SPECIFIC CERTIFICATION PRACTICES AND POLICY OF

Transcription

1 SPECIFIC CERTIFICATION PRACTICES AND POLICY OF CERTIFICATES OF REPRESENTATIVES OF LEGAL ENTITIES AND OF INSTITUTIONS WITH NO LEGAL ENTITY FROM THE AC REPRESENTACIÓN NAME DATE Prepared by: FNMT-RCM / v1.5 17/11/2017 Revised by: FNMT-RCM / v1.5 18/12/2017 Approved by: FNMT-RCM / v1.5 22/12/2017 DOCUMENT LOG Version Date Description /07/2015 Document creation /11//2015 Issuing of certificates for representatives of Legal entities and of Institutions with no legal entity as acknowledged. creation /04//2016 Updating of profiles according to ETSI standards and guidelines of TIC Direction /06/2016 Updating in accordance with requirements of ETSI audit /01/2017 Updating in accordance with requirements of ETSI /12/2017 Annual revision of the document. Reference: DPC/CPREP0105/SGPSC/2017 Document classified as: Public Page 1 of 42

2 INDEX 1. INTRODUCTION DOCUMENT ORGANISATION ORDER OF PREVALENCE DEFINITIONS PSEUDONYMS CERTIFICATE PROFILE NAMING RESTRICTIONS USE OF THE POLICY CONSTRAINTS EXTENSION SYNTAX AND SEMANTICS OF POLICY QUALIFIERS SEMANTIC PROCESSING OF THE CERTIFICATE POLICY EXTENSION ACKNOWLEDGMENT AND AUTHENTICATION OF REGISTERED TRADEMARKS MANAGEMENT OF THE LIFE CYCLE OF THE KEYS OF THE TRUST SERVICES PROVIDER MANAGEMENT OF KEY LIFE CYCLES Generation of Trust Services Provider Keys Storage, safeguards, and recovery of Trust Services Provider Keys Distribution of the Signature verification data of the Trust Services Provider Storage, safeguards, and recovery of the Private Keys of the Holders Use of the Signature Creation Data of the Trust Services Provider End of the life cycle of Trust Services Provider Keys Life cycle of cryptographic hardware used to sign Certificates OPERATION AND MANAGEMENT OF PUBLIC KEY INFRASTRUCTURE PUBLICATION OF THE TERMS AND CONDITIONS LIABILITY AND OBLIGATIONS OF THE PARTIES LIABILITY OF THE PARTIES Liability of the Trust Services Provider Liability of the Applicant Liability of the Represented entity and the Representative Liability of the User Entity and trusting third parties OBLIGATIONS AND GUARANTEES OF THE PARTIES Obligations and Guarantees of the Trust Services Provider Registry Office obligations Obligations of the Applicant, Represented entity, and Representative Page 2 of 42

3 Obligations of the User Entity and trusting third parties CERTIFICATES OF REPRESENTATIVES OF LEGAL ENTITIES AND REPRESENTATIVES OF INSTITUTIONS WITH NO LEGAL ENTITY LIABILITY AND OBLIGATIONS OF THE PARTIES Liability of the Parties Obligations and guarantees of the parties SPECIFIC CERTIFICATION PRACTICES Key management services Management of Certificate life cycles Verification of the revocation status of the certificate CERTIFICATION POLICY FOR CERTIFICATES OF REPRESENTATIVES OF LEGAL ENTITIES Identification Type description of the Certificate of Representatives of Legal Entities Community and scope of application Limits of usage of Legal Entity Certificates CERTIFICATION POLICY FOR CERTIFICATES OF REPRESENTATIVES OF INSTITUTIONS WITH NO LEGAL ENTITY Identification Type description of the Certificate of Representatives of Institutions with no Legal Entity Community and scope of application Limits of usage of Certificates of Institutions with no legal entity REPRESENTATIVE CERTIFICATE FOR SOLE AND JOINT ADMINISTRATORS LIABILITY AND OBLIGATIONS OF THE PARTIES Liability of the Parties Obligations and guarantees of the parties SPECIFIC CERTIFICATION PRACTICES Key management services Management of Certificate life cycles Verification of the revocation status of the certificate CERTIFICATION POLICY FOR REPRESENTATIVE CERTIFICATES FOR SOLE AND JOINT ADMINISTRATORS Identification Type description of the Representative Certificate for Sole and Joint Administrators Page 3 of 42

4 Community and scope of application Limits of usage of the Certificates PRICES ANNEX I: IDENTIFICATION OF THE CERTIFICATION AUTHORITY CERTIFICATE AC REPRESENTACIÓN Page 4 of 42

5 1. INTRODUCTION 1. This document is an integral part of the Trust Services Practices and Electronic Certification Statement (TSPS) of the FNMT-RCM, and it aims to inform the public about the conditions and characteristics of the certification services and services for the issuing of electronic Certificates by the FNMT-RCM as a Trust Services Provider, containing the obligations and procedures that with which it agrees to comply in regard to the issuing of the Certificates of Representatives of Legal Entities, Certificates of Representatives of Institutions with no Legal Entity, and Representative Certificates for Sole and Joint Administrators. 2. Specifically, for the purposes of the interpretation of these Specific Certification Practices and Policy, the Definitions section of the TSPS, and in such case, the Issue Law of the Certificate that corresponds to each entity that uses the certification services of the FNMT-RCM must be taken into account. 3. The Certificates of Representatives of Legal Entities and of Representatives of Institutions with no legal entity and of Representative for Sole or Joint Administrators issued by the FNMT-RCM, whose Specific Certification Practices and Certification Policy are defined in this document, are technically considered to be Recognized or qualified Certificates, in accordance with Regulation (EU) No 910/2014, of the European Parliament and Council, dated 23 July 2014, regarding electronic identification and Trust Services for electronic transactions in the interior market, which repeals Directive 1999/93/EC, and in accordance with the principles of security, integrity, confidentiality, authenticity, and non-repudiation stipulated in the Electronic Signature Act 29/2003, dated 19 December (art and concordant points). 4. The Representative Certificates for Sole and Joint Administrators are issued initially to cover the security needs in the legal traffic for these methods of organizing the administration of companies, and later, to be extended to other types of administration based on the state of the art and the possibilities of the Trust Service Providers and the persons and organisations who consume the services. 2. DOCUMENT ORGANISATION 5. The Certification Practices Statement of the FNMT-RCM, as a Provider of Trust Services, is structured, on one hand, based on the common part of the Trust Services Practices and Electronic Certification Statement (TSPS) of the FNMT-RCM, since there are similar levels of action for all of the Entity s services, and on the other, based on the Specific Certification Practices and Certification Policies that apply to each type of certificate issued by the Entity in question. 6. In accordance with the above, the structure of the FNMT-RCM Certification Practices Statement is as follows: 1) On one hand, the Trust Services Practices and Electronic Certification Statement (TSPS), which should be considered to be the main body of the Certification Practices Statement, which describes, in addition to the provisions in article 19 of the Electronic Signature Act 59/2003, of 19 December, the liability regime that applies to members of the Electronic Community, the security controls applied to the procedures and installations of the FNMT-RCM, in that which may be published without detriment to their effectiveness, secrecy and confidentiality standards, as well as questions related to the ownership of its property and assets, the protection of personal information, and Page 5 of 42

6 other general information questions that must be made available to the public, regardless of the role in the Electronic Community. 2) And, on the other hand, the specific Certification Policy which describes the obligations of the parties, the limits of the use of the Certificates, and the responsibilities and Specific Certification Practices that develop the terms defined in the corresponding policy and grant additional or specific functions in addition to the general functions defined in the TSPS. These Certification Policies and Specific Certification Practices specify what is articulated in the main body of the TSPS, and therefore are an integral part of it, both making up the Certification Practices Statement of the FNMT-RCM. 7. This document aims to inform the public about the conditions and characteristics of the certification services provided by the FNMT-RCM as a Trust Services Provider, in regard to the life cycle of the electronic Certificates of Representatives of Legal Entities, Certificates of Representatives of Institutions with no Legal Entity, and Representative Certificates for Sole and Joint Administrators. 8. For the purpose of the interpretation of this annex, the Definitions section in the TSPS and in this document should be taken into account. 9. In short, these Certification Policies and Specific Certification Practices specify what is articulated in the main body of the TSPS, and therefore are an integral part of it, both making up the Certification Practices Statement of the FNMT-RCM for the Certificates of Representatives of Institutions with no Legal Entity, and Certificates of Representatives of sole and joint administrators. The contents described in this document therefore apply to the group of Certificates that are characterized and identified in these Specific Certification Practices and Policy and may also cover special conditions defined in the Issue Law of the corresponding Certificate or group of Certificates, in the case of any specific characteristics or functions. 3. ORDER OF PREVALENCE 10. This Specific Certification Practices Statement applies to Certificates of Representatives of Legal Entities, Certificates of Representatives of Institutions with no Legal Entity, and Representative Certificates for Sole or Joint Administrators, and will take precedence over the provisions in the main body of the TSPS. 4. DEFINITIONS Therefore, in the case of contradictions between this document and the provisions in the TSPS, the information indicated here shall take precedence. 11. For the purposes of the provisions contained in this document, more precisely defining the TSPS and only when the terms begin with an upper case letter and are in cursive, the following will be understood to mean: - Applicant: individual over 18 years of age or an emancipated minor, who following identification requests an operation relating to a Certificate on behalf of the represented entity. For the purposes of these Specific Certification Practices and Policy, this shall be the same as the figure of the Representative. - Certificate of Representatives of Institutions with no Legal Entity: the electronic Page 6 of 42

7 certificate issued by the FNMT-RCM to an Institution with no legal entity that links the Signer to a series of Signature verification data and confirms his/her identity in the area of taxes and other areas permitted by the legislation in force. - Certificate of Representatives of Legal Entities: the electronic certification issued by the FNMT-RCM that links a Signer to a series of Signature verification data and confirms his/her identity. This Certificate corresponds to the certificate that has traditionally been used by Public Administrations in the tax area, and which was later authorized for other areas. This Certificate is therefore issued to Legal Entities for use in their relations with Public Administrations, Entities, and Public Institutions that are associated with or dependent on them. - Institution with no legal entity: entities to which article 35.4 of the General Tax Act the rest of the applicable legislation referenced. - Legal entity: person or group of people who constitute a unit with its own purpose which acquires as an entity legal status and capacity to act which is different to those of its members. - Representative: the natural person who legally or voluntarily acts on behalf of a Legal Entity or an Institution with no legal entity. - Representative certificate for sole and joint administrators: the electronic certification issued by the FNMT-RCM that links the Signer to a series of Signature verification data and confirms his/her identity. The Signer acts on behalf of a Legal entity in the role of legal representative with the position of sole or joint administrator registered in the Mercantile Registry. - Represented entity: Legal entity or Institution with no legal entity on behalf of which the Signer of a Certificate of those covered by these Specific Certification Practices and policy is acting. - Signer: the individual who creates an electronic signature on behalf of his or her own or on behalf of the Legal entity or of the Institution with no legal entity that they represent. - Trust Service: an electronic service that consists of one of the following activities: the creation, verification, validation, management, and conservation of Electronic Signatures, electronic stamps, Timestamps, electronic documents, electronic delivery services, website authentication, and Electronic Certificates, including Electronic Signature and electronic stamp certificates. - Trust Services Provider: the natural person or legal entity that provides one or more Trust Services, in accordance with the provisions in REGULATION (EU) N 910/2014 OF THE EUROPEAN PARLIAMENT AND COUNCIL, dated 23 July 2014, regarding electronic identification and Trust Services for electronic transactions in the internal market and which replaces Directive 1999/93/EC. - Qualified certificate: Electronic certificate issued by a Trust Services Provider that meets the requirements established in Act 59/2003 of electronic signature regarding identity verification, as well as all other circumstances concerning the applicants, and the reliability and guarantees of the certification services being provided. (The terms marked in cursive are defined in this document or in the TSPS). Page 7 of 42

8 5. PSEUDONYMS 12. In terms of the identification of Signers through the use of Certificates issued under the terms of this Certification Policy, the FNMT-RCM does not allow the use of pseudonyms. 6. CERTIFICATE PROFILE 13. All of the Certificates issued under the terms of this policy conform to version 3 of the X.509 standard. The Certificate profiles can be consulted in the site NAMING RESTRICTIONS 14. The encoding of Certificates follows the recommendation RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. All fields defined in the Certificate profile of these Certification Policies, with the exception of the fields for which it is stated otherwise, use UTF8String encoding USE OF THE POLICY CONSTRAINTS EXTENSION 15. The Policy Constraints extension of the CA root certificate is not used SYNTAX AND SEMANTICS OF POLICY QUALIFIERS 16. The Certificate Policies extension includes two Policy Qualifier fields: CPS Pointer: contains the URL where the TSPS and the Specific Certification Policies and Certification Practices that apply to the Certificates are published. User notice: contains a text that could be displayed in the screen by the user of the Certificate during certificate verification SEMANTIC PROCESSING OF THE CERTIFICATE POLICY EXTENSION 17. The Certificate Policy extension includes the OID policy field, which identifies the policy associated to the Certificate by the FNMT-RCM, as well as the two fields described in the previous paragraph. 7. ACKNOWLEDGMENT AND AUTHENTICATION OF REGISTERED TRADEMARKS 18. The FNMT-RCM assumes no commitment of any type regarding the use of registered or unregistered distinctive signs in the issuing of Certificates issued under the terms of this Certification Policy. Application for Certificates that include distinctive signs are only allowed for those whose usage rights are the property of the Represented entity or that have been duly authorized. The FNMT-RCM is not required to previously verify the ownership or registration of the distinctive signs prior to the issuing of Certificates, even if they are included in public registries. Page 8 of 42

9 8. MANAGEMENT OF THE LIFE CYCLE OF THE KEYS OF THE TRUST SERVICES PROVIDER 19. The FNMT-RCM, in its activities as a Trust Services Provider, in regard to the cryptographic keys used for the issuing of Representative Certificates, declares that it will carry out the management processes described in the following section MANAGEMENT OF KEY LIFE CYCLES Generation of Trust Services Provider Keys 20. The Keys of the FNMT-RCM, as a Trust Services Provider, are generated in completely controlled circumstances, in a physically secure environment, and by at least two people authorized to do this, using hardware and software systems that comply with the regulations in effect in the area of cryptographic protection, as described in the TSPS Storage, safeguards, and recovery of Trust Services Provider Keys 21. The FNMT-RCM uses the necessary mechanisms to maintain the confidentiality of its Private key and to maintain the integrity of the way in which it is shown in the TSPS Distribution of the Signature verification data of the Trust Services Provider 22. The FNMT-RCM uses the necessary mechanisms to maintain the integrity and authenticity of its Public Key, as well as its distribution in the way that is shown in the TSPS. 23. Representative Certificates are issued by a subordinate Certification Authority to the root Certification Authority of the FNMT-RCM. The identification of this Certification Authority is described in annex I of this document. 24. Therefore, the Certificates issued under the terms of the Certification Policy described in this document will be signed / sealed electronically with the Signature / Seal Creation Data of the Trust Services Provider. 25. The AC Representación Certification Authority Certificate profile can be consulted at the site Storage, safeguards, and recovery of the Private Keys of the Holders 26. Under no circumstances does the FNMT-RCM generate or store the Private Keys of the Holders of the Certificates, which are generated under the exclusive control of the Applicant, and the custody of which is the responsibility of the Holder of the certificate associated with the Private Keys in question Use of the Signature Creation Data of the Trust Services Provider 27. The Signature / Seal Creation Data of the FNMT-RCM, its activity as a Trust ServiceTrust Services Provider, will be used solely and exclusively for the following purposes: 1) Signing of Certificates. 2) Signing of Revocation Lists. 3) Other uses included in this Statement and/or other applicable legislation. Page 9 of 42

10 End of the life cycle of Trust Services Provider Keys 28. The FNMT-RCM shall have the necessary means to ensure that once the validity period of the Keys of the Trust ServiceTrust Services Provider has expired, that they are not used again, either by destroying them or storing them appropriately for this purpose Life cycle of cryptographic hardware used to sign Certificates 29. FNMT-RCM will have the necessary means to ensure that the cryptographic hardware used to protect its Keys as Trust ServiceTrust Services Provider are not manipulated, based on the current state of the art, throughout its life cycle, with the component in question being located in a physically secure environment from the time it is received until it is destroyed, at such time. 9. OPERATION AND MANAGEMENT OF PUBLIC KEY INFRASTRUCTURE 30. The operations and procedures carried out to put the Certification Policies described in this document into practice are carried out applying the controls required by recognized standards for this purpose. These actions are described in the sections Physical security, procedure, and personnel controls and Technical security controls of the TSPS of the FNMT-RCM. 31. In addition, it is important to note that the FNMT-RCM has an Information Security Management System (hereinafter, ISMS) for its CERES Department, with the ultimate objective of maintaining and guaranteeing the security of the information of the members of the Electronic Community, as well as its own security, so that the FNMT-RCM-CERES services are provided with a reasonable degree of security, in accordance with the current state of the art. The ISMS of the FNMT-RCM-CERES applies to the information assets defined in the Risk Assessment carried out for all of the areas that form part of the department, including the services provided to members of the Electronic Community as assets. 32. The TSPS document provides concrete responses to all aspects regarding the following sections of the European standard ETSI EN : Physical security controls Procedural controls Personnel controls Auditing processes Records archival (registry of events) Key changeover Compromise and disaster recovery Certification Authority or Registration Authority termination 10. PUBLICATION OF THE TERMS AND CONDITIONS 33. The FNMT-RCM provides this document, as well as the TSPS document of the FNMT-RCM to the Electronic Community and other interested parties, specifying the following: 1) The terms and conditions that regulate the use of the Certificates issued by the FNMT- RCM. Page 10 of 42

11 2) The Certification Policy that applies to Certificates issued by the FNMT-RCM. 3) The limits of usage for the Certificates issued under the terms of this Certification Policy. 4) The obligations, guarantees and responsibilities of the parties involved in the issuing and use of the Certificates. 5) The periods of conservation of the information gathered in the registration process and the events occurring in the systems of the Trust Services Provider in relation to the management of the life cycle of the Certificates issued under the terms of this Certification Policy. 11. LIABILITY AND OBLIGATIONS OF THE PARTIES 34. This section covers the obligations and liability of the parties involved in the issuing and use of the Certificate of Representatives of Legal Entities, Certificate of Representatives of Institutions with no Legal Entity, and Representative Certificate for Sole and Joint Administrators. Any specific obligations and liability that identified for each one of these certificates will be expressed in the corresponding sections of this document. 35. The parties for the purposes of this section are the following: FNMT-RCM, as Trust Services Provider. Registration Offices, which, through the personnel designated by the competent authority, must follow the procedures established by the FNMT-RCM. Colegio de Registradores de la Propiedad y Mercantiles de España (CORPME), in the case of Representative Certificate for Sole and Joint Administrators. The Represented entity and the Representative (Applicant). The User entity, third parties who rely on the Certificates and in general the members of the Electronic Community. 36. The FNMT-RCM shall not be liable for the use of these types of Certificates when the Representative or user of the Certificate carries out actions without powers, exceeding powers, or fraudulently against the law or third parties, if there is no certified notification that allows the intended effects to the transferred to the management of the Certificates LIABILITY OF THE PARTIES 37. In order to be able to use Certificates issued by the FNMT-RCM, it is first necessary to form part of the Electronic Community and acquire the condition of User Entity. To trust a Certificate issued by the FNMT-RCM, it will be essential that the validity status of the Certificate be verified using the FNMT-RCM s Certificate Validity Status Information and Consultation Service. 38. If this trust is generated by a member of the Electronic Community, User Entity, or by a third party, without verifying the status of the Certificate, there will be no coverage by the Certification Practices Statement and the party involved shall have no legitimacy to claim or undertake legal action against the FNMT-RCM. Therefore, in this case, the Entity shall not be responsible for damages or conflicts arising from the use or trust of a Certificate issued under the terms of these Specific Certification Practices and Certification Policies. Page 11 of 42

12 Liability of the Trust Services Provider 39. The FNMT-RCM is only responsible for the correct identification of the Applicant, Representative, and the Represented entity. In regard to this information, the FNMT-RCM shall be limited only to expressing it in a Certificate. 40. The FNMT-RCM shall only be liable for deficiencies in the procedures that correspond to its activity as a Trust Services Provider, and pursuant to the terms of these Certification Practices and Policies or the Law. In no other case will it be liable for the actions or losses incurred by Applicants, Representatives, Represented entities, User Entities, or in such case, third parties involved, that are not due to errors that can be attributed to the FNMT-RCM in the aforementioned issuing procedures and/or management of the Certificates. 41. The FNMT-RCM shall not be liable in the case of acts of God, force majeure, terrorist attacks, illegal strikes, as well as in the cases that involve actions that constitute a crime or omission that affect its supplier infrastructure, except in the case of gross negligence by the entity. In any case, in the corresponding contracts and/or agreements, the FNMT-RCM may establish clauses for the limitation of liability in addition to the ones included in this document. 42. The FNMT-RCM shall not be liable to persons whose behaviour in the use of the Certificates has been negligent, with negligence, for these purposes and in any case considered to be the failure to observe the provisions set forth in the Certification Practices Statement, and especially in the stipulations in the sections referring to the obligations and liability of the parties. 43. The FNMT-RCM shall not be liable for any software that it has not provided directly. 44. The FNMT-RCM does not guarantee the cryptographic algorithms nor shall it be liable for damages caused by successful outside attacks on the cryptographic algorithms used, if it applied the necessary diligence in accordance with the state of the art, and proceeded in accordance with terms of this Certification Practices Statement and the Law. 45. In any case, and with the condition of penal clause, the quantity that the FNMT-RCM must pay for the concept of damages as ordered by the court to the harmed third parties or members of the Electronic Community, in the absence of specific regulation in the contracts or agreements, is limited to a maximum of SIX THOUSAND EUROS (6,000 ). 46. The FNMT-RCM does not establish additional limits in the Electronic Certificates issued under the terms of these Specific Certification Practices and Certification Policies in regard to quantity or subject Liability of the Applicant 47. The Applicant shall be responsible for the accuracy and veracity of the information submitted during the Certificate application, and that he/she has been granted sufficient powers by the Represented entity, or that he/she holds the condition of sole or joint administrator for the purposes of the provision of the service. 48. The Applicant shall hold the FNMT-RCM harmless and defend at his/her own expense against any action that may be undertaken against the Entity and against any damages suffered by the FNMT-RCM as a result of false information or significant errors in the information provided during the Certificate application process, or as a result of an action or omission of the Applicant Liability of the Represented entity and the Representative 49. In any case, the Represented entity and the Representative shall be responsible for using the Page 12 of 42

13 Certificate properly and for duly storing it, in accordance with the purpose and function for which it was issued, as well as for informing the FNMT-RCM regarding any change in the status or information with respect to the information reflected in the Certificate, to revoke and re-issue the Certificate. 50. The Represented entity and Representative will likewise be liable, in any case, to the FNMT- RCM, the User Entities, and in such case, third parties, for improper use of the Certificate or false or incorrect information included in it, or actions or omissions that result in harm to the FNMT-RCM or to third parties. 51. The Represented entity will therefore be responsible and obliged not to use the Certificate if the Trust Services Provider has terminated its activity as a Certificate issuing Entity that originally issued the Certificate in question and the substitution stipulated by Law has not taken place. In any case, the Represented entity and Representative shall not use the Certificate in the cases in which the Signature Creation Data of the Provider may be threatened and/or compromised, and the Provider has communicated this, or in such case, if they have become aware of these circumstances Liability of the User Entity and trusting third parties 52. The User entity shall be responsible to third parties that trust the Certificates, and in general, to the members of the Electronic Community, for the verification and confirmation of the status of the Certificates, under no circumstances presuming the validity of the Certificates without carrying out these verifications. 53. The User entity and third parties who trust the Certificates may not be deemed to have acted with the minimum degree of diligence if they trust an electronic signature based on a Certificate issued by the FNMT-RCM without observing the provisions contained in the Certification Practices Statement and in this document and without verifying that the Electronic Signature in question can be verified by reference to a valid Certification chain. 54. If the circumstances indicate the need for additional guarantees, the User Entity will be required to obtain additional guarantees for the trust to be reasonable. 55. The User Entity shall also be responsible for observing the provisions included in the Certification Practices Statement and its possible future modifications, with special emphasis on the usage limits established for each Certificate in its Certification Policy OBLIGATIONS AND GUARANTEES OF THE PARTIES Obligations and Guarantees of the Trust Services Provider 56. The FNMT-RCM shall not be subject to any guarantees or obligations other than those established in the applicable regulations and in the Certification Practices Statement. 57. The FNMT - RCM meets the requirements of the European standards ETSI EN Requirements for trust service providers issuing EU qualified certificates and ETSI EN Certificate profile for certificates issued to natural persons for issuing Qualified certificates and undertakes to continue to comply with that standard or those that replace it. 58. Without detriment to the stipulations in the legislation regarding electronic signatures, and the regulations that develop it, the Trust Services Provider is required to: 59. Prior to issuing the Certificate: Verify that all of the information contained in the Certificate application corresponds to the information provided by the Applicant. Page 13 of 42

14 Verify that the Applicant is in possession of the Private Key, which, once the Certificate has been issued, will constitute the Signature Creation Data corresponding to the Signature Verification Data that will be included in the Certificate, and verify that they match. Guarantee that the procedures followed ensure that the Private Keys constituted by the Signature Creation Data are generated without the creation of copies or the storage of the Private Keys by the FNMT-RCM. Communicate the information to the Representative, and Applicant in such a way as to ensure its Confidentiality. Provide the Applicant, Representative, and other interested parties ( with the Certification Practices Statement, and all relevant information for the development of the procedures related to the life cycle of the Certificates that are the object of these Specific Certification Practices and Certification Policy, in accordance with the applicable regulations. 60. In all cases, the FNMT-RCM shall act effectively to: Verify that the Applicant for the Certificate uses the Private Key that corresponds to the Public Key linked to the identity of the Represented entity and of the Signer of the Certificate. To do this, the FNMT-RCM will verify the correspondence between the Private key and the Public key. Ensure that the information included in the Certificate is based on the information provided by the Applicant or obtained from public registries. Not ignore widely-publicized incidents that could affect the reliability of the Certificate. Ensure that the DN (distinguished name) assigned to the Certificate is unique throughout the Public Key Infrastructure of the FNMT-RCM. 61. Under no circumstances shall the FNMT-RCM include any information other than the information shown here, or specific attributes or circumstances of the Signers or limits in the certificates, other than those that are specified in this Certification Practices Statement. 62. Conservation of information by the FNMT-RCM Conserve all of the information and documentation related to each Certificate, with the necessary security conditions, for fifteen (15) years from the time of issue. Maintain a secure and updated Directory of Certificates, which identifies the issued Certificates, as well as their validity, including, in the form of Revocation Lists, the identification of the Certificates that have been revoked. The integrity of this Directory will be protected by the use of systems that conform to the specific regulatory provisions in this regard dictated in Spain, and in such case, in the EU. Maintain a service for providing information and consultation regarding the status of Certificates. Establish a dating mechanism that makes it possible to precisely determine the date and time when a Certificate was issued, or when its validity expired. Conserve the Certification Practices Statement for 15 years following its substitution due to the publication of a new version, in the proper security conditions. 63. Protection of Personal Information: The FNMT-RCM agrees to comply with the legislation in effect in the area of Protection of Personal Information, fundamentally the Personal Information Page 14 of 42

15 Protection Act 15/1999 of 13 December, and Royal Decree 1720/2007, dated 21 December, approving the regulations developing the Personal Information Protection Act 15/1999, dated 13 December, and the other applicable regulations. The TSPS may be consulted for information regarding the information protection policy followed by the FNMT-RCM, and regarding how the information is used. 64. Revocation of Certificates: The revocation of Certificates and the obligations that the FNMT-RCM assumes in this regard may be consulted in the Certificate revocation procedure described in this document. 65. Termination of the activity of the FNMT-RCM as Trust Services Provider: The corresponding section of the TSPS can be consulted for information in this regard Registry Office obligations 66. For the management of the life cycle of the Certificate of Representatives of Legal Entities, Certificate of Representatives of Institutions with no Legal Entity, and Representative Certificate for Sole and Joint Administrators, Registry Offices have the following obligations: In general which, follow the procedures established by the FNMT-RCM in the applicable Certification Practices and Policy, in performing their functions for the management, issuing, renewal of Certificates, and not deviate from this framework of actions. Allow the FNMT-RCM access to the files and to audit its procedures in relation to the data obtained in its role as a Registry Office. Notify the FNMT-RCM, using the methods provided for this, of any event related to the management of the life cycle of the Certificates issued by the FNMT-RCM: requests for issuing, renewal, etc. In regard to the expiration of the validity of the Certificates: 1 Duly verify the causes for the revocation and suspension that could affect the validity of the Certificates. 2 Notify the FNMT-RCM promptly of the applications for the revocation and suspension of the Certificates. In regard to the Protection of personal information, the provisions in the corresponding section of the TSPS shall apply. The Registry Offices, through the personnel assigned to the service by virtue of labour or civil service relationships, must exercise public functions in accordance with the specific legislation that applies to the FNMT-RCM. Conserve all of the information and documentation related to the Certificates, managing the application, renewal, and revocation for fifteen (15) years. Duly verify the causes for the revocation that could affect the validity of the Certificates. Page 15 of 42

16 Obligations of the Applicant, Represented entity, and Representative 67. The Applicants, Represented entities and Representatives of the Certificates of Representatives of Legal Entities, Certificates of Representatives of Institutions with no Legal Entity, and Representative Certificate for Sole and Joint Administrators shall have the following obligations: Not use the Certificate outside of the limitations specified in these Specific Certification Practices and Policy. Provide truthful information in the application for the Certificates, and to keep that information updated, signing the by a person with sufficient powers. Not request Certificates containing marks, names, or rights that are protected by industrial or intellectual property laws that the party in question does not hold, licence, or have demonstrable authorization to use. Act diligently with respect to the custody and conservation of the Signature creation data or any other sensitive information such as Keys, Certificate activation codes, access words, personal identification numbers, etc., as well as the Certificate supports, which in all cases include the non-disclosure of all of the aforementioned information. Understand and comply with the conditions of use of the Certificate specified in the usage conditions and in the Certification Practices Statement, and specifically the limitations on the use of the Certificates. Understand and comply with the modifications that are made to the Certification Practices Statement. Request the revocation of the corresponding Certificate, in accordance with the procedure described in this document, promptly notifying the FNMT-RCM of the circumstances for the revocation or the suspected loss of Confidentiality, disclosure, modification, or unauthorized use of the Signature creation data. Revise the information contained in the Certificate and notify the FNMT-RCM of any error or inaccuracy. Before trusting the Certificates, verify the Advanced electronic signature / seal of the Trust Services Provider that issued the Certificate. Promptly notify the FNMT-RCM of any changes to the information provided in the Certificate application, requesting the revocation of the certificate in the pertinent cases. Return or destroy the Certificate when required by the FNMT-RCM, and not use the certificate to sign or provide electronic identification when the Certificate has expired or been revoked Obligations of the User Entity and trusting third parties 68. The User Entities, members of the Electronic Community, and in general the third parties that trust the Certificates of Representatives of Legal Entities, Certificates of Representatives of Institutions with no Legal Entity, and Representative Certificates for Sole and joint Administrators have the following obligations: Before trusting the Certificate, verify the Advanced Electronic Signature / Seal of the Page 16 of 42

17 Trust Services Provider that issued the Certificate. Verify that the Certificate that is being trusted remains valid and active. Verify the status of the Certificates in the Chain of Certification, using the Certificate Validity Status Information and Consultation Service of the FNMT-RCM. Verify the limits of use of the Certificate that is being verified. Understand the conditions of use of the Certificate in accordance with the applicable Certification Practice Statements. Notify the FNMT-RCM of any anomaly or information related to the Certificate and that could be considered cause for the revocation of the Certificate, providing all available proof. 12. CERTIFICATES OF REPRESENTATIVES OF LEGAL ENTITIES AND REPRESENTATIVES OF INSTITUTIONS WITH NO LEGAL ENTITY LIABILITY AND OBLIGATIONS OF THE PARTIES 69. This section covers the obligations and liability of the parties involved in the issuing and use of the Certificate of Representatives of Legal Entities and Certificate of Representatives of Institutions with no Legal Entity. Therefore the following list of specific liability and obligations apply to these two types of certificates, as well as those described in section 10 Liability and obligations of the parties in regard to the types of Certificates included in this Specific Certification Practices and Policies document Liability of the Parties Liability of the Trust Services Provider 70. In addition to the liability included in the section on general responsibility, the FNMT-RCM, through the Registry Office shall be responsible for properly identifying the Represented entity and the Representative, verifying the extrinsic legality of the documents provided to accredit the scope of their representation, including an indication of this information in the Certificate. The FNMT-RCM shall not be liable for any damages caused to the Represented entity or to third parties by the Applicant should the Applicant infringe on the obligations to provide credible documentation or if the documentation provided contains inaccuracies, errors, or false information, and the Certificate is issued. Nor shall the FNMT-RCM shall be liable if the Representative uses the Certificate unduly, in the case of invalidation, insufficient legal capacity, expiration, revocation, extinguishing of powers, or if the Representative uses it beyond its initial scope of application Liability of the Applicant 71. Section 10 Liability and obligations of the parties applies. In addition, the Applicant, for this type of Certificate, shall be responsible for accrediting the legal entity of the Represented entity, the effectiveness and sufficient capacity of the powers to make the request, and the use of these Certificates in accordance with their purpose, and to request the revocation of the Certificate when the information for the Applicant or Represented entity changes, and shall be Page 17 of 42

18 liable to the FNMT-RCM and to third parties if the Certificate is used after the termination of their powers, after it has been revoked, if the information has changed, or if the Certificate is used beyond its scope of application Liability of the Represented entity and the Representative 72. Section 10 Liability and obligations of the parties applies. In addition, the Represented entity and the Representative, for this type of Certificate, will be responsible for certifying the legal entity of the Represented entity, the validity and sufficient capacity of the powers of the Representative/Signer to use these Certificates, according to their purpose, and to request revocation of the Certificate when the information of the Representative or Represented entity changes, and shall be liable to the FNMT-RCM and to third parties if the Certificate is used after the termination of the powers of the Representative, after it has been revoked, if the information has changed, or if the Certificate is used beyond its initial scope of application Liability of the User Entity and trusting third parties 73. Section 10 Liability and obligations of the parties applies Obligations and guarantees of the parties Obligations and Guarantees of the Trust Services Provider 74. Without detriment to the stipulations in the legislation regarding electronic signatures, and the regulations that develop it, the Trust Services Provider is required to verify, during the registration process and prior to issuing the Certificate, the information in regard to the legal personality of the Represented entity and the identity and capacity of the Representative. All of these verifications will be carried out in accordance with the Specific Certification Practices expressed in this document, and in accordance with the registration protocols and procedures of the FNMT-RCM. 75. In the processes to verify the aforementioned conditions, the FNMT-RCM may carry out verifications through the intervention of third parties that hold notarial powers or the intervention of public or private registries Registry Office Obligations 76. For the management of the life cycle of the Certificates of Representatives of Legal Entities and Certificates of Representatives of Institutions with no Legal Entity, the Registry Offices have the obligation to verify the identity of the Represented entity, as well as the identity, sufficiency of powers or appointment, and any other personal circumstances of the Representatives of the Certificates that are relevant for the purpose of the Registry Offices, using any of the means permitted by Law and in accordance with the general stipulations of the TSPS, and specifically with these Specific Certification Practices and Policy Obligations of the Represented entity and the Representative 77. Section 10 Liability and obligations of the parties applies. Page 18 of 42

19 Obligations of the User Entity and trusting third parties 78. Section 10 Liability and obligations of the parties applies SPECIFIC CERTIFICATION PRACTICES 79. This section defines the set of Certification Practices adopted by the FNMT-RCM as a Trust Services Provider for the management of the life cycle of the Certificates of Representatives of Legal Entities issued under the terms of this Certification Policy identified with OID and of the Certificates of Representatives of Institutions with no legal entity, issued under the terms of this Certification Policy identified with OID Key management services 80. The FNMT-RCM does not generate or store the Private Keys of the Signers that are generated under their exclusive control Management of Certificate life cycles 81. This section defines the aspects which, although already covered in the TSPS of which this document forms part, includes certain special characteristics that require a greater level of detail. 82. The following section describes the application procedure used by the Registry Office to collect the personal information from an Applicant, confirm his/her identity, as well as the extent and validity of his/her powers of representation of the legal entity, and formalize, between the aforementioned Applicant and the FNMT-RCM, the conditions of use for the later issuing of the Certificate of Representatives of Legal Entities, or the Certificate of Representatives of Institutions with no Legal Entity Application procedure 83. The interested party visits the website of the Trust Services Provider of the FNMT-RCM at the URL where the instructions for the entire process for obtaining the Certificate will be displayed. The Applicant will enter his/her address and Tax ID of the Legal Entity or Institution with no legal entity, in the information collection point provided for this. Likewise, the Applicant will express the desire to obtain the Certificate for which the application is being filed, and will give consent for the FNMT-RCM to query the Identity Information Verification System. 84. The Public and Private Keys are then generated (on a cryptographic device - Token or cryptographic card - if the Applicant has one, or in the browser if they do not have one of these devices), which will be linked to the Certificate that will be generated in a later phase, and the FNMT-RCM assigns the application a unique code. 85. The Applicant must previously consult the General and Specific Certification Practice Statements at the URL with the conditions of use and obligations of the parties. 86. When this application is made, the Public Key that is generated is sent to the FNMT-RCM, along with the corresponding proof of possession of the Private Key, for the later issuing of Page 19 of 42

20 the Certificate. The sending of the Public Key to the CA for the generation of the Certificate is done using a standard format, PKCS#10 or SPKAC, using a secure channel for the transmission. 87. After the FNMT-RCM receives this information, it will use the applicant s Public Key to verify the validity of the information in the application, verifying only the possession and correspondence of the pair of Cryptographic keys by the applicant. 88. This information shall not result in the generation of a Certificate by the FNMT-RCM until it receives confirmation from the Registry Office of the identification of the Representative and the extent and validity of his/her powers to represent the Represented entity. 89. The Certificate application procedure is completed with the transmission by the FNMT-RCM of an to the address provided by the Applicant, specifying the unique application code assigned and informing the Applicant of the upcoming phases in the process to obtain the Certificate Confirmation of personal identity and validity of powers of representation 90. The FNMT-RCM, as a Trust Services Provider, before it issues the Certificate, will identify the Applicant of the Certificate, as well as the information regarding the legal entity of the Represented entity and the extent and validity of his/her powers of representation of the Representative, by physically visiting a Registry Office with which the FNMT-RCM has signed an agreement for this purpose. During this act, the Applicant and any other third party whose attendance is required, will provide the information and documents that are requested and will accredit their personal identity, as well as the extent and validity of their powers of representation of the Represented entity. 91. In general, in all cases, the Applicants for these Certificates will be required to visit an authorized Registry Office, with the following identification documents: National Identity Card, Foreign Resident Identity Card, Passport, or other documents allowed by law (in the latter two cases, they will also be required to provide Foreign Resident Identity Number). The person responsible for accreditation in the Registry Office will verify that the documents provided comply with all of the requirements to confirm the identity of the Applicant, the Representative, as well as the information related to the legal entity of the represented party. This visit may be waived if the signature in the application for the issuing of the Certificate has been legalized by a notary, notwithstanding the need to sufficiently accredit the extent and validity of the powers of representation. 92. Likewise, the FNMT-RCM, specifically, will verify, directly or through a third party, the information regarding the incorporation, and in such case, the legal entity of the entity for which the issuing of the Certificate is being requested, and the validity of the powers of representation of the Applicant to make the aforementioned application, with the prior submission of the certified documentation that is required for this purpose, and which will be held by the Trust Services Provider itself or by the Registry Office authorised for this purpose to allow later consultation. The list of this documentation is published in the electronic office portal of the FNMT-RCM ( 93. Once the Registry Office has carried out these verifications, it will validate the information and send it to the FNMT-RCM, along with the application code sent by the Applicant by . This information will be sent via secure communications established for such purpose between the Registry Office and the FNMT-RCM. The personal information and their processing, in such case, shall be subject to the specific legislation. Page 20 of 42