ECA Trusted Agent Handbook

Transcription

1 Revision 8.0 September 4, 2015

2 Introduction This Trusted Agent Handbook provides instructions for individuals authorized to perform personal presence identity verification of subscribers enrolling for Symantec External Certificate Authority (ECA) digital certificates. Symantec is a U.S. Government-approved Certification Authority (CA) authorized to issue ECA certificates to entities needing to conduct business with government organizations. Subscribers of ECA certificates include government (federal, state and local) contractors, government (state and local) employees and other entities doing electronic transactions with government agencies. ECA certificates enable secure electronic communication and transactions with government entities and departments. Symantec ECA certificates can be used for authentication at government Web sites and to digitally sign and encrypt , documents, and electronic forms. A digital certificate is an electronic credential that uses public key cryptography. Each holder of a digital certificate has a public/private key pair. The private key, which is held securely by the holder, is used for creating digital signatures. The public key, which may be widely distributed, is used to enable other users to encrypt messages to the holder of the private key. In order to rely on a public key, it is necessary that it be certified by an entity called a CA. The CA binds a user s public key to their identity, certifies the public key, and creates the electronic credential called a digital certificate. Government policy requires that before an individual can be issued an ECA certificate, the subscriber s identity must be verified by appearing before a notary, a Trusted Agent, a U.S. consular officer or an authorized DoD employee. For verification purposes, government policy permits the use of an authorized Trusted Agent to perform in-person identity verification of your organization s certificate subscribers. As a Trusted Agent for your organization, you will be performing a key role in the validation of the identity of subscribers enrolling for Symantec ECA certificates. Your responsibilities include: Verifying subscriber identity and country of citizenship Electronically submitting enrollment, revocation, and key recovery requests to Symantec Archiving subscriber enrollment, revocation, and key recovery forms 2

3 Enrolling as a Trusted Agent The following instructions define the procedures and policies for becoming a Trusted Agent and executing the duties of a Trusted Agent. To become a Trusted Agent (repeat for each new Trusted Agent in your organization): 1) Complete the Trusted Agent Authorization Form The Trusted Agent Authorization From (found in Exhibit 1 at the end of this handbook) identifies you to Symantec as a designated representative of your organization. It verifies that you are authorized to perform the role of Trusted Agent for certificate subscribers at your organization. 2) Enroll for your own Symantec ECA Certificate Enroll for an ECA Certificate at For the Enrollment Method, select Subscriber Enrollment Using Notary. Note: When you enroll for your ECA Certificate, you are required to appear before a notary to verify your identity. After you become a Trusted Agent, you are authorized to perform the function of the notary for your organization s ECA Certificate subscribers. 3) Send the completed forms to Symantec Mail the Trusted Agent Authorization Form, the Subscriber Enrollment Form, and your company documentation (if applicable) to Symantec at the address specified on the Subscriber Enrollment Form. Note: If you already have an ECA Certificate, you only need to fax the Trusted Agent Authorization Form to the authentication team of Symantec at ) Install your ECA Certificate and configure your client After Symantec approves your application, you will receive an with instructions for downloading and installing your ECA Certificate. Install your ECA Certificate and set up your client (for example, Microsoft Outlook) to sign and encrypt messages. You are now ready to function as your organization s Trusted Agent. Note: For details on configuring your client to sign and encrypt messages with your ECA Certificate, go to 3

4 Trusted Agent Procedures 1) Send the ECA Certificate enrollment instructions to each subscriber Before you can validate a subscriber s identity, the subscriber must enroll on the Symantec ECA Web site and select Subscriber Enrollment Using Trusted Agent. Provide your subscribers with the following enrollment information: ECA enrollment and installation instructions Follow the forms found on ECA enrollment form Your Symantec ECA Sales Order Number If you do not have your ECA sales order number, contact Symantec at eca_sales@symantec.com or (option 3). Also ensure your subscribers know your organization s legal name, exactly as it should be entered in the enrollment form. All subscribers must have their identity verified in person, either by appearing before a Trusted Agent (preferred method), a notary, or a U.S. consular officer. 2) Verify the subscriber s identity Your responsibilities include ensuring that the subscriber s identity is verified according to the ECA policy. You can meet directly with the subscriber or review the subscriber s notarized documentation: 2.1) If you meet face-to-face with the subscriber: a) The subscriber must present the enrollment form generated and printed during certificate enrollment. Review the form and make sure the form contains the subscriber s name, address, and your organization name. Section 1, Subscriber Information, must not contain any changes or modifications. b) Examine the following forms of identification presented by the subscriber. Acceptable forms of identification are: One government-issued photograph ID for proof of identity, such as a driver's license or military ID. One document for proof of citizenship, such as a passport, certified birth certificate, or certificate of naturalization or citizenship. **One document for proof of organizational affiliation, such as an employee ID that includes a photograph and which identifies the organization name. **Important: If the subscriber does not present an employee ID, you are responsible for verifying that the subscriber is a current member of the organization. Make sure there are no signs of forgery or modification of the IDs. c) On the Subscriber Enrollment Form, record the type, serial number, and expiration date for each ID presented by the subscriber. d) Have the subscriber sign the Subscriber Enrollment Form in Section 1, acknowledging 4

5 that he or she has read the Symantec ECA Subscriber Agreement and understands and accepts the responsibilities, including protection of the private key and using the ECA Certificate according to the terms and conditions set forth in the External Certificate Authority Certificate Practices Statement (CPS). e) Complete and sign Section 2 of the Subscriber Enrollment Form. f) Make a copy of the Subscriber Enrollment Form for the subscriber. g) File the original Subscriber Enrollment Form. h) Advise the subscriber that the encryption key will be escrowed at Symantec and may be recovered by the organization or a duly authorized law enforcement agent. 2.2) If you do not meet face-to-face with the subscriber: a) The subscriber must visit a public notary or a U.S. consular officer to present all forms of identification (as described above in section 2.1, step b), and have the Subscriber Enrollment Form notarized. b) The subscriber then sends you the notarized form he or she presented to the public notary or U.S. consular officer. c) Carefully examine the Subscriber Enrollment Form for accuracy, completeness, and to ensure that the form was properly signed and notarized. Make sure there are no signs of forgery or modification of the IDs. Important: If the subscriber does not use an employee ID for the second form of identification, you are responsible for ensuring the subscriber is a current member of the organization. 3) Enter subscriber enrollment information in the Bulk Enrollment Data Form Upon the approval of your application for enrolling as a Trusted Agent, you should have received the Bulk Enrollment Form Excel workbook. If you do not have this document, contact Symantec at eca-authentication@symantec.com. The Bulk Enrollment Form is an Excel workbook used to submit your subscribers enrollment data to Symantec. It includes the Bulk Enrollment Data Form and the Bulk Transmittal Form. The Bulk Enrollment Data Form contains one line for each subscriber. Insert additional lines as necessary for the total number of subscribers you are entering in the form. Important: Carefully enter the first name, last name, address, and country of citizenship for each subscriber exactly as shown on the Subscriber Enrollment Form. It is very important that this data is correct and current, as it will be used to approve the subscriber s ECA Certificate. 4) Complete the Bulk Transmittal Form The Bulk Transmittal Form is also located in the Bulk Enrollment Form Excel workbook. It contains the Trusted Agent (submitter) information, your corporate information, and your Sales Order Number. If you do not have your Sales Order Number, get it from your purchasing department or contact Symantec at eca_sales@symantec.com or , option 3. You must include your Dun and Bradstreet (D&B) number, as Symantec is required to verify the legitimacy of your organization. Also read the submitter acknowledgement to confirm that you have followed the required procedures for the Bulk Enrollment Form. 5

6 5) Securely send the Bulk Enrollment Form to Symantec Compose an and send the Bulk Enrollment Form Excel workbook to Digitally sign and encrypt this to protect the privacy of the subscriber data and enable Symantec to verify that the form was submitted by an authorized Trusted Agent (you). Important: Symantec will not open or respond to an that has not been signed and encrypted. If you send an unsigned, unencrypted , you will need to re-submit the form. Therefore, we recommend that you send a test before submitting actual subscriber data for the first time. To test the security of the bulk submittal process: a) Access the Symantec ECA repository at search.htm to download the encryption certificate for. i. In the Search by address section, enter ecatrustedagent@symantec.com and click Search. ii. Click the link for ECA TRUSTED AGENT (Valid). The Digital ID Information page appears. iii. Click Download. The Select Format page appears. iv. For ID Format, select Someone Else s ID for Microsoft IE/Outlook Express/Outlook and click Submit. The File Download window appears. v. Click Save. b) Create an entry in your mail client address book or contacts list for Symantec ECA using for the address. Associate the public key certificate with this entry. c) Compose a message with the subject Test ECA Submission. d) Address the message to. e) In the Bulk Enrollment Form, complete the Bulk Transmittal Sheet, but do not enter any subscriber data in the Bulk Enrollment Data Form. f) Attach a Bulk Enrollment Form to the . g) Select the options to sign and encrypt the message. If you have multiple certificates on your computer, make sure you use your ECA Certificate. h) Send the message and wait for an reply from Symantec indicating that the message was received. i) After you have successfully processed a test message, submit the actual Bulk Enrollment Form. 6) Archive the Subscriber Enrollment Forms For each subscriber entered on the Bulk Enrollment Form, archive the original copy of the completed Subscriber Enrollment Form, signed either by the pubic notary, U.S. consular officer, or you. You may need to reference these forms in the event of a problem with subscriber enrollment data. Also, ECA policy requires that these forms are archived and retrievable upon request for a period of at least ten years and six months. 7) Revoke a Subscriber s ECA Certificate Send the Revocation Notice Forms to your HR Department 6

7 Complete the Revocation Notice Forms and send them to the appropriate Human Resource Department(s) (or equivalent) in your organization to ensure that Symantec is notified of events requiring certificate revocation, such as termination of a subscriber from your organization. Revoke an ECA Certificate Important: You must immediately notify Symantec and request that a certificate be revoked if: (1) any information or fact material to the reliability of the certificate is no longer accurate, current, complete, or becomes misleading; or (2) you or your organization suspects any loss, disclosure, or other compromise of the subscriber's private key; or (3) the subscriber is no longer employed by, associated with, authorized by, or affiliated with the organization. To request revocation of a subscriber certificate, send a digitally signed and encrypted with the subject Certificate Revocation Request by TA to. The must contain the first and last name and address of the subscriber whose certificate is to be revoked. The must also indicate the reason for the revocation request. 8) Recover a Subscriber s Encryption Key A copy of the private key associated with the subscriber s ECA Encryption Certificate is securely escrowed at Symantec. If a subscriber loses access to the encryption private key, he or she can request the recovery of the escrowed copy of the key. Other than the subscriber, only an organization s legal officer, security officer, or human resources representative, or a law enforcement official (with a court-authorized order) may request recovery. The person requesting the key recovery (Key Requestor) must complete the Key Recovery Request Form and sign it in the presence of a notary or the Trusted Agent. If you cannot meet face-to-face with the Key Requestor (because the person works at a different facility or branch office), you can instruct the requestor to complete the Key Recovery Request Form, gather the necessary documentation, and go to a notary public to have the form notarized. The Key Requestor should send you the notarized form. After you verify that the previous steps have been completed successfully, send a digitally signed and encrypted with the subject Key Recovery Request by TA to ecatrustedagent@symantec.com. The must contain: The first and last name and address of the subscriber whose key is to be recovered. The reason for the recovery request. The Requestor Information as entered in Section A of the Key Recovery Request Form. When Symantec processes the key recovery request, the original ECA Certificate key pair will be revoked. Symantec then s the encrypted private key, and faxes the password needed to decrypt it, to the Key Requestor. 7

8 Exhibit 1 Trusted Agent Authorization Form I,, am an employee, partner, member, agent, or other associate [Insert Name} of ( Organization ) and I am authorized by the Organization [Insert Organization Name] to act as a Trusted Agent to validate the identity of employees and other authorized representatives of Organization ( Subscribers ) who are eligible to receive ECA digital certificates ( Certificates ) in accordance with the ECA Certificate Policy and Symantec s ECA Certificate Practices Statement. I acknowledge and agree that: (a) I am authorized to act on behalf of the Organization to perform the responsibilities as set forth in the Symantec ; (b) I have reviewed and I am familiar with the, the Symantec ECA CPS, and can carry out the responsibilities of a Trusted Agent accordingly; (c) All information I provide to Symantec will be accurate, current, complete, and not misleading, and Symantec is authorized to rely on the information submitted by me in identifying Subscribers as being employed, associated, affiliated with and/or authorized by Organization to receive Certificates; (d) I will immediately notify Symantec and request that a Subscriber(s) Certificate be revoked if: (1) any information or fact material to the reliability of the Certificate becomes misleading or is no longer accurate, current, or complete, (2) I, or the Organization, suspects any loss, disclosure, or other compromise of a Subscriber's Private Key, or (3) a Subscriber is no longer employed by, associated with, authorized by, or affiliated with the Organization. (e) I will immediately notify Symantec and request that a Subscriber(s) Encryption Private Key be recovered if: (1) the Subscriber formally acknowledge he/she lost access to his/her Encryption Private Key (2) or an authorized Organization official (other than me) or Law Enforcement Agent with Court Order requests the recovery of a Subscriber's Private Key (Signature) (Printed Name) (Title) (Date) 8

9 Exhibit 2 Revocation Notice Form (PUT IN EMPLOYEE S HR FILE) Employee s Name: The employee named in this file is a Subscriber of a Symantec ECA Certificate. This certificate was authorized by your organization and as such it may be revoked at the organization s sole discretion at any time and for any reason. In the event that this Subscriber is no longer employed, associated, affiliated with, or authorized by this organization to hold this certificate, the certificate should be revoked. Symantec, the issuer of the certificate, will revoke the Certificate promptly upon confirming that the person making the revocation request is authorized to do so or upon otherwise determining that the Certificate should be revoked To revoke the certificate, contact the subscriber s ECA Trusted Agent at your organization: Trusted Agent: Phone Number: In the event that the Trusted Agent is no longer available, contact Symantec promptly by sending a notice on company letterhead identifying the name and address of the employee whose certificate is to be revoked and the reason for the revocation request. Please FAX the revocation request to Symantec ECA Authentication at

10 Instructions to Requestor: Exhibit 3 ECA Key Recovery Request Form 1. Print out this form. 2. Complete Sections A & B of the form. Do not sign the form yet. This form can only be signed by the certificate Subscriber or the company representative (e.g. organization s legal officer, security officer, or human resources representative) in the presence of your corporate notary or other notary public. You are responsible for all fees (if any) charged by the notary. 3. Bring two forms of identification with you to the notary as follows: One widely recognized, government-issued Photo ID such as a Driver s License or Passport; and, One other type of identification (photo not required) such as a valid national credit card, an employee ID, a utility or tax bill, or insurance card. 4. Instruct the notary to read the instructions below and complete the Acknowledgement. 5. Sign your name (section A) in the presence of the notary. 6. Make and retain a copy of this form and the Subscriber Agreement for your records. 7. Provide the fee: The price of a key recovery is $ In the case that the requestor is also the subscriber, it is possible to request a replacement ECA certificate pair for no additional charge (as indicated in section A below). The fee is payable by check or your organization's valid sales order number (if applicable). If paying by check, indicate "ECA Key Recovery" in the Memo section of your check and mail payment separately to: ECA Key Recovery Processing & Fulfillment Symantec Corporation PO Box Dallas, TX Send the completed (original) notarized form along with a copy of the Photo ID presented to the notary by First Class Postal Mail, Federal Express, or other equivalent means to: Symantec Corporation Attn: Symantec ECA Authentication Support 350 Ellis Street Mountain View, California A. Requestor Information: Fields with a * must match the information in the ECA subscriber certificate. Ensure that the entries in these fields are accurate and legible. Check the appropriate box below: I am the subscriber of an ECA certificate associated with the encryption private key to be recovered. I want to revoke my existing ECA certificate pair and get a new ECA certificate pair as part of the recovery process. recovery process. OR I do not want a new ECA certificate pair as part of the I am not the subscriber of an ECA certificate to be recovered [Note: Other than the Subscriber, only an organization s legal officer, security officer, or human resources representative, or a law enforcement official (with a Court authorized order) may request recovery] B. Information about the ECA Certificate associated with the encryption key being recovered: - *First Name - *Last Name 10

11 - * Address - Valid From - Valid To - Serial Number - Status (Valid, Revoked, Expired) Payment Information: (select payment type): Check: Name on check Check # Organization s Valid Sales Order: Sales Order Number: Payment Amount: C. Declaration (to be signed in the presence of a notary) I do hereby make oath and/or affirm that all the information contained in this document is true and correct and that I am duly authorized to recover the encryption key for the certificate described in Section B. As a condition of receiving the recovered key, I hereby agree to comply with all laws and the subscriber s organization policies relating to protection and release of the recovered key. Your signature, made in the presence of a notary - First Name - Last Name - Organization - Postal Address - Address - Phone Number - Fax Number - Job Title Instructions to Notary: The document you are notarizing is part of the Key Recovery Request process for a Symantec Digital ID used in conjunction with programs authorized by the U.S. Department of Defense (DoD). The DoD requires that the personal identity of the applicant be validated. If you would like more information about Digital IDs or the enrollment process, visit Symantec at or contact Symantec Sales at , option Modify this form where necessary to assure compliance with the laws of your jurisdiction. Use the back side of this form if necessary. 2. Complete the Acknowledgement below. 3. Request and examine at least two pieces of Subscriber identification as follows: One government-issued photograph ID such as a driver s license, passport, or military ID, One valid employee ID that must include a photograph and identify organizational affiliation. 4. You must check the Subscriber s forms of identification even if you are acquainted with the Subscriber. C. Acknowledgement This section is to be completed by Notary Public State/Commonwealth/Province of ), County of ), Country ) 11

12 On (date), before me, (notary) personally appeared (subscriber), and proved to me on the basis of the presentation of the two forms of identification listed below, to be the person whose name is subscribed to the instrument, and acknowledged to me that he/she executed the same, and that by his/her signature on the instrument the person executed the instrument in my presence. ID# Type of ID Identifying Number Expiration Date 1* 2 * ID #1 must be accompanied by photo. - Notary Phone - Notary Address (optional) - My Commission Expires on 12

13 Instructions for Installing the Renewed ECA Trusted Agent Encryption Certificate In order to continue submitting bulk enrollments once the encryption certificate expires or upon notification from ECA Support, you will need to follow these steps. Step 1: Download the new Trusted Agent Certificate 1. Go to and enter in the address. 2. Select the Valid checkbox and click Search. 3. The search results will return two (1) certificates. Click the link for ECA TRUSTED AGENT On the next page, click Download at the bottom of the page. 5. In the ID Format list, select Someone Else s ID for Microsoft IE/Outlook Express/Outlook. If you are not using Microsoft Office Outlook, select the appropriate format for your application. Click the green Submit button. 6. A dialog box appears asking you if you want to open or safe this file. Select Save and save the certificate to your desktop (we recommend renaming it if you have any other certificates stored to your desktop). Step 2: Install the new Trusted Agent Certificate 1. Open Microsoft Office Outlook. 2. Select Go and click Contacts from the menu bar. 3. Double-click on the mail account for the ECA Trusted Agent. 4. Click the Certificates tab. 5. Click the Import button. 6. Select the new certificate you downloaded to your desktop and click on the Open button. A message will appear to confirm that you have successfully imported the certificate. 7. In the list, you will have two certificates listed. To set the new certificate you just imported as your default, select the new certificate and then click the Set as Default b utton. 8. Click Save and Close to save your changes 9. You can now submit your bulk enrollment requests encrypted to ecatrustedagent@symantec.com as you have done so in the past. 13