Certification Practice Statement. esfirma

Transcription

1 Certification Practice Statement esfirma

2 General information Documentary checks Security classification: Public Target entity: ESFIRMA Version: 1.1 Date of Edition: 02/06/2016 File: esfirma DPC v1r1.docx Format: Office 2016 Authors: BC-NA-FA Formal State Prepared by: Reviewed by: Approved by: Name: BC-GA-FA Date: 09/03/2016 Name: NA Date: 29/04/2016 Name: Date: Version control Version Parts that change Description of change Author of change Date of change 1.0 Original Creation of the esfirma 29/04/2016 document 1.1 esfirma 02/06/2016

3 Index 1. INTRODUCTION PRESENTATION NAME OF THE DOCUMENT AND IDENTIFICATION Identifiers of certificates PARTICIPANTS IN THE CERTIFICATION SERVICES Provider of certification services Registrars End Entities USE OF CERTIFICATES Uses permitted for certificates Limits and prohibitions of use of certificates ADMINISTRATION OF THE POLICY Organizationization administering the document Contact details for the Organizationization Document management procedure PUBLICATION OF INFORMATION AND CERTIFICATE S REPOSITORY CERTIFICATE S REPOSITORY PUBLICATION OF INFORMATION OF THE CERTIFICATION SERVICE PROVIDER FREQUENCY OF PUBLICATION ACCESS CONTROL IDENTIFICATION AND AUTHENTICATION INITIAL REGISTRATION Types of names Meaning of names Use of anonymous and user IDs Interpretation of names formats Uniqueness of names Resolution of conflicts related to names INITIAL IDENTITY VALIDATION Proof of possession of private key Authentication of the identity of the Subscriber acting through a representative Authentication of the identity of a natural person Non verified subscriber information IDENTIFICATION AND AUTHENTICATION OF RENEWAL APPLICATIONS Validation for the routine of certificate renewal... 38

4 identification and authentication of the request for renewal after revocation prior IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST AUTHENTICATION OF A REQUEST FOR SUSPENSION OPERATION OF THE LIFECYCLE OF THE CERTIFICATES REQUIREMENTS ISSUE OF CERTIFICATE REQUEST Authority to request the issuance Procedure of discharge and responsibilities PROCESSING OF THE APPLICATION FOR CERTIFICATION Implementation of the identification and authentication functions Approval or rejection of the application Deadline to resolve the request ISSUANCE OF THE CERTIFICATE Shares of the CA during the issuance process Notification of the issuance to Subscriber DELIVERY AND ACCEPTANCE OF THE CERTIFICATE CA responsibilities Conduct constituting acceptance of the certificate Certificate Publication Notification of the issuance to third parties USE OF THE PAIR OF KEYS AND CERTIFICATE Use by the Subscriber or signer Use by the Subscriber Use by the third party who relies on certificates CERTIFICATE RENEWAL RENEWAL OF KEYS AND CERTIFICATES Causes of renewal of keys and certificates procedure of renewal certificate wherever required new identification Notification of the issuance of the certificate renewed Conduct constituting acceptance of the certificate Publication of the certificate Notification of the issuance to third parties MODIFICATION OF CERTIFICATES REVOCATION AND SUSPENSION OF CERTIFICATES Causes of certificate revocation Authority to request revocation Revocation request procedures Revocation request Request processing Certificate revocation information query Frequency of issue of certificates (CRL) revocation lists Maximum period of publication of CRL Availability of services of checking online certificate status Check certificate status services... 55

5 Other forms of certificate revocation information Requirements in the event of a compromise of the private key Causes of suspension of certificates Request for suspension Procedures for suspension request Maximum suspension period COMPLETION OF THE SUBSCRIPTION CHECK CERTIFICATE STATUS SERVICES Operational services features Availability of services DEPOSIT AND KEY RECOVERY Policy and practices of deposit and key recovery Policy and practices of encapsulation and recovery of session keys PHYSICAL SECURITY, MANAGEMENT AND OPERATIONAL CONTROLS PHYSICAL SECURITY CONTROLS Location and construction of the facilities Physical access Electricity and air conditioning Exposure to water Prevention and fire protection Media storage Waste treatment Off site backup CONTROL PROCEDURES Reliable features Number of people per task Identification and authentication for each role Roles requiring separation of tasks PKI management system PERSONAL CONTROLS History, qualifications, experience and authorization requirements History investigation procedures Training requirements Requirements and frequency of training update Job rotation frequency and sequence Sanctions for unauthorized actions Recruitment of professional requirements Provision of documentation to the personnel SECURITY AUDIT PROCEDURES Types of reported events Frequency of treatment of audit records Lifetime of audit records Protection of audit logs... 69

6 Backup procedures Localization of the system of accumulation of audit records Audit event notification to the originator of the event Analysis of vulnerabilities INFORMATION FILES Types of archived records Period of recordkeeping Protection of archive Backup procedures Requirements for date and time-stamping Location of the file system Procedures for obtaining and verifying file information RENEWAL OF KEYS COMMITMENT TO KEY AND DISASTER RECOVERY Procedures for managing incidents and commitments Resources, applications, or data corruption Compromise of the private key of the entity Continuity of the business after a disaster ,7.5. Management of reversals TERMINATION OF SERVICE TECHNICAL SECURITY CONTROLS GENERATION AND INSTALLATION KEY PAIR Generation of key pair Sending the signer private key Shipping of the issuer of the certificate public key Distribution of the public key from the provider of certification services Key sizes Public key parameters generation Checking quality of public key parameters Key generation in computer applications or equipment Key usage purposes THE PRIVATE KEY PROTECTION Standards for cryptographic modules Control by more than one person (m n) on the private key The private key deposit Backup of the private key The private key file Introduction of the cryptographic module private key Method of activating private key Method of deactivating private key Method of destroying private key Classification of cryptographic modules Classification of cryptographic modules... 81

7 6.3. OTHER ASPECTS OF KEY PAIR MANAGEMENT The public key file Periods of use of public and private keys ACTIVATION DATA Generation and installation of activation data Activation data protection COMPUTER SECURITY CONTROLS Specific computer security technical requirements Evaluation of the level of computer security LIFE CYCLE TECHNICAL CONTROLS System development controls Security management controls NETWORK SECURITY CONTROLS CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS TIME SOURCES PROFILES OF CERTIFICATES AND CERTIFICATE REVOCATION LISTS CERTIFICATE PROFILE Version number Certificate extensions Identifiers (OID) object of the algorithms Format names The name constraint Identifier (OID) object of the types of certificates THE CERTIFICATE REVOCATION LIST PROFILE Version number OCSP profile COMPLIANCE AUDIT THE COMPLIANCE AUDIT FREQUENCY IDENTIFICATION AND QUALIFICATION OF AUDITOR THE AUDITOR WITH THE AUDITED ENTITY RELATIONSHIP LIST OF ITEMS SUBJECT TO AUDIT ACTIONS TO UNDERTAKE AS A RESULT OF A LACK OF CONFORMITY TREATMENT OF AUDIT REPORTS COMMERCIAL AND LEGAL REQUIREMENTS RATES Rate of issuance or renewal of certificates Rate of access to certificates Rate of access to certificate status information Rates for other services Reinstatement policy FINANCIAL CAPACITY Insurance coverage... 93

8 Other assets Insurance coverage for subscribers and third parties relying on certificates CONFIDENTIALITY Confidential information Non-confidential information Disclosure of information of suspension and revocation Legal information disclosure Disclosure of information at the request of its holder Other circumstances of disclosure of information PROTECTION OF PERSONAL DATA INTELLECTUAL PROPERTY RIGHTS Property of the certificates and revocation information Property of the certification practice statement Information concerning names property Keys property OBLIGATIONS AND LIABILITY Obligations of the certification authority "esfirma" Guarantees offered to subscribers and third parties relying on certificates Rejection of other warranties Limitation of liability inch. Indemnity clauses Unforeseen circumstances and force majeure Applicable law Severability, survival, entire agreement and notice clauses Competent jurisdiction clause Conflict resolution

9 1. Introduction 1.1. Presentation This document states the certification of electronic signature of esfirma practices. The issued certificates are the following: Organization seal Organization seal medium level Organization seal high level Public employee Public employee medium level Public employee high level 1.2. Name of the document and identification This document is the "Declaration of practice of certification of esfirma" Identifiers of certificates OID number Certificate policies Public employee Public Employee - high level

10 Public Employee - medium level Body seal Organization seal - high level Organization seal- medium level In case of contradiction between this statement of certification practices and other practices and procedures documents, will prevail in this statement of practices Participants in the certification services Provider of certification services The certification services provider is the person, whether natural or legal, that issues and manages certificates for end-entities, using a certification body, or provides other services related to electronic signatures. AULOCE S.A.U., residing at Calle Bari 39 (Bldg. Binary Building), C.P , Zaragoza, CIF A , registered in the Registro Mercantil de Zaragoza to volume, Folio 215, sheet Z-28722, and operates under the name commercial EsFIRMA, trade name which will be used throughout this document to designate it, it's a provider of certification services that acts in accordance with the provisions in law 59/ December, electronic signature, and the ETSI standards applicable to the issuance and management of recognized certificates, mainly ETSI TS , at and , in order to facilitate the fulfilment of the legal requirements and international recognition of its services. For the provision of certification services, esfirma has established a hierarchy of certification authorities:

11 ESFIRMA AC RAIZ ESFIRMA AC AAPP AC EsFIRMA root He is the certification authority root of the hierarchy that issues certificates to other certificate authorities, and whose public key certificate has been self-signed. Identification data: CN: ESFIRMA AC RAIZ Fingerprint: c d e7 d4 4b b2 faith 53 fc 34 af 47 Valid from: :54:33 UTC Valid until: :54:33 UTC RSA key length: 4,096 bits EsFIRMA AC AAPP It is the certification body within the hierarchy that issues certificates to end entities, and whose public key certificate has been digitally signed by "esfirma AC RAIZ". Identification data: CN: Fingerprint: Valid from: Valid until: ESFIRMA AC AAPP 24 f1 9b 61 8b f3 DC AC 7e b7 0e 07 f :05:14 UTC :05:14 UTC

12 RSA key length: 4,096 bits Registrars In general, the certification service provider acts as a Registrar of the identity of the subscribers of certificates. They are also registrars certificates subject to this certification practices statement, due to their status as corporate certificates, units designated for this function by the subscribers of the certificates, as the Secretary of the Corporation or the Department of administration staff, since they have authentic records about the linking of the signatories with the Subscriber. Subscribers register functions are performed by delegation and in accordance with the instructions of the provider of certification services, under the terms of article 13.5 of the law 59/2003, of 19 December, electronic signature, and under the full responsibility of the provider of third-party certification services End Entities The end-entities are individuals and Organizationizations benefit from the services of issuance, management, and use of digital certificates for identification and electronic signature applications. End-entities of the esfirma certification services will be as follows: 1. Subscribers. 2. Signatories. 3. Users Subscribers Certification service subscribers are public administrations that take them to esfirma for use in your corporate or Organizationizational level, and are identified on certificates.

13 Certification service subscriber acquires a license of use of the certificate, for its own use - electronic stamp certificates-, or to facilitate the certification of the identity of a specific individual duly authorized for various performances in the Organizationizational field of Subscriber - electronic signature certificates. In the latter case, this person is identified in the certificate, as provided under the next heading. The Subscriber of the service of certification is, therefore, the customer of the provider of services of certification, according to the commercial law, and has the rights and obligations which are defined by the service provider of certification, which are additional and are understood without prejudice to the rights and obligations of the signatories, as it is authorized and regulated in the European technical standards applicable to the issue of recognized digital certificates (in special ETSI TS , section 4.4, maintained in its later versions, and currently, ETSI in , sections and e) Signatories The undersigned are individuals who possess exclusively the signature key digital for identification and electronic signature Advanced or recognized; being typically holders or members of the administrative bodies, in Organization electronic signature certificates, or persons in the service of the public administrations, in public employee certificates. The signatories are duly authorized by the Subscriber and duly identified in the certificate using its name, and tax identification number valid in the jurisdiction of issuance of the certificate, without its being possible, in general, the use of pseudonyms. Given the existence of certificates for different uses of electronic signatures, such as the identification, is also used the more general term of "individual identified in the certificate", always with full respect to the compliance of the legislation of electronic signature in relation to the rights and obligations of the signatory Users Party users are people and Organizationizations receiving digital signatures and digital certificates.

14 Parties as a prelude to trust certificates, users should verify them, as set out in this statement of certification practices and instructions available on the web site of the certification body Use of certificates This section lists the applications for which each type of certificate can be used, establishes limitations on certain applications, and prohibits certain uses of certificates Uses permitted for certificates Should take into account the permitted uses indicated in the various fields of certificates, visible in the web profiles High level public employee certificates This certificate provides the OID for identification and signature. High level public employee certificates are certificates recognized in accordance with in article 11(1), the content prescribed by article 11.2 and issued to fulfilling the obligations of articles 12, 13, and 17 to 20 of law 59/2003, of 19 December, esignature. These certificates are issued to public servants to identify them as persons in the service of the Administration, agency, or entity of public law, linking them with this, fulfilling the requirements laid down in law 11/2007, of 22 June, of electronic access of citizens to public services and its implementing regulations. High level public employee certificates work with device secure signature creation, in accordance with article 24.3 of the law 59/2003, of 19 December, signature, and give compliance provisions of the regulations by the European Telecommunications Standards Institute, technical identified with TS reference. In addition, certificates of individual high level public employees are issued in accordance with the

15 scheme of identification and electronic signature of public administrations in their upto-date version to date of this document. These certificates guarantee the identity of the Subscriber and the signer, and they allow the generation of the "recognized electronic signature"; i.e., the advanced electronic signature based on a qualified certificate and which has been generated using a secure device, which in accordance with the provisions of article 3 of law 59/2003, of December 19, equates signed written by legal effect, without any other additional requirement. They can also be used in applications that do not require the electronic signature equivalent to the written signature, like the applications listed below: a) Safe . b) Other digital signature applications. EsFIRMA does not offer backup and key recovery services. Therefore, esfirma is not liable under any circumstances for loss of encrypted information that can not be recovered. Applications in the profile of certificate information indicates the following: a) The "key usage" field is activated, and therefore allows to perform the following functions: to. Digital signature (Digital Signature to perform the authentication function) b. Commitment to content (Content commintment, to perform the function of electronic signature) b) "Qualified Certificate Statements" field contains the following statement: to. QcCompliance ( ), which advises that the certificate is issued as recognized.

16 b. QcSSCD ( ), which advises that the certificate is used exclusively in conjunction with a secure signature-creation device Mediumlevel public employee certificates This certificate provides the OID for identification and signature. Mediumlevel public employee certificates are certificates recognized in accordance with in article 11(1), the content prescribed by article 11.2 and issued to fulfilling the obligations of articles 12, 13, and 17 to 20 of law 59/2003, of 19 December, esignature. These certificates are issued to public servants to identify them as persons in the service of the Administration, agency, or entity of public law, linking them with this, fulfilling the requirements laid down in law 11/2007, of 22 June, of electronic access of citizens to public services and its implementing regulations. Mediumlevel public employee certificates cannot guarantee its operation with secure creation devices, referred to in article 24.3 of the law 59/2003, of 19 December. Mediumlevel public employee certificates are issued in accordance with the scheme of identification and electronic signature of public administrations in their up-to-date version to date of this document. These certificates guarantee the identity of the subscriber and the person named in the certificate, and allow the generation of the "advanced electronic signature based on a qualified electronic certificate". They can also be used in applications that do not require the electronic signature equivalent to the written signature, like the applications listed below: a) Safe . b) Other digital signature applications.

17 EsFIRMA does not offer backup and key recovery services. Therefore, esfirma is not liable under any circumstances for loss of encrypted information that can not be recovered. Applications in the profile of certificate information indicates the following: a) The "key usage" field is activated, and therefore allows us to perform the following functions: a. Digital signature (Digital Signature to perform the authentication function) b. Commitment to content (Content commintment, to perform the function of electronic signature) b) "Qualified Certificate Statements" field contains the following statement: a. qccompliance ( ), stating that the certificate is issued as recognized High level organization seal certificates This certificate provides the OID High level organization seal certificates are certificates recognized in accordance in article 11(1), the content prescribed by article 11.2 and issued to fulfilling the obligations of articles 12, 13, and 17 to 20 of law 59/2003, of 19 December, esignature. These certificates are issued for identification and authentication of the exercise of jurisdiction in administrative performance in accordance with article 18.1 of the law 11/2007, of 22 June, automated electronic access of citizens to public services. High level organization seal certificates are issued in accordance with the scheme of identification and electronic signature of public administrations in their up-to-date version to date of this document.

18 These certificates guarantee the identity of the Subscriber, of the public body and, where appropriate, of the titular person of the Organization, which is included in the certificate. EsFIRMA does not offer backup and key recovery services. Therefore, esfirma is not liable under any circumstances for loss of encrypted information that can not be recovered. Applications in the profile of certificate information indicates the following: a) The "key usage" field is activated, and therefore allows us to perform the following functions: a. Digital signature (Digital Signature to perform the authentication function) b. Commitment to content (Content commintment, to perform the function of electronic signature) b) "Qualified Certificate Statements" field contains the following statement: a. QcCompliance ( ), which advises that the certificate is issued as recognized. b. QcSSCD ( ), which advises that the certificate is used exclusively in conjunction with a secure signature-creation device Medium level organization seal certificates This certificate provides the OID

19 Medium level organization seal certificates are certificates recognized in accordance in article 11(1), the content prescribed by article 11.2 and issued to fulfilling the obligations of articles 12, 13, and 17 to 20 of law 59/2003, of 19 December, esignature. These certificates are issued for identification and authentication of the exercise of jurisdiction in administrative performance in accordance with article 18.1 of the law 11/2007, of 22 June, automated electronic access of citizens to public services. Medium level organization seal certificates are issued in accordance with the scheme of identification and electronic signature of public administrations in their up-to-date version to date of this document. These certificates guarantee the identity of the Subscriber, of the public body and, where appropriate, of the titular person of the Organization, which is included in the certificate. EsFIRMA does not offer backup and key recovery services. Therefore, esfirma is not liable under any circumstances for loss of encrypted information that can not be recovered. Applications in the profile of certificate information indicates the following: a) The "key usage" field is activated, and therefore allows us to perform the following functions: a. Digital signature (Digital Signature to perform the authentication function) b. Commitment to content (Content commintment, to perform the function of electronic signature) b) "Qualified Certificate Statements" field contains the following statement: a. QcCompliance ( ), which advises that the certificate is issued as recognized.

20

21

22

23 Limits and prohibitions of use of certificates Certificates are used to its own function and purpose established, unless they can be used in other functions and for other purposes. Similarly, certificates must be used only in accordance with applicable law, especially taking into account restrictions on import and export existing at all times. Certificates cannot be used to sign petitions for issuance, renewal, suspension or revocation of certificates, or to sign any public key certificates, or to sign lists of revoked certificates (CRL). Certificates are not designed, do not they can allocate and does not authorize its use or resale as control equipment in hazardous situations or for applications that require actions to be judgment proof, as the operation of nuclear facilities, navigation systems or air communications systems of arms control, where a failure could directly lead to the death, personal injury, or severe environmental damage. Should take into account the limits indicated in the various fields of the certificate profiles, visible on the web ( The use of digital certificates in a way that is a default this DPC and other applicable documentation, especially the contract with the Subscriber and the texts of disclosure, or PDS, has consideration of abuse to the opportune legal effects, and relieve esfirma of any responsibility by this abuse, either the signer or any third party. EsFIRMA does not have authorized access and legal obligation to supervise the data upon which the use of a certified key can be applied. Therefore, and as result of this technical impossibility of access to the contents of the message, is not possible by esfirma rating any content the above, assuming therefore the Subscriber, the signatory or the person responsible for the custody, any resulting liability of content coupled with the use of a certificate.

24 You will also be attributable to the Subscriber, the signatory or the person responsible for the custody, any liability that might arise from the use of the same outside the limits and conditions of use contained in this DPC, binding each certified legal documents, or contracts or agreements with entities registry or with your subscribers, as well as of any other improper use of the same derivative of this section or which can be interpreted as such in function of the legislation in force Administration of the policy Organizationization administering the document AULOCE S.A.U. (esfirma) CALLE BARI 39 (Bldg. Binary Building) ZARAGOZA (+ 34) Identification registry Registro Mercantil de Zaragoza Tomo 2649 Folio 215 Sheet Z CIF A Contact details for the Organizationization AULOCE S.A.U. (esfirma) CALLE BARI 39 (Bldg. Binary Building) ZARAGOZA (+ 34)

25 Document management procedure Documentary and esfirma Organizationization system guarantees, through the existence and application of the relevant procedures, the correct maintenance of this document and the specifications of service related to the same.

26 2. Publication of information and certificate s repository 2.1. Certificate s repository EsFIRMA has a repository of certificates, which publishes information concerning the certification services. This service is available 24 hours 7 days a week and, in case of failure of the system beyond control of esfirma, this will make its best effort so that the service will be available again in the period specified in section this certification practice statement 2.2. Publication of information of the certification service provider EsFIRMA publishes the following information in your deposit: The certificates issued, if consent of the person identified in the certificate was obtained. Lists of revoked certificates and other certificates revocation status information. Applicable certificate policies. The certification practice statement. The texts of disclosure (PKI Disclosure Statements - PDS), at least in Spanish and in English language Frequency of publication Information from the provider of certification services, including policies and certification practices statement, is published as soon as it is available. Changes in the certification practice statement is governed by the provisions of section 1.5 of this document.

27 Status of certificate revocation information is published in accordance with the provisions of sections and of this statement of certification practices Access control EsFIRMA does not limit read access to the information set out in section 2.2, but establishes controls to prevent unauthorized persons can add, modify, or delete records from the tank, to protect the integrity and authenticity of the information, especially the revocation status information. EsFIRMA employs reliable systems for deposit, in such a way that: Only authorized persons can make entries and changes. The authenticity of the information can be checked. Certificates are only available for consultation if the person identified in the certificate has lent his consent. Any technical changes affecting the safety requirements can be detected.

28 3. Identification and authentication 3.1. Initial registration Types of names All certificates contain a distinct name X.501 in the field Subject, including a component Common Name (CN =), the identity of the Subscriber and the individual identified in the certificate, as well as various additional identity information in the SubjectAlternativeName field. The names contained in the certificates are as follows Certificate of high level public employee Country (C) Organizationization (O) Surname Given Name Serial Number Title Common Name (CN) ID number of the person responsible for OID: Number of personal authentication OID: First name OID: "IS" ("Official" name) name of administration, agency or entity of public law certificate subscriber, which is linked employee First and second name, in accordance with document of identity (passport) Name, in accordance with document of identity (passport) ID number of the employee Post or by the physical person, which links you with administration, agency, or entity of public law certificate subscriber. Name surname1 surname2 - NIF of the employee DNI or NIE of the responsible NRP or the person in charge of the Subscriber of the certificate pin Name of the person responsible for the certificate

29 First surname OID: Second surname OID: OID: First name of the person responsible for the certificate Maiden name of the person responsible for the certificate address of the person responsible for the certificate Certificate of mid-level public employee Country (C) Organizationization (O) Surname Given Name Serial Number Title Common Name (CN) "IS" ("Official" name) name of administration, agency or entity of public law certificate subscriber, which is linked employee First and second name, in accordance with document of identity (passport) Name, in accordance with document of identity (passport) ID number of the employee Post or by the physical person, which links you with administration, agency, or entity of public law certificate subscriber. Name surname1 surname2 - NIF of the employee ID number of the responsibility OID: Number of personal authentication OID: First name OID: First surname OID: Second surname OID: OID: DNI or NIE of the responsible NRP or the person in charge of the Subscriber of the certificate pin Name of the person responsible for the certificate First name of the person responsible for the certificate Maiden name of the person responsible for the certificate address of the person responsible for the certificate

30 Certificate of seal body, high level Country (C) Organizationization (O) Surname Given Name Serial Number Common Name (CN) ID number of the person responsible for OID: First name OID: First surname OID: Second surname OID: OID: "IS" The Subscriber name ("official" name of the Organizationization) Name of the responsible creator of seals Name of the responsible creator of seals ID number of the subscribing Organizationization Name of system or application of automatic process. DNI or NIE of the head of the seal Name of the person in charge of the seal First name of the person in charge of the seal Maiden name of the person in charge of the seal of the person in charge of the seal Seal body, medium level certificate Country (C) Organizationization (O) Surname Given Name Serial Number Common Name (CN) ID number of the person responsible for OID: "IS" The Subscriber name ("official" name of the Organizationization) Name of the responsible creator of seals Name of the responsible creator of seals ID number of the subscribing Organizationization Name of system or application of automatic process. DNI or NIE of the head of the seal

31 First name OID: First surname OID: Second surname OID: OID: Name of the person in charge of the seal First name of the person in charge of the seal Maiden name of the person in charge of the seal of the person in charge of the seal

32 Meaning of names The names contained in the SubjectAlternativeName of certificates and SubjectName fields are understandable in natural language, as specified in the previous section Use of anonymous and user IDs Any user IDs can be used to identify an entity/company/organizationization, anonymous certificates, nor a signatory, and in any case are issued to except that, for reasons of public security, electronic signature systems can refer only to the professional public employee identification number Interpretation of names formats The formats of names shall be interpreted in accordance with the law of the country of establishment of the Subscriber, on their own terms. The "country" field will always be Spain by be issued exclusively to Spanish public administrations. The certificate shows the relationship between an individual and the Administration, agency or entity of public law with which it is linked, regardless of the nationality of the individual. This derives from the corporate nature of the certificate, which is Subscriber Corporation, and the individual linked the person authorized to use.

33 The certificates issued to Spanish subscribers, the "serial number" field should include the NIF of the signer, the effect of the admission of the certificate for the completion of formalities with the Spanish authorities Uniqueness of names The names of the subscribers of certificates will be unique for each certificate of esfirma policy. You can assign a name of Subscriber that has already been used, a different subscriber, which in principle is not be given, thanks to the presence of the number of tax identification, or equivalent, in the naming scheme. A Subscriber can request more than one certificate provided that the combination of the following values in the application was different from a valid certificate: Identification number Fiscal (NIF) or other legally valid identifier of the physical person. Identification number Fiscal (NIF) or other legally valid identifier of the Subscriber. Certificate type (field description of the certificate) Resolution of conflicts related to names The requesters shall not include names in applications that may involve a violation, by the future subscriber, of third party rights. EsFIRMA shall not be obliged to first determine that a certificate applicant has intellectual property rights over the name that appears in a certificate request, but in principle proceed to certify it. Likewise, it will not act as arbitrator or mediator, nor in any way it must resolve dispute relating to ownership of names of people or Organizationizations, domain names, trade marks or trade names. However, if you receive a notification regarding a conflict of names, in accordance with the legislation of the country of the Subscriber, may undertake actions relevant to block or withdraw the certificate issued.

34 In any case, the certification service provider reserves the right to reject an application for certificate due to naming conflict. Any dispute or conflict resulting from this document, will be resolved definitively through arbitration of right to an umpire, in the framework of the Spanish Court of arbitration, in accordance with its regulations and statutes, to which is entrusted the administration of the arbitration and the designation of the arbitrator or arbitral tribunal. The parts made to record their commitment to comply with the award rendered in the contractual document that formalizes the service Initial identity validation The identity of the subscribers of certificates is fixed at the time of the signing of the contract between the Subscriber and esfirma, time in which verifies the existence of the Subscriber, and provided supporting documentation of their identity and the charge or condition in which signs, in accordance with stated in the rules of administrative law that applies. The identity of the individuals identified in the certificate subscriber certificates is validated through corporate records management, agency, or entity of public law. The Subscriber, using administrative certification issued by the Secretary of the Town Hall, will produce a certification of the necessary data, and may refer to esfirma, by media that this enabled, for the registration of the identity of the signers. When the Subscriber does not have secretarial, this certification will be issued by the head of the designated certification service. The files of personal data of each administration, agency, or entity of public law must be registered in the protection data agency corresponding, for each of them, being their responsibility, and not that of esfirma, which acts as a processor, as described in section 9.4 of this DPC Proof of possession of private key Possession of the private key is shown under the reliable procedure of delivery and acceptance of the certificate for the signer.

35 Authentication of the identity of the Subscriber acting through a representative Natural persons with capacity to act on behalf of an administration, agency, or entity of public law subscriber certificates, may act as representatives of the same in relation to provisions of this DPC, provided there is a prior legal or voluntary representation between the physical person and the Administration, agency or entity of public law subscriber certificates, which requires its recognition by esfirma, which will be made by the following person: 1 subscriber representative will meet in person with an authorized representative of esfirma, where you will have a form of authentication. Alternatively, the representative of Subscriber product review esfirma form upon completion. 2 representatives shall complete the form with the following information and which will accompany the following documents: or Their identification, as representative data: Name and surname Place and date of birth Document: NIF of the representative or The identification data of the Subscriber that represents: Name of the Administration, agency, or entity of public law. Information about the extent and term of the powers of representation of the applicant. Document: NIF of administration, agency, or entity of public law. Document: Documents that serve to demonstrate the extremes cited in an irrefutable manner in accordance with stated in the rules of administrative law which is application, and its registration in the corresponding public if so log is required. or The data relating to the representation or the ability to act that holds:

36 The validity of the representation or the power to Act (start and end date). The scope and the limits, if any, of the representation and the ability to act: TOTAL. Representation or total capacity. PARTIAL. Representation or partial capacity. 3 completed and signed the form, it will be signed and given to esfirma along with the supporting documentation indicated. 4 esfirma staff will verify the identity of the representative upon presentation of ID, as well as the content of the representation with the documentation. 5 esfirma staff will deliver a proof of authentication and will return the documentation provided. 6 Alternatively, in accordance with article 13(1) of the law 59/2003, of 19 December, you can legitimize notary signing the form, and be sent to esfirma by certified postal mail, in which case the steps 3 to 5 above will not be accurate Authentication of the identity of a natural person This section describes the methods of verification of the identity of an individual identified in a certificate In the certificates The identifying information of individuals identified in the certificate is valid by comparing the information from the request of the Administration, agency, or entity of public law subscriber certificates, records of administration, agency, or entity of public law to which it is linked, generated as indicated in point 3.2, 2nd paragraph of this DPC, ensuring the correctness of the information certify Need for personal presence

37 Certificate request For the request of certificates is not required direct physical presence due to the relationship already accredited between the physical person and Administration, agency, or entity of public law to which it is linked, and that this request is made by an operator authorized by the Subscriber in the contract. Direct physical presence of the signer is not required to accept the certificate that cases in which a subject already previously identified under its relationship with the Administration, agency, or entity of public law concerned, sign the acceptance through its electronic ID. When using electronic ID signature is not possible, the signer must print document sheet of acceptance for his signature before the person in charge of ID, which must check the identity of the natural person identified in the certificate by its physical presence. During this process is irrefutably confirmed the identity of the natural person identified in the certificate. For this reason, it is only necessary to verify the identity of the physical person signing in the case where is not possible signature acceptance using his electronic identity card in person. Certificate renewal If any of the information of the individual identified in the certificate has changed, will be necessary to properly record the new information and there will be an authentication completes, by personal identification before the operator authorized by the Subscriber, which must check the identity of the natural person Bonding of the individual The documentary justification of tying an individual identified in a certificate with the Administration, agency, or entity of public law to which it is linked is given by their perseverance in the administration of personnel records, agency or entity of public law to which the individual is linked.

38 Non verified subscriber information EsFIRMA does not include any subscriber information unverified on the certificates Identification and authentication of renewal applications Validation for the routine of certificate renewal Before you renew a certificate, esfirma checks that the information used to verify the identity and the remaining data of the Subscriber and the individual identified in the certificate remain valid. Acceptable methods for this check are: The use of a "verification of identity phrase", or other methods of personal authentication, which consists of information that only knows the individual identified in the certificate, and that allows you to automatically renew your certificate, provided that the legally established deadline not expired. The use of the certificate valid for its renewal, provided that in the case of a certificate issued by esfirma and it is not over the maximum legally established for this possibility. The use of the electronic ID by the signer. If any of the information of the individual identified in the certificate has changed, will be necessary to properly record the new information and authentication will be complete, in accordance with section identification and authentication of the request for renewal after revocation prior Before generating a certificate to a Subscriber whose certificate was revoked, esfirma will verify that the information used in your day to verify the identity and the remaining data of the Subscriber and the individual identified in the certificate remains valid, in which case applies the provisions of the previous section. The renewal of certificates after the revocation will not be possible in the following cases:

39 The certificate was revoked by erroneous issuance to a person other than the one identified in the certificate. The certificate was revoked by issuing unauthorized by the individual identified in the certificate. The revoked certificate may contain erroneous or false information. If any information of the Subscriber or the person identified in the certificate has changed, the new information is properly recorded and occurs a complete authentication, as specified in the section Identification and authentication for revocation request EsFIRMA authenticates requests and reports relating to the revocation of a certificate, verifying that they come from an authorized person. Acceptable methods for this test are the following: The sending of a request for revocation by part of the Subscriber or the person identified in the certificate, signed electronically. The use of the "verification of identity phrase", or other methods of personal authentication, which consists of information that only knows the individual identified in the certificate, and that allows you to revoke your certificate automatically. The physical representation in an office of the entity Subscriber. Other means of communication, like the telephone, when there is reasonable assurance of the identity of the applicant for revocation, in the view of esfirma Authentication of a request for suspension Suspension request will be made by the Administration, agency, or entity of public law subscriber in 24 x 7 hours.

40 When during office hours the subscriber wishes to initiate a request for revocation and there are doubts for identification, your certificate becomes suspension status.