Certification Policy for Legal Representatives of Legal Persons Certificate. Certificate Profile

Transcription

1 Certificate. Certificate Profile Registro Nacional de Asociaciones. Número CIF G ANF AC MALTA, LTD Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web:

2 Security Level Public Document Important Notice This document is property of ANF AC MALTA Distribution and reproduction prohibited without authorization by ANF AC MALTA Copyright ANF AC MALTA 2017 Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web: 2

3 Certificate (AUTHENTICATION) (SIGNATURE) (ENCRYPTION) TOKEN BY SOFTWE - HSM TOKEN Field OID value Standard APP Clarification Cri t Man d Version 2 = (V3) RFC 5280 Integer: =2 ([RFC5280] describes the certificate version when using extensions e.g. v3 its value must be 2) Serial number RFC 5280 Automatically set by ANF AC. [RFC5280] positive integer, no more than 20 octets ( ) It is used to univocally identify the certificate SignatureAl gorithm sha256withrsaencryption RFC 5280 String UTF8 (40) Signature Algorithm identifier. Identifying the algorithm type. SignatureH ashalgorith m sha256 Identifier of the signature hash Algorithm Common Name (CN) e.g. ANF Trusted ID CA1 Common name of the CA issuing the certificate SERIALNUMBER MT ANF AC s VAT number This is the VAT number. Identification of the Organisation Identifier At present ANF AC does not include it. eidas issuer organization. As specified in clause of ETSI EN [7]. Address (E) info@anfacmalta.com CA Organisational Unit (OU) Organizational unit within the Certification Services Provider responsible for the certificate issuance As it appears in the certificate of the issuer. (String UTF8) Size [RFC 5280] Organisation (O) e.g. ANF AC Malta, Ltd Official name of the Certification Services Provider Locality (L) e.g. Qormi (see current address at Locality/address of the Certification Services Provider 3

4 (String UTF8) Size [RFC 5280] 128 State (ST) e.g. Qormi State of the Certification Services Provider Country (C) e.g. MT (2 character ISO 3166 country code [5]) Country of the Certification Services Provider (PrintableString) It will be coded according to ISO alpha- 2 code elements Size 2 [RFC 5280] AuthorityCe rt (String UTF8) Size 128 Name of the CA to which it corresponds the keyidentifier AuthorityCe rtserialnum ber (Integer) Serial number of the CA certificate Identifier of the issuer entity key - Authority KeyIdentifie r Hash with SHA1 of the public key used to sign the certificate RFC 5280 (String UTF8) Identifier derived from using the hash function on the public key of the subject. It is a means to identify the public key corresponding to the private key used to sign a certificate Alternative Name Valid from NotBefore Valid until Validity start date NotAfter Validity end date Country (C) Subject's country = subscriber Two-digit country code ISO According to ETSI-QC this field must be completed obligatorily See RFC 3739 / ETSI Locality (L) Subject's city (String UTF8) Size [RFC 5280] State (ST) Subject's state Address (E) Subject's SERIAL NUMBER (SN) E.g.: IDCMT A. 3 characters to indicate the (Printable String)) Size [RFC 5280] 64 Tax Identification number of the subject Preferably the semantics proposed by the standard ETSI 4

5 document number (IDC= national identity document) + 2 characters to identify the country (MT) + ID number EN will be used OrganisationId entifier The certificate must include at least= Serial Number or OrganizationIdentifi er (VAT number), e.g. VATMT According to the technical standard ETSI EN (VATES + VAT number of the entity) VAT number. VAT number, as it appears in the official registries. Coded According to the European Standard EN Do not confuse with the National /Foreign Citizen ID Card (DNI), it is the VAT number for the EU OrganizationN ame (O) e.g. Company name. ETSI EN [i.4], clause 5 Corporate name, as stated in official registries Given Name (G) First name of the legal representative, according to identity document (National/Foreign Citizens ID Card / Passport) (String UTF8) Size 40. Mandatory according to ETSI EN Name of legal representative (as it appears on his/her National/Foreign Citizens ID Card / Passport). Surname(s) of the legal representative SurName (SN) First surname, blank space, second surname of the person responsible for the certificate in accordance with the National ID Card or in case of a foreigner the passport (String UTF8) Size 80. Mandatory according to ETSI EN Surname(s) (as it appears on his/her National/Foreign Citizens ID Card / Passport) Common Name (CN) (String UTF8) Size 132 [RFC 5280] The name and two surnames must be entered in accordance with an identity document (National/Foreign Citizens ID Card / Passport) Organisational Unit (OU) AUTHENTICATION SIGNATURE Cryptographic software token SIGNATURE SSCD token SIGNATURE Centralized Service ENCRYPTION Legal Representative of a Legal Person Certificate (AUTHENTICATION) Legal Representative of a Legal Person Certificate (SIGNATURE). Legal Representative of a Legal Person Certificate (SIGNATURE) SSCD Legal Representative of a Legal Person Certificate (SIGNATURE) CS Legal Representative of a String UTF8) Size [RFC 5280] 128 the concept. the suffixes SIGNATURE AUTHENTICATIO N, and ENCRYPTION Description of certificate type 5

6 Description e.g. Legal Person Certificate (ENCRYPTION). Registration Number: XXX / Date of Registration: XXX / Name of Company: XXX / Registered Office: XXX Codificatio n of the public document that certifies the faculty of the signatory or the registration data Title (T) e.g. Sole Administrator Type of legal empowerm ent of the legal representat ive. SubjectAlternativeName e.g.: peter@cial.com Name RFC822 (String) Size [RFC 5280] 255 of the person responsible for the certificate DNSName Directory Name e.g.: May include web URL SubjectAlter nativename UTF8 String. UTF8 String. First name of legal representative First surname of legal representative UTF8 String. Second surname of legal representative UTF8 String. National/Foreig n Citizens ID Card of legal representative e.g.: passport UTF8 String. Type of identity document submitted by the legal representative 6

7 e.g.: Maltese UTF8 String. Nationality of the legal representative SubjectDirectoryAttributes TelephoneNumber Facsimile StreetAddress PostalAddress PostalCode e.g.: SHA256-gsq33wq/udldyk5ZN84paMeYx Subscriber's telephone Subscriber's fax Subscriber's address Subscriber s postal address Subscriber s postal code It is the hash of the document that accredits mandate or power in favor of the subject SubjectDire ctoryattribut es e.g.: localizador =OID ) It is the link that allows to download the document that accredits mandate or power in favor of the representative e.g Request locator (Sequential of processidentifier of RA or IRM Operator that processed it) Identifier of RA Operator who processed the request e.g NOTE: In the case of RA, IRM or PKI Operator certificates, this OID corresponds to the identifier of the operator holding the certificate, outlined in the 7

8 first part of the code Full name of the country to which the issuance corresponds The certificate is subjected to the legislation of that country e.g. Qualified certificate e.g. Purchase contracts signing e.g Qualification with which the certificate was issued Limitation of liability assumed by the CA Use of the certificate limited to the concept expressed in this field Limitation of use of the certificate by amount Currency in which values are expressed e.g. euros Identifier of the Recognized Registration Authority to which the RA operator belongs Automatically completed by RA office holder Automatically completed by RA operator department 8

9 Automatically completed by UUID of the Electronic Signature Device that stores the certificate Automatically completed by ONLY if it is a HSM token Descriptive business or professional aspects of the activity professional aspects of interest suffix 01 professional aspects of interest suffix professional aspects of interest suffix Legal form of the subscriber Year of origin of the activity Own trademarks or tradenames Trademarks it distributes suffix 1 Trademarks it distributes suffix 2 Trademarks it distributes suffix 3 Geographical scope in which it carries out its activity Addresses places headquarters Offices suffix 9

10 e.g.: desktop v.3.6 Offices suffix 02 Offices suffix 03 Companies with which it relates Companies with which it relates Companies with which it relates suffix 01 Companies with which it relates suffix 02 Banking entities with which it has relationships Current accounts, SWIFT economic information economic information suffix 01 economic information suffix 02 economic information suffix 03 Number of employees program used for processing and version Subject Key Identifier Hash in SHA1 of the public key used to RFC 5280 In accorda nce with standard Identifier derived from using the hash function on the public key of the subject 10

11 sign the certificate s RFC245 9 & PKCS#1 (String UTF8) SubjectPubl ickeyinfo RSA (2048) RSA in accorda nce with RFC 4055 [1 0] and ECC algorith m in accorda nce with the RFC 5639 [11] Field to transport the public key and to identify the algorithm with which the key is used. AccessMethod [1] [1] Access to authority information Id-ad-ocsp with OID: (OCSP) Access method = On line certificate status protocol ( ) Access to issuer entity information AccessLocation [1] Alternative name: URL address= OCSP Responder address AccessMethod [2] id-ad-cas with OID AccessLocation [2] URL address= Location of CA certificate [1] CRL distribution point crldistributionpoint [1] Distribution point name: Full name: Indicates CRL download point. CRL distribution points DistributionPoint [2] URL address Distribution point of the web where the CRL resides (HTTP or LDAP) number 2 DistributionPoint [3] Distribution point of the web where the CRL resides (HTTP or LDAP) number 3 Qualified Certificate Statement QcComplian ce SIGNATURE / AUTHENTICAT ION Present if the certificate is issued with the recognized qualification. Annex I eidas qcstatements in accordance with 11

12 ETSI EN TSI EN , before ETSI TS QcSSCD Only included in the SIGNATURE type ONLY if the device is SSCD Secure Signature Creation Device (SSCD) It is not included in the ENCRYPTION, nor AUTHENTICATION one. Determines that the private key associated with the public key contained in the electronic certificate is on a secure signature creation device, Regulation (EU) 910/2014 [I.8] id-etsi-qcsqctype clause in ETSI EN Not included in the ENCRYPTION, nor in the AUTHENTICATION one QcTypeesign SIGNATURE QcType 1 ONLY in the profile (SIGNATURE), QcType 1is outlined ETSI EN It allows automatic systems to determine that it is a certificate of the type SIGNATURE. It follows the following encoding: id-etsi-qct-esign (id-etsi-qcs-qctype 1) id-etsi-qct-eseal (id-etsi-qcs-qctype 2) id-etsi-qct-web (id-etsi-qcs-qctype 3) QcPDS SIGNATURE / AUTHENTICAT ION m URL which allows Access to all the PKI policies in English. Https protocol It is not included in the ENCRYPTION type ETSI EN QcLimitValu e SIGNATURE / AUTHENTICAT ION Limit amount of liability assumed by the issuer expressed in EUROS <QcLimitValue> <money>eur</money> <qcbase>1</qcbase> <qcexp>3</qcexp> </QcLimitValue> Not included in the ENCRYPTION type QcRetention Period SIGNATURE / AUTHENTICAT ION Integer: =15 ([ETSI EN ] Describes the conservation Not included in the ENCRYPTION type 12

13 period of all information, relevant to the use of a certificate, after its expiration) semnaticsid- Natural SIGNATURE / AUTHENTICAT ION To indicate the semantics of a natural person defined by the EN Not included in the ENCRYPTION type PolicyIdentifi er PolicyIdentifi er (AUTHENTICATION) (SIGNATURE) Cryptographic software token (ENCRYPTION) (SIGNATURE) HSM token (SIGNATURE) Centralized Service [1] Certificates policy: Policy identifier = [1] Certificates policy: Policy identifier = [1] Certificates policy: Policy identifier = [1] Certificates policy: Policy identifier = [1] Certificates policy: Policy identifier = (AUTHENTICATION) (SIGNATURE) [1,1] Policy certifier information: ANF AC proprietary OID Certificate Policies PolicyCPSLo cation Policy certifier ID =CPS Certifier: [1,2] Policy certifier information: User notice Policy certifier ID = User notice Certifier: Notice text = Certificate in compliance to electronic signature legislation. Before accepting it verify integrity, limitations, validity, and authorized uses. Maximum 200 characters. A statement is made by the issuing CA, which refers to certain legal norms. PolicyIdentifi er ONLY FOR SIGNATURE TYPE HSM TOKEN SOFTWE TOKEN qcp-naturalqscd ( ) qcp-natural ( ) Qualified signature certificate, according to Regulation EU 910/2014 According to Regulation eidas Fields conditioned by the use of the BusinessCategory PrivateOrganization GovernmentEntity for private organization for public entity 13

14 certificate BusinessEntity for company Non-commercialEntity for non-commercial entity JurisdictionOfIncorporationLoc alityname Locality locality in which the company is registered JurisdictionOfIncorporationStat eorprovincename Province province in which the company is registered JurisdictionOfIncorporationCo untryname Country country in which the company is registered Basic Constraints Type of matter =End entity Route Length Restriction =None CA = FALSE determines that it is an enduser certificate Y E S Key usage Certificate Type: SIGNATURE Certificate Type: AUTHENTICATION Non-repudiation (c0) Electronic signature, Nonrepudiation (c0) KeyEncipherment, Y E S Certificate Type: ENCRYPTION dataencipherment Extended key usage Signature / Authenticati on Client Authentication Secure mail Identification algorithm sha1 Signature Value Signature encoded as bit chain Digital Fingerprint Certificate digital fingerprint Descriptive Name Automatically completed by The name and two surnames must be entered in accordance with an identity document (National/Foreign Citizens ID Card). ETSI EN v2.1.1 (Part 2: Certificate profile for certificates issued to natural persons) defines the content requirements of certificates issued to natural persons. The profile is based on the IETF RFC 5280 recommendations and the ITU-T X.509 standard. The information used to define the identity and attributes of the natural person certificate signatory, without pseudonyms, is broken down into the following fields: 14

15 Field Subject, using the attributes commonname, surname (or givenname) and countryname. In the attribute SerialNumber, can be include the National / Foreign Citizen ID Card of the signatory. Extension Subject Alternative Names. No restrictions are included. Extension Subject Directory attributes. The attributes of the Subject field should not be included. OIDs for qualified certificates The coding of certain features of the qualified certificates are outlined by specific OIDs (Object Identifier). The technical standard that indicated them was the ETSI TS , that reflected with the following OID (now obsolete): And defining the information of the qualified certificate statement (QC-Statement) with the OID: At present, the standard of application is the ETSI EN which has resulted in the information on qualified certificates, not included in the previous standard, be reflected with a new OID: Therefore, qualified certificates will be able to indicate certain features of the certificates with OIDs that begin with (Originally designed for electronic signature of natural persons according to the Directive 1999/93, but nowadays also suitable for legal persons due to the extension of concepts such as the electronic seal of Regulation EU 910/2014 EIDAS) and others with OID that begin with (specifically to differentiate the certificates of natural and legal person as the Regulation EU 910/2014 EIDAS does). These are the main OIDs: 15

16 qcstatement QcCompliance (Mandatory) qcstatement QcLimitValue qcstatement QcRetentionPeriod qcstatement QcSSCD qcstatement QcPDS (Mandatory) qcstatement QcType -- QC type identifiers id-etsi-qct-esign OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 1 } -- Certificate for electronic signatures as defined in Regulation (EU) No 910/2014 id-etsi-qct-eseal OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 2 } -- Certificate for electronic seals as defined in Regulation (EU) No 910/2014 id-etsi-qct-web OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 3 } -- Certificate for website authentication as defined in Regulation (EU) No 910/ > id-etsi-qcs-semanticsid-natural -> Natural person semantics (for natural person certificates electronic signature) > id-etsi-qcs-semanticsid-legal -> Legal person semantics (for legal person certificates electronic seal) qcstatement QcPDS (Mandatory). It will provide at least one URL to a PDS (PKI Disclosure Statements) in English. Other PDS documents can be referenced in other languages with this QCStatement provided they are equivalent to the PDS in English. No reference should be made to more than one PDS per language qcstatement QcType: id-etsi-qct-esign ( ) QcType 1 id-etsi-qct-eseal ( ) QcType 2 id-etsi-qct-web ( ) QcType 3 16