Signe Certification Authority. Certification Policy Degree Certificates

Transcription

1 Signe Certification Authority Certification Policy Degree Certificates Versión 1.0 Fecha: 2/11/2010

2 Table of contents 1 FOREWORD 1.1 GENERAL DESCRIPTION 1.2 DOCUMENT NAME AND IDENTIFICATION 2 PARTICIPATING ENTITIES 2.1 CERTIFICATION AUTHORITIES (CAS) 2.2 REGISTRATION AUTHORITY (RA) 2.3 APPLICANT 2.4 SUBSCRIBER / SIGNATORY 2.5 KEY CUSTODY 2.6 THIRD PARTY THAT TRUSTS THE CERTIFICATES 3 CERTIFICATES CHARACTERISTICS 3.1 CERTIFICATE VALIDITY PERIOD 3.2 TYPES OF SUPPORT SOFTWARE MEDIA 3.3 SPECIFIC USE OF DEGREE-HOLDER CERTIFICATES APROPIATE CERTIFICATE USES UNAUTHORISED CERTIFICATES USES 3.4 FEES 4 OPERATING PROCEDURES 4.1 CERTIFICATE ISSUING PROCESS 4.2 CERTIFICATES REVOCATION 4.3 CERTIFICATE RENEWAL 5 CERTIFICATE PROFILE 5.1 DISTINGUISHED NAME(DN) INFOMATION ON DEGREE 5.2 CERTIFICATE EXTENSIONS 2

3 1 Foreword 1.1 General Description Degree Holder Certificates are personal digital certificates which make it possible to identify the Subscribers/Signatories thereof by computer, as the holders of a certain academic degree. These certificates may be issued in the following types of media: In software (mid-level), through an application, obtaining a certificate for the purposes of signature and authentication. Degree Holder Certificates are digital certificates recognised in accordance with Act 59/2003 of 19 December 2003 on Electronic Signatures and are compliant with the provisions of the technical regulations of the European Telecommunications Standards Institute, identified by reference number TS Degree Holder Certificates guarantee the identity of the Subscriber and possessor of the private identification and signature key, and they allow for generation of the advanced electronic signature which is based on a recognised certificate. Applications for Degree Holder Certificates may be submitted through the organisations of which each student is a member, acting as SIGNE Registration Authorities, though applications may also be submitted on the Internet through SIGNE. This document provides a description of the Specific Conditions applicable to this type of certificate. This Certification Policy is subordinate to fulfilment of the General Conditions and the SIGNE Certification Practice Statement (CPS).

4 1.2 Nombre del documento e identificación Name: Degree Holder Certificates Policy (CP) Version: 1.0 Description: Certification Policy for Degree Holders Issue Date: 2/11/2010 OID: (in software) Location 4

5 2 Participating entities 2.1 Certification Authorities (CAs) The Degree Holder certificates are issued exclusively by the SIGNE Certification Authority, a certification authority subordinate to the Root CA Firmaprofesional. 2.2 Registration Authority (RA) The handling of the certificate applications shall be performed by the entities which act as SIGNE Registration Authorities or by SIGNE itself. Each entity which acts as an RA of SIGNE may process the degree holder certificate applications of those private individuals who have completed their studies and requested their degree. Each RA must cooperate with SIGNE in handling the application, verifying the necessary information and delivering the electronic certificate, and in particular the following: Identifying the degree holders who apply for the degree holder electroniccertificate and obtaining their consent to have the certificate issued, as well asdefinitively verifying the degree holder when delivering the keys to obtain the degree holder electronic certificate. Verifying that the service request is complete, the data accurate, especially theentity code and study code, and, in the case of incomplete applications,ensuring that they are completed or corrected. Processing the formalisation of the delivery sheet document of receipt and validating the data with the degree holder, under the established terms andconditions. Keeping custody of all the information and documentation handled for eachrecognised certificate processed, always using the utmost diligence in verifying the accuracy and truth of the data and documents kept. Granting SIGNE access to the degree holder s academic information strictly necessary to provide the services, with SIGNE acting as the party responsiblefor handling said information on the RA s account. 5

6 -Employing personnel that have the knowledge, experience and qualifications necessary to provide the identification services assigned to them. 2.3 Applicant An Applicant is a student who has graduated and who has completed his or her studies and holds such a status as to be able to obtain the degree which accredits completion of those studies. Each entity acting as an RA of SIGNE is responsible for determining what groups of users may apply for a Degree Holder Certificate. 2.4 Subscriber/ Signatory The Subscriber / Signatory is the private individual identified by given name, surnames and national identity card number (NIF) to whom a Degree Holder Certificate has been issued. 2.5 Key Custody Custody of the signature creation data associated with each degree holder electronic certificate shall be the responsibility of the private individual Applicant, whose identification data shall be included in the electronic certificate. 2.6 Tercero que confía en los certificados The third parties that trust these certificates must bear in mind the limitations upon their use. 6

7 3 Certificates characteristics 3.1 Certificate validity period The Degree Holder Certificates shall be valid for a period of 3 years. 3.2 Types of support The Degree Holder Certificates shall be generated in a software medium Software Media The private keys of the certificates issued in a software medium are generated and stored in an Internet browser such as Microsoft Internet Explorer. Pursuant to Act 59/2003, The advanced electronic signature based on a recognised certificate and generated using a secure signature creation device is considered a recognised electronic signature. Therefore, the use of Degree Holder Certificates is not compliant with all of the requirements established by Law for the recognised signature. However, pursuant to Article 21 of Act 11/2007, Degree Holder Certificates issued in software being recognised certificates, though they do not produce recognised signatures, shall be accepted by the bodies of the Public Administration, provided that SIGNE makes the required information available to the bodies of the Public Administration under conditions which are technologically feasible, without creating any expenses for them. The Degree Holder Certificates in software may be copied onto other media, and therefore backup copies thereof may be made. The Degree Holder Certificates in Software are identified by way of the OID in the extension X509v3 Certificate Policies. 7

8 3.3 Specific use of degree holder certificates Appropiate Certificate Use The certificates issued by SIGNE may be used under the terms established in the CPS and that which is established in the current laws regarding the matter. Said certificates are used for all of the computer-based relations which may take place between the degree holder and the various realms in which it is necessary to verify degree holder status, though in no case may the attribute contained in the certificate constitute an official declaration of holding a degree, but rather exclusively a statement by the educational entity that a specific party is a degree holder. The Degree Holder Certificates may be used for the following purposes: To provide integrity to an electronically signed document. Non-repudiation of origin. Identification of the Signatory and his or her status as a degree holder Unauthorised Certificate Uses No use other than that which is established in this Policy and in the Certification Practice Statement is permitted. The use of the certificate to perform commercial, economic or financial transactions in a digital medium is not permitted either. Because the certificates were not designed for encrypting information, SIGNE does not recommend their use for that purpose. 3.4 Fees SIGNE shall charge the Subscriber (Entity) the amount agreed to in the service agreement signed by the parties. SIGNE may charge the Subscribers those fees which it deems appropriate, as well as determining the means of payment it deems most appropriate in each case. For further details on the price and payment conditions for this type of certificates, one must consult with SIGNE s Commercial Department. 8

9 4 Operating Procedures 4.1 Certificate Issuing Process The steps to be followed to obtain a certificate are as follows: a) Application The certification request must be filed by the Applicant in fulfilment of everything described in the CPS and the following: The Applicant must be authorised to apply for the certificate; in other words, he or she must have complete his or her studies and have the proper status for obtaining the degree which accredits completion of those studies. The Applicant must submit the required documentation to the RA to process the application. When submitting the application, the Applicant must provide a valid address to which only he or she has access When the Applicant has not yet requested the degree: The Applicant (graduate) must address the service in charge of processing the degrees of the entity at which the studies were completed in order to request that the degree holder electronic certificate be issued. The entity, through the authorised administrative personnel, shall be responsible for processing the application with SIGNE. When the applicant already has the degree or has requested it: The Applicant may: Apply for the certificate by addressing the service responsible for processing the degrees of the entity where he or she completed the studies. In this case, the certificate shall only contain those degrees issued by said entity. Apply for the certificate over the Internet using the SIGNE website, for which purpose he or she must provide proper identification using certain means. In this case, the certificate may contain degrees issued by different schools, 9

10 provided that there is a cooperation agreement between that entity and SIG b) Application Acceptance The RA shall be responsible for verifying the academic information and completing the degree and school codes if necessary, before accepting the application and beginning the processing of the certificate. Once the information on the Applicant s degree has been verified, the Applicant shall receive a notice by informing the Applicant that he or she must appear inperson to continue processing the certificate. c) Processing In order to continue with processing, the Applicant must: Identify himself/herself: In person before the RA Over the Internet at the SIGNE website, using the electronic identity card (DNIe, or other recognised certificates which are accepted). Verify that the RA has his/her address. Read and accept the Delivery and Acceptance Sheet. Read, accept and sign the Delivery Record, which shall remain in the RA s possession. On the Delivery Sheet, the Applicant shall receive an authentication code which, along with an message the he or she shall receive at the address provided, will make it possible to generate the key pair and download the electronic certificate on the Applicant s own computer system. d) Key Generation The Subscriber shall receive confirmation of the application by , along with a link to the online certificate issuance application. In order to access the key generation application, the Applicant must provide the authentication code received on the Delivery and Acceptance Sheet. Once authenticated, the Applicant shall proceed to generate the keys on his/her own 10

11 computer by following the instructions given. e) Issuing and Delivering the Certificate Once the keys have been generated, the RA shall issue the certificate, sending the request to the CA. The user shall then be notified that the certificate has been generated and that it may be securely downloaded onto a computer. In any case, the Applicant must download the certificate from the same computer and using the same browser as those on which the keys were generated, thereby ensuring that the signature creation and verification data are complementary. 4.2 Certificate revocation The Subscriber must request the revocation of his or her certificate if it is lost, ifis lost, if the keys are compromised, or due to any of the causes described in the CPS. To request that the certificate be revoked, the Subscriber may: b)request revocation online by using the revocation code To do this, the Subscriber must: 1. Access the section for revocation in the SIGNE website and select the link corresponding to revocation by using the revocation code. 2. In the proper form, accurately enter the information identifying him or her. 3. Enter the Revocation Code provided during the certificate issuing process. 4. Explicitly accept the processing of the request and the consequences thereof. Once the process has been completed, the certificate shall be revoked immediately. b) Request revocation online by using the DNIe To do this, the Subscriber must: 11

12 1. Access the SIGNE website and be authenticated using the DNIe. 2. Request revocation of the degree holder certificate. 3. Explicitly accept the processing of the request and the consequences thereof. Once the process has been completed, the certificate shall be revoked immediately. c) Request revocation by telephone Call the SIGNE telephone revocation service during office hours, at Once the process has been completed, the certificate shall be revoked immediately. For all complementary information regarding the revocation of certificates, please see the proper section of the CPS. 4.3 Certificate renewal SIGNE Certification Authority shall send a renewal notice to the Subscriber by two months before the certificate s expiration date. The Subscriber must contact SIGNE to request the certificate s renewal. The certificate may be renewed over the Internet or in person at the RA. Internet Renewal Process: 1. The Subscriber shall receive a notice from the RA by to begin the renewal process on the SIGNE website. 2. The Subscriber must access the website using his/her certificate before it expires, or using the DNIe if it has expired. 3.The Subscriber must electronically sign the certificate renewal application. Process for renewal in person at the RA: If the Subscriber is unable to renew the certificate online, he or she may address the 12

13 RA to request the renewal of the certificate. In this case, a new certificate will be generated with a new key pair, but with the same data as the certificate to be renewed. To do this, one must proceed in accordance with Points c), d) and e) of the certificate issuing process, or in other words: Identify himself/herself in person before the RA Verify that the RA has his/her address. Read and accept the Delivery and Acceptance Sheet. Read, accept and sign the Delivery Record, which shall remain in the RA s possession. Generate the key pair on his/her computer using the authentication code provided on the Delivery Sheet, by going to the address provided in the e- mail message received. Download the certificate onto his/her computer. 13

14 5 Certificate Profile 5.1 Distinguished name (dn) The DN of the Degree Holder Certificates must contain at least the elements described below. All of the values of these components shall be verified by the Registration Authority: DN Field Name Description CN, Common Name Name The Signatory s first and last names. SN, surname Surnames The signature s first surname E, The Signatory s address C, Country Country Two-digit country code according to ISO , indicating the degree holder s nationality serialnumber Serial Number National identity card number (NIF), foreign national identity card number (NIE) or code of identifying document submitted by the Signatory X1.1 Degree Official name of the X1 degree earned X1.2 Degree Code Official alphanumerical code of the X1 degree X1.3 Entity Entity which issued the X1 degree, in accordance with the format: <3-number code>-<entity name> X2.1 Degree Official name of the X2 degree earned X2.2 Degree Code Official alphanumerical code of the X2 degree X2.3 Entity Entity which issued the X2 degree, in accordance with the format: <3-number code>-<entity name> X33 Degree Official name of the X3 degree earned X2.2 Degree code Official alphanumerical code of the X3 degree X2.3 Entity Entity which issued the X3 degree, in accordance with the format: 3-number code>-<entity name> X4.1 Degree Official name of the X4 degree earned 14

15 X4.2 Degree code Official alphanumerical code of the X4 degree X4.3 Entity Entity which issued the X4 degree, in accordance with the format: <3-number code>-<entity name> X5.1 Degree Official name of the X5 degree earned X5.2 Degree code Official alphanumerical code of the X5 degree X5.3 Entity Entity which issued the X5 degree, in accordance with the format: <3-number code>-<entity name> Information Regarding the Degree The information on the degree is identified and classified using the following OID: <#TITLE>.<N> In Which: Prefix that indicates that the OID belongs to a prívate company Matches the SIGNE company code 3 I.D. for DN extensions or fields 1 I.D. of field with information on degree <#TITLE> <N> Number which identifies and categorises information corresponding to one same degree 3 possible values: N=1: Indicates field which contains the official name of the degree N=2: Indicates field which contains the official code of the degree N=3: Indicates field which indicates the entity that issued the degree 15

16 5.2 Certificate extensions Extension Crítcal Posible values X509v3 Subject Alternative Name - X509v3 Issuer Alternative Name - URI: X509v3 Basic Constraints Sí CA:FALSE X509v3 Key Usage Sí Digital Signature Non Repudiation Key Encipherment Key Agreement X509v3 Extended Key Usage - TLS Web Client Authentication Protection X509v3 Subject Key Identifier - <ID of the certificate s public key, obtained using the public key s hash> X509v3 Authority Key Identifier - <ID of the public key of the CA s certificate, obtained using its hash> X509v3 Authority Information Access X509v3 CRL Distribution Points - <URI de la CRL> - Access Method: Id-ad-ocsp Access Location: <URI de acceso al servicio OCSP> X509v3 Certificate Policies - <OID of the certification policy corresponding to the certificate> <URL of the CPS> User Notice: This is a recognised degree holder certificate. Consult the usage conditions at + <URL of the CPS QcStatements - Id-etsi-qcs-QcCompliance (indicating that the certificate is recognised) Id-etsi-qcs-QcRetention Period (15 years of custody of the certificate data. 16

17 17