CAEDICOM - Certification Practices Statement Drafted according to specification RFC 3647 and ETSI EN (V1.2.0)

Transcription

1 Drafted according to specification RFC 3647 and ETSI EN (V1.2.0)

2 Title CAEDICOM - Certification Practices Statement File name CAEDICOM01_CPS_CertificationPracticeStatement.odt Version: 1.2 Status: VALID Date: 13/02/2017 Author: Antonio García Gonzáles OID: Revision, Approbation Revised by José Vilata, Raul Santisteban Date: 20/06/2016 Approved by: José Vilata Date: 20/06/2016 Change archive Version Date Action description Pages /04/2014 Initial version All /06/2016 Changes to meet the Regulation UE Nº 910/ /02/2017 Clarification of the mechanism for consulting the status of certificates at point All 58 CAEDICOM - Certification Practices Statement 2

3 Table of content 1 INTRODUCTION PRESENTATION DOCUMENT NAME AND IDENTIFICATION PKI PARTICIPANTS, COMMUNITY OF CERTIFIED USERS Certification Authorities Registration Authorities End Users USE OF CERTIFICATES Typical uses of certificates Prohibited uses Reliability of the electronic signature over time ADMINISTRATION OF THE POLICIES AND PRACTICES Entity responsible Contact person Competence to determine CPS compliance with the different Certification Policies Approval procedure DEFINITIONS AND ACRONYMS Definitions Acronyms INFORMATION PUBLICATION AND CERTIFICATE REPOSITORY REPOSITORIES PUBLICATION UPDATE FREQUENCY CERTIFICATE REPOSITORY ACCESS CONTROLS CERTIFICATE HOLDER IDENTIFICATION AND AUTHENTICATION NAME REGISTRATION Name types Meaning of names Name format interpretation Uniqueness of names Resolution of name-related conflicts Recognition, authentication and function of registered trade names INITIAL IDENTITY VALIDATION Private key possession proof methods Individual identity authentication Authenticating the identity of an organization KEY RENEWAL REQUEST IDENTIFICATION AND AUTHENTICATION Identification and authentication of routine renewal requests KEY REVOCATION REQUEST IDENTIFICATION AND AUTHENTICATION LIFE CYCLE OF CERTIFICATES CERTIFICATE APPLICATIONS CERTIFICATE REQUEST TRANSACTIONS ISSUING CERTIFICATES ACCEPTING CERTIFICATES USE OF THE PAIR OF KEYS AND THE CERTIFICATE CERTIFICATE RENEWAL...32 CAEDICOM - Certification Practices Statement 3

4 4.7 KEY RENEWAL CERTIFICATE MODIFICATION CERTIFICATE REVOCATION AND SUSPENSION Circumstances for revocation Entity that may apply for revocation Revocation request procedure Revocation request grace period Circumstances for suspension Entity that may apply for suspension Suspension request procedure Suspension period limits Frequency of issue of CRLs CRL checking requirements Other revoked certificate notification methods Special renewal requirements for compromised keys CERTIFICATE STATUS CHECKING SERVICES Operating Features Service Availability CONCLUSION OF SUBSCRIPTION KEY DEPOSIT AND RECOVERY CA CERTIFICATE EXPIRY PHYSICAL SECURITY, MANAGEMENT AND OPERATIONAL CONTROLS PHYSICAL SECURITY CONTROLS Location and construction Physical access Power supply and air conditioning Exposure to water Fire protection and prevention Storage system Waste disposal Remote backup PROCEDURAL CONTROLS rusted roles Number of people required per task Identification and authentication for each role PERSONNEL SECURITY CONTROLS Background, qualification, experience, and accreditation requirements Background vetting procedures Training requirements Training update requirements and frequency Task rotation frequency and sequence Sanctions for unauthorized actions Staff hiring requirements Documentation provided to personnel Periodic compliance checks Termination of contracts SECURITY PROCEDURE CONTROLS Event types recorded Log processing frequency...45 CAEDICOM - Certification Practices Statement 4

5 5.4.3 Audit logs retention period Audit log protection Audit log backup procedures Audit information collection System (internal vs. external) Notification to the subject cause of the event Vulnerability analysis INFORMATION AND RECORDS FILE Type of information and events recorded Archive retention term Archive protection Archive backup procedures Record time stamping requirements Audit information compilation system (internal vs. external) Procedures to obtain and verify archived information CA KEY CHANGE RECOVERY IN CASE OF KEY COMPROMISE OR DISASTER Alteration of hardware, software and/or data resources The public key of an entity is revoked The key of an entity is compromised Security installation following natural disaster or other types of disaster CESSATION OF A CA TECHNICAL SECURITY CONTROLS KEY PAIR GENERATION AND INSTALLATION Key pair generation Delivery of public key to end entity Delivery of public key to certificate issuer CA public key delivery to the users Key size Public key generation parameters Parameter quality check Key generation hardware/software Key usage purposes PRIVATE KEY PROTECTION Standards for cryptographic modules Multi-person private key control Private key custody Private key security copy Private key archive Entering the private key in the cryptographic module Private key activation method Private key deactivation method Private key destruction method Classification of cryptographic modules OTHER KEY PAIR MANAGEMENT ASPECTS Public key archive Public and private key usage periods ACTIVATION DATA Activation data generation and activation Activation data protection...54 CAEDICOM - Certification Practices Statement 5

6 6.5.3 Other activation data aspects IT SECURITY CONTROLS Specific IT security technical requirements IT security level assessment SERVICE LIFE SECURITY CONTROLS Systems development controls Security management controls NETWORK SECURITY CONTROLS CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS REVOKED CERTIFICATE AND CERTIFICATE LIST PROFILES CERTIFICATE PROFILE Version number Certificate extensions Object identifiers (OID) of algorithms Name formats constraints Certification Policy Object Identifier (OID) Policy Constraints extension use Policy qualifier syntax and semantics Critical Certificate Policy extension semantic treatment CRL profile Version number CRL and extensions REVOKED CERTIFICATE LIST Time limit of certificates in CRLs OCSP PROFILE OCSP responder certificate profile Version number Name formats Certification Policy Object Identifier (OID) Certificate extensions and fields OCSP request format Response format CONFORMITY AUDIT FREQUENCY OF CONFORMITY CHECKS FOR EACH ENTITY AUDITOR IDENTIFICATION/QUALIFICATION RELATION BETWEEN AUDITOR AND ENTITY AUDITED TOPICS COVERED BY CONFORMITY AUDIT ACTIONS TO BE TAKEN AS A RESULT OF A DEFICIENCY COMMUNICATION OF RESULTS COMMERCIAL AND LEGAL REQUIREMENTS TARIFFS Certificate issue or renewal fees Certificate access fees Fees for access to status or revocation information Fees for other services such as information on policies Refund policy FINANCIAL STANDING...65 CAEDICOM - Certification Practices Statement 6

7 9.2.1 Indemnification to third parties trusting certificates issued by CAEDICOM Fiduciary relations Administrative processes CONFIDENTIALITY POLICY Confidential information Non-confidential information Disclosure of certificate revocation /suspension information PERSONAL DATA PROTECTION Personal Data Protection Plan Information deemed private Information not deemed private Responsibilities Consent given for personal data use Communication of information to administrative and/or judicial authorities Other information disclosure situations INTELLECTUAL PROPERTY RIGHTS OBLIGATIONS AND CIVIL RESPONSIBILITY Obligations of the Certification Entity Registration Authority Obligations Subscriber obligations Obligations of third parties trusting certificates issued by CAEDICOM Repository obligations GUARANTEE WAIVERS RESPONSIBILITY LIMITATIONS Guarantees and limitations of guarantees Definition of responsibilities Loss limitations TERM AND CONCLUSION Term Conclusion Survival NOTIFICATIONS MODIFICATIONS Change specification procedures Publication and notification procedures Certification Practice Statement approval procedures RESOLUTION OF CONFLICTS Extrajudicial resolution of conflicts Competent jurisdiction APPLICABLE LEGISLATION COMPLIANCE WITH APPLICABLE LAW DIVERSE CLAUSES CAEDICOM - Certification Practices Statement 7

8 1 INTRODUCTION 1.1 PRESENTATION EDICOM is constituted as Certification Service Provider or Certification Authority by virtue of the document sent to the Ministry of Industry, Commerce and Tourism in accordance with that set forth in Law 59/2003 of 19th December on electronic signature, in article 30, being authorized in the publication service anticipated in Article 30.2, November 5, By virtue of this fact, and considering that on 1 July 2016, Regulation (EU) 910/2014 of the European Parliament and Council of 23 July 2014 on electronic identification and trust services for e-transactions in the internal market comes into force, EDICOM becomes a Trust Services Provider, maintaining the publishing service provided for in Article 22 of Regulation EDICOM issues CAEDICOM certificates, which may be Qualified certificates for identification and advanced electronic signature, for the use of physical persons or legal organisations (known collectively as subscribers) that need to engage in relations with the Public Administrations and other institutions or companies in the Electronic Data Interchange area and/or to equip themselves with certified storage systems. The CAEDICOM certificate may be an acknowledged certificate in accordance with that laid down in Regulation UE Nº 919/2014 of the European Parliament, and meet the requirements of Articles 28, 38 and 45 of the Regulation and its various annexes. Likewise, the certificates comply with the standards on the subject of recognised certificates, specifically: ETSI EN : Qualified Certificate Profile. RFC 3739 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile CAEDICOM also issues server certificates and other types of certificates for uses other than "electronic signature". These cannot be considered subject to the provisions of Regulation (EU) 910/2014, and are not suitable to support the "Electronic Signature" defined therein. They are mentioned in this document exclusively because they form part of the pool of certificates issued by CAEDICOM, although they are not subject to the criteria and procedures required for qualified certificates, although they do share the whole physical and security infrastructure established for said certificates. This document is considered the mandatory Certification Practice Statement (CPS) from the EDICOM Certification Authority. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 8

9 In accordance with the above and in compliance with the legal provision, this Certification Practice Statement (CPS) details the rules and general conditions of the certification services provided by the EDICOM Certification Authority, in relation with the management of the data for creation and verification of electronic signature and certificates, the conditions applicable to the requesting, issue, use, suspension and extinction of the validity of certificates, technical and organizational security measures, profiles and the information mechanisms on the use of certificates and, where indicated, the existence of coordination procedures with the corresponding public registries to allow the interchange of information immediately on the validity of the powers indicated in the certificates and which must appear recorded in said registries. To this end, this Certification Practice Statement constitutes the general compendium of rules applicable to all certifying activities of the EDICOM Certification Authority as Trust service providers. However, the different specialities applicable to each of the different types of certificates that are issued are stipulated in the different Certification Policies which, as complementary and specific standards, will prevail over this Certification Practice Statement as regards each type of certificate. This Certification Practice Statement is drafted in line with the RFC 3647 specifications Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework proposed by Network Working Group and completed with aspects stipulated in: ETSI EN : Policy Requirements for trust service providers issuing qualified certificates. ETSI EN : Qualified Certificate Profile. ETSI EN : Policy Requirements for certification authorities issuing public key certificates. Likewise, the following are considered as basic standards applicable on the issue: European Parliament legislative resolution of 3 April 2014, on the proposal for Regulation of the European Parliament and the Council on electronic identification and trust services for e-transactions in the internal market (COM(2012)0238 C7-0133/ /0146(COD)) Organic Law 15/1999, of 13 th December, on Protection of Data of a Personal Nature. Royal Decree 1720/2007, of 21 st December, whereby the Regulation of development of Organic Law 15/1999, of 13 th December, on protection of personal data, is approved. Royal Legislative Decree 1/1996, of 12 th April, whereby the Revised Text of the Intellectual Property Law is approved. The general architecture of EDICOM PKI at hierarchic level is as follows: CAEDICOM - Certification Practices Statement 1 INTRODUCTION 9

10 Nivel 0 CAEDICOM Root Nivel 1 CAEDICOM01 A first level (0), in which the root CA that represents the trusted point of the whole system is located and which will allow, as set forth in article 15 of the Law on Electronic Signature, all physical or legal, public or private persons to recognise the effectiveness of EDICOM certificates for electronic signature. A second level (1), consisting of the subordinate CA of the Root CA that will issue certificates of identity and signature of the subscribers. 1.2 DOCUMENT NAME AND IDENTIFICATION Document name CAEDICOM - Certification Practices Statement Document version 1.2 Document status Valid OID (Object Identifier) Date of issue 20/06/2016 Expiry date Localization No applicable PKI PARTICIPANTS, COMMUNITY OF CERTIFIED USERS This certification practice declaration regulates a community of users, who obtain certificates for diverse administrative and private relations, in accordance with the corresponding administrative norm. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 10

11 1.3.1 CERTIFICATION AUTHORITIES The Certification Service Provider is EDICOM. In this Certification Practice Statement, the acronym CAEDICOM is used to designate the set of Certification Authorities that make up CAEDICOM. The functions of the EDICOM Certification Authority are assigned to the EDICOM Systems Department. The Certification Authorities that make up CAEDICOM are: CAEDICOM Root" as first level Certification Authority. Its function is to establish the root of the confidence model of the Public Key Infrastructure or PKI. This CA does not issue certificates for end-user entities. This first level Certification Authority signs for itself. The most relevant data are: Field Contents I C T Version v3 S F Serial Number FB:71:26:58:AD:99:E5 S F Signature Algorithm SHA256withRSAEncryption S F Issuer Distinguished Name Validity Subject Public Key Info CN=CAEDICOM Root, O=EDICOM, C=ES S F From 21/05/ :06:35 GMT Until 21/05/ :20:00 GMT Key type: RSA Key length: 4096 bits Subject DN S D CommonName (CN) CAEDICOM Root S D Organization (O) EDICOM S D Country (C) ES S D SubjectKeyIdentifier 14:CD:2A:59:78:63:AB:61:19:E8:B8:3D:A1:E0:5A:C0:75:E7:F9:CB S D AuthorityKeyIdentifier KeyId: (Same as the SubjectKeyIdentifier, as the certificate is self-signed) BasicConstraints S X F CA True S X F pathlength - (No limitation) N KeyUsage Certificate Sign, CRL Sign S X F Digital Fingerprint C EA F D7 E3 7C E2 4B F5 01 F2 20 Captions used in the tables: I = Included. Possible values: S=Always, O=Optionally, C=Conditionally C = Critical. If the box is ticked, indicates that it is critical. T = Type. Possible values: D = Dynamic, F = Fixed. Fixed means that the value is the same for all certificates of this type. S S S F F F CAEDICOM - Certification Practices Statement 1 INTRODUCTION 11

12 CAEDICOM01: CAEDICOM Root subordinate CA. It's function is to issue end-user entity certificates for CAEDICOM subscribers. The most relevant data are: Field Content I C T Version v3 S F Serial Number 2789BAEB6C594B5A S F Signature Algorithm SHA256withRSAEncryption S F Issuer Distinguished Name Validity Subject Public Key Info CN=CAEDICOM Root, O=EDICOM, C=ES S F From 22/07/ :00:43 GMT Until 22/05/ :20:00 GMT Key type: RSA Key length: 4096 bits Subject DN S F CommonName (CN) CAEDICOM01 S F Organization (O) EDICOM S F Country (C) ES S F SerialNumber (SN) Locality (L) Subject Alternative Name SubjectKeyIdentifier AuthorityKeyIdentifier B Calle Charles Robert Darwin Paterna RFC822Name:acedicom@edicomgroup.com S F 6D:6A:88:F8:2E:EA:7F:2F:CD:C0:F4:76:77:93:E6:45:32:EF:8B:05 Certificate Public Key Identifier KeyId: 14:CD:2A:59:78:63:AB:61:19:E8:B8:3D:A1:E0:5A:C0:75:E7:F9:CB Belonging to CAEDICOM Root BasicConstraints S X F CA True S X F pathlength 0 S KeyUsage DigitalSignature, Certificate Sign, CRL Sign S X F Certificate Policies S F policyidentifier S F CPSuri S F CRLDistributionPoints S F distributionpoint S F Authoritity Information Access CAIssuers S F accessmethod OCSP S F AccessLocation S F Digital fingerprint DE 25 7D BA 53 DA E A D 64 D7 C1 34 S S S S S F F D F F REGISTRATION AUTHORITIES CAEDICOM - Certification Practices Statement 1 INTRODUCTION 12

13 The Registration Authorities are those physical or legal persons to whom the CAEDICOM entrusts the identification and verification of the personal circumstances of the certificate applicants. To this end, the Registration Authorities will be responsible for guaranteeing that the certificate application contains truthful and complete information on the Applicant, and meets the requirements demanded in the corresponding Policy. The main company EDICOM and its different subsidiaries, authorized formally by the same, may be Registration Authorities. These Registration Authorities are designated User Registration Points or PRUs in the documentation relative to the EDICOM Certification Authority, and are entrusted with the confirmation of the applicant s identity and issuing of the certificate. The functions of these Registration Authorities, which act on behalf of CAEDICOM, extend to: Checking the identity and any personal circumstances of the pertinent certificate applicants for their own purposes. Informing the person who applies for the certificate prior to its issue of the precise conditions for the use of the certificate and its limitations of use. Verifying that the information contained in the certificate is exact and includes all the information prescribed for a recognised certificate. Ensuring that the signer is in possession of the signature creation data corresponding to those verified and recorded in the certificate END USERS End Entities or Users are the physical or legal persons authorized to apply for and obtain an electronic certificate in the conditions laid down in this Certification Practice Statement and in the Certification Policies in force for each type of certificate. For the purposes of this Certification Practice Statement and the Certification Policies that implement it, the following are End Users of the CAEDICOM certification system: Applicants. Subscribers. Trusted third parties. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 13

14 Applicants Applicant is the physical person who, in their own name or on behalf of a third party, and following identification, requests the issue of a Certificate. In the case of a Certificate Applicant whose Subscriber is a legal person, said physical person may only be an administrator or legal representative of the legal person who is to be the subscriber of the certificate or, where indicated, a voluntary representative with sufficient power of attorney containing a special clause requesting the Certificate of Legal Personality from CAEDICOM. Subscribers For the purposes of this CPS, the subscriber of CAEDICOM certificates corresponds to the term Signer or creator of a stamp or seal provided for in Article 3 of Regulation UE Nº 919/2014 The holder of the certificate will have the condition of subscriber. This means the physical or legal person whose personal identity is linked with the signature creation and verification data or stamp, signed electronically, through a public key certified by the Trust Service Provider. The signer or stamp creator, assumes the responsibility for safekeeping of the signature or stamp, creation data, without ceding their use to any other person under any circumstances. The group of users who can apply for the issue of CAEDICOM certificates is defined and limited by each Certification Policy. Generically, and notwithstanding that stipulated by the Certification Policy applicable in each case, it is established that the possible subscribers are the set of EDICOM services and applications clients. Trusting parties All those who voluntarily trust certificates issued by CAEDICOM will be considered trusting parties or trusting third parties. The Certification Policies applicable in each case limit the right to trust in certificates issued by CAEDICOM. Generically, and notwithstanding that stipulated by the Certification Policy applicable in each case, the employees, systems and applications of EDICOM are established as third parties that trust CAEDICOM certificates. 1.4 USE OF CERTIFICATES This section lists the applications for which each type of certificate can be used, establishing limitations and prohibiting some applications of the certificates. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 14

15 1.4.1 TYPICAL USES OF CERTIFICATES The Certification Policies corresponding to each specific type of certificate issued by CAEDICOM constitute the documents in which the uses and limitations of each certificate are determined, although in this section, given its special relevance, we describe the main use of CAEDICOM qualified certificates based on secure signature, or stamp, creation devices. The main purpose of certificates issued by CAEDICOM is to enable the subscriber to sign or stamp documents. This qualified certificate allows substitution of the handwritten signature for electronic in the subscriber s relations with third parties ( Regulation UE Nº 919/2014). It can also be used to provide security in certain certified storage applications ( substitutive in other legislations). The signature, or stamp, certificates issued by CAEDICOM may be qualified certificates in accordance with that set forth in 28, 38, y 45 of Regulation UE Nº 919/2014 and Annexes, and comply with the technical regulations of the European Telecommunications Standards Institute, identified by reference EN Certificates issued by CAEDICOM are published on qualified signature creation device, as indicated in the certificate Certification Policies, in accordance with article 29 and 39, of Regulation UE Nº 919/2014. They therefore guarantee the identity of the subscriber holder of the private identification key and signature, and enable generation of the "recognised electronic signature or stamp"; i.e., the advanced electronic signature or stamp based on a qualified certificate and which has been generated using a qualified device, whereby, in accordance with that stipulated in article 25 of Regulation, is compared to the handwritten signature for legal purposes, with no need to fulfil any other additional requirement. CAEDICOM also issues server certificates and different types of certificates for purposes other than "electronic signature". They cannot be considered subject to that laid down in Regulation UE Nº 919/2014, since they do not fall under the concept of "electronic signature or stamp certificate" defined in article 3 of said law. They are mentioned in this page exclusively because they form part of the pool of certificates issued by CAEDICOM, although they are not subject to the criteria and procedures required for qualified certificates, although they do share the whole physical and security infrastructure established for said certificates The use of these certificates provides the following guarantees: No rejection of origin Ensuring that the document comes from the subscriber that it purports to. This feature is obtained by means of electronic signature or stamp by Signature or Stamp Certificate. The receiver of a message signed electronically can verify the certificate used for the signature using the CAEDICOM validation service. In this way, they guarantee that the document comes from a certain subscriber. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 15

16 Integrity Use of the Signature or Stamp Certificate lets you check that the document has not been modified by any person outside of the communication. To guarantee integrity, cryptography provides solutions based on functions of special features called hash functions, which come into play whenever an electronic signature or stamp is used. The use of this system lets you check that a signed message has not been altered between sending and reception. To this end, a unique hash of the document is signed with the private key so that any alteration of the message results in an alteration of its hash PROHIBITED USES Certificates issued by CAEDICOM will only be used for the function and purpose stipulated in this Certification Practice Statement and in the corresponding Certification Policies, in accordance with the regulation in force. The contracting of certificates from CAEDICOM admits only the use of the certificate in the area of activity of the Holder or the organisation to which they are linked, in accordance with the purpose of the type of Certificate requested. Once the Certificate is issued, the Holder may not, except by specific agreement between the parties, make use of the same for commercial purposes. Commercial use of the certificate is understood as any action whereby the Holder offers services to third parties not signatories to the present contract, whether for a consideration or gratuitously, requiring the use of the contracted certificate. In any case, CAEDICOM certificates have not been designed, nor may be destined or authorized for resale as equipment for control of dangerous situations or for uses that require foolproof actions, such as the operation of nuclear facilities, positioning systems or air services, or armament control systems, where an error could directly entail death, personal injuries or severe environmental damage RELIABILITY OF THE ELECTRONIC SIGNATURE OVER TIME In order to guarantee the reliability of an electronic signature or stamp over time, it must be complemented with the information on the status of the associated certificate at the moment at which the same took place and/or non-repudiable information incorporating a time seal, as well as the certificates that make up the chain of confidence. This means that if we want to have a signature or stamp that can be validated over time, the electronic signature or stamp that is generated must include evidence of its validity so that it cannot be repudiated. For this type of signature or stamp there must be a service that maintains the evidence, and it will be necessary to ask for the signature or stamp update before the keys and the associated cryptographic material become vulnerable. Generation of a long lasting signature or stamp must include the following elements: CAEDICOM - Certification Practices Statement 1 INTRODUCTION 16

17 Time stamp: The signature must include a time stamp issue by a Trusted Third Party, TSA (Time Stamping Authority). The time stamp ensures that both the original data of the document and the information on the status of the certificates were generated before a certain date. The time stamp format must comply with the standard defined in RFC3161. Revocation information: The signature must include an element that ensures that the signature or stamp certificate is valid. This element will be generated by a Trusted Third Party, in this case by CAEDICOM. The signatures or stamps must be able to be renewed (re-signed) and the confidence elements (time stamps) updated to make the electronic signatures or stamps valid over time, guaranteeing their reliability. 1.5 ADMINISTRATION OF THE POLICIES AND PRACTICES ENTITY RESPONSIBLE Name: address Address Telephone number Fax number EDICOM Technical Management acedicom@edicomgroup.com C/ Charles Robert Darwin,8 Parque Tecnológico, Paterna (Valencia) SPAIN CONTACT PERSON Name: address Address Telephone number Fax number EDICOM Systems Department acedicom@edicomgroup.com C/ Charles Robert Darwin,8 Parque Tecnológico, Paterna (Valencia) SPAIN COMPETENCE TO DETERMINE CPS COMPLIANCE WITH THE DIFFERENT CERTIFICATION POLICIES The EDICOM Technical Management is the competent organ to determine the compliance of this CPS with the different Certification Policies from the EDICOM Certification Authority APPROVAL PROCEDURE The CAEDICOM documentary and organization system guarantees, by the existence and application of the corresponding procedures, the correct maintenance of the Certification Practice Statement and the service specifications related with it. In this way, the service specification modification procedure and the publication procedure service specifications are anticipated. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 17

18 The final policy modifications are approved by CAEDICOM after verifying the fulfilment of the requirements established in the corresponding sections of this CPS. 1.6 DEFINITIONS AND ACRONYMS DEFINITIONS To determine the scope of the concepts that are used in this Certification Practice Statement, and in the different Certification Policies, the following must be understood: Trust Services Provider: A natural or legal person who provides one or more trust services, either as a qualified provider or unqualified supplier of trust services. In this Certification Practices Statement, it will correspond to the Certification Authorities belonging to the CAEDICOM hierarchy. Registration Authority: Physical or legal person appointed by CAEDICOM to verify the identity of certificate applicants and subscribers, and, where indicated, the power of representatives and the subsistence of the legal personality or voluntary representation. Certification Practice Statement. CAEDICOM declaration made available to the public and free of charge as Certification Service Provider in compliance with that stipulated by Law. Certification Policy: Document that completes the Certification Practices Statement, setting out the conditions of use and the procedures followed by CAEDICOM to issue Certificates. Certification chain: List of certificates that contains at least one certificate and the root certificate from CAEDICOM. Certificate of e-signature or digital stamp: An electronic statement linking the validation data of a signature with a natural person or a stamp/seal with a legal person, and confirms at least the name or pseudonym of said person. In this Certification Practice Statement, when certificate is mentioned it is understood to mean a Certificate issued by CAEDICOM. Root certificate: Certificate whose subscriber is CAEDICOM and which belongs to the CAEDICOM Trust Service Provider hierarchy, and contains the signature verification data of said Authority signed with the signature creation data of the same as Trust Service Provider. Qualified certificate: Certificate issued by a Trust Service Provider that fulfils the requirements stipulated by Law concerning the verification of the identity and other circumstances of the applicants and the reliability and the guarantees of the certification services rendered, in accordance with that set forth in Regulation UE Nº 919/2014 CAEDICOM - Certification Practices Statement 1 INTRODUCTION 18

19 Advanced electronic signature or stamp: An e-signature or digital stamp univocally linked with the signer or stamp creator for identification of the same. Created using e-signature or digital stamp creation data which the signer or creator can use with a high degree of confidence, under their exclusive control. Linked with the data signed or stamped in such a way that any subsequent modification of the same is detectable. Qualified e-signature or digital stamp: An advanced e-signature or digital stamp created using a qualified device for creation of e-signatures or stamps and based on a qualified signature or digital stamp certificate. e-signature: Data in electronic format annexed to other electronic data or linked logically with them and used by the signer to sign. Digital stamp: Data in electronic format annexed to other data in electronic format, or logically associated with them, to guarantee the source and integrity of the latter. Qualified digital stamp creation device: A device for creating electronic stamps/seals which, mutatis mutandis, meets the requirements listed in Annex II of EU Regulation No. 910/2014. Certificate Directory: Repository of information that follows the ITU-T X.500 standard. Electronic document: All content stored in electronic form, especially text or sound, visual or audio-visual recording. Security document: Document demanded by Organic Law 15/99 on Protection of Data of a Personal Nature whose purpose is to establish the safety measures implanted, for the purposes of this document, by CAEDICOM as Certification Service Provider, for the protection of the data of personal nature contained in the certification activity. Files that contain personal data (hereafter the Files). Security Manager: Responsible for coordinating and controlling the measures imposed on the files by the security document. Responsible for Processing: The physical or legal person, public authority, service or any other organism that deal with personal data on behalf of the person in charge of processing the files. File Manager (or File Processing Manager): Person who decides on the purpose, content and use of the file processing. Hash function: an operation carried out on a data set of any size, so that the result obtained is another data set of fixed size, independently of the original size, and which has the property of being associated univocally to the initial data. This means that it is impossible to find two different messages that generate the same result when applying the Hash Function. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 19

20 Hash or digital fingerprint: Fixed size result that it is obtained after applying a hash function to a message and which fulfils the property of being univocally associated with the initial data. Public Key Infrastructure (PKI): Infrastructure that supports the issue and management of keys and certificates for authentication, coding, integrity, or non repudiation services. Certificate Revocation Lists or Revoked Certificate Lists: List where only the revoked or suspended certificates appear (not those expired). Security Hardware Cryptographic Module: Hardware module used to carry out cryptographic functions and store keys securely. Certificate serial number: Whole and unique value that is associated unequivocally with a certificate issued by CAEDICOM. OCSP (Online Certificate Status Protocol): IT protocol that enables verification of the state of a certificate at the moment it is used. OCSP Responder: IT server that responds, following OCSP protocol, to OCSP requests with the status of the certificate being consulted. OID (Object Identifier) Value, of hierarchic nature and consisting of a variable components sequence although always constituted by non-negative whole numbers separated by a point, which can be assigned to registered objects and have the property of being unique among the rest of the OIDs. OCSP request: Consultation request on the state of a certificate to the OCSP Responder following OCSP protocol. PIN: (Personal Identification Number) specific number known only by the person that has to access a resource that is protected by this mechanism. PKCS#10 (Certification Request Syntax Standard): Standard developed by RSA Labs, and accepted internationally as standard, which defines the syntax of a certificate request. Recertification: Revocation of a user certificate before issuing the user with a new certificate with the same features as the revoked one, not necessarily signed with the same CA that issued the revoked certificate. SHA-256 Secure Hash Algorithm (secure summary algorithm -hash-). Developed by NIST in The algorithm consists of taking messages of less than 512 bits and generating a summary of 256 bits in length. The likelihood of finding two different messages that produce the same summary is practically zero. This is why it is used to ensure integrity of documents during the electronic signature process. CAEDICOM - Certification Practices Statement 1 INTRODUCTION 20

21 Time stamp: Establishment of the date and time in an electronic document by means of indelible cryptographic procedures, based on the Request For Comments specifications: Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP), which dates the document objectively. Applicant: The physical person who, in their own name or on behalf of a third party, and following identification, applies for a Certificate to be issued. In the case of a Certificate Applicant whose Subscriber is a legal person, said physical person may only be an administrator or legal representative of the legal person who shall be the certificate subscriber or, where indicated, a voluntary representative with sufficient power of attorney containing a special clause requesting the Certificate of Legal Personality from CAEDICOM. Subscriber: For the purposes of this CPS, the subscriber of CAEDICOM certificates corresponds to the stamp signer or creator terms provided for in Article 3 of Regulation No. 910/2014 EU. The condition of subscriber applies to the certificate holder. This means the physical or legal person whose personal identity is linked with the signature or stamp creation and verification data, signed electronically, using a public key certified by the Trust Services Provider. Cryptographic card: Card used by the subscriber to store private signature and deciphering keys and generate electronic signatures and decipher data messages. The cryptographic card is considered a secure signature creation device in accordance with the Law and enables the generation of recognised electronic signature. Trusting third parties or trusting parties: Those persons who deposit their confidence in an CAEDICOM certificate, verifying the validity and use of the certificate according to that described in this Certification Practice Statement and in the Certification Policies associated with each type of certificate. X.500: Standard developed by the UIT that defines the directory recommendations. Corresponds with the ISO/IEC standard: Gives rise to the following series of recommendations: X.501, X.509, X.511, X.518, X.519, X.520, X.521 and X ACRONYMS CAEDICOM CA CP CPS CRL FIPS EDICOM Certification Authority Certification Authority Certificate Policy Certification Practice Statement Certificate Revocation List Federal Information Processing Standards CAEDICOM - Certification Practices Statement 1 INTRODUCTION 21

22 IETF OID OCSP OPRU PKI PKIEDICOM RA RFC Sub CA HSM Internet Engineering Task Force Object Identifier Online Certificate Status Protocol Registration Point Operator Public Key Infrastructure EDICOM PKI Registration Authority Request For Comment Subordinate Certification Authority Hardware Security Module CAEDICOM - Certification Practices Statement 1 INTRODUCTION 22

23 2 INFORMATION PUBLICATION AND CERTIFICATE REPOSITORY 2.1 REPOSITORIES The CAEDICOM repository service will be available 24 hours of a day, 7 days a week, and in the event of interruption due to force majeure, the service will be recovered in the shortest possible time. Understanding by availability the ability to access the service on demand, independently of the speed or rate at which it is provided. In no case may this availability be less than 99.5%, measured over a monthly period. EDICOM reserves up to a maximum of 8 hours monthly out of prime time and at the point of minimum activity to carry out maintenance tasks, system backups, etc. This time will be excluded from the service level calculations. The entire period is considered primary schedule, except Sundays from 05: 00UTC to 15: 00UTC. If there is a faulty operation of the systems that run the Services, EDICOM will inform the Client as soon as reasonably possible about the problem and the time anticipated for normal service to resume. EDICOM will provide the Client with user attention centre resources and will do everything possible to solve the problem in the shortest possible time. In the event of disasters, action shall be taken as stipulated in paragraph 5.7. The CAEDICOM repository does not contain any information of a confidential nature. CAEDICOM does not use any other repository operated by any entity other than CAEDICOM. 2.2 PUBLICATION This CPS is public and available on the CAEDICOM website: in PDF format. CAEDICOM Certification Policies are public and available in PDF format on the CAEDICOM website: The CAEDICOM CA certificate is public and available in the CAEDICOM repository in X.509 v3 format. It is also available at The CAEDICOM revoked certificate list is public and available in CRL v2 format. Also available at CAEDICOM - Certification Practices Statement 2 INFORMATION PUBLICATION AND CERTIFICATE REPOSITORY 23

24 2.3 UPDATE FREQUENCY The CPS and the Certification Policies will be published whenever they are modified. The CA will add revoked certificates to the pertinent CRL within the period of time stipulated in point CRL issuing frequency. 2.4 CERTIFICATE REPOSITORY ACCESS CONTROLS Access to reading the information in the CAEDICOM repository and their website is free. Only CAEDICOM is authorized to modify, replace or delete information from the repository and website. In this sense, CAEDICOM uses suitable means of control to restrict the writing or modification capacity of these elements. CAEDICOM - Certification Practices Statement 2 INFORMATION PUBLICATION AND CERTIFICATE REPOSITORY 24

25 3 CERTIFICATE HOLDER IDENTIFICATION AND AUTHENTICATION 3.1 NAME REGISTRATION. This section sets out requirements relating to the identification procedures and authentication that are used during the registration of Subscribers, which must be done prior to the issue and delivery of certificates NAME TYPES The Subject DN (Distinguished Name) field contains all the identification information of the entity, or legal, physical person, or any other type, for which the certificate is issued. This information must univocally identify a certificate issued by the same CA for Qualified Certificates, in other words: There must not be certificates issued by the same CA whose Subject is identical. It is very important in the case of recognised certificates (Qualified Certificates) to take into account that the commonname (CN) content must be a valid name of the certificate subject. Only the business name or name and surname will be considered as valid. The use of pseudonyms is not allowed MEANING OF NAMES The rules defined in the previous section guarantee that the distinguishing names (DN) of certificates are sufficiently significant to link the public key with an identity NAME FORMAT INTERPRETATION The rule used by CAEDICOM to interpret the distinguishing names of certificates it issues are those contained in ISO/IEC 9595 (X.500) Distinguished Name (DN) UNIQUENESS OF NAMES Distinguishing names for Qualified certificates must be unique and must not give rise to ambiguity. The DN of certificates cannot be repeated. Use of the CIF number of the company and the NIF of the applicant guarantees the uniqueness of the DN. In the event that a holder has several certificates, a suffix "_2","_3", etc., will be added to maintain the uniqueness. Certification Policies may include the substitution of this uniqueness mechanism RESOLUTION OF NAME-RELATED CONFLICTS CAEDICOM - Certification Practices Statement 3 CERTIFICATE HOLDER IDENTIFICATION AND AUTHENTICATION 25

26 The inclusion of a name in a certificate does not imply the existence of any right over the same, notwithstanding the better right that may be held by third parties. CAEDICOM does not act as arbitrator or mediator, nor resolve any dispute relating to the ownership of names of persons or organizations, domain names, brand or commercial names, etc. CAEDICOM reserves the right to refuse a certificate request due to conflict over the name RECOGNITION, AUTHENTICATION AND FUNCTION OF REGISTERED TRADE NAMES CAEDICOM cannot guarantee that the names included in the certificates will contain the trademarks or intellectual property rights requested. CAEDICOM will not automatically verify the trademark or the intellectual property rights of the name that appears on the certificates, the domain name or any other field of the certificate. CAEDICOM may reject or suspend any certificates with no liability whatsoever in the event of dispute. 3.2 INITIAL IDENTITY VALIDATION For policies where it is required, the CA shall ensure that signatories and holders are properly identified and authenticated, and that the data associated with the applicant s certificate request are complete and accurate PRIVATE KEY POSSESSION PROOF METHODS It will be necessary to rely on what is established in each case in the Certification Policy applicable for each request INDIVIDUAL IDENTITY AUTHENTICATION The individual identification process is defined by the Certification Policy applicable to each type of certificate. As a general rule, either physical appearance to the Operator of the Point of Registry or else remote identification can be used for this purpose. When the authentication of the identity of the applicant for a certificate is done by means of their appearance before the Registration Point Operator, it will be accredited by presentation of a valid official identity document and in vigour, such as National Identity Document, passport, or the Foreigner Identification Number (NIE) of the applicant and will explicitly verify the date and the place of birth. CAEDICOM - Certification Practices Statement 3 CERTIFICATE HOLDER IDENTIFICATION AND AUTHENTICATION 26

27 When the authentication is done remotely, in general no methods of identification other than the digital signature with certificates issued by CAEDICOM or some other Services of Trust Service Provider that issues qualified certificates will be used. It is also possible to do without the physical presence if the signature contained in the request for issue of a certificate has been legitimized by notary, and in the cases anticipated by Regulation UE Nº 919/2014 art. 24 d AUTHENTICATING THE IDENTITY OF AN ORGANIZATION. In the case of qualified certificates, the identity of an organization or entity shall be authenticated by submission to the Registry Operator qualified to issue this kind of certificates on behalf of the applicant for the organization certificate signer (administrator, legal representative or voluntary representative with sufficient authorization), once their identity is accredited as defined in point 3.2.2, and the extent and validity of their empowerment to represent said organization. The CAEDICOM Registry Operator checks the data relating to the constitution and legal personality and the extent and currency of the faculties of representation or voluntary representation of the applicant by means of the public documents reliably accrediting the details cited and their inscription in the corresponding public registry, if required. Said verification may also be implemented by consultation in the public register where the constitution and empowerment documents are inscribed, using the remote means provided by said public registers. If the qualified certificates admit other forms of representation, accreditation of the circumstances on which they are based will be required previously, in the same way as anticipated above. When the qualified certificate contains other personal circumstances or attributes of the signer or stamp creator, such as their condition as holder of a public post, membership of a professional school or holder of a degree awarded by the same, these must be verified by means of the official documents of accreditation, in accordance with the specific regulation in force. The documentation required to carry out the checks may vary depending on the type of entity for which the certificate is requested. To this end, and in general, the following documentation shall be submitted: When applying for an electronic certificate for any trading company or any company of obligatory inscription in the Mercantile Registry (Joint-stock Company, Public Limited Company, Limited Liability Company, Worker-owned Limited Company, Sporting Associations, Partnerships, Limited Partnerships or Cooperatives, Economic Interest Groupings, Joint Ventures, others.), a certificate must be provided from the Mercantile Register relating to the constitution, legal personality, appointment and term of the position of administrator or legal representative, issued during the 10 days prior to the date of presentation of the certificate application in CAEDICOM. If the representation is voluntary, the certificate of appointment and term of the position may be replaced by the sufficient power of attorney, with the special clause authorizing the Legal Person/Body Corporate Certificate application. CAEDICOM - Certification Practices Statement 3 CERTIFICATE HOLDER IDENTIFICATION AND AUTHENTICATION 27