as to the uses of a private key corresponding to a public key listed on an X.509v3 certificate. It should be borne in mind that the effectiveness of limitations based on certificate extensions sometimes depends on the operation of computer applications that have not been manufactured by, and cannot be controlled by, Certification Entities.
The subscriber's obligations:
- To use the key pair exclusively for electronic signatures and in accordance with any other limitations of which they are notified. [56]
- To be especially diligent in the custody of their private key and secure signature-creation device, in order to avoid unauthorised use. [57]
If the subscriber generates its own keys, it is obligated to:
a. Generate its subscriber keys using an algorithm that is recognised as being acceptable for the qualified electronic signature. [58]
b. Create the keys within the secure signature-creation device. [59]
c. Use key lengths and algorithms that are recognised as being acceptable for the qualified electronic signature. [60]
[55] Law 59/2003 [Ley 59/2003]: Art. 17.2
[56] TS 101 456: 6.2 b)
[57] TS 101 456: 6.2 c), stricter, and extended to the secure signature-creation device.
4.5.2 Use by a third party that trusts the certificates
Certificates are to be used in accordance with their function and established purpose; they may not be used for other functions or for other purposes. In the same way, certificates have to be used in accordance with the applicable law, with special observation of the import and export restrictions imposed at any given time. The Key Usage extension is used to establish technical limitations as to the uses of a private key corresponding to a public key listed on an X.509v3 certificate. It should be borne in mind that the effectiveness of limitations based on certificate extensions sometimes depends on the operation of computer applications that have not been manufactured by, and cannot be controlled by, Certification Entities.
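Sections 4.5.1 and 4.5.2 both rely on the Key Usage extension to restrict what a certified key may be used for, and both note that enforcement is left to the relying application. As an added example (not CATCert's code), the following Python decodes the extension's DER value and makes that relying-party decision; the purpose table and the sample byte strings are this example's own assumptions.

```python
"""Decode an X.509v3 KeyUsage extension and apply it as a relying-party check.

Added example, not CATCert code. KEY_USAGE_BITS follows RFC 5280; the PURPOSES
table is this example's own mapping of an intended use to the bits it needs.
"""
from __future__ import annotations
from typing import Iterable, Optional

# RFC 5280 KeyUsage named bits in bit-position order (bit 0 is the MSB of the first octet)
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)

# Assumed purpose table: which bits a relying party requires for a given use
PURPOSES = {
    "electronic-signature": {"digitalSignature"},
    "content-commitment": {"nonRepudiation"},
    "key-transport": {"keyEncipherment"},
    "issue-certificate": {"keyCertSign"},
    "sign-crl": {"cRLSign"},
}


def decode_key_usage(der: bytes) -> frozenset[str]:
    """Decode the extnValue of a KeyUsage extension: a DER BIT STRING
    (tag 0x03, short-form length, unused-bits octet, then the bit octets)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("KeyUsage extnValue must be a DER BIT STRING (tag 0x03)")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits octet")
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    bit_count = len(body) * 8 - unused
    asserted = set()
    for pos in range(min(bit_count, len(KEY_USAGE_BITS))):
        octet, offset = divmod(pos, 8)
        if body[octet] & (0x80 >> offset):
            asserted.add(KEY_USAGE_BITS[pos])
    return frozenset(asserted)


def encode_key_usage(names: Iterable[str]) -> bytes:
    """Inverse of decode_key_usage; used here to build sample extension values."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return b"\x03\x01\x00"                # empty BIT STRING
    highest = positions[-1]
    body = bytearray(highest // 8 + 1)
    for pos in positions:
        body[pos // 8] |= 0x80 >> (pos % 8)
    unused = len(body) * 8 - (highest + 1)   # DER: trailing zero bits are dropped
    content = bytes([unused]) + bytes(body)
    return bytes([0x03, len(content)]) + content


def check_use(extn_value: Optional[bytes], purpose: str) -> tuple[bool, str]:
    """Relying-party decision for one intended use of the certified key.

    None means the certificate carries no KeyUsage extension; RFC 5280 then
    imposes no technical restriction, so only policy limits the use."""
    required = PURPOSES[purpose]
    if extn_value is None:
        return True, f"{purpose}: no KeyUsage extension, no technical restriction"
    asserted = decode_key_usage(extn_value)
    missing = required - asserted
    if missing:
        return False, f"{purpose} needs {sorted(missing)}, certificate asserts {sorted(asserted)}"
    return True, f"{purpose} permitted by {sorted(asserted)}"


if __name__ == "__main__":
    # Constructed sample values: a signing certificate and a CA certificate
    signer = encode_key_usage({"digitalSignature", "nonRepudiation"})   # 03 02 06 c0
    ca = encode_key_usage({"keyCertSign", "cRLSign"})                    # 03 02 01 06
    for ext, purpose in [(signer, "electronic-signature"), (signer, "key-transport"),
                         (ca, "electronic-signature"), (None, "key-transport")]:
        print(check_use(ext, purpose))
```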
4.6 Certificate renewal without key renewal
When a request is made to renew a certificate without renewing the key pair, the Registration Entity will have to check that this key pair is still cryptographically trustworthy. If it is deemed that this is the case, the Registration Entity will have to check that the registration data is still valid and, if any data has changed, then this will have to be verified, saved and the subscriber will have to be in agreement with it, as set out in the corresponding section of this policy. [61]
If the legal conditions of service provision have changed since the certificate was issued, the Certification Entity or, where applicable, the Registration Entity, will have to inform the applicant of this fact. [62]
[58] TS 101 456: 6.2 d) first
[59] TS 101 456: 6.2 f)
[60] TS 101 456: 6.2 d) second
[61] TS 101 456: 7.3.2 a) and c); TS 102 042: 7.3.2 a) and c)
[62] TS 101 456: 7.3.2 b); TS 102 042: 7.3.2 b)
4.6.1 Specific requirements for certificados de infraestructura [infrastructure certificates]
Infrastructure certificates cannot be renewed under any circumstances without also renewing the keys.
4.6.2 Specific requirements for certificados de firma electrónica reconocida [qualified electronic signature certificates]
Qualified electronic signature certificates cannot be renewed without also renewing the keys.
4.6.3 Specific requirements for all other personal certificates
The procedure applicable to certificate renewal without the renewal of the keys can be based on the prior existence of a valid certificate, as long as the key pair of this certificate is cryptographically trustworthy for the new term of validity of the certificate, and it is not suspected that the subscriber's or key holder's private key has been compromised. [63]
4.7 Renewal of certificates with key renewal
When an application is made for certificate renewal with key renewal, the Registration Entity will have to check that the data it has registered is still valid. If any data has changed, then this will have to be verified, saved and the subscriber will have to be in agreement with it, as set out in the corresponding section of this policy. [64]
If the legal conditions of service provision have changed since the certificate was issued, the Certification Entity or the Registration Entity will have to inform the applicant of this fact. [65]
Certificate renewal begins two months before its date of expiration, when the subscriber receives an e-mail containing information on the steps to be taken in order to renew the certificate. This e-mail will be resent 30 days before expiration. The certificate renewal process is the same as the process used for the issuance of new certificates. In any case, if more than five years have passed since the last time that the subscriber was identified in person at a Registration Entity office, he or she will have to attend again in order to carry out the renewal. For keyring certificates, the subscriber has to go to the Registration Entity office.
[63] TS 101 456: 7.3.2 d); TS 102 042: 7.3.2 d)
[64] TS 101 456: 7.3.2 a) and c); TS 102 042: 7.3.2 a) and c)
[65] TS 101 456: 7.3.2 b); TS 102 042: 7.3.2 b)
4.8 Online renewal
CATCert allows the online renewal of digital certificates based on secure authentication and the corresponding electronic signing of the delivery document of the new certificate. This is carried out using the certificate that is to be renewed, within its last two months of validity.
4.9 Certificate amendment
The certificate applicant should request that his/her/its certificates be amended if he/she/it becomes aware of any changes to the required information or to information relating to positions, limits of use or certificate user devices (e.g. IP addresses, or server or application data). The applicant can also request that the other data included on the certificate be amended. In order to make amendments, the Registration Entity may request proof of the circumstances that justify the amendment. Any amendment to data held on a certificate means that it has to be revoked and a new certificate issued. In any case, amendment will be considered to be renewal.
4.10 Certificate revocation and suspension
The Certification Entity has to include details of the following in its Declaración de Prácticas de Certificación [Certification Practice Statement]: [66]
a. Who can request renewal
b. How to make the request
c. The confirmation requirements for renewal requests
d. Whether it is possible to suspend certificates and the causes for suspension
e. The mechanisms used to distribute information about revocation status
f. The longest possible delay between receiving a request and making any revocation status change available to verifiers, which may not exceed one day under any circumstances.
4.10.1 Causes for certificate revocation
A Certification Entity can revoke a certificate for the following reasons:
1. Circumstances that affect the information contained on the certificate [67]
- Modification of any of the data contained on the certificate.
[66] TS 101 456: 7.3.6 a); TS 102 042: 7.3.6 a)
[67] Law 59/2003 [Ley 59/2003]: Art. 8.1 g)
- Discovery that any of the data supplied on the certificate application is incorrect, or alteration or amendment of the circumstances that have been verified for the issuance of the certificate. - Discovery that any of the data contained on the certificate is incorrect. 2. Circumstances that affect key or certificate security - Compromise of the private key or of the infrastructure or systems of the Certification Entity that issued the certificate when this affects the trustworthiness of the certificates issued after this incident. - Infraction by the Certification Entity of the requirements provided for in the certificate management procedures set out in its DPC. - Compromise or suspected compromise of the security of the subscriber's key or certificate (in the case of individual certificates) or the key holder's key or certificate (in the case of organisation or entity certificates). 68. F
- Unauthorised access or use by a third party of the subscriber's private key (in the case of individual certificates) or the key holder's private key (in the case of organisation or entity certificates). 69 70F
- The irregular use of the certificate by the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates) or lack of diligence in the custody of the private key. 3. Circumstances that affect the security of the cryptographic device - Compromise or suspected compromise of the security of the cryptographic device. - The cryptographic device is lost or rendered useless by damage. - Unauthorised access or use by a third party of the subscriber's activation data (in the case of individual certificates) or the key holder's activation data (in the case of organisation or entity certificates). 4. Circumstances that affect the subscriber or key holder. - Termination of the relationship between the Linked Certification Entity and the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates). - Amendment or termination of the underlying legal relationship or cause that led to the issuance of the certificate to the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates). - Infraction by the certificate applicant of the requirements set out for making certificate applications. - Infraction by the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates) of the obligations, 68
Law 59/2003 [Ley 59/2003]: Art. 8.1.c)
69
Law 59/2003 [Ley 59/2003]: Art. 8.1 c)
Ref. D1111 N-PGDC
Page 56 of 116
CATCert General Certificate Policy
responsibilities and guarantees set out in the corresponding legal instrument or in the Declaración de Prácticas de Certificación [Certification Practice Statement] of the Linked Certification Entity that issued the certificate.
- The subsequent incapacity or death of the subscriber (individual certificates) or the key holder (organisation or entity certificates). [70]
- In the case of organisation certificates, the winding-up of the legal entity subscribing to the certificate, [71] the termination of the power of attorney granted by the subscriber to the key holder, or the termination of the relationship between the subscriber and the key holder.
- A request by the subscriber to revoke the certificate in accordance with section 3.4 of this policy.

5. Other circumstances
- Suspension of the certificate for a period exceeding 120 days.
- Termination of the provision of services by CATCert, in accordance with this General Certification Policy.
- A court or administrative order to this effect (Art. 8.1 of Law 59/2003 on the electronic signature [Ley 59/2003, de firma electrónica]).

If the entity receiving the revocation request does not have all of the information needed to decide whether or not to revoke the certificate, but there are signs that it has been compromised, it may decide to suspend it. In this event, any actions taken during the suspension period are invalid if the certificate is eventually revoked; they are valid if the suspension is lifted (enablement) and the certificate becomes valid again. The legal instrument that links the Linked Certification Entity to the subscriber shall establish that the subscriber has to request revocation of the certificate on becoming aware of any of the above circumstances.

4.10.2 Legal right to request revocation

The following persons can request revocation of a certificate:
- In the case of individual certificates, the subscriber in whose name the certificate was issued.
- In the case of organisation certificates, a representative authorised by the subscriber or key holder.
- In the case of entity certificates, a representative authorised by the subscriber or key custodian.
- The Registration Entity that requested issuance of the certificate.

[70] Law 59/2003 [Ley 59/2003]: Art. 8.1 e)
[71] Law 59/2003 [Ley 59/2003]: Art. 8.1 e)
4.10.3 Revocation request procedures

The Certification Entity has to bear in mind the following rules. The entity that needs to revoke a certificate has to make the request to the Linked Certification Entity or, where applicable, to the Registration Entity that approved the certification request, and include the following information:
- Date of the revocation request
- Subscriber's identity
- Detailed reason for the revocation request
- Name and title of the person requesting revocation
- Contact information of the person requesting revocation

Where immediate revocation of the certificate is required, the request may be made by telephone or e-mail to the Linked Certification Entity or, where applicable, to the Registration Entity. The receiver has to authenticate the request, in accordance with the requirements set out in the corresponding section of this policy, before proceeding to revocation. [72]

If the receiver of the request is the Registration Entity, once it has authenticated the request it can either revoke the certificate directly or send a revocation request to the Linked Certification Entity. The revocation request has to be processed on receipt. [73]

The subscriber and, where applicable, the key holder, has to be informed of the change in the status of the revoked certificate. [74]

The Linked Certification Entity cannot reactivate a certificate once it has been revoked. [75]

Note: a revoked certificate cannot be used again; revocation cannot be lifted or voided in any way. It is a permanent certificate status, unlike suspension (sections 4.10.13 to 4.10.17).
4.10.4 Revocation request period

Revocation requests are to be sent as quickly as possible once the cause of revocation is known.
[72] TS 101 456: 7.3.6 c); TS 102 042: 7.3.6 c)
[73] TS 101 456: 7.3.6 b); TS 102 042: 7.3.6 b)
[74] TS 101 456: 7.3.6 e); TS 102 042: 7.3.6 e)
[75] TS 101 456: 7.3.6 f); TS 102 042: 7.3.6 f)
4.10.5 Maximum term for processing revocation requests

Revocation requests are to be processed in the shortest time possible, within the office opening hours of the Certification Entity. [76]

Outside office opening hours, the subscriber or, where applicable, the key holder, has to request preventive suspension of the certificate.

4.10.6 Obligation to consult certificate revocation information

Verifiers have to check the status of any certificate they wish to trust. One method of verifying certificate status is to consult the latest LRC issued by the Certification Entity that issued the certificate in question. The Certification Entity has to tell verifiers how and where to find the corresponding LRC.

4.10.7 Frequency of issue of listas de revocación de certificados (LRC) [certificate revocation lists]

4.10.7.1 Specific CIC requirements

The Root Certification Entity, or the certification entity that issues certification entity certificates, is required to issue an LRC immediately after revoking a Certification Entity from the hierarchy. In any case, an LRC is to be issued at least quarterly.

4.10.7.2 Requirements for personal, entity and device certificates

The Linked Certification Entity has to issue an LRC at least every 24 hours. [77]

The LRC has to state the time scheduled for the issuance of the next LRC (the nextUpdate field); an LRC may be issued before the time indicated on the previous one. [78]

Revoked certificates that have expired are removed from the LRC sixty days after their expiration date. A verifier validating an old signature therefore cannot treat absence from a current LRC as proof that the certificate was never revoked; it needs an LRC issued within that window.

4.10.8 Maximum term for LRC publication

LRCs are published immediately on the CATCert website (http://www.catcert.cat/).
[76] Law 59/2003 [Ley 59/2003]: Art. 10
[77] TS 101 456: 7.3.6 g); TS 102 042: 7.3.6 g)
[78] TS 101 456: 7.3.6 g); TS 102 042: 7.3.6 h)
4.10.9 Availability of certificate status checking services

As an alternative to the LRC, verifiers can consult the certificates published in the directory of the Linked Certification Entity, via a web interface.

4.10.10 Obligation to consult certificate status checking services

A verifier that does not use an LRC to check the validity of a certificate has to use the directory of the Linked Certification Entity for this task. Verifiers are required to check the status of any certificate they wish to trust. One method of verifying certificate status is to consult the latest LRC issued by the Linked Certification Entity that issued the certificate in question. The Linked Certification Entity has to tell verifiers how and where to find the corresponding LRC.

4.10.11 Other types of certificate revocation information

Other means of obtaining information about certificate revocation may be set up; they have to be detailed in the DPC of the Linked Certification Entity. CATCert allows the validity status of certificates to be checked using the OCSP protocol.

4.10.12 Special requirements in the event of compromise of the private key

As far as possible, all members of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] are to be notified of any compromise of the private key of a Linked Certification Entity, via the CATCert directory.

4.10.13 Causes for certificate suspension

The Linked Certification Entity can suspend a certificate in the following events:
- If it is known in advance that the subscriber will not use the certificate for a prolonged period of time.
- If a key is suspected to have been compromised, until this is confirmed.

In the second case, the Linked Certification Entity has to ensure that the certificate is not suspended for longer than is necessary to confirm whether the key has been compromised.

4.10.14 Who can request suspension

The following persons can request the suspension of a certificate:
- In the case of individual certificates, the subscriber in whose name the certificate was issued.
- In the case of organisation certificates, a representative authorised by the subscriber or key holder.
- In the case of entity certificates, an authorised representative of the subscriber or the key custodian.
- The Registration Entity that requested issuance of the certificate.

4.10.15 Suspension request procedures

Where suspension is requested by the subscriber or, where applicable, the key holder, a valid certificate has to be available so that the request can be authenticated by the Linked Certification Entity or, where applicable, the Registration Entity. If no certificate is available, the subscriber or key holder should ask a Linked Certification Entity or, where applicable, a Registration Entity to request the suspension. In its Declaración de Prácticas de Certificación [Certification Practice Statement], the Linked Certification Entity has to set out the procedures and mechanisms for accessing its suspension systems.

4.10.16 Maximum term of suspension

The maximum term of suspension is one hundred and twenty calendar days.

4.10.17 Enabling a suspended certificate

The subscriber can re-enable a suspended certificate by appearing before the Linked Certification Entity or, where applicable, the Registration Entity, showing identification and signing the corresponding enablement request document, by which the subscriber informs the entity that the cause of the suspension no longer exists.

4.11 Certificate status checking services

4.11.1 Service operation specifications

Verifiers can download and install LRCs from the directory of the Linked Certification Entity. Alternatively, verifiers can consult the certificates published in the directory of the Linked Certification Entity, via a web interface.
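The verifier-side rules spread over sections 4.10.6, 4.10.7.2, 4.10.13 and 4.10.16 (rely only on a current LRC, remember that entries for expired certificates are purged sixty days after expiry, treat a certificateHold entry as a suspension, and treat a suspension as bounded to 120 days) combine into a single status decision. The Python below is an added example written for this page, not CATCert code: it models the fields a verifier reads from an already parsed and signature-checked CRL as plain objects, uses the RFC 5280 reason codes, and runs over a constructed LRC and constructed certificates. The names Lrc, Cert, certificate_status and the status strings are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# CRLReason codes from RFC 5280 section 5.3.1 used below.
REASON_KEY_COMPROMISE = 1
REASON_CERTIFICATE_HOLD = 6          # the X.509 encoding of a suspension

# Policy parameters taken from sections 4.10.7.2 and 4.10.16 of this document.
LRC_ISSUE_INTERVAL = timedelta(hours=24)
LRC_PURGE_AFTER_EXPIRY = timedelta(days=60)
MAX_SUSPENSION = timedelta(days=120)


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[int] = None     # None: reason code extension absent


@dataclass
class Lrc:
    """The fields of a parsed, signature-checked CRL that the decision needs."""
    this_update: datetime
    next_update: datetime
    entries: List[RevokedEntry] = field(default_factory=list)

    def lookup(self, serial: int) -> Optional[RevokedEntry]:
        return next((e for e in self.entries if e.serial == serial), None)


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


def lrc_is_usable(lrc: Lrc, now: datetime) -> bool:
    """A verifier may rely on an LRC only between its thisUpdate and nextUpdate."""
    return lrc.this_update <= now <= lrc.next_update


def issuer_meets_24h_rule(lrc: Lrc) -> bool:
    """Section 4.10.7.2: the next LRC is due at most 24 hours after this one."""
    return lrc.next_update - lrc.this_update <= LRC_ISSUE_INTERVAL


def certificate_status(cert: Cert, lrc: Lrc, at: datetime, now: Optional[datetime] = None) -> str:
    """Status of `cert` at instant `at`, judged from `lrc`.

    `now` is the verifier's clock (default: `at`). The LRC must be usable at `now`;
    its entries are then applied to `at`, so the same function validates a
    signature made in the past (at < now).
    """
    if now is None:
        now = at
    if not lrc_is_usable(lrc, now):
        return "lrc-unusable"
    if at < cert.not_before:
        return "not-yet-valid"
    if at > cert.not_after:
        return "expired"
    # Section 4.10.7.2: the entry of an expired certificate is dropped 60 days
    # after expiry, so an LRC issued after that window cannot prove that the
    # certificate was unrevoked at `at`; absence from it means nothing.
    if lrc.this_update > cert.not_after + LRC_PURGE_AFTER_EXPIRY:
        return "undetermined"
    entry = lrc.lookup(cert.serial)
    if entry is None or entry.revocation_date > at:
        return "good"
    if entry.reason == REASON_CERTIFICATE_HOLD:
        # Section 4.10.16: a suspension lasts at most 120 days; an entry still on
        # hold beyond that is a breach by the issuer, not an ordinary suspension.
        if at - entry.revocation_date > MAX_SUSPENSION:
            return "suspension-overdue"
        return "suspended"
    return "revoked"


# Constructed sample data (not real CATCert certificates or LRCs).
T0 = datetime(2010, 2, 9, 9, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    1001: Cert(1001, T0 - timedelta(days=365), T0 + timedelta(days=365)),  # in good standing
    1002: Cert(1002, T0 - timedelta(days=365), T0 + timedelta(days=365)),  # revoked 3 days ago
    1003: Cert(1003, T0 - timedelta(days=365), T0 + timedelta(days=365)),  # suspended 10 days ago
    1004: Cert(1004, T0 - timedelta(days=800), T0 - timedelta(days=100)),  # expired 100 days ago
    1005: Cert(1005, T0 - timedelta(days=365), T0 + timedelta(days=365)),  # on hold for 200 days
}
SAMPLE_LRC = Lrc(
    this_update=T0 - timedelta(hours=2),
    next_update=T0 + timedelta(hours=22),
    entries=[
        RevokedEntry(1002, T0 - timedelta(days=3), REASON_KEY_COMPROMISE),
        RevokedEntry(1003, T0 - timedelta(days=10), REASON_CERTIFICATE_HOLD),
        RevokedEntry(1005, T0 - timedelta(days=200), REASON_CERTIFICATE_HOLD),
    ],
)


def sample_statuses() -> dict:
    """Statuses of the sample certificates as seen by a verifier at T0."""
    return {serial: certificate_status(c, SAMPLE_LRC, T0) for serial, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for serial, status in sample_statuses().items():
        print(serial, status)
```

Two points the policy text implies but does not spell out are visible here: a certificateHold entry that is absent from a later LRC means the suspension was lifted, so actions taken during it stand (section 4.10.1), whereas the same serial reappearing with a definitive reason invalidates them; and a verifier validating an old signature needs an LRC issued before the sixty-day purge window closes, which is why the function answers undetermined rather than good for certificate 1004 when asked about an instant inside its validity period.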
4.11.2 Service availability

LRC distribution systems and on-line certificate status consultation systems have to be available 24 hours a day, 7 days a week. [79]

If the certificate status checking systems fail for reasons beyond the control of the Certification Entity, the latter has to make every possible effort to keep the outage as short as possible. The Certification Entity is to state in its DPC the maximum time that the service may remain out of operation. [80]

The Certification Entity has to inform verifiers about the working of the certificate status information service.

4.11.3 Other functions of the service

No additional stipulations.

4.12 Subscription termination

Termination of the subscription does not imply that certificates already issued are revoked; they can be used until they expire.

4.13 Key deposit and recovery

4.13.1 Key deposit and recovery policy and practices

The Certification Entity has to include details of the following in its DPC:
a. Who can request key deposit and recovery
b. How to make the request
c. Request confirmation requirements
d. The mechanisms used to deposit and recover keys

4.13.2 Session key encapsulation and recovery policy and practices

No additional stipulations.
[79] TS 101 456: 7.3.6 i); TS 102 042: 7.3.6 i)
[80] TS 101 456: 7.3.6 i); TS 102 042: 7.3.6 i)
5. Physical, management and operational security controls

5.1 Physical security controls

The Certification Entity has to have facilities that physically protect its certificate generation, cryptographic device and revocation management services from any compromise that could arise from unauthorised access to its systems or data. [81] Physical protection is to be achieved by creating clearly defined security perimeters around the certificate generation, cryptographic device and revocation management services. Any part of the facilities shared with other organisations has to be located outside these perimeters. [82]

The Certification Entity has to set up physical security and environmental controls to protect the resources of the facilities where its systems are located, as well as the systems themselves and the equipment used for operations. The physical and environmental security policy applicable to certificate generation, cryptographic device and revocation management services should provide for the following: [83]
- Physical access controls
- Protection against natural disasters
- Fire protection measures
- Support system failure (electricity supply, telecommunications, etc.)
- Collapse of the structure
- Floods and plumbing leaks
- Protection against theft
- Breaking and entering
- Disaster recovery
- Unauthorised removal of equipment, information, media and any applications related to the components used for the services provided by the Certification Entity [84]
[81] TS 101 456: 7.4.4 d); TS 102 042: 7.4.4 d)
[82] TS 101 456: 7.4.4 e); TS 102 042: 7.4.4 e)
[83] TS 101 456: 7.4.4 f); TS 102 042: 7.4.4 f)
[84] TS 101 456: 7.4.4 g); TS 102 042: 7.4.4 g)
5.1.1 Location and construction of the facilities

The location of the facilities has to enable security forces to attend reasonably quickly after being notified of an incident (if there is no permanent physical presence of security personnel employed by the Certification Entity). The quality and strength of the materials used to construct the facilities have to guarantee suitable levels of protection against forcible intrusion.

5.1.2 Physical access

The Certification Entity has to establish security levels that restrict access to the various physical perimeters and barriers that have been defined. Access to the Certification Entity offices where the processes related to the certificate life cycle are carried out requires prior authorisation and presentation of identification at the time of access, and an access register is to be kept. The area is also to be filmed by closed-circuit television, and the recordings retained. [85]

The identification carried out by the access control system is to recognise the individual by a biometric feature, except in the case of escorted visits. The generation and storage of Certification Entity cryptographic keys has to be carried out in offices specifically dedicated to these purposes, which require at least two people to gain access and to be present at all times.

5.1.3 Electricity and air conditioning

The computer equipment of the Certification Entity has to be properly protected against surges or cuts in the electricity supply, which could damage it or interrupt the service. The installations are to be equipped with a current stabilisation system and with their own generating systems, with sufficient autonomy to maintain the electricity supply for the time required to shut down all computer systems in an orderly fashion. Computer equipment is to be located in an environment that guarantees a suitable climate (temperature and humidity) and optimum working conditions.

5.1.4 Exposure to water

The Certification Entity is required to have suitable flood detection systems in place to protect equipment and assets from this eventuality, if the conditions of the location of the facilities make this necessary.
[85] TS 101 456: 7.4.4 a) and d); TS 102 042: 7.4.4 a) and d)
5.1.5 Fire warning and protection

All facilities and assets of the Certification Entity are required to have automatic fire detection and extinguishing systems. In particular, the cryptographic devices and media that store the Certification Entity keys have to be protected by a dedicated fire-protection system, in addition to the system installed in the rest of the facility.

5.1.6 Media storage

Media has to be kept in a way that guarantees both its integrity and its confidentiality, in accordance with the information classification system that has been established. [86]

To achieve this, fireproof rooms or cabinets have to be available. Access to this media, including for the purpose of destroying it, is restricted to specifically authorised persons.

5.1.7 Waste management

Storage media, both paper and magnetic, is to be disposed of using mechanisms that guarantee that the information cannot be recovered. Magnetic media is to be securely wiped, permanently erased or physically destroyed; a plain format does not meet this requirement, since formatting leaves the data recoverable. Paper documents are to be physically destroyed.

5.1.8 Backup copy outside the facilities

The Certification Entity is to make periodic backup copies of its information systems and store them in premises physically separate from those where the equipment is kept. A daily incremental backup copy and a weekly full backup copy are to be made. When removing information from the premises, suitable measures are to be adopted to prevent unlawful recovery of the information (for example, bags with security devices that require an access key or combination, or encrypted files).
[86] TS 101 456: 7.4.5 c) and i); TS 102 042: 7.4.5 c) and i)
5.2 Procedure controls

Certification Entities have to guarantee that their systems are operated securely [87] and, to do this, they have to establish and implement procedures for the duties that affect the provision of their services. [88]

Employees of the Certification Entity are to carry out administrative and management procedures in accordance with the security policy of the Certification Entity. [89]

5.2.1 Trusted roles

The people who occupy these positions have to be formally nominated by the top management of the Certification Entity. [90]

Trusted roles are to include: [91]
a. Personnel responsible for security
b. Systems administrators
c. Systems operators
d. Systems auditors
e. Any other person with access to data of a personal nature

Trusted roles and their obligations are to be defined and recorded in the Declaración de Prácticas de Certificación [Certification Practice Statement] of the Certification Entity. [92]

5.2.2 Number of people per task

The trusted roles identified in the security policy of the Linked Certification Entity, and their associated responsibilities, are to be documented in job descriptions. [93]
[87] Art. 20.1 d) Law 59/2003 [Ley 59/2003]; TS 101 456: 7.4.5; TS 102 042: 7.4.5
[88] TS 101 456: 7.4.5 d); TS 102 042: 7.4.5 d)
[89] TS 101 456: 7.4.3 d); TS 102 042: 7.4.5 d)
[90] TS 101 456: 7.4.3 h); TS 102 042: 7.4.3 h)
[91] TS 101 456: 7.4.3 g); TS 102 042: 7.4.3 g)
[92] RD 994/99: Art. 9.1
[93] TS 101 456: 7.4.3 b); TS 102 042: 7.4.3 b)
5.2.3 Identification and authentication for each role

The Certification Entity is to identify and authenticate employees before they are allowed to act in their trusted role. [94]

5.2.4 Roles that require task separation

The Certification Entity is to list all trusted duties and roles in its security policy. [95] These descriptions are to be produced bearing in mind that sensitive duties have to be separated and that the minimum privilege necessary should be granted, wherever possible. In order to determine how sensitive a role is, the following elements should be taken into account: [96]
a. Duties associated with the role
b. Access level
c. How the role is monitored
d. Training and awareness
e. Required skills

5.3 Staff controls

5.3.1 Requirements relating to background, qualifications, experience and authorisation

CATCert employs qualified personnel with the experience necessary to provide the services offered, in the sphere of electronic signatures and the appropriate security and management procedures. This requirement applies to CATCert management personnel, especially in relation to security-staff procedures. Qualifications and experience can be substituted by appropriate education and training. Staff in trusted positions may not have personal interests that conflict with the duty entrusted to them.

5.3.2 Training requirements

The Certification Entity is to train its staff in trusted and management positions until they achieve the necessary qualifications, in accordance with the corresponding section of this policy.
[94] TS 101 456: 7.4.6 e); TS 102 042: 7.4.3 e)
[95] TS 101 456: 7.4.3 b); TS 102 042: 7.4.3 b)
[96] TS 101 456: 7.4.3 c); TS 102 042: 7.4.3 c)
Training is to include the following content:
a. The security principles and mechanisms of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] and the user environment of the person being trained
b. The versions of hardware and applications in use
c. The tasks that the person has to carry out
d. Management and handling of incidents and security compromises
e. Business continuity and emergency procedures
f. Management and security procedures for dealing with data of a personal nature [97]
5.3.3 Training update requirements and frequency

Every member of staff linked to a Registration Entity is required to attend the Registration Entity training course given by CATCert.

5.3.4 Sequence and frequency of job rotation

No additional stipulations.

5.3.5 Penalties for unauthorised actions

The Certification Entity has to have a penalty system in place to cover liabilities arising from unauthorised actions. Disciplinary actions may include suspension and dismissal of the person responsible for the damage.

5.3.6 Requirements for contracting external personnel

The Certification Entity can contract external personnel for any duty, including trusted roles. In this case, such staff are subject to the same controls as the other employees. Where external personnel are not subject to these controls, they have to be accompanied at all times by a CATCert employee. Where all or some of the certification services are operated by third parties, the controls and precautions set out in this section 5, or in other parts of the certificate policy or the DPC, are to be applied and fulfilled by the third party carrying out the operational roles of
[97] RD 994/99: Art. 9.2
the certification service. In all cases, the Certification Entity will be responsible for ensuring that they are executed effectively. These aspects are to be specified in the legal instrument used to agree the provision of certification services by the third party that is not the Certification Entity.
5.3.7 Supplying documentation to staff

The Certification Entity is to supply its staff with the documentation strictly necessary for them, as and when required, so as to ensure that they are sufficiently competent, in accordance with the corresponding section of this policy.

5.4 Security audit procedures

5.4.1 Types of events registered

At a minimum, the Certification Entity has to keep a record of the following events related to the security of the entity:
- System startup and shutdown
- Startup and shutdown of the Certification Authority (technical) application
- Attempts to create, delete or change passwords or user permissions within the system
- Changes to Certification Authority (technical) keys
- Changes to certificate issuance policies
- Attempts to log in to and log out of the system
- Unauthorised attempts to log in to the Certification Entity network
- Unauthorised attempts to access system files
- Generation of Certification Entity keys and Linked Certification Entity keys
- Invalid attempts to read or write a certificate, and to read or write in the directory
- Events related to the certificate life cycle, such as a certificate application or the issuance, revocation or renewal of a certificate
- Events related to the cryptographic module life cycle, such as its receipt, use and uninstallation

The Certification Entity also has to hold the following information on file, either manually or electronically:
- Key generation ceremonies and key management databases
- Physical access records
- System maintenance and configuration changes
- Staff changes
- Reports on compromises and discrepancies
- Records of the destruction of materials that contain information about keys, activation data or personal information about subscribers (individual certificates), key holders (organisation certificates) or key custodians (entity certificates)
- Possession of activation data for operations involving the Certification Entity private key
- Complete reports on any physical intrusion attempts on the infrastructure that supports the issuance and management of certificates

5.4.2 Audit record processing frequency

Audit records are to be examined at least once a week to search for suspect or unusual activity. Processing audit records means checking them: verifying that they have not been manipulated, a brief inspection of all of the entries in the record, and a more in-depth investigation of any alerts or irregularities found. The actions carried out during the audit check also have to be documented.

5.4.3 Term for keeping audit records

Audit records are to be kept for at least two months after being processed, after which they are to be archived in accordance with the corresponding section of this policy.

5.4.4 Protecting audit records

Register files, both manual and electronic, have to be protected against unauthorised reading, modification, deletion or any other kind of manipulation, by means of logical and physical access controls.
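Section 5.4.2 asks the weekly review to verify that the records have not been manipulated, and 5.4.4 asks that they be protected against modification and deletion. Access controls keep outsiders away from the log; they cannot show an auditor that an insider with write access left it untouched. A keyed hash chain over the records can. The Python below is an added example for this page, not CATCert code: it chains records of the kinds listed in 5.4.1 with HMAC-SHA256 under a key assumed to be held by the auditor role rather than by the operators who write the log (the task separation of 5.2.4), verifies the chain, and shows what the chain alone cannot see. The event field names, the key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # chain value before the first record


def _canonical(event: dict) -> bytes:
    # Canonical JSON, so re-serialising with another tool cannot change the
    # bytes the MAC covers.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _link(key: bytes, prev: str, event: dict) -> str:
    # Each chain value commits to the record's own content and to the previous
    # chain value; editing or reordering an earlier record breaks every later link.
    return hmac.new(key, prev.encode() + b"\n" + _canonical(event), hashlib.sha256).hexdigest()


def append_event(log: List[dict], key: bytes, event: dict) -> dict:
    """Append one audit event and return the stored record."""
    prev = log[-1]["chain"] if log else GENESIS
    record = {"seq": len(log), "event": dict(event), "prev": prev}
    record["chain"] = _link(key, prev, record["event"])
    log.append(record)
    return record


def verify_log(log: List[dict], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Check every link; return (True, None) or (False, index of the first bad record).

    `anchor` is the chain value the previous review copied out of band. The chain
    alone cannot detect deletion of the newest records, since nothing follows
    them; requiring the anchor to still appear in the log catches truncation
    back past the last review point.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(rec.get("chain", ""), _link(key, prev, rec["event"])):
            return False, i
        prev = rec["chain"]
    if anchor is not None and all(r["chain"] != anchor for r in log):
        return False, len(log)
    return True, None


def flag_for_review(log: List[dict]) -> List[int]:
    """The weekly inspection of 5.4.2 reduced to one rule: failed logins and
    anything touching the CA application or its keys get an in-depth look."""
    return [rec["seq"] for rec in log
            if rec["event"].get("result") == "fail"
            or rec["event"]["type"].startswith(("ca.app", "ca.key"))]


# Constructed sample events (not real CATCert logs), typed after the list in
# 5.4.1; the key is a placeholder for the auditor-held secret.
AUDITOR_KEY = b"placeholder-auditor-key"
SAMPLE_EVENTS = [
    {"ts": "2010-02-09T08:00:00Z", "type": "system.startup", "host": "ca-01"},
    {"ts": "2010-02-09T08:01:12Z", "type": "ca.app.startup", "host": "ca-01"},
    {"ts": "2010-02-09T08:05:40Z", "type": "auth.login", "user": "operator1", "result": "ok"},
    {"ts": "2010-02-09T08:06:03Z", "type": "auth.login", "user": "admin", "result": "fail"},
    {"ts": "2010-02-09T09:30:00Z", "type": "cert.issue", "serial": "1001", "operator": "operator1"},
    {"ts": "2010-02-09T11:00:00Z", "type": "cert.revoke", "serial": "1002", "reason": "keyCompromise"},
]


def build_sample_log() -> List[dict]:
    log: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(log, AUDITOR_KEY, ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, AUDITOR_KEY))
    log[3]["event"]["result"] = "ok"          # an operator hides a failed login
    print("tampered:", verify_log(log, AUDITOR_KEY))
    print("flagged for review:", flag_for_review(build_sample_log()))
```

Records appended after the anchor was taken and deleted again before the next review remain invisible to this check, which is the argument for forwarding records to a separate collector as they are written rather than relying on the weekly review alone.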
5.4.5 Backup procedures

Incremental backup copies of audit records are to be generated daily and full copies weekly.
5.4.6 Location of the audit record accumulation system

The audit record accumulation system has to be an internal system of the Certification Entity, consisting of application records, network records and operating system records, as well as the data generated manually, which are to be stored by duly authorised personnel.

5.4.7 Notifying the originator of the audit of the auditing event

When the audit record accumulation system registers an event, it is not necessary to notify the individual, organisation, device or application that originated the event. They can be informed whether the result of their action was successful or not, but not that the action was audited.

5.4.8 Vulnerability analysis

Events in the audit process are to be saved in order to monitor system vulnerabilities. Vulnerability analyses have to be carried out, reviewed and revised by examining these monitored events. These analyses are to be carried out on a daily, monthly and yearly basis, as defined in the Plan de Auditoría [Audit Plan] of the Certification Entity.

5.5 Archiving information/documentation

The Certification Entity has to guarantee that all of the information/documentation relating to certificates is kept for an appropriate period of time, [98] in accordance with the corresponding section of this policy.

5.5.1 Types of events registered

The Certification Entity and the entities that depend on it are to save all of the events that occur during the life cycle of a certificate, including its renewal. [99]

The Certification Entity has to keep a register of the following:
- Type of document submitted in the certificate application
- Unique identification number of the abovementioned document
[98] TS 101 456: 7.4.11; TS 102 042: 7.4.11
[99] TS 101 456: 7.4.11 h); TS 102 042: 7.4.11 h)
- Identity of the Registration Entity that accepted the certificate application [100]
- The location of copies of certificate applications and of the agreement signed by the subscriber (individual certificates) or the key holder (organisation or entity certificates) [101]
- Any other type of documentation generated throughout the life cycle of a certificate, in accordance with the operating and archiving procedures of the Certification Entity
- Any documentation related to the creation and maintenance of the Certification Entity itself and its associated registration entities

5.5.2 Period of conservation of documentation

Depending on the value (administrative, legal, tax-related, informative) of the documentation generated, the following periods of conservation have been established:

5.5.2.1 Permanent conservation

The Certification Entity is to keep the following types of documentation permanently:
- Record of listas de revocación de certificados (LRC) [certificate revocation lists]
- Record of digital certificate management: the database of the Certification Entity that registers all of the events and operations that occur throughout the life cycle of digital certificates
- Documentation related to the issuance of certificados de infraestructura de entidad de certificación vinculada (CIC) [linked certification entity infrastructure certificates]
- Documentation related to the creation and maintenance of the Certification Entity and its associated registration entities

5.5.2.2 15-year conservation

The Certification Entity and its associated entities are to keep documentation generated as a result of the operations specified in sections 4 and 5.5.1 of this policy for 15 years:
- Issuance of digital certificates, except for certificados de infraestructura de entidad de certificación vinculada (CIC) [linked certification entity infrastructure certificates], which are to be kept permanently
- Suspension of digital certificates (all types of certificates)
- Enablement of digital certificates (all types of certificates)
- Revocation of digital certificates (all types of certificates)
- Renewal of digital certificates (all types of certificates)
[100] TS 101 456: 7.4.11 i); TS 102 042: 7.4.11 i)
[101] TS 101 456: 7.4.11 i); TS 102 042: 7.4.11 i)
Once this conservation period has expired they should be destroyed.
5.5.3
Archive protection
The Certification Entity and the entities that depend on it have to: - Maintain the integrity and confidentiality of the archive that contains the data on the certificates issued. 102 109F
- Archive the abovementioned data completely and confidentially. 103 110F
- Protect the privacy of the subscriber's registration data (in the case of individual certificates) or the key holder's registration data (in the case of organisation or entity certificates). 104 111F
5.5.4
177B
Backup copy procedures
5.5.4.1 Requirements for all types of certificates The Certification Entity has to make incremental backup copies on a daily basis of all of its electronic documents in accordance with this policy. Furthermore, it has to make complete weekly backup copies for data recovery, in accordance with the corresponding section of this policy.
5.5.4.2 Specific requirements for personal and identity certificates The Certification Entity has to keep paper documents, in accordance with the corresponding section, in a place away from the facilities of the Certification Entity for data recovery, in accordance with the corresponding section of this policy.
5.5.5 Date and timestamping requirements
The Certification Entity has to issue certificates and CRLs with date and time information. This information does not have to be signed separately; it is already covered by the signature on the certificate or CRL itself.
102 TS 101 456: 7.4.11 a); TS 102 042: 7.4.11 a)
103 TS 101 456: 7.4.11 b); TS 102 042: 7.4.11 b)
104 TS 101 456: 7.4.11 j); TS 102 042: 7.4.11 j)
5.5.6 Location of the archive system
The Certification Entity is to maintain a system for archived data outside its own facilities, as specified in the corresponding section of this policy.
5.5.7 Procedures for obtaining and verifying archived information
Only persons authorised by the Certification Entity may access archived data, whether it is located in the facilities of the Certification Entity or elsewhere.
5.6 Key renewal
For the renewal of CIC certificates, the issuing Certification Entity has to check whether the requirements that led to the issuance of the certificate are still being fulfilled. The request for the new certificate is to be signed with the private key of the CIC certificate being renewed, as long as that certificate is still valid. End users are informed of CIC certificate renewals through their publication in the CATCert Registry.
5.7 Key compromise and disaster recovery
5.7.1 Incident and compromise management procedure
The Certification Entity is to establish the procedures that it applies to the management of incidents that affect its keys and, in particular, to a compromise of key security.
5.7.2 Resource, application and data corruption
When an event takes place that corrupts resources, applications or data belonging to the Certification Entity, the necessary management procedures are to be initiated, in accordance with the Plan de Continuidad de Negocio [Business Continuity Plan], in order to bring the system back to its normal working state.
5.7.3 Compromise of the Entity's private key
The Plan de Continuidad de Negocio [Business Continuity Plan] (or disaster recovery plan) of the Certification Entity has to treat the compromise or suspected compromise of the private key of the Certification Entity as a disaster. If a compromise occurs, the Certification Entity has to do the following (at a minimum):
- Notify all subscribers and verifiers of the compromise.
- State that all certificates, and any certificate revocation status information, signed with the key of this Certification Entity are no longer valid. 105
5.7.4 Facilities disaster
The Certification Entity has to develop, maintain, test and, when necessary, execute a business continuity plan for any contingency affecting its facilities, whether of natural or human origin, which states how the Information Systems services are to be restored. The disaster recovery site is to be equipped with the physical security protection detailed in the Plan de continuidad de negocio [Business continuity plan]. The Certification Entity has to be capable of restoring normal operation of the PKI within 48 hours, so that the following actions (at a minimum) can be carried out:
- Certificate issuance
- Certificate revocation
- Revocation information publishing
5.8 Termination of the service
5.8.1 Certification Entity
The Certification Entity has to ensure that any interruption experienced by subscribers and third parties as a consequence of the cessation of its services is kept to a minimum and, in particular, ensure continued maintenance of the records required to provide evidence of certification in legal proceedings. Before terminating its services, the Certification Entity has to carry out the following procedures (at a minimum):
- Notify all subscribers and verifiers (there is no requirement that the Certification Entity has any previous relationship with third parties).
- Terminate all authorisations given to subcontractors that act in the name of the Certification Entity in the certificate issuance process.
- Carry out the tasks required to transfer its obligations to maintain all registered information and archives containing records of events to the subscriber and verifiers, within the time periods indicated.
- Destroy the private keys of the Certification Entity or withdraw them from use.
The Certification Entity has to declare, in its practices, the provisions that it has in place for the termination of its services. These are to include:
- Giving notice to all entities affected, at least two months prior to the effective termination of the service.
- Transferring the obligations of the Certification Entity to other persons, with their consent.
- Providing information on how the revocation status of certificates that have been issued but have not yet expired is going to be dealt with. 106
105 TS 101 456: 7.4.8 c); TS 102 042: 7.4.8 c)
The Certification Entity can transfer the certificates, under the terms provided for in Law 59/2003, of 19 December [Ley 59/2003, de 19 de diciembre].
5.8.2 Registration Entity
No additional stipulations.
106 TS 101 456: 7.4.9; TS 102 042: 7.4.9
6. Technical security controls
The Certification Entity is required to use trustworthy systems and products that are protected against alteration and that guarantee the technical and cryptographic security of the certification processes they support. 107
6.1 Key pair generation and installation
6.1.1 Key pair generation
6.1.1.1 Requirements for all certificates
The key pair can be generated by the future subscriber or by the Registration Entity.
6.1.1.2 Specific requirements for CIC
CATCert will generate the Certification Entity keys in accordance with the Ceremonia de Claves [Key Ceremony], within the high-security perimeters specifically assigned for this task.
6.1.1.3 Specific requirements for encryption certificates
The keys of encryption certificates will be created by the Registration Entity and, where applicable, stored for their subsequent recovery.
6.1.2 Sending the private key to the subscriber
For qualified-signature certificates and high-level certificates, the subscriber's private key (in individual certificates) or the key holder's private key (in organisation or entity certificates) has to be delivered, duly protected, on a smart card that complies with a standard end-entity secure electronic signature device protection profile, in accordance with Common Criteria EAL 4, or FIPS 140-2 Level 3, or a higher level of security.
6.1.3 Sending the public key to the certificate issuer
The method for sending the public key to the Certification Entity will be PKCS #10 (whose self-signed request provides proof of possession of the corresponding private key), another equivalent cryptographic proof, or any other method approved by the Agència Catalana de Certificació [Catalan Certification Agency].
107 Law 59/2003 [Ley 59/2003]: Art. 20.1 d); TS 101 456: 7.4.7; TS 102 042: 7.4.7
6.1.4 Distribution of the public key of the Certification Service Provider
Keys belonging to Certification Entities have to be communicated to the verifiers in a way that ensures the integrity of the key and authenticates its origin. 108
The CATCert public key will be published in the Certification Entity directory, in self-signed certificate format, together with a declaration specifying that the key allows the Certification Entity to be authenticated. Since a self-signed certificate proves nothing about its own origin, additional measures will have to be put in place before it is trusted, such as checking the digital fingerprint of the certificate against a value obtained through a channel independent of the directory itself. The public key of the Linked Certification Entity will be published in the Certification Entity directory, in CIC certificate format, signed by CATCert. Additionally, in S/MIME applications, the data message can contain a certificate chain, including CIC certificates with the public keys of the Certification Entities in the hierarchy, which are distributed to the users in this way.
6.1.5 Key sizes
The keys of Linked Certification Entities will be at least 2048 bits. The keys of all of the certificates issued by Linked Certification Entities are 2048 bits.
6.1.6 Generating public key parameters
No additional stipulations.
6.1.7 Checking the quality of public key parameters
This is carried out in accordance with ETSI Special Report SR 002 176 (Algorithms and Parameters for Secure Electronic Signatures), which specifies the algorithms and parameters considered suitable for electronic signatures.
6.1.8 Key generation in computer applications or in items of equipment
The key pairs of the Certification Entities (both of CATCert and of the Linked Certification Entities) have to be generated using cryptographic hardware that complies with the requirements set out in a standard certification authority secure electronic signature device protection profile, in accordance with ITSEC, Common Criteria EAL 4 or FIPS 140-2 Level 3 or a higher level of security.
108 TS 101 456: 7.2.3 a); TS 102 042: 7.2.3 a)
The key pairs of subscribers to signature certificates and high-level certificates have to be generated using smart cards or cryptographic devices that comply with the requirements set out in a standard end-entity secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3 or a higher level of security. The generation of keys for all other certificates can be carried out using computer applications.
6.1.9 Key usage
The Certification Entity has to include the KeyUsage extension in all of its certificates, stating the authorised uses of the corresponding private keys.
6.2 Protecting the private key
6.2.1 Private key protection modules
6.2.1.1 Cryptographic module standards 109
The private keys of the Certification Entities (both of CATCert and of Linked Certification Entities) have to be protected using cryptographic hardware that complies with the requirements set out in a standard certification authority secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3 or a higher level of security. The key pairs of subscribers to signature certificates and high-level certificates will be protected on smart cards or in cryptographic devices that comply with the requirements set out in a standard end-entity secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3 or a higher level of security. Private key protection for all other certificates can be carried out using computer applications.
6.2.1.2 Life cycle of integrated-circuit cards
Integrated-circuit cards (also known as smart cards) are delivered with the issuance of each new certificate by the Registration Entity, or directly by CATCert when it is acting as a Virtual Registration Entity. For each new issuance or renewal of a certificate a new card is delivered; that is to say, certificates are not loaded onto used cards. When CATCert detects errors or defects in the cards, it can remove the affected cards from service. If defects or errors are detected in specific cases, the affected card will be replaced, after prior revocation of the certificate, and a new certificate will be issued on a new card at no additional cost to the subscriber.
109 TS 101 456: 7.2.2
6.2.2 Control of the private key by more than one person (n of m)
Off-line access to the private keys of Certification Entities will require the simultaneous combination of three (3) cryptographic devices, each protected by an access key, from among five (5) devices. For Linked Certification Entities the requirement is a combination of two (2) cryptographic devices from among five (5). Each device is assigned to one specific person, who is the only person who knows its access key; nobody shall know more than one access key. The cryptographic devices are to be stored in the offices of the Certification Entity, and an additional person is required in order to access them.
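The n-of-m control above is a threshold scheme: the activation secret must be reconstructable from any 3 of the 5 custodian devices (or 2 of 5 for a Linked Certification Entity) and from no smaller group. The policy does not say how the devices realise that quorum; the following is an added illustration, not CATCert code, which assumes Shamir secret sharing over a prime field as the mechanism. Function names, the field prime and the sample secret are choices made for this example.

```python
"""n-of-m custodian control over a CA key-activation secret.

Added example, not CATCert code.  The policy requires 3 of 5 custodian
devices (CATCert) or 2 of 5 (Linked Certification Entities) to be combined
before an Entity private key can be used off-line.  How the HSM vendor
realises that quorum is not stated; this block assumes Shamir secret sharing
over GF(p) as the scheme, splitting a key-encryption secret so that any n
shares rebuild it and any n-1 shares reveal nothing about it.
"""
import secrets

# Field prime: 2^521 - 1 (a Mersenne prime), larger than any 256-bit secret.
P = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, m):
    """Split `secret` into m shares (x, y) with threshold n.

    The secret is the constant term of a random degree-(n-1) polynomial;
    share i is the polynomial evaluated at x = i (x = 0 is never handed out).
    """
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    if not 0 <= secret < P:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than n shares this still returns a value, but one unrelated
    to the secret, so the caller must enforce the quorum size itself.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate custodian share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def activate_with_quorum(shares, threshold):
    """Model the custodian ceremony: refuse unless `threshold` custodians
    present their shares, then rebuild the activation secret."""
    if len(shares) < threshold:
        raise PermissionError(
            f"{len(shares)} custodians present, {threshold} required")
    return recover_secret(shares[:threshold])


if __name__ == "__main__":
    # Constructed secret standing in for the key-encryption key of a CA key.
    kek = secrets.randbelow(1 << 256)
    catcert_shares = split_secret(kek, 3, 5)   # 3-of-5 for CATCert
    linked_shares = split_secret(kek, 2, 5)    # 2-of-5 for Linked CEs
    assert activate_with_quorum(catcert_shares[1:4], 3) == kek
    assert activate_with_quorum(linked_shares[::4], 2) == kek
    try:
        activate_with_quorum(catcert_shares[:2], 3)
    except PermissionError as err:
        print("refused:", err)
```

The threshold is enforced twice: mathematically (two shares of a degree-2 polynomial interpolate to a value that is independent of the secret) and procedurally in activate_with_quorum, which mirrors the policy's requirement that the custodians actually be present. The "additional person" the policy requires for physical access to the devices is outside the scheme and stays a physical control.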
6.2.3 Depositing the private key
The private keys of the Certification Entity are to be stored in fire-proof spaces protected by physical access controls that require two people in order to enter. The private keys of personal and entity certificates cannot be stored at the Certification Entity, except in the case of encryption certificates.
6.2.4 Backup of the private key
There has to be a backup copy of the private key of the Linked Certification Entity and of the means of accessing it. These are to be kept in a different office from the one where they are normally stored.
6.2.5 Archiving the private key 110
The private key of the Certification Entity must have a backup copy made, stored and available for recovery, in the event that it is required, by personnel subject to the policy on trusted employees. These employees have to be expressly authorised to carry out these duties, and their number should be limited to those people who need to do so as part of Certification Entity practices. The private key has to be kept and used under the protection of a cryptographic device that complies with the requirements set out in a standard certification authority secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3 or a higher level of security. When the signature private key is not held in a device of this type, it has to be encrypted. The security controls applied to the backup copies belonging to the Certification Entity have to be at the same level as, or a higher level than, those applied to the keys in use. When the keys are stored in a dedicated hardware module, suitable controls need to be in place so that the keys can never leave the device. Copies of subscribers' certificate private keys are not to be stored, except in the case of data encryption certificates, where, in accordance with the DPC (Declaración de Prácticas de Certificación [Certification Practice Statement]) of the Certification Entity, the private key can be stored in order to guarantee data recovery.
110 TS 101 456: 7.2.2
6.2.6 Introducing the private key into the cryptographic module
The private keys of Certification Entities will be stored in encrypted files with fragmented keys and on smart cards (from which they cannot be extracted). These cards are used to introduce the private key into the cryptographic module.
6.2.7 Storing the private key in the cryptographic module
Private keys are generated directly in the cryptographic modules.
6.2.8 Activating the private key
For CIC certificates, at least two people are needed to activate the private key. For personal and entity certificates, the subscriber's private key is activated by entering the PIN of the smart card or the activation data required by the cryptographic device.
6.2.9 Deactivating the private key
For personal and entity certificates that include the basic qualified-signature policy, when the smart card is removed from the reader, or the application that uses it ends the session, the activation data mentioned above will have to be re-entered.
6.2.10 Destroying the private key
Private keys are to be destroyed in such a way as to prevent their theft, modification, unauthorised disclosure and unauthorised use.
6.2.11 Qualification of cryptographic modules
Linked Certification Entity modules have to be certified at the level, and with the augmentations, provided for in a standard certification authority secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3. Modules of subscribers to qualified electronic-signature certificates and high-level certificates have to be certified at the level, and with the augmentations, provided for in a standard end-entity secure electronic signature device protection profile, in accordance with Common Criteria EAL 4 or FIPS 140-2 Level 3.
6.3 Other aspects relating to key pair management
6.3.1 Public key archiving
The Certification Entity has to archive its public keys in accordance with the provisions of the corresponding section of this policy.
6.3.2 Periods of use of public and private keys 111
The periods of use of the keys are determined by the validity period of the certificate; once this period has passed, the keys may no longer be used. As an exception, the decryption private key can still be used after the expiry of the certificate.
6.4 Activation data
6.4.1 Generation and installation of activation data
If the Certification Entity provides the subscriber with a secure signature-creation device, the activation data of the device has to be securely generated by the Certification Entity.
6.4.2 Activation data protection
If the Certification Entity provides the subscriber with a secure signature-creation device, the activation data for the device has to be distributed separately from the signature-creation device itself (e.g. by delivering them at different times or by different routes). An exception to this is when the subscriber (in the case of individual certificates) or the key holder (in the case of organisation or entity certificates) receives the certificate in person, on a device, from a Registration Entity. In this case he or she can select and enter the activation data in such a way as to ensure that only the subscriber knows this information.
111 TS 101 456: 7.2.6; TS 102 042: 7.2.6
6.4.3 Other aspects relating to activation data
No additional stipulations.
6.5 Computer security controls
6.5.1 Specific technical requirements for computer security 112
It has to be guaranteed that system access is limited to duly authorised individuals. In particular:
- The Certification Entity has to guarantee effective administration of the access level of its users (operators, administrators and any user with direct access to the system) in order to keep the system secure, including managing user accounts, audits, amendments and timely denial of access.
- The Certification Entity has to guarantee that access to the information systems and applications is restricted in accordance with the provisions of the access control policy, and that the systems supply sufficient security controls to implement the segregation of duties set out in the Entity's practices, including separating security administration duties from system operator duties. Specifically, the use of system utility programs is to be restricted and tightly controlled.
- The employees of the Entity have to be identified and authenticated before using critical applications related to the certificate life cycle.
- Certification Entity employees are responsible for their activities and have to be able to account for them, for instance by means of an event log.
- The possibility of revealing sensitive data through the reuse of storage objects (e.g. deleted files) that are left accessible to unauthorised users has to be avoided.
- Security and monitoring systems have to allow fast detection, recording and response when faced with irregular or unauthorised attempts to access their resources (e.g. via an intrusion detection, monitoring and alarm system).
- Publicly accessible information services of the Entity (e.g. certificates or revocation status information) have to be protected by access controls against modification and deletion of data.
112 TS 101 456: 7.4.6; TS 102 042: 7.4.6
6.5.2 Evaluation of computer security levels
CA and RA applications have to be trustworthy, in accordance with technical specification CEN CWA 14167-1.
6.6 Technical life cycle controls
6.6.1 System development controls
A security requirements analysis has to be carried out during the design and requirement specification phases of any component used in Certification Authority (technical) and Registration Authority (technical) applications, in order to guarantee that the systems are secure. 113
Change control procedures are to be used for new versions, updates and emergency patches of these components. 114
6.6.2 Security management controls
The Certification Entity has to keep an inventory of all computer assets and classify them in accordance with their protection needs, which should be consistent with the risk analysis carried out. 115
System configuration is to be audited periodically in accordance with the provisions of the corresponding section of this policy. 116
Capacity needs are to be monitored and procedures planned in order to guarantee sufficient processing and storage capacity for computer assets. 117
6.6.3 Evaluating the security level of the life cycle
No stipulation.
6.7 Network security controls 118
It has to be guaranteed that access to the various networks of the Certification Entity is limited to duly authorised individuals. In particular:
- Controls such as firewalls need to be introduced to protect the internal network from external domains accessible to third parties. Firewalls are to be configured so as to block any access and any protocols that are not needed for the Certification Entity to operate.
- Sensitive data (including the subscriber's registration data) has to be protected when it is exchanged over unsecured networks.
- It must be guaranteed that local network components (such as routers) are located in secure environments, and their configurations are to be subject to periodic audit.
113 TS 101 456: 7.4.7 a)
114 TS 101 456: 7.4.7 b)
115 TS 101 456: 7.4.2 a)
116 TS 101 456: 7.4.6 h)
117 TS 101 456: 7.4.5 f)
118 TS 101 456: 7.4.6
6.8 Timestamp No additional stipulations.
7. Certificate profiles and revocation lists
7.1 Certificate profile
Certificates issued by the Agència Catalana de Certificació [Catalan Certification Agency] and the Certification Entities attached to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] will have the contents and fields described in the corresponding “perfil de certificado” [certificate profile] document, which the Agència Catalana de Certificació [Catalan Certification Agency] publishes on its website (http://www.catcert.cat/). In any case, the profile of each certificate will include the following data within its structure (at a minimum):
a. Serial number, a code that is unique among the certificates issued under the issuer's distinguished name.
b. Signature algorithm, one of the algorithms identified in the corresponding section of this policy.
c. The distinguished name of the issuer, in accordance with the corresponding section of this policy.
d. Commencement of certificate validity, in Coordinated Universal Time, encoded in accordance with RFC 2459.
e. End of certificate validity, in Coordinated Universal Time, encoded in accordance with RFC 2459.
f. The distinguished name of the subject, in accordance with the corresponding section of this policy.
g. Subject's public key, encoded in accordance with RFC 2459.
h. Signature, generated and encoded in accordance with RFC 2459.
The certificates are to be in accordance with the following standards:
1. RFC 2459: Internet X.509 Public Key Infrastructure - Certificate and CRL Profile, January 1999.
2. ITU-T Recommendation X.509 (1997): Information Technology – Open Systems Interconnection - The Directory: Authentication Framework, June 1997.
Additionally, CPSR and entity certificates are to be in accordance with the following standards:
1. ETSI TS 101 862 v1.2.1 (2001-06): Qualified Certificate Profile, 2001.
2. RFC 3039: Internet X.509 Public Key Infrastructure – Qualified Certificate Profile, 2001 (as long as this does not conflict with TS 101 862).
Qualified certificates will also have to contain the following fields 119:
a. A statement that they are issued as qualified certificates.
b. The unique identification code of the certificate.
c. Identification of the certification services provider that issued the certificate, giving its registered name, address, e-mail address and tax identification number.
d. The advanced electronic signature of the certification services provider that issued the certificate.
e. Identification of the signatory (the subscriber, in the case of individual certificates, or the key holder, in the case of organisation or entity certificates), by his or her name and surname(s) and DNI [Spanish ID number] or equivalent identification number, or by a pseudonym. If a pseudonym is used, it must be clear that it is one.
f. Where a representative is used, an indication of the document accrediting the powers of the signatory to act in the name of the individual person or legal entity being represented.
g. The signature-verification data that corresponds to the signature-creation data controlled by the signatory.
h. The start and end of the period of validity of the certificate.
i. The limits of use of the certificate, if any have been envisaged.
j. The limits on the value of the transactions for which the certificate may be used, if any have been envisaged.
7.1.1 Version number
All certificates will contain a version field stating that they are version 3 certificates.
7.1.2 Certificate extensions
The extensions of each certificate, as well as their semantic meaning, will be described in the corresponding “perfil de certificado” [certificate profile] document published in the directory of the Agència Catalana de Certificació [Catalan Certification Agency].
7.1.3 Algorithm object identifiers
The Certification Entity can use the following signature algorithm: sha-1WithRSAEncryption, OID = {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5}, i.e. 1.2.840.113549.1.1.5.
119 Law 59/2003 [Ley 59/2003]: Art. 11.2
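A profile check has to read two of the fields above straight out of the DER: the version (section 7.1.1 requires v3, which X.509 encodes as the INTEGER 2 inside an explicit [0] tag) and the signature AlgorithmIdentifier (section 7.1.3 names sha-1WithRSAEncryption). The following is an added example, not CATCert code: it encodes that OID, parses it back out of a TBSCertificate prefix constructed in the block, and reports whether the certificate is v3 and whether it still relies on SHA-1, which was acceptable when this policy was written but is no longer considered safe for certificate signatures. The function names, the sample serial number and the second OID (sha256WithRSAEncryption, 1.2.840.113549.1.1.11) are choices made for this example.

```python
"""DER helpers for two certificate profile fields: version (7.1.1, must be
v3) and the signature AlgorithmIdentifier (7.1.3).

Added example, not CATCert code.  The sample bytes are built here and are
not taken from a real CATCert certificate.
"""

SHA1_WITH_RSA = "1.2.840.113549.1.1.5"      # the OID named in 7.1.3
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # assumed second entry for contrast
SIG_ALG_NAMES = {
    SHA1_WITH_RSA: "sha-1WithRSAEncryption",
    SHA256_WITH_RSA: "sha256WithRSAEncryption",
}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06): first two arcs share one octet
    (40*a + b); later arcs are base-128, continuation bit on all but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, applied to the content octets (no tag/length)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val, pending = 0, False
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def parse_tlv(data, pos=0):
    """Parse one TLV at `pos`; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:end], end


def algorithm_identifier(oid):
    """SEQUENCE { algorithm OID, parameters NULL }: PKCS#1 RSA signature
    algorithms carry an explicit NULL parameter."""
    return der_tlv(0x30, encode_oid(oid) + b"\x05\x00")


def sample_tbs_prefix(version=2, serial=0x1001, sig_oid=SHA1_WITH_RSA):
    """Constructed start of a TBSCertificate: version [0] EXPLICIT INTEGER
    (v3 is 2), serialNumber INTEGER, signature AlgorithmIdentifier."""
    ver = der_tlv(0xA0, der_tlv(0x02, bytes([version])))
    # INTEGER is two's complement: a leading zero octet keeps a set top bit positive.
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return der_tlv(0x30, ver + der_tlv(0x02, serial_bytes)
                   + algorithm_identifier(sig_oid))


def check_profile(tbs):
    """Return the version/serial/algorithm facts a profile check needs."""
    tag, body, _ = parse_tlv(tbs)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    tag, ver_wrap, pos = parse_tlv(body)
    if tag != 0xA0:
        raise ValueError("version must be present as [0] EXPLICIT")
    _, ver_int, _ = parse_tlv(ver_wrap)
    _, serial, pos = parse_tlv(body, pos)
    _, alg_id, _ = parse_tlv(body, pos)
    tag, oid, _ = parse_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return {
        "v3": int.from_bytes(ver_int, "big") == 2,
        "serial": int.from_bytes(serial, "big"),
        "sig_alg": SIG_ALG_NAMES.get(dotted, dotted),
        "sha1": dotted == SHA1_WITH_RSA,  # flag for a verifier: SHA-1 signatures are deprecated
    }
```

For the policy's OID the encoder yields 06 09 2A 86 48 86 F7 0D 01 01 05, the byte string that appears verbatim in any sha-1WithRSAEncryption certificate. A v1 certificate omits the [0] version field entirely, which is why check_profile treats its absence as a profile violation rather than defaulting silently.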
7.1.4 Name formats
The Certification Entity has to complete the certificate name fields with the information set out in the profile that corresponds to the certificate, published on the CATCert website (http://www.catcert.cat/).
7.1.5 Name restrictions
No additional stipulations.
7.1.6 Certificate policy object identifier
The Certification Entity has to complete the certificate policies extension with the object identifiers set out in the corresponding section of this policy, when its certificates directly adhere to it. If it creates its own policies, in the scenarios permitted by this certificate policy, it is to include the object identifier specifically defined for that purpose.
7.1.7 Use of the policy restrictions extension
No additional stipulations.
7.1.8 Policy qualifier syntax and semantics 120
The Certification Entity has to include a policy qualifier in its certificates, with the following elements:
- CPS Pointer (cPSuri)
- explicitText (user notice)
The CPS Pointer has to include a URI reference to the general verification conditions of the certificates issued by the Certification Entity. The explicitText has to contain a concise declaration relating to the certificate. 121
7.1.9 Processing semantics for the critical certificate policy extension
No additional stipulations.
120 RFC 2459: 4.2.1.5.
121 See the corresponding section 5.
7.2 Certificate revocation list profile
7.2.1 Version number
No additional stipulations.
7.2.2 Certificate revocation list and list element extensions
Listas de revocación de certificados [certificate revocation lists] issued by the Agència Catalana de Certificació [Catalan Certification Agency] and the Certification Entities attached to the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] will have the contents and fields described in the corresponding “perfil de lista de revocación de certificados” [certificate revocation list profile] document, which the Agència Catalana de Certificació [Catalan Certification Agency] publishes on its website (http://www.catcert.cat/).
8. Conformity audit
The Linked Certification Entity has to undergo a periodic conformity audit, once it has begun operating, in order to ensure that it is meeting the security and operating requirements that have to be fulfilled in order to form part of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]. In addition to the conformity audit, the Linked Certification Entity has to be prepared to pass other non-periodic checks to show that it is trustworthy:
- Before accepting a new Certification Entity subordinated to the hierarchy, the Agència Catalana de Certificació [Catalan Certification Agency] has to check its security documents and its DPC [Certification Practice Statement] and PdC [Certificate Policy] to ensure that they meet the security and operating requirements that have to be fulfilled in order to form part of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia] of the Agència Catalana de Certificació [Catalan Certification Agency].
- Once the Linked Certification Entity has begun to operate, if at any time it is suspected that it is not fulfilling one of the security requirements, or a key compromise has been detected (whether suspected or real), or any event occurs that could endanger the security or integrity of the Linked Certification Entity, an internal audit has to be carried out.
The Linked Certification Entity can delegate the task of carrying out audits to a third party; in that case it has to cooperate fully with the personnel carrying out the investigation.
8.1 Frequency of conformity audits
In addition to the internal audits that the Linked Certification Entity carries out in accordance with its own criteria, or when it is suspected that a security measure has not been complied with, or when keys have been compromised, the Linked Certification Entity also has to undergo an annual conformity audit.
8.2 Auditor identification and classification
If the Linked Certification Entity has an internal auditing department, this department can be in charge of carrying out the conformity audit. If it does not have such a department, the Linked Certification Entity can use an independent external auditor, which must have proven experience in computer security, information systems security and in carrying out conformity audits of Certification Authorities and related elements.
8.3 Auditor's relationship with the entity under audit
Conformity audits carried out by third parties have to be carried out by an entity that is independent from the Linked Certification Entity under audit. In the case of internal audits, the auditor must not have any conflict of interest that might negatively affect his or her capacity to carry out auditing services.
8.4 List of elements to be audited
The elements to be audited are the following:
- Certification Authority processes and related elements
- Information Systems
- Process centre protection
- Documents
8.5 Actions to be taken if there is a non-conformity
Once the completed conformity audit report has been received, the Linked Certification Entity has to discuss any deficiencies found in the audit with the entity that carried out the audit and with CATCert, and develop and execute a corrective plan to resolve these deficiencies. If the Linked Certification Entity is unable to develop and/or execute this plan, or if the deficiencies found represent an immediate threat to the security or integrity of the system, one of the following actions will have to be taken:
- Revoke the key of the Linked Certification Entity, as described in the corresponding sections of this policy.
- Terminate the Linked Certification Entity service, as described in the corresponding section of this policy.
8.6 Dealing with audit reports
The Linked Certification Entity has to deliver the reports containing the results of the audit to CATCert, as the Root Certification Entity of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia], within 15 days of the audit having been carried out.
9. Commercial and legal requirements
9.1 Fees
9.1.1 Certificate issuance and renewal fees
CATCert establishes the fees that are to be applied by all Linked Certification Entities when providing their services. These fees can be found on the CATCert website (http://www.catcert.cat/tarifas/). CATCert does not give refunds. If a product is defective, it will be replaced by another one in full working order.
9.1.2 Certificate access fee
No fee may be charged for accessing certificates.
9.1.3 Certificate status information access fee
No fee may be charged for accessing information about certificate status.
9.1.4 Fees for other services
No additional stipulations.
9.1.5 Refund policy
No additional stipulations.
9.2 Financial capacity
9.2.1 Public liability insurance
The Certification Entity is required to guarantee that it has sufficient public liability cover, pursuant to the provisions of article 20.2 of Law 59/2003, of 19 December (Ley 59/2003), except when it is exempt from this obligation by law. This insurance is to cover the actions of CATCert as certification service provider. In the event of incorrect or unauthorised use of certificates, CATCert (or the corresponding Certification Entity) will not act as a trustee before subscribers or third parties, who should contact the party breaching the conditions of certificate use set out by CATCert (or the corresponding Certification Entity).
9.2.2 Other assets
No additional stipulations.
9.2.3 Insurance cover for subscribers and third parties that trust certificates
No additional stipulations.
9.3 Confidentiality
9.3.1 Confidential information
The following information must be kept confidential by the Certification Entity:
a. Business information provided by its suppliers and other persons with whom CATCert or the Linked Certification Entity is obligated, legally or by collective agreement, to maintain confidentiality.
b. Records of transactions, including complete transaction records and audit records.
c. Internal and external audit records created and/or kept by the Linked Certification Entity and its auditors.
d. Business continuity and emergency plans.
e. Security policy and plans.
f. Operating documentation and other operating plans, such as archiving, monitoring and other similar plans.
g. All information identified as "Confidential".
9.3.2 Non-confidential information
The following information is not of a confidential nature:
a. The Declaraciones de Prácticas de Certificación [Certification Practice Statements] of all of the Certification Entities.
b. All information identified as "Public".
9.3.3 Responsibility to protect confidential information
The Linked Certification Entity will be responsible for establishing the appropriate measures to protect confidential information. These measures should include the appropriate confidentiality clauses in the legal instruments in place with all persons.
9.4 Personal data protection
9.4.1. Personal Data Protection Policy
CATCert has a personal data protection policy in accordance with Organic Law 15/1999, of 13 December on Personal Data Protection (LOPD) [Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal] and the applicable regulatory legislation on the protection of data of a personal nature. In order to provide its own digital certification services, it is responsible for the files "suscriptores de certificados" [certificate subscribers] and "Personas físicas certificadas" [certified individual persons], created in accordance with the LOPD and communicated to the Registro de la Agencia Catalana de Protección de Datos [Register of the Catalan Data Protection Authority]. The structure of the files containing data of a personal nature is the following:
CERTIFICATE SUBSCRIBERS:
• Identification data of the subscriber group: name of the entity or body that is applying for certificates, CIF [tax ID number], full postal address, e-mail address, website.
• Identification data of the person assuming the role of service manager: name, surname(s), DNI [Spanish ID number] or equivalent, telephone, fax, postal address, e-mail address.
INDIVIDUAL PERSONS CERTIFIED:
• Identification data: name, surname(s) and DNI [Spanish ID number] or equivalent of the certified individual person. Other optional personal data requested for the authorised person, such as the CIP [personal identification code] of their Tarjeta Sanitaria Individual [Individual Health Card].
• Contact data: full postal address to receive notices and e-mail address.
• Data of the entity to which services are being provided (only in the case of class 1 and class 2 group certificates).
• Registered name of the entity, CIF [Tax ID Number], area of affiliation: political, organic, labour or professional.
The data collected and used by the certification services provider will be legally considered to be basic level data.
CATCert develops the procedures mentioned in this document, which it applies when providing its services and in which, in accordance with the requirements set out in the certificate policies that it manages and with article 19 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], the requirements and obligations relating to obtaining and managing personal data are detailed, thereby complying with the provisions of Organic Law 15/1999, of 13 December on Personal Data Protection [Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal] and Royal Decree 1720/2007, of 21 December [Real Decreto 1720/2007], which approves the Implementing Provisions of Organic Law 15/1999 on Personal Data Protection (RLOPD) [Reglamento de Desarrollo de la Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal].
CATCert sets out the necessary technical and organisational security measures in order to comply with the security measures applicable to automated files provided for in the RLOPD. For informational purposes, below are details of the measures applied, the precept of the RLOPD and the section of this document and of the Política General de Certificación [General Certification Policy] of CATCert where they are developed:
a. Scope of application of the security document with detailed specification of protected resources (article 88 of RD 1720/2007) – section 6.1.
b. Measures, regulations, procedures, rules and standards that guarantee the level of security required by RD 1720/2007 – section 6.1 and, in general, all of the technical controls in sections 5 and 6 of the Política General de Certificación [General Certification Policy] of CATCert.
c. Staff duties and obligations (article 89 of RD 1720/2007) – section 5.3.
d. Incidents register (article 90 of RD 1720/2007), notification, management and incident response procedures – section 9.4.5.
e. Access control (article 91 of RD 1720/2007) – sections 5 and 6.
f. Media management (article 92 of RD 1720/2007) – section 5.
g. Identification and authentication (article 93 of RD 1720/2007) – section 5.2.
h. Backup copy and data recovery procedures (article 94 of RD 1720/2007) – section 5.5.5.5
9.4.2. Data of a personal nature not available to third parties
Pursuant to the provisions of article 3 of Organic Law 15/1999, of 13 December, on personal data protection [Ley Orgánica 15/1999, de protección de datos de carácter personal], data of a personal nature is considered to be any information relating to identified or identifiable individual persons.
Any data of a personal nature that has to be included in the certificates and in the mechanism described for checking the status of certificates are considered to be personal data of a public nature, pursuant to the Law on the Electronic Signature [Ley de Firma Electrónica]. In this respect, the following will not be considered to be public data available to third parties:
- Certificate applications, either approved or refused, and any other personal information for the issuance and maintenance of certificates.
- Private keys generated and/or stored by the Certification Entity.
- Any other data of a personal nature that is not susceptible to being consulted, stored or accessed by third parties.
In any case, the data collected by the certification service provider will be legally considered to be basic level data. Personal data is to be treated in accordance with article 9 of the LOPD and in all cases its security is guaranteed in order to avoid unauthorised amendment, loss and access, also in accordance with the provisions of Royal Decree 1720/2007, of 21 December [Real Decreto 1720/2007], which approves the Implementing Regulations of Organic Law 15/1999 on Personal Data Protection [Reglamento de Desarrollo de la Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal].
9.4.3. Data of a personal nature available to third parties
This information is personal information that is included in the certificates and in the mechanism described for checking certificate status, in accordance with section 3.1. of this document. This information, supplied in certificate applications under the terms provided for in article 17.2 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica], is included in the certificates and in the mechanism for checking certificate status. It is a legal requirement that these data of a personal nature are made available to third parties ("public data"). The following information will not be considered confidential:
a. Certificates that have been or are being issued.
b. The subscriber's acceptance of a certificate issued by the Certification Entity.
c. The name and surname(s) of the subscriber to the certificate, and any other circumstances or personal data belonging to the owner in the event that they are important in relation to the purpose of the certificate, in accordance with this document.
d. The e-mail address of the subscriber to the certificate.
e. The uses and economic limits described on the certificate.
f. The period of validity of the certificate, and the date of issue and expiry of the certificate.
g. The serial number of the certificate.
h. The different statuses and situations of the certificate and their dates of commencement, specifically: pending generation and/or delivery, revoked, suspended, expired and the reason for the status change.
i. Listas de revocación de certificados (LRC) [certificate revocation lists], and any other information relating to certificate revocation status.
j. The information contained in the public section of the Certification Entity Register.
9.4.4. Liability corresponding to personal data protection
CATCert guarantees, at a minimum, that it will comply with its legal obligations as a certification service provider, in accordance with Law 59/2003, of 19 December [Ley 59/2003], and pursuant to this, and in accordance with article 22 of the aforementioned Law, that it will be held liable for any damages and injuries that it causes when carrying out its own activities if, for the present purposes, it fails to comply with the obligations provided for in article 17 of Law 59/2003 [Ley 59/2003], relating to the protection of personal data.
9.4.5. Management of incidents related to data of a personal nature
In this document, CATCert has included its procedures for giving notice of, managing and responding to incidents related to personal data. The notification procedure begins when the systems administrator at the facilities of the Certification Entity makes immediate contact by telephone with the Responsable del Área Técnica [Technical Area Manager] of the Certification Entity, and describes the type of incident and the effects that have been observed. If, while managing the incident, it is necessary to make modifications to system software or configurations, or it is necessary to restore backup copies or make other similar interventions, the administrator must wait to receive the corresponding request by digitally signed e-mail, which is sent by the Responsable del Área Técnica [Technical Area Manager] or the technical manager of the affected project (in this case, with a copy of the message to the Technical Area Manager). Once the necessary updates have been made and normal system operation has been re-established, the systems administrator must send an e-mail to the Responsable del Área Técnica [Technical Area Manager] giving a descriptive report, which in the case of an incident occurring on files that contain data of a personal nature is no more than a duly completed standard form. The Responsable del Área Técnica [Technical Area Manager] has to keep a copy of the forms corresponding to incidents registered in the preceding 12 months in relation to files containing data of a personal nature. These are kept in a dedicated directory in the server,
which is shared by Certification Entity users, duly protected so that it can only be accessed by Technical Area staff. In this way it is ensured that backup copies of its contents are made. The following data is given on the Registro de Incidencias [Incidents Record] form:
• In which resource the incident occurred
• Its code and description
• Day and time
• Type of incident
• Effects
• Notifier and receiver
• Response
• Procedures to be carried out
• Person to carry out the procedures
• Recovery procedure
• Person (and authorisation) to make the recovery
• Restored data
9.4.6. Giving consent for dealing with personal data
In order to provide its services, CATCert has to collect and store certain information, which entails dealing with personal data. When class 1 certificates are issued, these data are provided by the subscribers, without the need for consent from the key holders involved, in accordance with the provisions of the legislation regulating the relationship between employees and the certificate subscriber and any other applicable legislation, as provided for in article 6 of the LOPD. CATCert advises key holders that it has obtained their personal data in accordance with article 5 of the LOPD.
9.4.7. Communication of personal data
CATCert only communicates data of a personal nature to third parties in cases that have been legally provided for. Specifically, CATCert is required to reveal the identity of signatories when this information is requested by judicial bodies in their line of duty and in the other scenarios provided for in article 11.2 of the LOPD.
CATCert complies with all legal provisions, in accordance with the data protection policy provided for in section 9.4.1. Exceptionally and due to the situation provided for in the Política General de Certificación [General Certification Policy], which contemplates the eventuality of the Certification Entity being wound up, CATCert will provide personal data in the event of a transfer of service provider.
9.5 Intellectual property rights
9.5.1 Ownership of certificates and revocation information
The Linked Certification Entity will be the only entity that enjoys intellectual property rights over the certificates that it issues. The Linked Certification Entity will have to grant a non-exclusive licence for the reproduction, distribution, verification and use of its certificates, at no charge, in relation to digital signatures and/or encryption systems within the scope of application of this policy, in accordance with the corresponding binding instrument between the Linked Certification Entity and the party that reproduces and/or distributes the certificate. The abovementioned rules are to appear in the legal instruments that exist between the Linked Certification Entity and the subscribers and verifiers. In addition, the certificates issued by the Linked Certification Entity have to contain a legal notice referring to their ownership. These provisions also apply to the use of certificate revocation information.
9.5.2 Ownership of the certificate policy and the Declaración de Prácticas de Certificación [Certification Practice Statement]
CATCert will be the sole entity to enjoy intellectual property rights over the certification policy of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia]. Every Linked Certification Entity will be the owner of its own Declaración de Prácticas de Certificación [Certification Practice Statement].
9.5.3 Ownership of information relating to names
The subscriber and, where applicable, the key holder, will retain any right, where such right exists, over the trade mark, product or trade name held on the certificate. The subscriber and, where applicable, the key holder, will be the owner of the name identified on the certificate, formed using the information specified in the corresponding section of this policy.
9.5.4 Key ownership
Key pairs will be the property of the certificate subscribers. When a key is divided into parts, all parts of the key will be the property of the key owner.
9.6 Obligations and public liability
9.6.1 Certification Entities
9.6.1.1 Obligations and other undertakings
Obligations of CATCert
CATCert has the following obligations:
a. To operate the Root Certification Entity diligently, in accordance with the policies, practices and legislation of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia].
b. To operate its Linked Certification Entities, which belong to it or that provide services to the Virtual Certification Entities, in accordance with the provisions of section 9.6.1.1.2.
c. To guarantee equivalence in the security of the operations of the Linked Certification Entities of third-party certification service providers, and especially, to ensure that they are fulfilling the obligations provided for in section 9.6.1.1.2.
Obligations of the Linked Certification Entities
Linked Certification Entities are obligated to comply with the following:
a. The Linked Certification Entity has to guarantee that it is complying with all of the requirements set out in this certification policy, and accept full liability for this guarantee. [122]
b. The Linked Certification Entity will be the sole entity responsible for complying with the procedures described in this Policy, including when part or all of its operations are externally contracted. [123]
c. The Linked Certification Entity has to provide its certification services in accordance with its Declaración de Prácticas de Certificación [Certification Practice Statement] in force, [124] which must include the content provided for in article 19 of Law 59/2003 [Ley 59/2003] at the very least.
[122] TS 101456: 6.1 (first); TS 102042: 6.1 (first)
[123] TS 101456: 6.1 (second); TS 102042: 6.1 (second)
[124] TS 101456: 6.1 (fourth); TS 102042: 6.1 (third)
d. Before issuing the certificate and delivering it to the subscriber, the Linked Certification Entity will have to advise the subscriber of the aspects provided for in article 18.b. of Law 59/2003 [Ley 59/2003], [125] and of the following aspects:
a) The applicable policy, stating whether the certificates are issued to the public and whether there is a need to use a secure signature-creation device. [126]
b) How the Linked Certification Entity guarantees its pecuniary liability. [127]
c) Whether the Certification Entity has been declared to be in accordance with the certification policy and, where applicable, the system with which it has been declared to be in accordance. Specifically, its certification services provider certificate [128] and its certificates for the electronic-signature products it uses. [129]
e. This requirement is to be met via an applicable "Texto divulgativo de la política de certificado" ["Informational text on the certificate policy"], which can be sent electronically, using a communication medium that will last over time and written in easy-to-understand language. [130]
f. The Linked Certification Entity has to bind its subscribers, key holders and verifiers by using legal instruments that are appropriate to each situation.
g. These legal instruments can be sent electronically, must be in writing and employ easy-to-understand language, and should contain the following (at the very least): [131]
a) Provisions in accordance with the contents of this certification policy.
b) Name of the applicable policy, stating whether the certificates are issued to the public and whether there is a need to use a secure signature-creation device.
c) Declaration that the information held on the certificate is correct, unless otherwise stated by the subscriber. [132]
d) Consent to the publication of the certificate in the directory and to allowing third-party access to the certificate. [133]
e) Consent to storing the information used to register the subscriber and key holder, to provide the secure signature-creation device and to pass this information on to third parties if the Linked Certification Entity [134] ceases to operate, without revocation of valid certificates.
[125] TS 101456: 7.3.1 a) and b); TS 102042: 7.3.1 a) and c)
[126] TS 101456: 7.3.4
[127] Law 59/2003 [Ley 59/2003]: Art. 26
[128] Law 59/2003 [Ley 59/2003]: Art. 26
[129] Law 59/2003 [Ley 59/2003]: Art. 27
[130] TS 101456: 7.3.1 a) and b); TS 102042: 7.3.1 a) and c)
[131] TS 101456: 7.3.4; TS 102042: 7.3.4
[132] TS 101456: 7.3.1 h) (fifth); TS 102042: 7.3.1 l) (fifth)
[133] TS 101456: 7.3.1 h) (fourth); TS 102042: 7.3.1 l) (fourth)
f) Limits of use of the certificate, including those set out in section 4.5. of this policy.
g) Information about how to validate a certificate, including the requirement to check the status of the certificate, and the conditions under which trust can reasonably be placed in the certificate, which is applicable when the subscriber acts as a verifier.
h) Applicable liability limitations, including the uses for which the Linked Certification Entity accepts and refuses to accept liability.
i) Procedures applicable to dispute resolution.
j) Applicable law and competent jurisdiction.
h. The Linked Certification Entity has to identify the certificate subscriber, in accordance with articles 12 and 13 of Law 59/2003 [Ley 59/2003] and this certification policy and, specifically:
a) The Linked Certification Entity has to check, itself or through a Registration Entity, the identity and any other personal circumstances of certificate applicants, in accordance with the provisions of article 13 of Law 59/2003 [Ley 59/2003].
b) If the subscriber to the individual person certificate (certificado de clase 1 [class 1 certificate] or certificado de clase 2 colectivo [class 2 group certificate]) is a legal entity, the Linked Certification Entity has to check that the key holder is duly authorised by the subscriber.
i. The Linked Certification Entity has to comply with all other obligations provided for in article 12 of Law 59/2003 [Ley 59/2003].
Specific requirements for personal and entity certificates
The Certification Entity has to assume other obligations incorporated directly into the certificate or incorporated by reference. [135]
Note: Incorporation by reference is achieved by including an object identifier or other type of link to a document on the certificate, which is considered to be wholly included in this certificate policy.
In addition to the provisions of the corresponding section, the legal instrument that binds the Linked Certification Entity to the subscriber has to be written in easy-to-understand language, and must contain the following (at a minimum):
[134] TS 101456: 7.3.1 h) (third); TS 102042: 7.3.1 l) (third)
[135] TS 101456: 6.1 (third)
a. Name of the applicable policy, stating whether the certificates are issued to the public or a closed user community and whether there is a need to use a secure signature-creation device. [136]
b. Certification of Linked Certification Entity services. [137]
c. How the Linked Certification Entity guarantees its pecuniary liability. [138]
Specific electronic office requirements for the CDS, CDSCD and CDS-1
The Certification Entity has to check the domain name and other technical data, such as the IP address, which have to appear on the certificate.
Obligations of Virtual Certification Entities
Virtual Certification Entities are under obligation to do the following:
a. Determine the subscriber and verifier community of the Linked Certification Entity.
b. Approve the certificate policies and, where necessary, the specific certificate policies.
c. Approve, where necessary, the Declaración de Prácticas de Certificación [Certification Practice Statement].
d. Approve the contractual and regulatory documentation of the certification services in the user community of the Linked Certification Entity.
e. Provide timely notice to the Linked Certification Entity of all information related to changes to be made, service incidents, complaints and service inspections.
The above obligations are to be exercised within the framework of the policies, practices and regulations of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia].
9.6.1.2 Guarantees offered to subscribers and verifiers
The Linked Certification Entity shall guarantee the subscriber (at a minimum):
a. That it will comply with its legal obligations as a certification service provider, in accordance with Law 59/2003, of 19 December [Ley 59/2003].
b. That there are no factual errors in the information held on the certificates, either identified or made by the Linked Certification Entity and, where applicable, the Registration Entity.
c. That there are no factual errors in the information held on the certificates owing to lack of diligence in the management of the certificate application or the creation of the certificate.
d. That the certificates comply with all of the material requirements set out in the DPC.
e. That revocation services and use of the directory are in accordance with all of the material requirements set out in the DPC.
The Linked Certification Entity guarantees the verifier (at a minimum):
a. That it will comply with its legal obligations as a certification service provider, in accordance with Law 59/2003, of 19 December [Ley 59/2003].
b. That the reference information held on or incorporated into the certificate is correct, unless otherwise indicated.
c. In the case of certificates published in the directory, that the certificate has been issued to the subscriber identified in the directory and that the certificate has been accepted, in accordance with the corresponding section of this certificate policy.
d. That approval of the certificate application and issuance of the certificate complied with all of the material requirements provided for in the DPC.
e. Speed and security in providing its services, especially revocation services.
In addition, the Certification Entity will guarantee the subscriber and the verifier:
a. That the certificate contains all of the information that a qualified certificate has to contain pursuant to article 11.2 of Law 59/2003, of 19 December [Ley 59/2003].
b. That if it generates the subscriber's private keys or, where applicable, the key holder's keys, confidentiality is maintained throughout the process. [139]
c. The liability of the Certification Entity, with the established limitations.
[136] TS 101456: 7.3.4
[137] Law 59/2003 [Ley 59/2003]: Art. 26
[138] Law 59/2003 [Ley 59/2003]: Art. 20.2
[139] Law 59/2003 [Ley 59/2003]: Art. 20.1.e)
9.6.2 Registration entities
9.6.2.1 Obligations and other undertakings
Obligations of Internal Registration Entities
Internal Registration Entities are under obligation to comply with the following:
a. To act exclusively in relation to persons linked to the Internal Registration Entity.
b. To name two or more of its employees (depending on the EC, generally four or more) as registration authority (technical) operators, and to advise CATCert of the data that corresponds to these persons so that the corresponding operator certificates can be issued. When an operator no longer has the capacity to act in this role, under the control and authority of the Internal Registration Entity, this Internal Registration Entity has to immediately ask the Linked Certification Entity to revoke the corresponding operator certificate.
c. To validate and approve certificate requests and generate certificates for key holders, in accordance with the procedures and technical instruments established by the
Linked Certification Entity, in accordance with the DPC and the operating documentation of the Linked Certification Entity.
d. If the Internal Registration Entity does not have up-to-date information about the key holder, to check their identity in person or in accordance with the provisions of article 13.4. of Law 59/2003 [Ley 59/2003], and register a document that provides evidence of their full name, place and date of birth, DNI [Spanish ID number] and/or any other information that could be used to differentiate one person from another in the sphere of the Internal Registration Entity.
e. To verify, when necessary, any specific attributes of the key holder and register a document that provides evidence of this information.
f. To make or process certificate suspension, enablement, revocation and renewal requests, in accordance with the procedures and technical instruments established by the Linked Certification Entity, in accordance with the Declaración de Prácticas de Certificación [Certification Practice Statement], and the operating documentation of the Linked Certification Entity.
g. To store the records, whether on paper or electronically, employing suitable security measures to preserve the authenticity, integrity and conservation of the information held on the certificate, for a period of 15 years. These records have to be available to the Linked Certification Entity.
Virtual Registration Entity
Virtual Registration Entities are under obligation to comply with the following:
a. To supply the documentary proof needed to register users and to allow the subsequent issuance of certificates by the Linked Certification Entity or the Collaborating Registration Entity.
b. The documentary proof will have to be obtained by an organic unit of the Virtual Registration Entity that is legally empowered to vouch for the data to be certified, which shall be stated to CATCert.
Collaborating Registration Entity
The Certification Entity can delegate some duties to Collaborating Registration Entities, [140] which will be under obligation to comply with them, under the same conditions as the Certification Entity.
The Collaborating Registration Entity is to provide assistance to subscribers to class 1 certificates that have a Virtual Registration Entity, and to all subscribers to class 2 certificates. The Collaborating Registration Entity acts in its own name, notwithstanding the liability of the Linked Certification Entity.
The Collaborating Registration Entity will be obligated to record certificate data and to approve the certificate if the data is correct. To do this, it will have to carry out any checks it deems necessary regarding the identity and other personal and complementary data belonging to the subscribers and, if necessary, the key holders. These checks have to include the supporting documentation supplied by the applicant and, if the Collaborating Registration Entity deems it necessary, any other relevant documentation and information supplied by the subscriber, the key holder or third parties.
If the Collaborating Registration Entity detects errors in the data that has to be included on the certificates, or in the documentation supporting these data, it will be obligated to make any changes it deems necessary before issuing the certificate, or to halt the issuance process and manage the corresponding incident with the subscriber. If the Collaborating Registration Entity corrects the data without first managing the corresponding incident with the subscriber, it will be required to notify the subscriber of the data that is eventually certified at the time of delivery.
The Collaborating Registration Entity reserves the right to refuse an application for the issue of a certificate when the supporting documentation supplied by the subscriber is insufficient to allow the correct identification and/or authentication of the subscriber and, where necessary, the key holder.
[140] Law 59/2003 [Ley 59/2003]: Art. 13.5
9.6.2.2 Guarantees offered to subscribers and verifiers
CATCert's guarantee for digital certification services
CATCert guarantees that the private key of the Certification Entity that is used to issue certificates has not been compromised, unless CATCert has given notice to the contrary through the CATCert certification register, in accordance with the Declaración de Prácticas de Certificación [Certification Practice Statement]. CATCert alone guarantees that:
a) Electronic signature certificates contain all of the information required by Law 59/2003, of 19 December [Ley 59/2003].
b) It has not originated or introduced any false or erroneous declarations in the information on any certificate, nor has it neglected to include necessary information provided by the subscriber and validated by CATCert or by the Collaborating Registration Entity at the time of issue of the certificate.
c) All certificates meet the formal requirements and provisions of its Declaración de Prácticas de Certificación [Certification Practice Statement].
d) It is bound by the operating, security and archiving procedures described in the Declaración de Prácticas de Certificación [Certification Practice Statement].
Exclusions from the guarantee
CATCert does not guarantee any software used by the subscriber or by any other person to generate, verify or use in any other manner any digital signature or digital certificate issued by CATCert, except where there exists a written declaration by CATCert to the contrary.
9.6.3 Subscribers
9.6.3.1 Obligations and other undertakings
Requirements for all types of certificates
The Linked Certification Entity shall obligate 141 the subscriber to:
a. Provide complete and appropriate information to the Linked Certification Entity, in accordance with the requirements of this certification policy and especially as regards the registration procedure. 142
b. Give their consent prior to the issuance and delivery of the certificate.
c. Comply with the obligations established for the subscriber in this certification policy and in article 23.1 of Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica].
d. Use the certificate in accordance with the provisions of the corresponding section.
e. Notify the Linked Certification Entity, without unjustifiable delay, of the loss, alteration, unauthorised use, theft or compromise of their secure signature-creation device.
f. Notify the Linked Certification Entity and any person that the subscriber believes may trust the certificate, without unjustifiable delay, of: 143
a) The loss, theft or potential compromise of the private key.
b) Loss of control over the private key due to the activation data having been compromised (e.g. the PIN code of the secure signature-creation device) or for any other cause.
c) Any inaccuracies or changes in the contents of the certificate that the subscriber is aware of or becomes aware of.
g. Stop using the private key after the term indicated in the corresponding section.
h. Transfer to the key holders the obligations that are specific to them.
i. Not monitor, manipulate or carry out reverse engineering on the technical installation of the hierarchy, without prior written permission.
j. Avoid intentionally compromising the security of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia].
141
No requirement is set out regarding the way in which this requirement is fulfilled. It could be done by using a contract or another legal instrument.
142
TS 101 456: 6.2.a) is considered to be a generic obligation for all of the types of certificates requested by subscribers.
143
TS 101 456: 6.2.g)
Specific requirements for certificados de firma electrónica reconocida [qualified electronic signature certificates]
The Linked Certification Entity shall obligate the subscriber to:
a. Use the key pair exclusively for electronic signatures and in accordance with any other limitations of which they are notified. 144
b. Recognise that these electronic signatures are equivalent to handwritten signatures, in accordance with article 3.4 of Law 59/2003, of 19 December [Ley 59/2003].
c. Be especially diligent in the custody of their private key and secure signature-creation device, in order to avoid unauthorised use. 145
d. If the subscriber generates its own keys:
1. Generate the subscriber keys using an algorithm that is recognised as being acceptable for the qualified electronic signature. 146
2. Create the keys within the secure signature-creation device. 147
3. Use key lengths and algorithms that are recognised as being acceptable for the qualified electronic signature. 148
e. Notify the Certification Entity, without unjustifiable delay, of the loss, alteration, unauthorised use, theft or compromise of the secure signature-creation device.
9.6.3.2 Guarantees offered by the subscriber
The Linked Certification Entity will have to obligate the subscriber, using the corresponding legal instrument, to guarantee:
a. That, if the subscriber is the certificate applicant, all of the declarations made on the application are correct.
b. That all of the information supplied by the subscriber that is held on the certificate is correct.
c. That the certificate is used exclusively for legal and authorised purposes, in accordance with the DPC of the Linked Certification Entity.
d. That every digital signature created with the private key that corresponds to the public key listed on the certificate is the digital signature of the subscriber or key holder, and that the certificate has been accepted and is operational (it has not expired or been revoked) at the time of creating the signature.
e. That the subscriber is an end entity and not a Certification Entity, and will not use the private key corresponding to the public key listed on the certificate to sign any certificate (or any other certified public key format) or certificate revocation list (LRC).
f. That no unauthorised person has ever had access to the subscriber's private key.
144
TS 101 456: 6.2.b)
145
TS 101 456: 6.2.c), made stricter and extended to the secure signature-creation device.
146
TS 101 456: 6.2.d), first
147
TS 101 456: 6.2.f)
148
TS 101 456: 6.2.d), second
9.6.3.3 Protecting the private key The Linked Certification Entity will have to obligate the subscriber, using the corresponding legal instrument, to guarantee that the subscriber is solely liable for any damages arising from the subscriber's breach of the duty to protect the private key.
9.6.4 Verifiers
9.6.4.1 Obligations and other undertakings
The Linked Certification Entity has to obligate the user of the certificate 149 to:
a. Assess whether the certificate is appropriate for its intended use.
b. Verify the validity, suspension or revocation of the certificates issued, using information about certificate status. 150
c. Verify all of the certificates in the hierarchy of certificates, before trusting the digital signature or any of the certificates in the hierarchy.
d. Be aware of any limitations on the use of the certificate, regardless of whether these are stated on the certificate or in the verifier's contract. 151
e. Be aware of any precautions in place in a contract or other instrument, regardless of their legal nature. 152
f. Not monitor, manipulate or carry out reverse engineering on the technical installation of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia], without prior written permission.
g. Avoid intentionally compromising the security of the Jerarquía pública de certificación de Catalunya [Public certification hierarchy of Catalonia].
h. Recognise that the electronic signatures produced with qualified-signature certificates are equivalent to handwritten signatures, in accordance with article 3.4 of Law 59/2003, of 19 December [Ley 59/2003].
149
Typically through general conditions of use of the certificate.
150
TS 101 456: 6.3 a); TS 102 042: 6.3 a)
151
TS 101 456: 6.3 b); TS 102 042: 6.3 b)
152
TS 101 456: 6.3 c); TS 102 042: 6.3 c)
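Obligations b) to d) of the verifier, together with the end-entity guarantee of 9.6.3.2 e), are what a relying party's software actually has to carry out before trusting a signature. The following is an added example, not code from CATCert or from this policy. It builds a constructed three-level hierarchy (root, subordinate CA, subscriber) in memory with the Python `cryptography` package, using ECDSA P-256 keys and CRLs as the certificate-status source (the package, the algorithm and the CRL mechanism are assumptions of the demonstration, not requirements of the policy), and runs a verifier that walks the chain up to the trust anchor checking each certificate's validity period, its status against a CRL signed by its issuer, the signature link to its issuer, that every issuer is authorised to issue certificates, and that the subscriber certificate is a signature-only end-entity certificate. The constructed cases include a certificate the subscriber wrongly issued with its own key and a CRL in which the subordinate CA has revoked the subscriber.

```python
# Added example, not CATCert's code: the relying-party checks of 9.6.4.1 run over a
# constructed hierarchy. Assumes the `cryptography` package, ECDSA P-256 keys and CRLs.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2010, 2, 9, tzinfo=timezone.utc)  # constructed reference time

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "ES"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key_usage(ca):  # CA keys sign certificates and CRLs; subscriber keys only sign
    return x509.KeyUsage(digital_signature=not ca, content_commitment=not ca,
                         key_encipherment=False, data_encipherment=False, key_agreement=False,
                         key_cert_sign=ca, crl_sign=ca, encipher_only=False, decipher_only=False)

def make_cert(cn, pub, issuer, issuer_key, ca, start, days):
    issuer_name = issuer.subject if issuer is not None else _name(cn)  # None -> self-signed
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(_key_usage(ca), critical=True).sign(issuer_key, hashes.SHA256()))

def make_crl(issuer, issuer_key, revoked_serials, now):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
         .last_update(now).next_update(now + timedelta(days=1)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(issuer_key, hashes.SHA256())

def _validity(cert):
    try:  # *_utc attributes exist from cryptography 42; older versions expose naive UTC
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))

def _exts(cert):
    return (cert.extensions.get_extension_for_class(x509.BasicConstraints).value,
            cert.extensions.get_extension_for_class(x509.KeyUsage).value)

def _signed_by(tbs, signature, hash_alg, issuer):
    try:
        issuer.public_key().verify(signature, tbs, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False

def verify_chain(leaf, intermediates, anchor, crls, now):
    """9.6.4.1 b)-d) as code; crls maps issuer subject (RFC 4514) -> CRL; returns (accepted, reason)."""
    chain = [leaf, *intermediates, anchor]
    for i, cert in enumerate(chain):
        who = cert.subject.rfc4514_string()
        nb, na = _validity(cert)
        if not nb <= now <= na:
            return False, f"{who}: outside its validity period"
        bc, ku = _exts(cert)
        # 9.6.3.2 e) and the signature-only use limit of 9.6.3.1: the leaf must be an end entity
        if i == 0 and (bc.ca or ku.key_cert_sign or ku.crl_sign or not ku.digital_signature):
            return False, f"{who}: subscriber certificate is not a signature-only end-entity certificate"
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the anchor is self-signed
        ibc, iku = _exts(issuer)
        if not (ibc.ca and iku.key_cert_sign):
            return False, f"{issuer.subject.rfc4514_string()}: not authorised to issue certificates"
        if cert.issuer != issuer.subject:
            return False, f"{who}: issuer name does not match the presented issuer"
        if not _signed_by(cert.tbs_certificate_bytes, cert.signature, cert.signature_hash_algorithm, issuer):
            return False, f"{who}: signature does not verify under the issuer key"
        if issuer is not cert:  # status check for every certificate below the anchor
            crl = crls.get(issuer.subject.rfc4514_string())
            if crl is None or not _signed_by(crl.tbs_certlist_bytes, crl.signature,
                                             crl.signature_hash_algorithm, issuer):
                return False, f"{who}: no trustworthy status information from its issuer"
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
                return False, f"{who}: revoked"
    return True, "accepted"

def make_hierarchy(now):
    """Constructed root -> sub CA -> subscriber, a cert the subscriber wrongly issued, and CRL variants."""
    root_key, sub_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    start = now - timedelta(days=1)
    root = make_cert("Demo Root CA", root_key.public_key(), None, root_key, True, start, 3650)
    sub = make_cert("Demo Sub CA", sub_key.public_key(), root, root_key, True, start, 1825)
    leaf = make_cert("Demo Subscriber", leaf_key.public_key(), sub, sub_key, False, start, 365)
    rogue = make_cert("Issued by subscriber", rogue_key.public_key(), leaf, leaf_key, False, start, 365)
    crls = {c.subject.rfc4514_string(): make_crl(c, k, [], now) for c, k in ((root, root_key), (sub, sub_key))}
    revoked = {**crls, sub.subject.rfc4514_string(): make_crl(sub, sub_key, [leaf.serial_number], now)}
    return {"root": root, "sub": sub, "leaf": leaf, "rogue": rogue, "crls": crls, "crls_revoked": revoked}

def demo(now=NOW):
    """Runs the verifier over the constructed cases; returns [(case, accepted, reason)]."""
    h = make_hierarchy(now)
    cases = [("valid chain", h["leaf"], [h["sub"]], h["crls"], now),
             ("subscriber revoked by its issuer", h["leaf"], [h["sub"]], h["crls_revoked"], now),
             ("subscriber key used to issue a certificate", h["rogue"], [h["leaf"], h["sub"]], h["crls"], now),
             ("checked after the subscriber certificate expired", h["leaf"], [h["sub"]], h["crls"],
              now + timedelta(days=400)),
             ("intermediate missing from the presented chain", h["leaf"], [], h["crls"], now)]
    return [(label, *verify_chain(lf, mids, h["root"], c, at)) for label, lf, mids, c, at in cases]
```

`demo()` returns one (case, accepted, reason) tuple per case; only the first chain is accepted, and each of the others is rejected at the check that corresponds to one of the obligations above (status information, the issuer's authority to issue, the validity period, the broken link to the anchor). A production verifier would additionally check the CRL's own thisUpdate/nextUpdate window and obtain the CRL or OCSP response from the location named in the certificate rather than from a pre-built map.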
9.6.4.2 Guarantees offered by the verifier
The Certification Entity will have to obligate the verifier, using the corresponding legal instrument, to declare:
a. That the verifier has sufficient information available to make an informed decision as to whether or not to trust the certificate.
b. That the verifier is solely responsible for trusting or not trusting the information contained in the certificate.
c. That the verifier will accept sole liability if he/she/it fails to comply with his/her/its obligations as verifier.
9.6.5 Other participants
9.6.5.1 Obligations and guarantees of the directory
The Linked Certification Entity can delegate some duties to the directory, which in this case will be obligated to comply with them, under the same conditions as the Certification Entity. The roles, obligations and duties of the directory are to be set out in detail in the Declaración de Prácticas de Certificación [Certification Practice Statement] of the Linked Certification Entity, and in any auxiliary legal documentation, especially in relation to delivery to subscribers, key holders and verifiers.
9.6.5.2 Guarantees offered by the directory The Linked Certification Entity has to set out the public liability of the directory in its DPC, when the directory is operated by a third party.
9.7 Guarantee refusal
9.7.1 Refusal of Certification Entity guarantees
The Linked Certification Entity can disclaim all service guarantees that are not linked to the obligations provided for in Law 59/2003, of 19 December [Ley 59/2003], including, in particular, the guarantee of fitness for a particular purpose and the guarantee of merchantability of the certificate.
9.8 Liability limitations
9.8.1 Liability limitations of the Certification Entity
The Linked Certification Entity is to limit its liability and restrict its service to the issuance and management of certificates and, where applicable, of subscribers' key pairs and cryptographic devices (signature and signature verification, as well as encryption and decryption) supplied by the Certification Entity. The Linked Certification Entity can limit its liability by including limits of use on its certificates 153 and by placing limits on the value of transactions for which certificates may be used. 154
9.8.2 Acts of God and Force Majeure
The Linked Certification Entity shall include clauses to limit its liability in the event of Acts of God or Force Majeure, in the legal instruments that it uses to bind subscribers and verifiers.
9.9 Compensation
9.9.1 Subscriber's indemnity clause
No subscriber indemnity clause shall be established.
9.9.2 Verifier's indemnity clause
No verifier indemnity clause shall be established.
9.10 Term and termination
9.10.1 Term
The Linked Certification Entity will have to set out, in its legal instruments with the subscribers and verifiers, a clause that establishes the term of validity of the legal relationship under which the certificates are provided to the subscribers.
153
Law 59/2003 [Ley 59/2003]: 11.2.h)
154
Law 59/2003 [Ley 59/2003]: 11.2.i)
9.10.2 Termination
The Linked Certification Entity will have to set out, in its legal instruments with the subscribers and verifiers, a clause that establishes the consequences of the termination of the legal relationship, based on which the certificates are provided to the subscribers.
9.10.3 Survivorship
The Linked Certification Entity will have to set out, in its legal instruments with the subscribers and verifiers, survivorship clauses under which certain rules remain in force after the termination of the legal relationship that regulated the service between the parties. For these purposes, the Linked Certification Entity must bear in mind that at least the requirements contained in the obligations, public liability, conformity audit and confidentiality sections will remain in force after the termination of the certificate policy and of the legal instruments that bind the Certification Entity to subscribers and verifiers.
CATCert will set out a Business Continuity Plan. This Business Continuity Plan will determine the obligations that CATCert assumes if its activities cease. These obligations will be aimed at maintaining the validity of any certificates issued until their expiration date, and at the use and custody of all of the information generated by CATCert in its activities as a certification service provider, such as all types of backup copies, logs and documentation, independently of the media used to generate or store them. To these ends, CATCert ensures that a backup copy is generated periodically, as a complementary precaution in current activity and to ensure business continuity.
9.11 Notifications
The Linked Certification Entity will have to establish notice clauses in the legal instruments that bind it to subscribers and verifiers. The notice clause is to provide for the procedure that the parties should use to notify each other of events.
9.12 Modifications
9.12.1 Amendment procedure
Linked Certification Entities can unilaterally modify their certificate policy, where appropriate, in accordance with the following procedure:
- The amendment has to be justified from a technical, legal or commercial perspective.
- The amendment proposed by a Linked Certification Entity cannot go against the certificate policy established by CATCert.
- Amendments should be monitored in order to guarantee that the resulting specifications always meet the requirements with which they were attempting to comply, and which led to the change.
- The implications of the change for the user are to be established and the need to notify the user of the amendment is to be envisaged.
- The new policy has to be approved by CATCert.
9.12.2 Notice periods and mechanisms CATCert is to be notified of modifications to the policy so that they can be approved.
9.12.3 Circumstances in which an OID has to be changed No additional stipulations.
9.13 Conflict resolution
9.13.1 Extrajudicial conflict resolution
The Linked Certification Entity will have to establish the applicable mediation and resolution procedures in the legal instruments that bind it to subscribers and verifiers. 155
For these purposes, where the Linked Certification Entity is considered to be an organ of Public Administration, discrepancies arising from the use of the certificates it issues are to be resolved by applying the same jurisdiction criteria as for documents signed by hand.
9.13.2 Competent jurisdiction
The Linked Certification Entity will have to include, in the legal instruments that bind it to subscribers and verifiers, a competent jurisdiction clause stating that international jurisdiction corresponds to the Spanish courts. Territorial and functional jurisdiction is to be determined depending on the applicable private international legislation and procedural law. When the Linked Certification Entity is considered to be an organ of Public Administration the applicable administrative legislation will be taken into account.
155
TS 101 456: 7.5.1 h); TS 102 042: 7.5.1 h)
9.14 Applicable law
The Linked Certification Entity will have to set out, in the legal instruments that bind it to subscribers and verifiers, that the law applicable to the provision of services, including certification policies and practices, is as follows:
- In general, Spanish law, as long as the Linked Certification Entity is incorporated in the Spanish State and/or its certification services are provided via an establishment that is permanently located in the Spanish State. 156
- For Certification Entities linked to the hierarchy that are considered to be organs of Public Administration, the corresponding state and autonomous community administrative legislation.
9.15 Conformity with applicable law The Linked Certification Entity will have to declare that it complies with Law 59/2003, of 19 December, on the electronic signature [Ley 59/2003, de firma electrónica] and Law 34/2002, of 11 July, on information society and electronic commerce services [Ley 34/2002, de servicios de la sociedad de la información y de comercio electrónico] in its DPC and in the legal instruments in place with subscribers and verifiers.
9.16 Miscellaneous provisions
9.16.1 Integration clause
The Certification Entity will have to establish integration clauses in the legal instruments that bind it to subscribers and verifiers. By virtue of the integration clause it is understood that the legal instrument regulating the service is the complete and final agreement between the parties.
9.16.2 Subrogation
The rights and obligations associated with the condition of Linked Certification Entity cannot be assigned to any class of third party, and no third-party entity may be subrogated to the legal position of Certification Entity. In the event of assignment or subrogation, the Linked Certification Entity will be wound up. The rights and obligations associated with the condition of Linked Certification Entity may be the object of assignment or subrogation, but CATCert must be notified of this occurrence.
156
Law 59/2003 [Ley 59/2003]: 1.2
9.16.3 Divisibility
The Certification Entity will have to establish divisibility clauses in the legal instruments that bind it to subscribers and verifiers. By virtue of the divisibility clauses, if one clause becomes invalid this will not affect the rest of the contract. In the event that, on the basis of articles 7 and 8 of Law 7/1998 on general contracting conditions [Ley 7/1998 sobre condiciones generales de la contratación], certain clauses are not considered to be incorporated into the contract, this non-incorporation or invalidity will not render the entire contract ineffectual, provided that the contract can subsist without the aforementioned clauses. 157
9.16.4 Applications
No additional stipulations.
9.16.5 Other clauses
No additional stipulations.
157
Law 7/1998 [Ley 7/1998]: Art. 10
10. APPENDIX I Document control
Project: Report on the modification of the PGdC document
Destination entity: Agència Catalana de Certificació
Reference code: Revisions 2nd semester 2010
Version: Changes to v.3.3 creating v.3.4 in Catalan and Spanish
Date of issue: 09/02/2011

Control of versions PGdC 2nd semester 2010
Version   Parts changed                 Change description                        Author of change   Date of change
3.4       Sections 1, 4.9.7 and 9.15    Adaptation CAB/Forum Extended Validation  Policy Office      09/02/2011