Servidor Seguro SSL, Servidor Seguro SSL con Validación Extendida (SSL EV), Sede Electrónica, and Sede Electrónica con Validación Extendida (Sede EV)

Transcription

1 National Register of Associations. Number CIF G Servidor Seguro SSL, Servidor Seguro SSL con Validación Extendida (SSL EV), Sede Electrónica, and Sede Electrónica con Validación Extendida (Sede EV) ANF Autoridad de Certificación Gran vía de les Corts Catalanes Barcelona (Spain) Telephone: Fax: Web:

2 Security Level Public Document Important Notice This document is property of ANF Autoridad de Certificación Distribution and reproduction prohibited without authorization by ANF Autoridad de Certificación Copyright ANF Autoridad de Certificación 2013 Address: Gran vía de les Corts Catalanes Barcelona (Spain) Telephone: Fax: Web: 2

3 Index 1 Introduction Certificates description Identification Support type Users community Certification Authorities Registration Authorities Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager End entities Certificate subscriber Certificate applicant Certificate responsible Relying third parties Usage field Allowed use Limits of certificate usage Prohibited usage Certification Entity contact details Definitions and acronyms Information publication and repositories Repositories Information publication Updates frequency Access controls on repositories Identification and Authentication Name registration Types of names Need for names to be meaningful Anonymous or pseudonyms Rules for interpreting various name forms

4 3.1.5 Uniqueness of names Conflicts related to names and brands resolution Identity initial validation Method to prove possession of private key Authentication of applicant, certificate responsible and subscriber identity Re-key Revocation request Operational Requirements Certificate application Processing procedure Identity authentication Applicant Subscribers Legal persons Natural persons Certificate responsible Approval or rejection of certificate applications Certificados SSL EV and Sede EV Certificados Sede Certificados SSL EV and Sede EV Time to process certificate applications Certificate issuance Certification Entity actions during certificate issuance Notification to subscriber Certificate acceptance Acceptance Certificate return Tracing Certificate publication Notification of certificate issuance to third parties Rejection Certificate renewal Valid certificates

5 4.6.2 Persons authorized to request the renewal Routine renewal requests authentication and identification Certificate renewal with rekeying Certificate renewal without rekeying Approval or rejection of renewal applications Notification of certificate renewal Certificate renewal acceptance Publication of the renew certificate Notification of certificate renewal Identification and authentication of key renewal applications after revocation (uncommitted key) Certificate modification Certificate revocation and suspension Circumstances for revocation Revocation applications identification and authentication Procedure for revocation request Revocation request grace period Time within which CA must process the revocation request CRL lists verification requirements CRL issuance frequency Revocation online checking availability Revocation online checking requirements Certificate suspension Suspension requests authentication and identification Key storage and recovery Good practices Facilities, management and operational controls Physical security controls Procedural controls Personnel controls Technical security controls Key pair generation and installation Private Key Protection Other aspects of key pair management

6 6.4 Activation data Computer security controls Life cycle technical controls Network security controls Time-stamping Cryptographic Module Security Controls Certificates and CRLs profiles Certificates profiles Common fields and extensions Specific fields according to the signature algorithm Specific fields according to key length Specific Fields by type of certificate Certificado de Servidor Seguro SSL DV (With SHA-256) Certificado de Servidor Seguro SSL OV (With SHA-256) Certificado de Servidor Seguro SSL EV (with SHA-256) Certificado de Sede Electrónica Nivel Medio (with SHA-256) Certificado de Sede Electrónica Nivel Alto (with SHA-256) Certificado de Sede Electrónica EV Nivel Medio (with SHA-256) Certificado de Sede Electrónica EV Nivel Alto (with SHA-256) CRL profile OCSP profile Compliance audit Each entity compliance controls frequency Personnel in charge of the audit identification Auditor relationship to audited entity Topics covered by audit Actions to be taken as a result of compliance deficiency Treatment of audit reports General orders Fees Financial responsibility Confidentiality of business information Privacy of personal information

7 9.5 Intellectual property rights Obligations and guarantees Disclaimers of guarantees Limitations of liability Interpretation and execution CP administration...52 Appendix I Certificate Application Form...53 Appendix II Contract for the Provision of Electronic Certification Services...59 Appendix III Act of Authorization and Acceptance of Responsibility in the Certificate Use...66 Appendix IV Certificate Renewal Application Letter...67 Appendix V Certificate Revocation Application Form...68 Appendix VI Act of Certificate Reception and Acceptance...70 Appendix VII Identity Statement

8 1 Introduction ANF Certification Authority (henceforth, ANF AC) is a legal entity, constituted under Basic Law 1/2002 of the 22nd of March, and written in the Ministry of the Interior with national number and company tax code G The Public Key Infrastructure (PKI) of ANF AC has been designed and managed in accordance with the legal framework of the European Parliament [UE] 910/2014 Regulation, and with the 59/2003 Law on Electronic Signature of Spain. The ANF AC PKI is in accordance with the ETSI TS (Policy requirements for certification Authorities issuing qualified certificates), ETSI TS (Qualified Certificate Profile), RFC 3739 (Internet X.509 Public Key Infrastructure: Qualified Certificates Profile) rules, and in process of adaptation to the ETSI EN (Certificate Profiles) rule. ANF AC uses OID s in accordance with the standard ITU-T Rec. X.660 and the standard ISO/IEC :2005 Procedures for the Operation of OSI Registration Authorities: General Procedures and ASN.1 Object Identifier tree top arcs. ANF AC has been assigned the SMI Network Management Private Enterprise Code by the international organisation IANA - Internet Assigned Numbers Authority - under the branch iso.org.dod.internet.private.enterprise ( IANA Registered Private Enterprise-). This document is the Certification Policy (CP) corresponding to the certificates issued by ANF AC, of the type " Servidor Seguro SSL ", Servidor Seguro SSL con Validación Extendida (EV) Sede Electrónica nivel medio y nivel alto y, Sede Electrónica con Validación Extendida (EV) nivel medio y nivel alto. These certificates are issued with consideration of qualified in accordance with the provisions of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and with consideration of recognized as defined in Law 59/2003 of electronic signature. To develop its content the IETF RFC 3647 PKIX structure has been followed, including those sections that are specific to this type of certificate. This document defines the operational and procedural requirements to which the usage of these certificates is subjected, and defines the guidelines that ANF AC uses for its issuance, management, revocation, renewal and any other process that affects the life cycle. The roles, responsibilities and relationships between the end user, ANF AC and trusted third parties are described, as well as the application, renewal and revocation rules that must be met. In the scope of the Google Certificate Transparency project (CT), the certificates issued with the EV (Extended Validation) qualification will be published in different CT Log operators, to comply with the policy defined by Google. This document is only one of the several documents governing the PKI of ANF AC, it details and supplements the definitions in the Certification Practice Statement and its addendum. ANF AC oversees and supervises that this PC is compatible and consistent with the other documents produced. All documentation is freely available to users and relying parties at 8

9 1.1 Certificates description ANF AC, in the framework of its Electronic Certification Service, issues identity certificates of the type: Servidor Seguro SSL The purpose of this certificate is to establish data communications through TLS / SSL protocols in services and applications, especially for: - The identification of the organization holding the domain (DNS) to provide reasonable assurance to the user of a web browser that the website being accessed is owned by the organization identified in the certificate through its name and address. - Encryption of communications between the user and the website, facilitating the exchange of encryption keys necessary for encryption of information through Internet. The maximum validity of these certificates is 5 years. This type of cetificates can be issued in the following modes: - DV and DV Wildcard This certificate, with the consideration of unqualified according eidas will be used for the identification of the ownership of the domain hosting the website, providing reasonable assurance to the user of an Internet browser. The DV Wildcard contains a "wild card" in the hostname (e.g.: *.frater.com). They are issued according to ETSI EN The validity of these certificates can be up to 3 years. - OV and OV Wildcard This certificate, with the consideration of unqualified according to eidas will be used for identifying ownership of the domain and accreditation of the organization, providing reasonable assurance to the user of an Internet browser that the web site being accessed is owned by the organization identified in the certificate. The OV Wildcard contains a "wild card" in the hostname (e.g.: *.frater.com). They are issued according to the policy OVCP of ETSI EN The validity of these certificates can be up to 3 years. Servidor Seguro SSL con Validación Extendida (EV) This certificate, with consideration of unqualified according to eidas will be used for identifying ownership of the domain and accreditation of the organization, providing a strong guarantee to the user of an Internet browser that the web site being accessed is owned by the organization identified in the certificate. They are issued according to the policy EV of ETSI EN The validity of these certificates can be up to 2 years. In addition to the utilities provided by the SSL certificate, Extended Validation (EV) aims to provide a better level of authentication for organizations, to secure transactions on their websites. 9

10 The purpose of EV SSL Certificates is their use in TLS / SSL protocols, in order to ensure the validity of the constitution of the organization identified in the certificate, and therefore avoiding phishing or other cases of online identity fraud. ANF AC meets the guidelines stated by the CA / Browser Forum and published on its website including the acceptance of audit programs specified therein. Sede electrónica Sede Electrónica In the field of Law Public Sector Legal Regime, ANF AC issues certificates of the type sede electrónica. They are issued according to the policy ETSI EN and the profile of the office certificate defined by the Ministry of Finance and Public Administrations. This is a certificate with the consideration of qualified according to eidas in which the owner Public Administration, administrative body or entity office is identified. The validity of these certificates is 2 years. The purpose of this certificate is to establish data communications through TLS / SSL in services and applications. Sede electrónica con Validación Extendida (EV) In addition to the utilities provided by the Electronic Office certificate, Extended Validation (EV) aims to provide a better level of authentication for Public Administration, body or administrative entity to secure transactions on their websites avoiding phishing cases or any other online identity fraud. In addition, ANF AC meets the guidelines stated by the CA / Browser Forum and published on its website including the acceptance of audit programs specified therein. 1.2 Identification Document name Certification Policy for certificados de Servidor Seguro SSL, Servidor Seguro SSL con Validación Extendida (EV), Sede Electrónica y Sede Electrónico con Validación Extendida (EV) Version 1.2 Policy status APPROVED Document reference / Publication date January 15 th 2013 Expiration date Not applicable 10

11 Related CPS Location Certification Practice Statement (CPS) of ANF AC In order to identify the certificates, ANF AC has assigned the following object identifiers (OID): Certificado Servidor Seguro SSL DV With SHA-256 algorithm and 2048-bit key length Servidor Seguro SSL OV With SHA-256 algorithm and 2048-bit key length OID Servidor Seguro SSL EV With SHA-256 algorithm and 2048-bit key length Sede Electrónica Nivel Medio With SHA-256 algorithm and 2048-bit key length Sede Electrónica EV Nivel Medio With SHA-256 algorithm and 2048-bit key length Sede Electrónica Nivel Alto With SHA-256 algorithm and 2048-bit key length Sede Electrónica EV Nivel Alto With SHA-256 algorithm and 2048-bit key length When the certificate is of the type Servidor Seguro SSL, in the extension CertificatePolicies ( ), will include at least one of the following PolicyInformation: If it is performed exclusively domain validation (Compliant with Baseline Requirements No entity identity asserted) [CA/B FORUM - SSL DV]: If the subscriber is a legal person, organization or institution (Compliant with Baseline Requirements Organization identity asserted) [CA/B FORUM - SSL OV]: If the subscriber is a natural person (Compliant with Baseline Requirements Individual identity asserted): In the case of certificates of Sede Electrónica Nivel Alto Nivel Alto, the extension CertificatePolicies ( ) will include the OID: 11

12 In the case of Sede Electrónica Nivel Medio, the extension CertificatePolicies ( ) will include the OID: All certificates meet the standard ETSI TS and ETSI requirement, in relation to certificate policies identified: Advanced Certificate Policy (Individual or Professional) Advanced Certificate Policy (Individual or Professional) issued on cryptographic device TLS/SSL Certificate Policy with Organization validation TLS/SSL Certificate Policy with Domain validation Qualified Certificate Policy 5 1 Normalized Certification Policy (NCP) in accordance with standard ETSI TS Extended Normalized Certification Policy (NCP+) in accordance with standard ETSI TS Organization validation certificates policy (OVCP) in accordance with standard ETSI TS Domain validation certificates policy (DVCP) in accordance with standard ETSI Referred to QCP+SSCD (Qualified Certificate Policy + Secure Signature Creation Device) in accordance with standard ETSI TS Moreover, in the case of including the extension Extended Validation, the extension CertificatePolicies ( ) will include the OID of SSL EV [ETSI TS EVCP]: Moreover according to [CA/B FORUM - SSL EV] will include the OID of SSL EV And, when the certificate is issued with the qualification of qualified of website according to eidas, meets the requirements of the Policy QCPW of ETSI EN , and the eidas IV annex. In the extension CertificatePolicies ( ), will include at least on of the following PolicyInformation: qcp-web ( ) 1.3 Support type These certificates can be issued in two support types: Cryptographic software token. Token HSM (hardware security module). Certified with ISO Common Criteria EAL 4+ or higher. This policy, regarding certificados Sede Electrónica, follows the definitions of the present policy, regarding certificados "Empleado Público", follows the definitions established by the Communications and 12

13 Information Technologies Management in its document "Perfiles de certificados electrónicos of April Two different levels of assurance are defined: a. Medium level: This level corresponds to a configuration of security mechanisms suitable for most applications. The expected risk for this leve is appropriate to access qualified applications in accordance with the ENS in the levels of Integrity and Authenticity as medium and low risk. Acceptable security mechanisms include X.509 software certificates. In the case of certificates issued to people, they correspond with a "qualified certificate as defined in EU Regulation 910/2014 on advanced electronic signature, without signature creation qualified device. In the case of certificates issued to legal persons, it corresponds with the "certificado sello cualificado", as defined in the EU regulation 910/2014 on advanced electronic seal, without seal creation qualified device. The use of signature hardware devices (HSM or signature creation qualified device) is also permitted. The maximum validity of these certificates is 5 years, except for certificates issued with Extended Validation, whose maximum validity period is 27 months. The expected risk for this level corresponds to level 3 guarantee provided in IDABC Authentication Basic Policy * 1. * 1 The IDABC (Interoperable Delivery of Pan-European egovernment Services to Public Administrations, Business and Citizens - Interoperable Delivery of pan- European electronic Administration services to public administrations, businesses and citizens) program. Decision 2004/387 / EC of the European Parliament and of the Council of 21 April 2004 on the Interoperable Delivery of European electronic Administration Services to public administration, businesses and citizens (IDABC) [Official Journal L 144, ] b. High level: This level corresponds to a configuration of security mechanisms suitable for applications that require additional measures, according to the risk analysis performed. The expected risk for this leve is appropriate to access qualified applications in accordance with the ENS in the levels of Integrity and Authenticity as high risk. Also, the expected risk in this level corresponds to the low and substantial security levels of electronic identification systems of the EU regulation 910/2014. Safety levels of the eidas regulations apply only to electronic identification systems. Acceptable security mechanisms include X.509 hardware certificates. In the case of certificates issued to people, they correspond with a "qualified certificate, for "qualified electronic signature", as defined in EU Regulation 910/2014. In the case of certificates issued to legal persons, it corresponds with the "certificado sello cualificado", as defined in the EU regulation 910/2014. The expected risk for this level corresponds to level 4 guarantee provided in IDABC Authentication Basic Policy. The maximum validity of these certificates is 5 years, except for certificates issued with Extended Validation, whose maximum validity period is 27 months. 13

14 1.4 Users community Certification Authorities As defined in the Certification Practice Statement (CPS) of ANF AC. These are the entities which issue electronic certificates which link a public key with the subscriber identity Registration Authorities These are entities that perform registration procedures of applicants for end entity certificates. They perform the identification and authentication of individuals involved in the application, and they have the ability to initiate or assist in the procedures for revocation and renewal of certificates. These entities may belong to the organization of the certification entity, or may be external partners, in which case ANF AC defines two types: Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager End entities Certificate subscriber The subscriber is the natural or legal person that is the certificate holder. Natural persons must be of legal age; in the case of legal entities applying for the issuance of a certificado SSL EV, these must be older than two years Certificate applicant The certificate must be requested by an adult, in his/her own behalf or, if acting on behalf of a third party, with legal capacity to assume the representation of the subscriber. His/her identity will be included in the certificate as a legal representative. 14

15 Certificate responsible The certificate responsible holds the signature creation device and is responsible for its use and custody. The certificate responsible must be a legal age physical person, with total ability for acting and has to state his/her constent to assume this responsibility. The certificate responsible must have express authorization from the applicant, and his/her identity shall be included in the certificate Relying third parties 1.5 Usage field Allowed usage Certificates issued under this Policy shall be used with the following purposes: DNS Identification. Certificates issued under this Policy allow to identify and link a determined DNS (Domain Name System) domain to the entity owning that domain, which is the certificate subscriber. Encryption of communications between the user and the website, facilitating the exchange of encryption keys necessary for encryption of information through Internet Limits of certificate usage Prohibited usage No other uses than the ones stated in this Policy and the CPS of ANF AC are allowed. 1.6 Certification Entity contact details 1.7 Definitions and acronyms 15

16 2 Information publication and repositories 2.1 Repositories 2.2 Information publication 2.3 Updates frequency 2.4 Access controls on repositories 16

17 3 Identification and Authentication 3.1 Name registration Types of names All certificates require a Distinguished Name (DN) under the X.500 standard. Personal circumstances and attributes of the persons and organizations identified in the certificates are included in attributes predefined in regulations and generally recognized technical specifications Need for names to be meaningful All the certificados Servidor Seguro SSL and Servidor Seguro SSL EV contain a distinguished name (DN) that identifies the DNS domain and the holder person or organization that holds it, according with provision of the ITU-T X.501 reccomendation, and contained in the Subject field, including a Common Name. The CN (Common Name) attribute of the DN must refer to the DNS domain name Anonymous or pseudonyms This is not allowed Rules for interpreting various name forms In any case, standard X.500 (referred in the ISO/IEC 9594 rule) name will be attended Uniqueness of names The certificate will be issued with the full name of the service that will be provided with SSL features. This name must be unique in the network. Partial names will not be accepted Conflicts related to names and brands resolution Applicants for certificates shall not include names in applications that may involve breach of third party trademark rights by the subscriber. ANF AC reserves the right to refuse a certificate request because of name conflict. ANF AC shall check if the requested domain name may be misleading under another existing name exists in the network, and if available, will determine in its sole discretion on whether to issue or refuse to issue the requested certificate. 17

18 3.2 Identity initial validation Method to prove possession of private key Authentication of applicant, certificate responsible and subscriber identity Certificates issued under this Certification Policy will identify the subscriber under whose name a DNS domain has been registered. They will also indentify the certificate subscriber (if a legal representative has processed the application in the subscriber name) and the certificate responsible (if any other person who is not the subscriber or applicant). The Issuance Reports Manager will use appropriate means to ensure the accuracy of the information contained in the certificate. These means include external registry databases and the ability to require information or documents to the subscriber. The fiscal identification of the applicant and subscriber and device owner will be incorporated into the certificate. Types of documentation, processing modality, authentication and validation procedures are specified in the following sections. 3.3 Re-key In the course of re-key, ANF AC shall inform the subscriber about the changes that have occurred in the terms and conditions with respect to the previous issue. A new certificate may be issued to maintain the previous public key, as long as it is considered cryptographically secure. 3.4 Revocation request All cancellation requests must be authenticated. ANF AC checks the applicant's ability to handle this requirement. 18

19 4 Operational Requirements 4.1 Certificate application ANF AC only accepts requests with a proper name or third party name, completed by adults with the capacity to work by their own free will and with enough legal representation. Applicants must complete the Application Form of the certificate, that will be able to be authenticated through: -Handwritten signature -Recognized electronic signature In the form will be stated that the applicant takes the responsibility of the accuracy of the information outlined. He/she will be able to submit it to ANF AC using any of the following means: a) Electronically: the website includes an application form that should be filled and electronically signed with a qualified certificate, according to Electronic Signature Law 59/2003, December 19th. The certificate used must have been issued by a CA approved by ANF AC. b) In person: the applicant may appear before a Recognized Registration Authority, and shall duly complete and sign the application form. c) By mail: the applicant may submit the application form to the offices of ANF AC certificate, having duly completed and authenticated his signature before a Collaborating Registration Authority. ANF AC does not generate the keys of its users. The applicant must generate his/her own key pair and certificate request in PKCS#10 /CSR format, delivering it to ANF AC together with the certificate Application Form. 4.2 Processing procedure Identity authentication Applicant Apart from the certificados de Servidor Seguro SSL DV, the applicant must prove his/her identity and validity of the applicant entity: a) Physical Address and other contact data. If deemed necessary by the Registration Authority or the Issuance Reports Manager, additional documents may be included to check the reliability of the information, such as recent utility bills or bank statements. In case the RRA or the IRM know the applicant personally, they should personally issue and sign a Declaration of Identity * 1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. 19

20 c) ID card or Passport in case of nationals, whose photograph allows verifying the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: I. To European Union members or European Economic Area members: National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Citizen Members of the Union. II. To non-eu citizens: Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). In case of acting in the name and representation of a third part, the following will be required: Enough representation power. In addition to administrators and legal representatives, voluntary representatives shall be accepted when they demonstrate sufficient power to carry out acts of administration or concluding contracts on behalf of the entity. The applicant may be waived of appearing before the Registration Authority in any of the following cases: 1. If the appropriate forms have been properly completed, and the subscriber s signature has been legitimized in the presence of attorney, by attaching certified copies of identity, authorization and legal representation documents. 2. Electronic processing. The website includes an application form that should be filled and electronically sign with a qualified certificate, according to Electronic Signature Law 59/2003, December 19th. The certificate used must has been issued by a CA approved by ANF AC Subscribers Legal persons Except in the case of certificados de Servidor Seguro SSL DV, it is required: Physical address and other contact details of the entity. If the RRA or the IRM deem it necessary, additional documents, such as recent utility bills or bank statements, may be requested in order to check the reliability of the information. If the RRA or the IRM known the subscriber personally, they shall issue and sign a Declaration of Identity * 1. Tax identification (CIF) of the entity. According to legal form: 20

21 Corporations or other legal persons whose registration is required under the Commercial Register, shall prove their valid constitution by providing: - For applications of certificados SSL, simple registry note on constitution data and current management of the entity. - For applications of certificados SSL EV, original or certified copy of the Register data on current constitution and management of the entity. Associations, foundations and cooperatives shall prove their valid constitution by providing original or certified copy of a certificate of public record in which they are inscribed on its constitution. Civil societies and other legal persons, shall provide original or certified copy of the public document attesting to their constitution in a reliable way. Public Administrations and public sector entities: - Entities whose enrollment is mandatory in a register, shall prove their valid constitution by providing original or certified copy of a certificate of incorporation data and legal personality. - Entities created by rule, shall provide reference to the creation norm Natural persons Same procedure as in the previous section Certificate responsible In the application form, the applicant must identify and expressly authorize the device owner and responsible of the certificate. This authorization must be perfected with a voluntary and express acceptance by the person who will be responsible for the certificate. This must appear before the Registration Authority and present proof of identity, effective, original or certified copy of the following documents: a) Physical Address and other contact data. If deemed necessary by the Registration Authority or the Issuance Reports Manager, additional documents may be included to check the reliability of the information, such as recent utility bills or bank statements. In case the RRA or the IRM know the applicant personally, they should personally issue and sign a Declaration of Identity * 1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. c) ID card or Passport in case of nationals, whose photograph allows to verify the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: I. To European Union members or European Economic Area members: 21

22 National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Citizen Members of the Union. II. To non-eu citizens: e) Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). * 1 Declaration of Identity It consists of a formal declaration under oath, in which the respondent says he knows personally and directly a particular individual or a legal entity. Besides, it notes, up to their direct knowledge, that the address, telephone and outlined in the application form are true Approval or rejection of certificate applications The Issuance Reports Manager (IRM) assumes the final response assumes the ultimate responsibility to verify the information contained in the Application Form, and to assess the adequacy of the documents provided and of the application, in accordance with the provisions of this Certification Policy. In particular, it will check the existence of the subscriber, the applicant, the existence of the domain and ownership of this to the subscriber Depending on the type of certificate: Type of certificate Procedure DV OV EV Sede Electrónica The owner must match the applicant organization. Otherwise, the applicant must prove the right of use by the subscriber. Verification that the applicant has the right to use the domain or subdomain: Dominios.es: Dominios.eu: Dominio.eus: whois.nic.eus Resto dominios: whois.icann.org Checking of the CAA in case they are registered and in any case following the guidelines of the RFC In the case of certificates SSL DV and SSL OV the wildcard in subdomains or hostnames will be allowed, but not in top-level domains (TLD) or in the domain name. The applicant entity must be able to demonstrate their legitimate control of the entire domain, otherwise the application will be rejected. For example, *.co.uk, *.local or ejemplo.* can not be issued but *.ejemplo.com can be issued to the company Ejemplo S.A. 22

23 DV OV EV Sede Electrónica Verification of identity and validity the applicant entity Checking of the competence of the applicant to use the name of the entity Checking via that the applicant is aware of the processing of the certificates. Verification of postal address in: Data Protection Agencies. Telephone operators pages. Companies Register In the case of discrepancy between the documentation provided and verification the IRM will verify that the address stated on the request corresponds to a location in which the applicant Organization operates stably. Country verification in: AGPD Yellow Pages Companies Register Checking of the denied list in ANF AC internal data bases Checking of high risk requests in Mcafee TrustedSource Sede Electrónica EV Checking of belonging of the landline number (not mobile) to the applicant entity in: Telephone operators Pages, Data Protection Agencies. Via direct call Checking of operational existence. Private entities must certify that perform banking transactions with a regulated financial institution. ANF AC performs a dual verification, intervening Technical Area and the Legal Advisory. Also in the same cases all validations are reviewed by the Head of the Technical Area Moreover, he/she will determine: That the subscriber has access to the terms and conditions relating to the use of the certificate, as well as to the issuance fees. That the subscriber has had access and has permanent access to all documents relating to the duties and responsibilities of the CA, the subscriber, applicant, those responsible for the certificate and relying parties, especially the CPS and Certification Policies. Besides, he/she shall monitor compliance with any requirements imposed by the legislation on data protection, as established in the security document included in the CPS, the purpose of the LOPD as provided in Article 19.3 of Spanish Electronic Signature Law 59/2003, December 19th. The process of issuing the certificate shall not start as long as the Issuance Reports Manager has not issued the corresponding compliance report. The deadline set for the issuance of the report is 15 days. After that period without issuing the mandatory report, the applicant may immediately cancel the order and receive the fees paid. The IRM may require additional information or documentation from the applicant, which will have 15 days to deliver it. After this period, without having completed the requirement, the IRM will issue a report denying the issuance. Should the applicant meet the requirement, the IRM will have 7 days to issue the final report. In case the IRM verifies that the information provided by the applicant is not true, he/she will deny the issuance of the certificate, and will generate an incident report to the Security Coordinator, to determine whether or not to include the applicant in the blacklist of individuals and entities with OID The validation procedure to be followed, by type of certificate, is the following: 23

24 Certificados SSL EV and Sede EV The IRM shall check the documentation given by the applicant and the Registration Authority. He/she will check, in accordance with the standards of CAB Forum, that the subscriber is not a natural person Certificados Sede The IRM shall check the norm of Office creation and its holder Certificados SSL EV and Sede EV The IRM shall check the documentation provided by the applicant and the Registration Authority. The validation process will be supported by the Legal Department and the Technical Department, which will review and technically validate the certificate request PKCS#10 / CRS. In the process of verification of the information and documentation received, the following means may be used: Consultation to official public records in which the entity must be registered in order to check availability, effect of charges and other legal issues such as activity and date of establishment. Official Journals of national or regional public bodies belonging to public bodies and enterprises. With regard to Internet addresses and domains, ANF AC consult recorders attached only by ICANN / IANA domain names and addresses associated with the certificate. In this query, it is verified verify: - That the holder (registrant) matches the subscriber. - People and contact information associated with that domain registration. One of the contact persons listed in the whois query shall be reached in order to verify compliance of the certificate issuance request associated with that domain. Verification of the subscriber, applicant and device owner contact details: o Telephone: - Subscriber: a landline (not mobile) shall be used. This shall be checked in yellow pages, AEPD (Spanish Data Protection Agency), and by personal call. - Applicant and device owner: through personal call. o Postal Address: it shall be checked in Yellow Pages, AEPD or Informa service. o it shall be verified by sending an requesting confirmation of receipt. It is verified that none of the individuals associated with the request are recorded in the blacklist of individuals and entities with OID or is operating in a place where the CA policies forbids the certificate issuance (document with OID ). 24

25 It is verified that the domain is not included as suspicious in the Anti Phishing Workgroup website or similar ones. It is verified that none of the individuals associated with the request is listed as a criminal in public records. ANF AC regularly updates its database with all persons appearing on search and seizure, and links this control blacklist certificate request. Also, for domain associated to names that may create in relying third parties by: Confusion of identity or activity. The certificate issuance will not be authorized when the domain name may create confusion about the real activity of the subscriber, (eg. where the subscriber's activity does not correspond to that of a financial institution). Specially relevant trademarks. In the case of domain associated to a specially relevant trademark, the Patent and Trademark Register shall be checked. When the domain name associated with a brand of relevance and public awareness, it will be verified if the owner of the trademark is related to the subscriber. In negative case, the IRM shall ask clarification and authorization to the subscriber. No person may issue this certificate when the name is associated with a relevant brand whose domain is not owned by the subscriber, or has permission form the owner of the mark, since it may cause confusion to third parties (eg etc.). In cases where validation cannot be performed on the terms and sources defined above, this will be noted in the verification act issued by the IRM, and the alternative source used shall be included Time to process certificate applications The issuance of a certificate means the complete and final approval of an application by the Issuance Reports Manager. The issuance of certificate must be made within 48 hours, once issued the report of the IRM, as defined in the CPS of ANF AC. 4.3 Certificate issuance ANF AC will avoid generating certificates that expire after the CA that issued them Certification Entity actions during certificate issuance ANF AC will deliver the certificate, by signed electronic mail, to the Technical Responsible that is stated in the Issuance Application Form. 25

26 4.3.2 Notification to subscriber ANF AC notifies the subscriber via , the certificate issuance and publication. 4.4 Certificate acceptance Acceptance After the delivery of the certificate, the subscriber shall have a period of seven calendar days to verify the certificate and to determine whether it is appropriate and whether the data are consistent with the required information. The subscriber has a period of 15 days to sign the Act of Reception and Acceptance of the received Certificate. Through the Act of Reception and Acceptance, the subscriber confirms receipt of the certificate, acceptance to the issuance made, the correct functionality of the product, its ability to use it to sign the minutes with this certificate; reaffirms its submission to the ANF AC CPS and Policies, to use it in accordance with the limitations in the use and purpose for which it was issued, the responsibility to maintain the confidentiality of the private key, and the commitment to cease use after the loss of force, either by expiration or revocation Certificate return The subscriber has a period of 7 days from the delivery of the certificate, to verify its proper operation. In case of malfunction or due to technical errors in the data contained in the certificate, the applicant or those responsible for the certificate can send an electronically signed to ANF AC, reporting the reason for the return. ANF AC shall verify the causes of removal revoke the certificate issued and issue a new certificate within 72 hours Tracing ANF AC is not responsible for the monitoring, investigation or confirmation of the accuracy of the information contained in the certificate after issuance. For information on the inaccuracy or no current applicability of the information contained in the certificate, it can be revoked Certificate publication The certificate is published in the repositories of ANF AC, within a maximum period of 24 hours since its emission has occurred Notification of certificate issuance to third parties No notification is made to third parties. 26

27 4.5 Rejection 4.6 Certificate renewal Generally, as defined in the CPS of ANF AC Valid certificates ANF AC notifies the subscriber and the certificate expiration applicant by , submitting the application form, in order to proceed with its renovation. These notifications are sent at 90, 30 and 15 days prior to the expiration date of the certificate. Only valid certificates can be renewed Persons authorized to request the renewal The renewal application form must be signed by the same applicant, whether that is the actual subscriber or the legal representative who processed the certificate request. The personal circumstances of the applicant should not have changed, especially its capacity for legal representation Routine renewal requests authentication and identification The process for reference / renewal is the same as for new issuance. The documentation to be provided by the applicant and the validation steps, issuance and delivery of certificates are the same as for the issuance of a new certificate. Two ways of renewal are considered: Certificate renewal with rekeying As defined in ANF AC CPS Certificate renewal without rekeying As defined in ANF AC CPS Approval or rejection of renewal applications Same procedure as that performed in the issuance process specified herein Notification of certificate renewal Same procedure as that performed in the issuance process specified herein. 27

28 4.6.6 Certificate renewal acceptance Same procedure as that performed in the issuance process specified herein Publication of the renew certificate Same procedure as that performed in the issuance process specified herein Notification of certificate renewal Same procedure as that specified in the section Notification of certificate issuance to third parties Identification and authentication of key renewal applications after revocation (uncommitted key) The renewal of expired or revoked certificates is not authorized. 4.7 Certificate modification Not applicable. 4.8 Certificate revocation and suspension As generally defined in the CPS of ANF AC Circumstances for revocation Besides those defined in the CPS, ANF AC shall: Provide instructions and legal support for reporting complaints or suspected compromise of the private key, of certificate misuse or about any type of fraud or misconduct. The instructions are published and permanently updated in: You may file directly your suspicion or complaint in: Anyone who sets out technical instructions or legal support in this field, can make your consultations for free by one of the following procedures: o Via telephone call in office hours: (calls from Spain) (monday to friday from 9 h. to 18 h.) (International) o Online procedure. The applicant must fill the form published in the website: 28

29 o Sending an to: ANF AC will investigate incidents of which it has knowledge, within twenty four hours of receipt. The Security Manager, based on inquiries and verifications, shall issue a report to the Issuance Reports Manager, which will determine if the corresponding revocation founded by Act, which shall include: - Nature of the incident. - Received information. - Legal rules and regulation on which the revocation order is based. Every applicant can open an incident through any of the following procedures:: o Via telephone call in office hours: (calls from Spain) (monday to friday from 9 h. to 18 h.) (International) o Online procedure. The applicant must open an incident in the Webservice: Revocation applications identification and authentication Revocation of a certificate can be requested by: The subscriber of a certificate. The applicant. The Responsible for the certificate usage. The Recognized Registration Authority. The identification policy for revocation requests accepts the following methods of identification: Electronically: by electronic signature of the revocation request by the applicant of the certificate or of the operator at the time of the revocation request. By telephone: by replying to questions from the telephone support service available at the number (calls from Spain) or (International). In person: appearing the subscriber or the legal representative of the certificate holder in any of the offices of ANF AC published at the web address proving their identity through original documentation, and manually signing the appropriate form. ANF AC, or any of the Recognized Registration Authorities that compose its National Proximity Network, may request revocation of a certificate if they knew or suspected compromise of the private key associated with the certificate, or any other fact to recommend take such action. 29