Authorised Operator TrustAssured Service Utility Certificate Policy. Version 5.2

Transcription

1 Authorised Operator TrustAssured Service Utilit Certificate Polic Version 5.2 Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 1

2 IMPORTANT NOTE ABOUT THIS DOCUMENT The information contained herein is the propert of The Roal Bank of Scotland plc and ma not be copied, used or disclosed in whole or in part except with the prior written permission of The Roal Bank of Scotland plc. This document is controlled and managed under the authorit of RBS TrustAssured Polic Approval Authorit (PAA). All Rights Reserved Contact TrustAssured, CPB Digital Services, Roal Bank of Scotland, Floor 7, 280 Bishopsgate, London, EC2M 4RB Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 2

3 Table of Contents 1. POLICY OUTLINE Communit & Applicabilit Contact Details CP PROVISIONS Obligations Liabilit Interpretation & Enforcement Publication & Repositor Confidentialit Tpes of Information to be Kept Confidential Tpes of Information Not Considered Confidential Identification & Authentication Initial Registration Uniqueness of Names Authentication of Business Customer Identit Routine Reke Reke after Revocation Operational Requirements Certificate Application, Issuance & Acceptance Certificate Dissemination Certificate Suspension & Revocation Circumstances for Certificate Revocation/Suspension Procedure for Suspension or Revocation Request Certificate Re-activation Suspension Period Limitations On-line Revocation Checking Requirements Technical Securit Controls Ke Pair Generation and Installation Private Ke Protection Private Ke Escrow, Backup and Archiving Certificate Profiles Polic Specification and Administration Polic Specification and Change Approval Procedures Items that can change without Notification Changes with Notification Publication and Notification of Procedures Items Whose Change Requires a New Polic Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 3

4 POLICY IDENTIFICATION Polic Name Polic Qualifier Authorised Operator TrustAssured Service Utilit Certificate Polic. This Utilit Certificate ma onl be relied upon onl b either (1) a Reling Customer of an IdenTrust Participant, or (2) a part bound to the alternative polic regime specified elsewhere in this Certificate. Polic Version 5.2 Polic Status Live Polic Ref/OID Date of Issue 1st Februar 2018 Date of Expir Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 4

5 1. POLICY OUTLINE This Certificate Polic (CP) is applicable to The Roal Bank of Scotland plc TrustAssured Service. Certificate issuance and usage is restricted to Customers of The Roal Bank of Scotland plc who have signed and agreed to the Business Customer Agreement for the TrustAssured Service and, where appropriate, this CP. Authorised Operator TrustAssured Service Utilit Certificates are onl issued to Customers in conjunction with an Identit Certificate, unless otherwise stated. The Roal Bank of Scotland plc has a common set of definitions that are used in this Certificate Polic and the Business Customer Agreement for the TrustAssured Service and associated documents. A definition for all words appearing in capitals in these documents can be found in Schedule A of the Business Customer Agreement for the TrustAssured Service. Onl contracted parties within the IdenTrust Scheme ma use and rel upon an Authorised Operator TrustAssured Service Utilit Certificate Communit & Applicabilit Authorised Operator TrustAssured Service Utilit Certificates are onl to be used b parties contracted with The Roal Bank of Scotland plc. Use of such Certificates outside this communit is not permitted or supported. Authorised Operator TrustAssured Service Utilit Certificates are onl to be used for the purpose of providing the following Identit Validation services: Data confidentialit and integrit; Secure ke distribution; Ke agreement; Non-IdenTrust identit related digital signatures. Authorised Operator TrustAssured Service Utilit Certificates are restricted to those services described above b defined Ke Usage fields within the Certificate Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 5

6 1.2. Contact Details TrustAssured, CPB Digital Services, Roal Bank of Scotland, Floor 7, 280 Bishopsgate, London, EC2M 4RB Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 6

7 2. CP PROVISIONS 2.1. Obligations The Roal Bank of Scotland plc is responsible for: Making reasonable efforts to ensure it conducts an efficient and trustworth operation in line with the operating rules and guidelines of IdenTrust; Issuing Certificates that are factuall correct from the information presented to them b the Customer at the time of issue, and that the are free from data entr errors; Where appropriate, the revocation/suspension of Certificates and updating its Validation Authorit or other director services as appropriate, in a timel manner, consistent with the requirements of The Roal Bank of Scotland plc. A Subscribing Customer: Is obliged to protect Private Ke(s) at all times, against loss, disclosure to an other part, modification and unauthorised use, in accordance with the Business Customer Agreement for the TrustAssured Service and this CP; Is personall and solel responsible for the confidentialit and integrit of its Private Ke(s); Must ensure its Authorised Operators never store their PIN(s) (Personal Identit Number) or pass phrase(s), used to protect unauthorised use of the Private Ke(s), in the same location as the Private Ke(s) or next to the storage media, or otherwise in an unprotected manner without sufficient protection; Is responsible for the accurac of the data it transmits as part of a Certificate request; Is required to immediatel inform The Roal Bank of Scotland plc of compromise or suspected compromise of its Private Ke(s); Is to immediatel inform The Roal Bank of Scotland plc if there is an change in its information included in its Certificate(s) or provided during the application process; Accepts that its Certificate(s) ma be published in The Roal Bank of Scotland plc owned director services which ma be made available to other Customers within the IdenTrust Scheme; and Is responsible for checking the correctness of the content of its published Certificate(s) within seven (7) das from their issuance. A Reling Customer: Is to exercise due diligence and reasonable judgement before deciding to rel on an Authorised Operator TrustAssured Service Utilit Certificate; Is to acknowledge that the assurance provided b an Authorised Operator TrustAssured Service Utilit Certificate is not guaranteed in an form b The Roal Bank of Scotland plc or IdenTrust; Will ensure that it complies with an local laws and regulations, which ma impact their right to use certain crptographic instruments. Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 7

8 2.2. Liabilit This is covered under the Business Customer Agreement for the TrustAssured Service Interpretation & Enforcement Governing Law This is covered under the Business Customer Agreement for the TrustAssured Service. Contractual Infrastructure This CP is a part of and subject to the Business Customer Agreement for the TrustAssured Service. Priorit of Documents In the event that there is a conflict between the documents provided b The Roal Bank of Scotland plc, the order of controlling priorit, in descending order, shall be as follows: 1. Business Customer Agreement for the TrustAssured Service 2. Authorised Operator TrustAssured Service Utilit Certificate Polic Publication & Repositor Paper copies and electronic versions of this CP are available from The Roal Bank of Scotland plc 2.5. Confidentialit Tpes of Information to be Kept Confidential Detailed provisions regarding confidentialit are defined in the Business Customer Agreement for the TrustAssured Service. A Customer shall treat all confidential information as confidential and proprietar to its owner. A Customer shall use at least the same degree of care to protect the confidentialit of another part s confidential information as the Customer uses to protect its own similar confidential information, which degree of care shall be no less than reasonable care. Information supplied to The Roal Bank of Scotland plc as a result of the practices described in this CP ma be subject to national government or other privac legislation or guidelines. Access to confidential information b The Roal Bank of Scotland plc operational staff is on a need-to-know basis. Paper-based records, electronic records, and other documentation containing confidential information are to be kept in secure and locked containers or filing sstems, separate from all other records. Application Records All application records are considered confidential information, including: Certificate applications, whether approved or rejected; Proof of identification documentation and details as applicable; Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 8

9 Certificate information collected as part of the application records, but this does not prevent publication of Certificate information in the Certificate repositor. Certificate Information The reason for a Certificate being suspended or revoked is considered confidential information Tpes of Information Not Considered Confidential Certificate Information The information contained in Certificates issued to contracted Customers is not considered confidential. Disclosure of Certificate Suspension Information Status request information on Certificate suspension is not disclosed to the Reling Customer. A suspended Certificate is not considered reliable and The Roal Bank of Scotland plc Validation Authorit reports to Reling Customers that suspended Certificates are, in fact, revoked. Disclosure of Certificate Status Information Where appropriate, Customers Certificate Status information is provided via The Roal Bank of Scotland plc s Validation Authorit or other director services where the following status response is provided: Good Revoked Unknown A revocation reason is not provided with the response. Authorised Operator TrustAssured Service Utilit Certificate Polic V 5.2 9

10 3. Identification & Authentication 3.1. Initial Registration Uniqueness of Names The Authorised Operator common name (cn) component of the Certificate s Distinguished Name (Dname) is unique. The format is as follows: Authorised Operator s forename Authorise Operator s surname Utilit Certificate identifier [Utilit]; Authentication of Business Customer Identit An Authorised Operator TrustAssured Service Utilit Certificate is issued together with an Authorised Operator TrustAssured Service Identit Certificate. On successful application for an Identit Certificate, a Utilit Certificate will be provided on the hardware token provided to the Authorised Operator Routine Reke Certificates and hardware tokens holding Private Kes expire at the same time. The Roal Bank of Scotland plc will automaticall provide the rekeed Certificate and hardware token (if necessar) 30 das prior to its expiration Reke after Revocation Rekeing after Certificate revocation is not permitted. Customers must appl for a new Certificate and complete the initial application process as though the were a new Authorised Operator. Authorised Operator TrustAssured Service Utilit Certificate Polic V

11 4. Operational Requirements 4.1. Certificate Application, Issuance & Acceptance Once a Customer has expressed interest in using Certificates provided b the TrustAssured Service, the Customer must complete and sign an application form to appl for membership of the TrustAssured Service (refer to related documentation). After initial application and Certification of the Identit Public Ke, Customers will obtain their Ke Pairs and a Utilit Certificate on the provided IdenTrust compatible hardware token using the same process detailed for the Identit Certificate. After review of the Utilit Certificate, an Authorised Operator s use of their Ke Pairs/Utilit Certificate shall constitute acceptance of the Ke Pairs and Certificate Certificate Dissemination Certificates on Smartcards are sent to subscribers using the services of a smartcard bureau who undertake all the fulfilment requirements. The smartcard and PIN are dispatched using standard postal services. Hardware Securit Module (HSM) certificates are sent directl to the subscriber b the Registration team Certificate Suspension & Revocation Certificate suspension results in a temporar inabilit to use the Certificate. Where appropriate, The Roal Bank of Scotland plc ma provide director services in order to facilitate the validation of a Utilit Certificate outside of the TrustAssured Service. In such cases as The Roal Bank of Scotland plc implements validation for Utilit Certificates the following will appl. Although the Authorised Operator retains possession of the Certificate; if the use the Certificate within the IdenTrust Scheme, the validit of the Certificate will be returned as revoked and should not be trusted. Certificate revocation results in the permanent inabilit to use the Certificate. All requests for Certificate suspension and revocation will be performed in accordance with the Business Customer Agreement for the TrustAssured Service Circumstances for Certificate Revocation/Suspension The following events will result in the revocation or suspension of a Utilit Certificate: The Roal Bank of Scotland plc initiates suspension or revocation: To protect their, their Customer s or IdenTrust interests; Upon expir of the Suspension Grace Period; Upon receipt of multiple suspension requests; Upon termination of the Business Customer Agreement for the TrustAssured Service. Authorised Operator TrustAssured Service Utilit Certificate Polic V

12 The Customer initiates suspension or revocation due to but not limited to the following: Person/Token Removal - the Authorised Operator has left the position needing the Certificate or if a hardware token used to exercise the Certificate is no longer needed; Person Dismissal - the Authorised Operator has been dismissed or resigned from their Business; Extended Leave - where the Authorised Operator is absent from the Business for an extended period of time. Ke Compromise - the kes associated with the Certificate have been or are believed to be compromised, for example PIN disclosure. Change of Business Compan Name the Business changes its compan name which will require that the Organisation Name, as detailed on each of the Authorised Operators Certificates, reflects the new Business compan name; Affiliation Change - the Authorised Operator has changed functional department / responsibilities where a different or new Certificate must be issued to the Business for that individual; Hardware Token Failure - due to token malfunction the Authorised Operator is unable to use either the Ke Pairs or Certificate or both; Hardware Token Lost/Stolen - the token has been lost or stolen; or Hardware Token Blocked - the pass phrase for the token has been locked due to excessive unsuccessful attempts; Termination of the Business Customer Agreement for the TrustAssured Service Procedure for Suspension or Revocation Request Business Customer Authorised Operator Certificate Management Forms (OCM) are used to indicate the reason for the revocation or suspension. These must be signed b the Authorised Signator(s) and faxed to The Roal Bank of Scotland plc. The signed original cop(s) of the request must be furnished to The Roal Bank of Scotland plc as soon as possible. Valid requests for revocations and suspensions will be processed within 1 hour of The Roal Bank of Scotland plc acknowledging receipt of the request. Where revocation is requested, The Roal Bank of Scotland plc will initiall suspend the Certificate until receipt of the signed original request, upon which the Certificate will be full revoked. The Roal Bank of Scotland plc will provide notice to Customers of an revocation or suspension activit as detailed in the Business Customer Agreement for the TrustAssured Service Certificate Re-activation Business Customer Authorised Operator Certificate Management Forms (OCM) are used to indicate the reason for reactivation of a suspended Certificate. These must be signed b the Authorised Signator(s) and the signed original cop(s) of the OCM form must be furnished to The Roal Bank of Scotland plc. Requests for re-activation will be assessed on a case b case basis Suspension Period Limitations Authorised Operator TrustAssured Service Utilit Certificate Polic V

13 Suspension of Authorised Operator TrustAssured Service Utilit Certificates ma not exceed 30 das for an one period. If the suspension of an Authorised Operator s TrustAssured Service Utilit Certificate is requested more than twice b the Customer or The Roal Bank of Scotland plc, the Certificate will be full revoked following receipt of the third request On-line Revocation Checking Requirements The Roal Bank of Scotland plc, at its discretion ma provide Utilit Status checking facilities for those entities as required Authorised Operator TrustAssured Service Utilit Certificate Polic V

14 5. Technical Securit Controls 5.1. Ke Pair Generation and Installation All Ke Pairs used in relation with the Authorised Operator TrustAssured Service Utilit Certificates are generated in hardware meeting FIPS140-2 Level 3. Kes are securel distributed in Hardware Securit Modules, Personalised Smart Cards or other hardware tokens. Where kes are centrall generated the are installed in compliance with The Roal Bank of Scotland plc ke management policies Private Ke Protection Private Kes are protected in hardware meeting FIPS Level Private Ke Escrow, Backup and Archiving Utilit Private Kes are not escrowed, backed up or archived Certificate Profiles Authorised Operator TrustAssured Service Qualified Utilit Certificate Profile Qualified Business Utilit Hardware Field Content Mandator Critical* 1. X.509v1 Field 1.1. Version v Serial Number Allocated automaticall b the Issuing CA 1.3. Signature Algorithm SHA-256 with RSA Signature 1.4. Issuer Distinguished Name Organization (O) Prod: The Roal Bank of Scotland plc PTE: The Roal Bank of Scotland Plc Organizational Unit (OU) The Roal Bank of Scotland plc TrustAssured Infrastructure Common Name (CN) Prod: The Roal Bank of Scotland Plc TrustAssured CA PTE: pte The Roal Bank of Scotland Plc TrustAssured CA 1.5. Validit 3 ears Not Before e.g., 00:00:01 01 September Not After e.g., 23:59:59 31 August Subject Countr (C) e.g., uk n Organization (O) e.g., The XYZ Compan Organizational Unit (OU) e.g., International Financial Services Common Name (CN) e.g., John Doe - utilit - utilit is appended to utilit certificate onl 1.7. Subject Public Ke Info 2048-Bit Public ke encoded in accordance with IETF RFC3280 & PKCS#1 2. X.509v3 Extensions 2.1. Authorit Ke Identifier n Ke Identifier the Subject Ke Identifier of the Issuer of this Certificate AuthoritCertIssuer Not present n AuthoritCertSerialNumber Not present n Authorised Operator TrustAssured Service Utilit Certificate Polic V

15 Qualified Business Utilit Hardware Field Content Mandator Critical* 2.2. Subject Ke Identifier The ke Identifier is composed of the 160-bit n SHA-1 hash of the value of the BIT STRING subject PublicKe (excluding the tag, length, and number of unused bits) Ke Usage Digital Signature Selected Non Repudiation Not selected Ke Encipherment Selected Data Encipherment Selected Ke Agreement Selected Ke Certificate Signature Not selected CRL Signature Not selected Extended Ke Usage (can define other OIDs for other uses) n n Server Authentication Not selected Client Authentication Selected Code Signing Not selected Protection Selected IPSEC End Sstem Not selected IPSEC Tunnel Not selected IPSEC User Optional Time Stamping Not selected OCPS Server Not selected Cert Trust List Signing Not selected MS Server Gated Crpto Not selected NS Server Gated Crpto Not selected 2.5. Certificate Policies n Polic Identifier Polic Qualifier ID User Notice Prod: This Certificate ma be relied upon onl b either: (1) a Reling Customer of an IdenTrust Participant, or (2) a part bound to the alternative polic regime specified elsewhere in this Certificate PTE: This is a test certificate and ma be used for testing purposes onl. This Certificate ma be relied upon onl b either: (1) a Reling Customer of an IdenTrust Participant, or (2) a part bound to the alternative polic regime specified elsewhere in this Certificate Polic Identifier n Polic Qualifier ID n User Notice Prod: This Certificate is for the sole use of RBS, their customers, and other contracted parties of associated supported Schemes. RBS accepts no liabilit for an claim except as expressl provided in its Business Customer Agreement Terms and Conditions. PTE: This is a test certificate and ma be used for testing purposes onl. This Certificate is for the sole use of RBS, their customers, and other contracted parties of associated supported Schemes. RBS accepts no liabilit for an claim except as expressl provided in its Business Customer Agreement Terms and Conditions n 2.6. Subject Alternate Names n rfc822name e.g., john.doe@xyzcorp.com registeredid Optional, OID TBD n 2.7. Basic Constraints Not present Subject Tpe Not present Path Length Constraint Not present 2.8. Authorit Information Access n Access Description Authorised Operator TrustAssured Service Utilit Certificate Polic V

16 Qualified Business Utilit Hardware Field Content Mandator Critical* Access Method On-line Certificate Status Protocol( ) Alternative Name Prod: PTE: CRLDistributionPoint Not Present No *not used for attributes, onl extensions Authorised Operator TrustAssured Service Utilit Certificate Polic V

17 6. Polic Specification and Administration 6.1. Polic Specification and Change Approval Procedures The Roal Bank of Scotland Polic Approval Authorit (PAA) is responsible for the specification, approval and issue of all changes to this Certificate Polic Items that can change without Notification Tpographical and editorial corrections or changes to the contact details ma be made to this specification without notification Changes with Notification An item in this Certificate Polic ma be changed with 30 das notice as detailed within the Business Customer Agreement for the TrustAssured Service Publication and Notification of Procedures All proposed changes that ma materiall impact users of this Certificate Polic will be notified in writing to Certification Authorities (CAs) registered with the TrustAssured Service. Such CAs shall post notice of such proposed changes and shall advise their registered Subscribers of the proposed changes as detailed in the Business Customer Agreement for the TrustAssured Service Items Whose Change Requires a New Polic If a change to this Certificate Polic is determined b the PAA to have a material impact on users of the polic, the PAA ma, at its sole discretion, assign a new Object Identifier to the modified polic. Authorised Operator TrustAssured Service Utilit Certificate Polic V