Certificados Empleado Público

Transcription

1 Registro Nacional de Asociaciones. Número CIF G ANF Autoridad de Certificación Gran vía de les Corts Catalanes Barcelona (Spain) Telephone: Fax: Web:

2 Security Level Public Document Important Notice This document is property of ANF Autoridad de Certificación Distribution and reproduction prohibited without authorization by ANF Autoridad de Certificación Copyright ANF Autoridad de Certificación 2013 Address: Gran vía de les Corts Catalanes Barcelona (Spain) Telephone: Fax: Web: 2

3 Index 1 Introduction Certificates description Identification Users community Certification Authorities Registration Authorities Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager End entities Certificate subscriber Certificate applicant Certificate responsible Relying third parties Certificate usage Allowed use Limits of certificate uses Prohibited uses Certification Entity contact details Definitions and acronyms Information publication and repositories Repositories Information publication Updates frequency Repositories access controls Identification and Authentication Name registration Types of names Specific fields completion guide Need for names to be meaningful Anonymous or pseudonyms Rules for interpreting various name forms

4 3.1.6 Uniqueness of names Conflicts related to names and brands resolution Identity initial validation Method to prove possession of private key Authentication of applicant identity Re-key Revocation requests Operational Requirements Certificate application Processing procedure Identity authentication Applicant Certificate subscriber Certificate responsible Approval or rejection of certificate applications Time to process certificate issuance Certificate issuance Certification Entity actions during certificate issuance process Notification to subscriber Certificate acceptance Acceptance Return Tracing Certificate publication Notification of certificate issuance to third parties Rejection Certificate renewal Valid certificates Authorized persons to request the renewal Routine renewal requests authentication and identification Approval or rejection of applications for renewal Notification of certificate renewal Acceptance of the certificate renewal

5 4.6.7 Publication of the renewed certificate Notification to other entities Identification and authentication of key renewal applications after revocation (uncommitted key) Certificate modification Certificate revocation and suspension Circumstances for revocation Revocation requests identification and authentication Procedure for revocation request Revocation request grace period Time within the revocation request must be processed CRL lists checking requirements CRL lists issuance frequency Revocation On-line checking availability Revocation On-line checking requirements Certificate suspension Suspension requests authentication and identification Keys storage and recovery Facilities, management, physical security and operational controls Physical security controls Procedural controls Personnel controls Technical security controls Key pair generation and installation Private Key Protection Other aspects of key pair management Activation data Computer security controls Life cycle technical controls Network security controls Time-stamping Cryptographic Module Security Controls Certificate profiles, CRL lists and OCSP Certificates profiles

6 7.1.1 Common fields and extensions Specific fields according to the signature algorithm Specific fields according to key length Specific Fields by type of certificate Certificado Empleado Público (Autenticación) High Level Certificado Empleado Público (Autenticación) Medium Level Certificado Empleado Público (Firma) High Level Certificado Empleado Público (Cifrado) High Level CRL profile OCSP profile Compliance audit Each entity compliance controls frequency Identification of the personnel in charge of the audit Auditor relationship to audited entity Topics covered by audit Actions to be taken as a result of compliance deficiency Treatment of audit reports General regulations Fees Financial responsibility Confidentiality of information Privacy of personal information Intellectual property rights Obligations and guarantees Disclaimers of guarantees Limitations of liability Interpretation and execution CP administration...48 Appendix I Electronic Certificate Application Form -Public Employee Appendix II Contract for the Provision of Electronic Certification Services...54 Appendix III Certificate Renewal Application...61 Appendix IV Certificate Revocation Application Form...62 Appendix V Act of Certificate Reception and Acceptance

7 Appendix VI Identity Statement

8 1 Introduction ANF Certification Authority (henceforth, ANF AC) is a corporate entity, constituted under Basic Law 1/2002 March 22nd, and written in the Ministry of the Interior with national number and company tax code G The Public Key Infrastructure (PKI) of ANF AC has been designed and managed in accordance with the legal framework of the European Parliament [UE] 910/2014 Regulation, and with the 59/2003 Law on Electronic Signature of Spain. The ANF AC PKI is in accordance with the ETSI TS (Policy requirements for certification Authorities issuing qualified certificates), ETSI TS (Qualified Certificate Profile), RFC 3739 (Internet X.509 Public Key Infrastructure: Qualified Certificates Profile) and in process of adaptation to the ETSI EN (Certificate Profiles) rule. ANF AC uses OID s in accordance with the standard ITU-T Rec. X.660 and the standard ISO/IEC :2005 Procedures for the Operation of OSI Registration Authorities: General Procedures and ASN.1 Object Identifier tree top arcs. ANF AC has been assigned the SMI Network Management Private Enterprise Code by the international organisation IANA - Internet Assigned Numbers Authority - under the branch iso.org.dod.internet.private.enterprise ( IANA Registered Private Enterprise-). This document is the Certification Policy (CP) corresponding to certificates of the type "Empleado Público" issued by ANF AC, in which the signatory works for the Public Administration (henceforth AA.PP.), being he/she public servant, labour, sporadic or temporary personnel, and the certificate principal subscriber is an AA.PP. To develop its content the IETF RFC 3647 PKIX structure has been followed, including those sections that are specific to this type of certificate. This document contains the regulations to which the uses of certificates defined in this policy are subjected, and defines the directives that ANF AC uses to their issuance, management, renovation, revocation and any other process that affects their life cycle. The roles, responsibilities and relationships between the end-user and ANF AC are described, along with regulations for application, renovation and revocation of certificates. This document is only one of the several documents governing the PKI of ANF AC, it details and supplements the definitions in the Certification Practice Statement and its addendum. ANF AC oversees and supervises that this PC is compatible and consistent with the other documents produced. All documentation is freely available to users and relying parties at This Certification Policy assumes that the reader knows and understands PKI, certificate and electronic signature concepts. If this is not the case, the reader is recommended to be trained in those concepts before continuing to read this document. 8

9 1.1 Certificates description ANF AC, in the framework of its Electronic Certification Service, issues identity certificates of the type: Certificado Empleado Público The purpose of this certificate is to allow its subscribers to authenticate in online services and to generate electronic signatures. This is a certificate in which the subscriber will be an AA.PP. and the certificate responsible, that is in possesion of the signature creation device and acts on behalf of the subscriber, is personnel from the AA.PP., being he/she public servant, labour, sporadic or temporary personnel. In accordance with the provisions of Article 6, point 2 of Law 59/2003 of December 19th, on electronic signature (as Final Provision 4.2 of Law 25/2015, of July 28th). "the signer is the person who owns a signature creation device and acts on its own behalf or on behalf of a natural or legal person he/she represents." Available supports: Cryptographic software token. Token HSM (hardware security module). Certified with ISO Common Criteria EAL 4+ or higher. These certificates will be issued with different use modes: Electronic Signature. Authentication. Encryption. Regarding their consideration, only the "firma electrónica" certificate is issued as qualified. To have this legal consideration, the certificate must incorporate the "qualified" extension as specified in this document in accordance with the ETSI EN rule. All certificates issued under this policy are in accordance with standard X.509 Version 3. The maximum validity of these certificates is 5 years. Identity verification will be done in person before a Registration Authority (RA), and based on original documentation in force. The RA is responsible for processing the application in accordance with the provisions to that effect in the ANF AC Certification Practice Statement. The appearance in person of the applicant may be waived only in cases expressly contemplated and authorized by law. The verification of the information obtained by a Registration Authority, or any other provided by the subscriber, will be conducted by ANF AC or associates classified for the purposes of this document as Issuance Reports Managers (IRM), with which ANF AC subscribe the applicable legal instrument. This policy, in terms of the certificates of the type " Empleado Público", follows the definitions set by the Information Technology and Communications Management in its document "Electronic certificates Profiles" of April Two levels of assurance are defined: 9

10 a. Medium level/substantial: This level corresponds to a configuration of security mechanisms suitable for most applications. The expected risk for this leve is appropriate to access qualified applications in accordance with the ENS in the levels of Integrity and Authenticity as medium and low risk. Also, the expected risk in this level corresponds to the low and substantial security levels of electronic identification systems of the EU regulation 910/2014. Safety levels of the eidas regulations apply only to electronic identification systems. Acceptable security mechanisms include X.509 software certificates. In the case of certificates issued to people, they correspond with a "qualified certificate as defined in EU Regulation 910/2014 on advanced electronic signature, without signature creation qualified device. In the case of certificates issued to legal persons, it corresponds with the "certificado sello cualificado", as defined in the EU regulation 910/2014 on advanced electronic seal, without seal creation qualified device. The use of signature hardware devices (HSM or signature creation qualified device) is also permitted. The maximum validity of these certificates is 5 years. The expected risk for this level corresponds to level 3 guarantee provided in IDABC Authentication Basic Policy * 1. * 1 The IDABC (Interoperable Delivery of Pan-European egovernment Services to Public Administrations, Business and Citizens - Interoperable Delivery of pan- European electronic Administration services to public administrations, businesses and citizens) program. Decision 2004/387 / EC of the European Parliament and of the Council of 21 April 2004 on the Interoperable Delivery of European electronic Administration Services to public administration, businesses and citizens (IDABC) [Official Journal L 144, ] b. High level: This level corresponds to a configuration of security mechanisms suitable for applications that require additional measures, according to the risk analysis performed. The expected risk for this leve is appropriate to access qualified applications in accordance with the ENS in the levels of Integrity and Authenticity as high risk. Also, the expected risk in this level corresponds to the low and substantial security levels of electronic identification systems of the EU regulation 910/2014. Safety levels of the eidas regulations apply only to electronic identification systems. Acceptable security mechanisms include X.509 hardware certificates. In the case of certificates issued to people, they correspond with a "qualified certificate, as defined in EU Regulation 910/2014. The expected risk for this level corresponds to level 4 guarantee provided in IDABC Authentication Basic Policy. The maximum validity of these certificates is 5 years. 10

11 1.2 Identification Document name Certificados Empleado Público Version 1.2 Policy status APPROVED Document reference / Publication date July 31st, 2013 Expiration date Related CPS Location Not applicable Certification Practice Statement (CPS) of ANF AC In order to identify the certificates, ANF AC has assigned the following object identifiers (OID). Certificate Certificado Empleado Público High Level (AUTENTICACIÓN) with SHA-256 algorithm and 2048 bits length Certificado Empleado Público Medium Level with SHA- 256 algorithm and 2048 bits length Certificado Empleado Público High Level (FIRMA) with SHA-256 algorithm and 2048 bits length Certificado Empleado Público High Level (CIFRADO) with SHA-256 algorithm and 2048 bits length OID In the case of Certificado Empleado Público Nivel Alto, the extension CertificatePolicies ( ) will include the OID: In the case of Certificado Empleado Público Nivel Medio, the extension CertificatePolicies ( ) will include the OID: When the certificate is issued with the qualification of qualified, in the extension CertificatePolicies ( ), will include at least one of the following PolicyInformation: qcp-natural ( ). Certificate in software token 11

12 qcp-natural-qscd ( ). When the signature qualified certificate, is stored in qualified device according to Regulation UE 910/ Users Community Certification Authorities As defined in the Certification Practice Statement (CPS) of ANF AC. These are the entities which issue electronic certificates which link a public key with the subscriber identity. They act as a trusted third party between the subscriber and relying third parties Registration Authorities These are entities that perform registration procedures of applicants for end entity certificates. They perform the identification and authentication of individuals involved in the application, and they have the ability to initiate or assist in the procedures for revocation and renewal of certificates. These entities may belong to the organization of the certification, or may be external partners, in which case ANF AC defines two types: Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager For the purposes of this policy only the President of the PKI Governing Board can intervene as Issuance Reports Manager End entities Certificate subscriber These are entities belonging to the Public Administration and certificates principals. 12

13 Certificate applicant The certificate must be requested by a natural adult person and with legal capacity to assume the representation of the subscriber. Its identity will be included in the certificate as legal representative Certificate Responsible The certificate responsible must have express authorization from the applicant, and his/her identity shall be included in the certificate. This must be an adult with full capacity to act and registering their consent for this responsibility Relying third parties 1.4 Certificate usage Allowed usage Generally, as defined in the CPS of ANF AC, and specifically: Certificado Empleado Público of the type Autenticación, indicated to authenticate against information systems and computer applications in general. The certificate incorporates key usage extension, enabling secure access to computer information systems and computer applications in general. Certificado Empleado Público of the type Firma, particularly suitable for signature operations that do not require repudiation. Certificado Empleado Público of the type Cifrado, particularly suitable for asymmetric encryption operations Limits of certificate uses The subscriber can only use the private key and the certificate for uses authorized on this PC, according to the role and security level granted in accordance with the provisions of the 'KeyUsage' and 'ExtendedKeyUsage' certificate fields. Its use and acceptance must be in compliance with the usage limitations stated in the certificate, assuming the limitation of liability contained in the OID and / or in QcLimitValue OID The subscriber may only use the key pair and the certificate after accepting the conditions of use established in the CPS Prohibited uses 13

14 1.5 Certification Entity contact details 1.6 Definitions and acronyms 14

15 2 Information publication and repositories 2.1 Repositories 2.2 Information publication 2.3 Updates frequency 2.4 Repositories access controls 15

16 3 Identification and Authentication 3.1 Names registration Types of names ETSI has developed European standards pursuant to the Mandate M/460 of the European Commission to streamline standards around electronic signatures. The family ETSI EN specifies the contents of certificates issued to natural persons. Specifically, the part 2 of this document, ETSI EN v2.1.1 (Part 2: Certificate profile for certificates issued to natural persons) defines the requirements for the content of certificates issued to natural persons. The profile is based on the recommendations IETF RFC 5280 and the standard ITU-T X.509. All certificates contain a Distinguished Name (DN) of the owner of the certificate, defined in accordance with the provisions of Recommendation ITUT X.501 and contained in the Subject field, including a Common Name (CN) component. CN (Common Name) field composition criteria is made under the following criteria: Includes the NAME, according to what is indicated in the DNI / NIE, and in capital letters. Blank space Includes FIRST AND SECOND SURNAME, separated only by a blank space, according to what is indicated in the DNI / NIE. In case there is no the second surname, leave it blank (no character). Blank space A dash that separates the name of the number of DNI / NIE, no space between the values nor punctuation marks. Blank space Includes the tax identification number, according to what is indicated in the DNI / NIE. No space between the number and letter of control, control letter in capital letters. E.g. GARCIA ABALOS JUAN ANTONIO G Personal circumstances and attributes of the persons and organizations identified in the certificates are included in predefined attributes in regulations and technical specifications for general recognition. 16

17 3.1.2 Specific fields completion guide According to RFC 5280, which uses UTF-8 * 1 string, since encoding international character sets including Latin alphabet characters with diacritics ( Ñ, ñ, Ç, ç, Ü, ü, etc.). For example, the character eñe (ñ), which is represented in Unicode as 0x00F1. For all variables literal: All literals are entered in capital letters, with the exceptions of the domain name / subdomain and that will be in lowercase. Do not include accent marks in the alphabetic literals Do not include more than one space between alphanumeric strings. Do not include blank characters at the beginning or end of alphanumeric strings. the inclusion of abbreviations based on a simplification is admitted, provided they do not difficulty in the interpretation of information. *1 For more information see RFC 2279 improved in 3629 (UTF-8, a transformation format of ISO 10646) Tax identification numbers (NIF) and personal (PIN, NRP,...) The tax identification number, shall be in accordance with current regulations. Examples: Entities: include the letter and numbers. E.g.: S Persons: include numbers and letter at the end, without dash separation. E.g.: G The Personal Identification Number (PIN) in the Personnel Central Registry is composed by eight numerical positions and a alphanumeric control position. The PIN is the key that identifies people in the Personnel Central Registry Information System. The PIN is built depending on: 1. The kind of document that provided the person in his first relationship with the State General Administration (SGA). 2. The date of incorporation in its first relationship with the SGA. Number (8 positions) PIN Control (1 position) Document presented at the first Service Relationship with the SGA Examples DNI without letter Blank, 1, 2 DNI Sequential generated by the system N From 01/01/ N Built on the basis of the document presented Other document 3, 4, 5, 6, 7, 8, 9 Before 01/01/

18 3.1.3 Need for names to be meaningful In all cases the distinctive names should make sense Anonymous or pseudonyms Not allowed Rules for interpreting various name forms Uniqueness of names Conflicts related to trademarks and trade names resolution Applicants for certificates shall not include names in applications that may involve breach of third party trademark rights by the subscriber. ANF AC reserves the right to refuse a certificate request because of name conflict. 3.2 Identity initial validation Method to prove possession of private key Authentication of applicant identity Certificates issued under this Certification Policy will identify the subscriber under whose name the certificate issuance is request, and the certificate applicant. The Issuance Reports Manager will use appropriate means to ensure the accuracy of the information contained in the certificate. These means include external registry databases and the ability to require information or documents to the subscriber. The fiscal identification of the applicant and subscriber and will be incorporated into the certificate. The documentation, processing, authentication and validation forms and procedures are specified in the following sections. 18

19 3.3 Re-key In the course of re-key, ANF AC shall inform the subscriber about the changes that have occurred in the terms and conditions with respect to the previous issue. A new certificate may be issued to maintain the previous public key, as long as it is considered cryptographically secure. 3.4 Revocation requests All revocation requests must be authenticated. ANF AC checks the applicant's ability to process this requirement. 19

20 4 Operational Requirements 4.1 Certificate application ANF AC only accepts requests with a proper name or third party name, completed by adults with the capacity to work by their own free will. Applicants must complete the Application Form of the certificate by taking responsibility for the accuracy of the information listed, and submit it to ANF AC using any of the following means: a) Electronically: the website includes an application form that should be filled and electronically signed with a qualified certificate, according to Electronic Signature Law 59/2003. The certificate used must have been issued by a Registration Authority recognized by ANF AC. b) In person: the applicant may appear before a Recognized Registration Authority, and shall duly complete and sign the application form. c) By mail: the applicant may submit the application form to the offices of ANF AC certificate, having duly completed and authenticated his signature before a Collaborating Registration Authority. ANF AC does not generate the keys of its users. The applicant must generate his/her own key pair and the request certificate in PKCS#10 / CSR format, providing it to ANF AC along with the certificate Application Form. 4.2 Processing procedure Identity authentication Applicant The applicant identification will be done in person before a Recognized Registration Authority. In that act proves their legal capacity to represent the AA.PP. subscriber of the certificate in the application process. a) Physical Address and other contact data. If deemed necessary by the Registration Authority or the Issuance Reports Manager, additional documents may be included to check the reliability of the information, such as recent utility bills or bank statements. In case the RRA or the IRM know the applicant personally, they should personally issue and sign a Declaration of Identity * 1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. c) ID card or Passport in case of nationals, whose photograph allows verifying the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: I. To European Union members or European Economic Area members: 20

21 National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Union Member Citizens. II. To non-eu citizens: Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). e) The representative must have sufficient power of attorney. f) In the case that the applicant requires to include other personal circumstances, they should be checked by official documents proving that in accordance with its specific regulations. The applicant may be waived of appearing before the Registration Authority in any of the following cases: 1. If the appropriate forms have been properly completed, and the subscriber s signature has been legitimized in the presence of attorney, by attaching certified copies of identity, authorization and legal representation documents. 2. Electronic processing. The website includes an application form that should be filled and electronically sign with a qualified certificate, according to Electronic Signature Law 59/2003, December 19th. The certificate used must has been issued by a CA accepted by ANF AC. * 1 Identity Statement It consists of a sworn formal statement in which the declarant states that he knows personally and directly to a particular individual or a legal entity form. Moreover, notes, to the extent of their direct knowledge, who has verified the data of filiation outlined in the Application Form: address, phone and , and are true. The Identity Statement incorporates the identity of the declarant, his identity card, the information that has been validated, the date and time of verification, the signature of the declarant and the corresponding legal warnings in case of perjury Certificate subscriber The application of certificates defined in this Certification Policy is limited to public authorities or entities with which it has been established a certification agreement, contract or some other formula that implements the service provision by ANF AC. The identification of the administration or public institution is made in the registration process of the Entity, to be signed by a natural person with the capacity to represent the Administration or Entity Certificate Responsible In the application form, the applicant must identify and expressly authorize the certificate Responsible. This authorization shall be perfected with a voluntary and express acceptance by the natural person who assumes the Certificate Responsible qualification. 21

22 The Certificate Responsible must appear before the Registration Authority, prove its identity and present in force, original or certified copy of the following documents: a) Physical address and other data to contact him. If the ARR or RDE deemed necessary, they may request additional documents for checking the reliability of information, such as, e.g., recent utility bills and bank statements. If the ARR or RDE personally know the applicant, they should issue and sign a Declaration of Identity *1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. c) ID card or Passport in case of nationals, whose photograph allows verifying the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: I. To European Union members or European Economic Area members: National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Union Member Citizens. II. To non-eu citizens: Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). * 1 Identity Statement It consists of a sworn formal statement in which the declarant states that he knows personally and directly to a particular individual or a legal entity form. Moreover, notes, to the extent of their direct knowledge, who has verified the data of filiation outlined in the Application Form: address, phone and , and are true. The Identity Statement incorporates the identity of the declarant, his identity card, the information that has been validated, the date and time of verification, the signature of the declarant and the corresponding legal warnings in case of perjury Approval or rejection of certificate applications The Issuance Reports Manager (IRM) assumes the final response assumes the ultimate responsibility to verify the information contained in the Application Form, and to assess the adequacy of the documents provided and of the application, in accordance with the provisions of this Certification Policy. In particular, he/she will check the existence of the subscriber, the applicant, the existence of domain and membership the subscriber to it. Moreover, he/she will determine: That the subscriber has access to the terms and conditions relating to the use of the certificate, as well as to the issuance fees. 22

23 That the subscriber has had access and has permanent access to all documents relating to the duties and responsibilities of the CA, the subscriber, applicant, those responsible for the certificate and relying parties, especially the CPS and Certification Policies. Besides, he/she shall monitor compliance with any requirements imposed by the legislation on data protection, as established in the security document included in the CPS, the purpose of the Data Protection Act as provided in Article 19.3 of Spanish Electronic Signature Law 59/2003, December 19th. The process of issuing the certificate shall not start as long as the Issuance Reports Manager has not issued the corresponding compliance report. The deadline set for the issuance of the report is 15 days. After that period without issuing the mandatory report, the applicant may immediately cancel the order and receive the fees paid. The IRM may require additional information or documentation from the applicant, which will have 15 days to deliver it. After this period, without having completed the requirement, the IRM will issue a report denying the issuance. Should the applicant meet the requirement, the IRM will have 7 days to issue the final report. In case the IRM verifies that the information provided by the applicant is not true, he/she will deny the issuance of the certificate, and will generate an incident report to the Security Coordinator, to determine whether or not to include the applicant in the blacklist of individuals and entities with OID Time to process certificate issuance The issuance of a certificate means the complete and final approval of an application by the Issuance Reports Manager. The issuance of certificate must be made within 72 hours, once issued the report of the IRM, as defined in the CPS of ANF AC. 4.3 Certificate issuance ANF AC will avoid generating certificates that expire after the certificates of the CA that issued them Certification Entity actions during certificate issuance process Once an electronic certificate is issued, its delivery is always done electronically. It must use the same encryption device that the subscriber or his legal representative used to generate the cryptographic key pair and PKCS#10 certificate request. The cryptographic device provides secure connection to the trusted servers of ANF AC. The system automatically performs the appropriate security checks, and in case of confirmation the certificate is automatically downloaded and installed Notification to subscriber ANF AC notifies the subscriber via the certificate issuance and publication. 23

24 4.4 Certificate acceptance Acceptance After the delivery of the certificate, the subscriber shall have a period of seven calendar days to verify the certificate and to determine whether it is appropriate and whether the data are consistent with the required information. The subscriber has a period of 15 days to sign the Act of Reception and Acceptance of the Certificate Return The subscriber has a period of 7 days from the delivery of the certificate, to verify its proper operation. In case of malfunction or due to technical errors in the data contained in the certificate, the applicant or those responsible for the certificate can send an electronically signed to ANF AC, reporting the reason for the return. ANF AC shall verify the causes of return, will revoke the certificate issued and issue a new certificate within 72 hours Tracing ANF AC is not responsible for the monitoring, investigation or confirmation of the accuracy of the information contained in the certificate after issuance. For information on the inaccuracy or no current applicability of the information contained in the certificate, it can be revoked Certificate publication The certificate is published in the repositories of ANF AC, within a maximum period of 24 hours since its emission has occurred Notification of certificate issuance to third parties No notification is made to third parties. 4.5 Rejection 4.6 Certificate renewal Generally as defined in the CPS of ANF AC Valid certificates ANF AC notifies the subscriber and the certificate expiration applicant by , submitting the application form, in order to proceed with its renovation. These notifications are sent at 90, 30 and 15 24

25 days prior to the expiration date of the certificate. Only valid certificates can be renewed Authorized persons to request the renewal The renewal application form must be signed by the same applicant, whether that is the actual subscriber or the legal representative who processed the certificate request. The personal circumstances of the applicant should not have changed, especially its capacity for legal representation and public employee qualification Routine renewal requests authentication and identification Identification and authentication for certificate renewal can be done in person using one of the methods described in this section, or processed electronically by completing this form and signing it with a current certificate electronically issued as qualified, and stating that the holder of the certificate subscriber renewal is requested. In accordance with the provisions of article 13.4 b) of Law 59/2003, of December 19, on Electronic Signature, certificate renewal by digitally signed applications requires expiration of a period less than five years from the personal identification. To ensure the compliance with art B) of the Electronic signature Law and not exceed the period of 5 years from the initial identification, ANF AC applies the following procedures and technical security measures: Certificates of ANF AC shall be always generated using a token to be used also to perform any renewal process. This token is unique to any other provided by ANF AC. And is programmed so that the user may be able to make a single renewal. This technical procedure prevents an automatic processing with period from first identification to 5 years. ANF AC follows a system of registration of applications, distinguishing date of request, which coincides with the identification - and of issuance of the certificate. This control allows a second renewal if you have not reached the period of 5 years from the initial identification. The technical system requires a specific request of the user, the direct intervention of an operator ANF AC which in turn requires validating the application by applying security check of coherence. If exceeded 5 years, the application itself blocks the process, otherwise makes it easier for the operator the process until the certificate renewal Approval or rejection of applications for renewal Same procedure as that performed in the issuance process specified herein Notification of certificate renewal Same procedure as that performed in the issuance process specified herein. 25

26 4.6.6 Acceptance of the certificate renewal Same procedure as that performed in the issuance process specified herein Publication of the renewed certificate Same procedure as that performed in the issuance process specified herein Notification to other entities As specified in paragraph "Notification of the certificate issuance to third parties." Identification and authentication of key renewal applications after revocation (uncommitted key) The renewal of expired or revoked certificates is not authorized. 4.7 Certificate modification Not applicable. 4.8 Certificate revocation and suspension Generally as defined in the CPS of ANF AC Circumstances for revocation Besides those defined in the CPS, ANF AC shall: Provide instructions and legal support for reporting complaints or suspected compromise of the private key, of certificate misuse or about any type of fraud or misconduct. Investigate incidents of which it has knowledge, within twenty four hours of receipt. The Security Manager, based on inquiries and verifications, shall issue a report to the Issuance Reports Manager, which will determine if the corresponding revocation founded by Act, which shall include: - Nature of the incident. - Received information. - Legal rules and regulation on which the revocation order is based. 26

27 4.8.2 Revocation requests authentication and identification Revocation of a certificate can be requested by: The subscriber of the certificate. A legal representative of the subscriber. A duly authorized representative. ANF AC. The Recognized Registration Authority involved in the processing of the certificate issuance application. The identification policy for revocation requests accepts the following methods of identification: Electronically: by electronic signature of the revocation request by the applicant of the certificate or of the operator at the time of the revocation request. By telephone: by replying to questions from the telephone support service available at the number (calls from Spain) International In person: appearing the subscriber or the legal representative of the certificate holder in any of the offices of ANF AC published at the web address Proving their identity through original documentation, and manually signing the appropriate form. ANF AC, or any of the Recognized Registration Authorities that compose its Proximity National Network, may request revocation of a certificate if they knew or suspected compromise of the private key associated with the certificate, or any other fact to recommend take such action. ANF AC must authenticate requests and reports relating to revocation of a certificate, verifying that they come from an authorized person. Such requests and reports will be confirmed following the procedures set out in the Certification Practices Statement Procedure for revocation request Any entity which needs to revoke a certificate must apply to ANF AC or the Registration Authority which issued the certificate. Any revocation application must contain at least the following information: Revocation request date. Identity of subscriber. Detailed reason given for the revocation request. Name and title of the person requesting revocation. Contact information of the person requesting revocation. The revocation application will be processed upon receipt. 27

28 The request must be authenticated in agreement with the requirements established in the corresponding section of this policy before proceeding with the revocation. Once the request is authenticated, ANF AC may directly revoke the certificate and inform the subscriber and, where appropriate, those responsible for the certificate on the certificate's change of status Revocation request grace period Revocation requests shall be processed immediately when reasonably aware of the cause of revocation and the applicant has been authenticated and verified its capacity to act Time within the revocation request must be processed The revocation request will be processed in the shortest possible time, always following the procedure of verification and authentication of the presented request, which is the Issuance Reports Manager s responsibility CRL lists checking requirements The relying parties must check the status of certificates which will rely. For this intent, they can check the latest CRL issued within the period of validity of the certificate of interest CRL lists issuance frequency Revocation On-line checking availability ANF AC offers relying third parties an on-line revocation checking service, which is available 24 hours a day, 7 days a week Revocation On-line checking requirements Trusted third parties must check the status of those certificates they wish to be entrusted to through website. The consultation system requires prior knowledge of some parameters of the certificate of interest, as this procedure prevents massive data collection. This service meets the requirements in terms of protection of personal data and only copies of these certificates provided to third parties duly authorized. Access to this system is free Certificate suspension Not applicable. 28

29 Suspension requests authentication and identification Certificate suspension is not allowed. 4.9 Key storage and recovery ANF AC does not store or has the ability to store the private key of the subscribers, and therefore offers no key recovery service. 29

30 5 Facilities, management, physical security and operational controls ANF AC maintains the following criteria in relation to the information available for audit and analysis of incidents relative to certificates. a) Incident Control and Detection Anyone interested can communicate their complaints or suggestions through the following means: By telephone: (calls from Spain) International By Completing the electronic form available on the website In person at one of the offices of the Recognized Registration Authorities. In person at one of the offices of ANF AC. The annual internal audit protocol specifically requires the completion of a review of the operation of certificates issuance, with a sample of 3% of the issued certificates. b) Incident Registry ANF AC has an Incident Registry entering any incident that has occurred with the certificates issued, and the evidence obtained. These incidents are recorded, analyzed and resolved according to the procedures of the Management System of Information Security ANF AC. The Security Manager determines the severity of the incident and identified as responsible and, in case of significant security incidents, reports to the PKI Governing Board. 5.1 Physical security controls 5.2 Procedural controls 5.3 Personnel controls 30

31 6 Technical security controls 6.1 Key pair generation and installation 6.2 Private Key Protection 6.3 Other aspects of key pair management 6.4 Activation data 6.5 Computer security controls 6.6 Life cycle technical controls 6.7 Network security controls 6.8 Time-stamping As defined in the CPS of ANF TSA CA. 6.9 Cryptographic Module Security Controls 31

32 7 Certificate profiles, CRL lists and OCSP 7.1 Certificate profiles The certificate incorporates information structured in agreement with standard IETF's X.509 v3 as specified in regulations RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Certificates issued as "Qualified" comply with the rules: ETSI TS v.1.2: Qualified Certificate Profile. RFC 3739 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile. and in the process of adaptation to the ETSI EN standard (Certificate Profiles). The certificate validity period is outlined in Universal Coordinated Time, and coded according to RFC The subject public key is encoded according to RFC 5280, and the signature is generated and encoded also in accordance with RFC Within the certificates, besides the standardized common fields, there are also a group of "proprietary" fields which store information relating to the subscriber, or other information of interest. Proprietary fields Internationally unambiguous identifiers have been assigned. Specifically: Fields referenced with OID x.x are ANF AC proprietary extensions. The complete list of associated OID codes can be consulted in Section "proprietary fields" of the Certification Practice Statement of ANF AC. Fields with ISO/IANA of MPR x.x, are proprietary extensions required and identified in the Electronic Signature and Identification Scheme v published by the High Council of Electronic Administration. Fields with OID are proprietary extensions of the Spanish Tax Agency (Agencia Estatal de Administración Tributaria AEAT ). QCStatements Certificates issued by ANF AC follow what is defined in ETSI EN (Certificate Profiles- QcStatements) QcCompliance refers to a declaration of the issuer in which notes the qualification with which the certificate is issued, and the legal framework to which it is submitted. Specifically the certificates submitted to this policy, issued with the qualification of qualified, describe: 32

33 This certificate is issued with the qualification of qualified in accordance with Annex I of Regulation (EU) 910/2014 of the European Parliament ". QcEuRetentionPeriod determines the conservation period of all information relevant to the use of the certificate after it has expired. In the case of ANF AC, this is 15 years. QcSSCD determines that the private key associated to the public key contained in the electronic certificate, is in a signature creation safe device as defined in the as defined in Directive 1999/93 / EC [I.3], or in accordance with Regulation (EU) 910/2014 [I.8]. QcLimitValue informs about the monetary limit which the CA assumes as a responsibility in the attributable loss of transactions. This OID contains the values sequence: coin (encrypted in accordance to the ISO 4217), quantity and exponent. E.g. EUROS 100x10 raised to 1, which presupposes monetary limit of 1000 EUROS. Furthermore, in order to facilitate the consultation of this information, the liability limit is included in the proprietary extension of the OID , absolutely outlining directly. E.g euros. In case of doubt or dispute must always give preference to reading value outlined in the OID QcType, when the certificate is issued with the profile (FIRMA), QcType 1 is described QcPDS, The URL that allows access to all english ANF AC PKI policies is provided. In accordance with ETSI the https protocol will be used Subject Alternative Name The IETF RFC 5280 specification provides for the use of the following data types: Identity based on . Identity based on distinguished name (DN), which is often used to build an alternative name based on owners attributes, that are not ambiguous in any case. Identity based on Internet domain name (DNS). Identitybased on IP direction. Identity based on universal resource identifier (URI). 33