Certification Policy for Electronic Seal and Public Administration Electronic Seal. Certificate Profile

Transcription

1 Public Administration Electronic Seal. Profile Registro Nacional de Asociaciones. Número CIF G ANF AC MALTA, LTD Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web:

2 Security Level Public Document Important Notice This document is property of ANF AC MALTA Distribution and reproduction prohibited without authorization by ANF AC MALTA Copyright ANF AC MALTA 2017 Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web: 2

3 Electronic Seal TOKEN BY SOFTWE - HSM TOKEN Field OID value Standard APP Clarification Cri t Man d Version 2 = (V3) RFC 5280 Integer: =2 ([RFC5280] describes version when using extensions, e.g. v3 its value must be 2) Serial number RFC 5280 Automatically set by ANF AC. [RFC5280] positive integer, no more than 20 octets ( ) It is used to univocally identify SignatureAl gorithm sha256withrsaencryption RFC 5280 String UTF8 (40) Signature Algorithm identifier. Identifying algorithm type. SignatureH ashalgorith m sha256 Identifier of signature hash Algorithm Common Name (CN) e.g. ANF Trusted ID CA1 Manager Common name of CA issuing SERIALNUMBER MT Manager ANF AC VAT number Identification of This is VAT number. issuer organization Organisation Identifier At present ANF AC does not include it eidas As specified in clause of ETSI EN [7]. Address (E) info@anfacmalta.com CA Organisational Unit (OU) Organisational unit within Certification Services Provider responsible for issuance Manager As it appears in of issuer. Size [RFC 5280] Organisation (O) e.g. ANF AC Malta, Ltd Official name of Certification Services Provider e.g. Qormi (see current address at Locality/address of Certification Services Provider Locality (L) Size [RFC 5280] 128 3

4 State (ST) e.g. Qormi State of Certification Services Provider Country (C) e.g. MT (2 character ISO 3166 country code [5]) Manager Country of Certification Services Provider (PrintableString) It will be coded according to ISO alpha- 2 code elements Size 2 [RFC 5280] AuthorityCe rt Size 128 Name of CA to which it corresponds keyidentifier AuthorityCe rtserialnum ber (Integer) Serial number of CA Identifier of issuer entity key - Authority KeyIdentifie r Hash with SHA1 of public key used to sign RFC 5280 Identifier derived from using hash function on public key of subject. It is a means to identify public key corresponding to private key used to sign a Alternative Name Valid from NotBefore Valid until NotAfter Validity start date Validity end date Country (C) Subject's country = subscriber Two-digit country code ISO According to ETSI-QC this field must be completed obligatorily See RFC 3739 / ETSI Locality (L) Subject's city Size [RFC 5280] 128 Subject (all fields encoded using UTF- 8) State (ST) Subject's province Address (E) SERIAL NUMBER (SN) Subject's E.g.: IDCMT A. 3 characters to indicate document number (IDC= national identity document) + 2 characters to identify country (MT) + ID number (Printable String)) Size [RFC 5280] 64 Tax Identification number of subscriber Preferably semantics proposed by standard ETSI EN will be used 4

5 VAT number OrganizationId entifier The must include at least= Serial Number or OrganizationIdentifier (VAT number), e.g. VATMT According to technical standard ETSI EN (VATES + VAT number of entity) VAT number, as it appears in official registries. Coded According to European Standard EN Do not confuse with National/Foreign Citizen ID Card, it is VAT number for EU OrganizationN ame (O) e.g. Company name. LTD. ETSI EN [i.4], clause 5 Corporate name, as it appears in official registers Given Name (G) e.g.: JOSEPH Size 40. Mandatory according to ETSI EN First name of person responsible for (representative of entity) according to National Citizen ID Card or in case of a foreigner to passport SurName (SN) e.g.: SMITH RICHDSON A Size 80. Mandatory according to ETSI EN First surname, blank space, second surname of person responsible for, according to identity document (National/Foreign Citizen ID Card / Passport), dash and National / Foreign Citizen ID Card or passport number Common Name (CN) e.g.: VALIDATION AND ELECTRONIC SIGNATURE PLATFORM Size 132 [RFC 5280] Name of system or application of automatic process. Electronic Seal Manager Organisational Unit (OU) Medium Level Public Administration Electronic Seal High Level Public Administration Electronic Seal Only in HSM devices String Size [RFC 5280] 128 The suffix HIGH level is included by Description of type Organisational Unit (OU) e.g.: EXPLOITATION SUBDIRECTION String Size [RFC 5280] 128 Manager Name of unit within organisation providing service Organisational Unit (OU) ONLY in s e.g.: MT String Size [RFC 5280] 128 Manager DIR3code of unit 5

6 Description e.g. Registration Number: XXX / Date of Registration: XXX / Name of Company: XXX / Registered Office: XXX Codification of public document that certifies faculty of signatory or registration data Title (T) e.g. Sole Administrator Type of legal empowerme nt of legal representativ e. SubjectAlternativeName e.g.: peter@cial.com Name RFC822 ) Size [RFC 5280] 255 of person responsible for DNSName Directory Name May include web URL Electronic Seal e.g. Peter First name of legal representativ e SubjectAlter nativename Electronic Seal e.g. Williams First surname of legal representativ e Electronic Seal e.g. Turner Second surname of legal representativ e Electronic Seal e.g A Tax Identification number of legal representativ e Electronic Seal e.g. peterwilliams@anfacmalt a.com address of legal representativ e Electronic Seal e.g. John Name of 6

7 Electronic Seal e.g.: Campbell Electronic Seal e.g.: Parker Electronic Seal e.g A Responsible First surname of Responsible Second surname of Responsible Tax Identification number of Responsible Electronic Seal e.g. om of Responsible HIGH level for Public Administration High Level Electronic Seal String Size = 31 Indicates type of It is HIGH if device is an HSM for Public Administration Medium Level Electronic Seal UTF8 String. HIGH level e.g. Company name. LTD. Size = 80 Name of subscriber entity e.g. Company name. LTD. Size = 80 Name of subscriber entity HIGH level e.g.: MT Size = 9 VAT Number of subscriber entity e.g.: MT Size = 9 VAT Number of subscriber entity HIGH level e.g.: A Size = 9 National or Foreign Citizen ID Card of person responsible 7

8 for Seal e.g.: A Size = 9 National or Foreign Citizen ID Card of person responsible for Seal HIGH level e.g.: VALIDATION AND ELECTRONIC SIGNATURE PLATFORM. Size = 128 Brief description of component that holds seal e.g.: VALIDATION AND ELECTRONIC SIGNATURE PLATFORM. Size = 128 Brief description of component that holds seal HIGH level e.g.: JOHN Size 40 First name of responsible e.g.: JOHN Size 40 First name of responsible HIGH level e.g.: CAMPBELL String Size 40 First surname of responsible e.g.: CAMPBELL String Size 40 First surname of responsible HIGH level e.g.: PKER String Size 40 Second surname of responsible e.g.: PKER String Size 40 Second surname of responsible HIGH level e.g. johncampbell@acmalta.c om ) Size [RFC 5280] 8

9 e.g. om ) Size [RFC 5280] 255 SubjectDirectoryAttributes e.g.: SHA256-gsq33wq/udldyk5ZN84paMeYx e.g.: (localizador =OID ) It is link that allows to download document that accredits mandate or power in favor of representativ e SubjectDire ctoryattribut es e.g e.g Request locator (Sequential of processidentifier of RA or IRM Operator that processed it) Identifier of RA Operator who processed request. NOTE: In case of RA, IRM or PKI Operator s, this OID corresponds to identifier of operator holding, outlined in first part of code Full name of country to which issuance corresponds The is subjected to 9

10 legislation of that country e.g. Qualified e.g. Purchase contracts signing e.g e.g. euros Qualification with which was issued Limitation of liability assumed by CA Use of limited to concept expressed in this field Limitation of use of by amount Currency in which values are expressed Identifier of Recognized Registration Authority to which RA operator belongs RA office holder e.g. = 8&1EB4F96F RA operator department UUID of Electronic Signature Device that stores HSM token model ONLY if it is a HSM token Descriptive 10

11 business or professional aspects of activity professional aspects of interest suffix 01 professional aspects of interest suffix professional aspects of interest suffix Year of origin of activity Own trademarks or tradenames Trademarks it distributes suffix 1 Trademarks it distributes suffix 2 Trademarks it distributes suffix 3 Geographica l scope in which it carries out its activity Addresses places headquarters Offices suffix Offices suffix 02 Offices suffix 03 Companies with which it relates 11

12 e.g.: Manager desktop v.3.6 Companies with which it relates suffix 01 Companies with which it relates suffix 02 Companies with which it relates suffix 03 Banking entities with which it has relationships Current accounts, SWIFT economic information economic information suffix 01 economic information suffix 02 economic information suffix 03 Number of employees Manager program used for processing and version Subject Key Identifier Hash in SHA1 of public key used to sign RFC 5280 In accorda nce with standard s RFC245 9 & PKCS#1 Identifier derived from using hash function on public key of subject SubjectPubl ickeyinfo RSA (2048) RSA in Field to transport public key and to 12

13 accorda nce with RFC 4055 [1 0] and ECC algorith m in accorda nce with RFC 5639 [11] identify algorithm with which key is used. AccessMethod [1] [1] Access to authority information Id-ad-ocsp with OID: (OCSP) Access method = On line status protocol ( ) Access to issuer entity information AccessLocation [1] Alternative name: URL address= OCSP Responder address AccessMethod [2] id-ad-cas with OID AccessLocation [2] URL address= Location of CA [1] CRL distribution point crldistributionpoint [1] Distribution point name: Full name: Indicates CRL download point. CRL distribution points DistributionPoint [2] URL address Distribution point of web where CRL resides (HTTP or LDAP) number 2 DistributionPoint [3] Distribution point of web where CRL resides (HTTP or LDAP) number 3 Qualified s Statements QcComplian ce Present if is issued with recognized qualification. Annex I eidas qcstatements in accordance with ETSI EN TSI EN , before ETSI TS QcSSCD only included with HSM device Present if device is SSCD Secure Signature Creation Determines that private key associated with public key contained in electronic is on a secure signature creation device, 13

14 Device (SSCD) Regulation (EU) 910/2014 [I.8] id-etsi-qcsqctype clause in ETSI EN Follows following encoding: QcTypeeseal QcType 2 QcType 2 is outlined ETSI EN id-etsi-qct-esign (id-etsi-qcs-qctype 1) id-etsi-qct-eseal (id-etsi-qcs-qctype 2) id-etsi-qct-web (id-etsi-qcs-qctype 3) QcPDS facmalta.com It is provided URL that allows access to all policies of PKI in English. Https protocol ETSI EN <QcLimitValue> QcLimitValu e Limit amount of liability assumed by issuer expressed in EUROS <money>eur</money> <qcbase>1</qcbase> <qcexp>3</qcexp> </QcLimitValue> Integer: =15 ([ETSI EN ] QcRetention Period Describes conservation period of all information, relevant to use of a, after its expiration) semnaticsid- Legal To indicate semantics of a legal person defined by EN Policies PolicyIdentifi er Electronic Seal Token software criptográfico Electronic Seal Token SSCD [1] s policy: Policy identifier = [1] s policy: Policy identifier = [1] s policy: ANF AC proprietary OID 14

15 PolicyIdentifi er High Level Electronic Seal Medium Level Electronic Seal High Level Electronic Seal Medium Level Electronic Seal Policy identifier = [1] s policy: Policy identifier = PolicyCPSLo cation [1,1] Policy certifier information: Policy certifier ID =CPS Certifier: User notice [1,2] Policy certifier information: Policy certifier ID = User notice Certifier: Notice text = in compliance with electronic signature legislation. Before accepting it verify integrity, limitations, validity, and authorized uses. Maximum 200 characters. A statement is made by issuing CA, which refers to certain legal norms. PolicyIdentifi er HSM TOKEN qcp-legal-qscd ( ) SOFTWE TOKEN qcp-legal ( ) Qualified signature, per Regulation EU 910/2014 eidas PrivateOrganization for private organization Fields conditioned by use of BusinessCategory JurisdictionOfIncorporationLoc alityname GovernmentEntity BusinessEntity Non-commercialEntity Locality for public entity for company for non-commercial entity locality in which company is registered JurisdictionOfIncorporationStat eorprovincename Province province in which company is registered JurisdictionOfIncorporationCo untryname Country country in which company is registered Basic Constraints Type of matter =End entity Route Length Restriction =None CA = FALSE determines that it is an end-user Y E S Key usage Digital Signature It is used when performing digital asset auntication function of legal person Y E S 15

16 Content Commitment Key Encipherment Data Encipherment It is used when performing function of electronic seal of document issued by legal person It is used for management and transport of keys It is used for data encryption. Client Auntication Extended key usage Protection Server Auntication codesigning Identification algorithm Signature Value sha1 Signature encoded as bit chain Digital fingerprint digital fingerprint ETSI EN v2.1.1 (Part 2: profile for s issued to natural persons) defines content requirements of s issued to natural persons. The profile is based on IETF RFC 5280 recommendations and ITU-T X.509 standard. The information used to define identity and attributes of natural person signatory, without pseudonyms, is broken down into following fields: Field Subject, using attributes commonname, surname (or givenname) and countryname. In attribute SerialNumber, can be include National / Foreign Citizen ID Card of signatory. Extension Subject Alternative Names. No restrictions are included. Extension Subject Directory attributes. The attributes of Subject field should not be included. OIDs for qualified s The coding of certain features of qualified s are outlined by specific OIDs (Object Identifier). 16

17 The technical standard that indicated m was ETSI TS , that reflected with following OID (now obsolete): And defining information of qualified statement (QC-Statement) with OID: At present, standard of application is ETSI EN which has resulted in information on qualified s, not included in previous standard, be reflected with a new OID: Therefore, qualified s will be able to indicate certain features of s with OIDs that begin with (Originally designed for electronic signature of natural persons according to Directive 1999/93, but nowadays also suitable for legal persons due to extension of concepts such as electronic seal of Regulation EU 910/2014 EIDAS) and ors with OID that begin with (specifically to differentiate s of natural and legal person as Regulation EU 910/2014 EIDAS does). These are main OIDs: qcstatement QcCompliance (Mandatory) qcstatement QcLimitValue qcstatement QcRetentionPeriod qcstatement QcSSCD qcstatement QcPDS (Mandatory) qcstatement QcType -- QC type identifiers id-etsi-qct-esign OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 1 } -- for electronic signatures as defined in Regulation (EU) No 910/2014 id-etsi-qct-eseal OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 2 } -- for electronic seals as defined in Regulation (EU) No 910/2014 id-etsi-qct-web OBJECT IDENTIFIER ::= { id-etsi-qcs-qctype 3 } 17

18 -- for website auntication as defined in Regulation (EU) No 910/ > id-etsi-qcs-semanticsid-natural -> Natural person semantics (for natural person s electronic signature) > id-etsi-qcs-semanticsid-legal -> Legal person semantics (for legal person s electronic seal) qcstatement QcPDS (Mandatory). It will provide at least one URL to a PDS (PKI Disclosure Statements) in English. Or PDS documents can be referenced in or languages with this QCStatement provided y are equivalent to PDS in English. No reference should be made to more than one PDS per language qcstatement QcType: id-etsi-qct-esign ( ) QcType 1 id-etsi-qct-eseal ( ) QcType 2 id-etsi-qct-web ( ) QcType 3 18