Registration Authority (RA) Operational Guideline

Transcription

1 Registration Authority (RA) Operational Guideline Page 1 of 45

2 REVISION CONTROL AND CHANGE HISTORY Revision Number Approval Date Rev. 0 3 Mac 2014 Rev Aug 2014 Approved by Amir Suhaimi Hassan Amir Suhaimi Hassan Amendment New document release 1. Conversion to SOPP format 2. Include ISMS requirement on the document labelling 3. Change of Department name from Compliance Div. to Compliance Dept. 4. Include reference to Documents and Records Control Procedure Page 2 of 45

3 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 RELATED POLICY... 4 LEGISLATIVE CONTEXT... 4 DEFINITIONS AND ACRONYMS ) CERTIFICATE APPLICATION ) CERTIFICATE APPLICATION PROCESS ) REFUSAL OF CERTIFICATE APPLICATION ) REVOCATION OF CERTIFICATE ) RENEWAL OF CERTIFICATE ) SMART CARD AND VIRTUAL SMART CARD MANAGEMENT ) PIN MANAGEMENT ) APPOINTMENT OF AUTHORIZED PERSONNEL ) INVENTORY REQUIREMENT APPENDICES Page 3 of 45

4 PURPOSE This document serves to outline the policies and procedures of DIGICERT when dealing with its appointed Registration Authorities (RA). This includes the certificate application, validation, application process and revocation policies, and movement of physical documents, remittances of funds and movement of other physical items (such as smart cards). Corporate Policies All RA shall adhere to the latest Certification Practice Statement pertaining to certificate application, validation, application process and revocation. To outline policies for the movement of physical items between DIGICERT and the RAs. Each RA shall be audited on an annual basis as per the requirements of the DSA 1997 and DSR Section 20 (1) of the DSA 1997 states that the operations of a licensed certification authority shall be audited a least once a year to evaluate its compliance with this Act, which shall be applicable here. The results of the annual audit conducted shall determine its eligibility to continue to operate as one of DIGICERT s RA. The RA Operative Personnel employed by an RA shall be properly qualified and demonstrate good conduct. SCOPE This document covers detailed process flow for the followings: 1.1 Application process of digital certificates 1.2 Inventory Requirement 1.3 Movement of physical items and documents between DIGICERT and its RA RELATED POLICY Reference. No. Title of Policy Location Clause 4.1 Quality Management System ISO 9001:2008 SI Dept. DQMS-QM-01 Quality Manual SI Dept. Clause 10.0 Registration Authority User Procedure Manual v2.0 Compliance Dept. DQMS-CS-SP-101 Documents and Records Control Procedure Compliance Dept. LEGISLATIVE CONTEXT Reference No. Title of Document Location Nil Nil Nil Page 4 of 45

5 DEFINITIONS AND ACRONYMS Word/Term Definition DSA 1997 Digital Signature Act 1997 (Act 562) is an Act to make provision for, and to regulate the use of, digital signature and to provide for matters connected therewith. DSA 1998 Digital Signature Regulations ) CERTIFICATE APPLICATION In providing public-key certification services to potential subscribers (individuals and legal entities), the RA shall ensure that these subscribers are well informed about digital signatures and certificates; the scope of the digital signature legislation; its certificates policies and practices; obligations and limitations of its services and the responsibilities of the subscribers. This can be achieved by publishing and maintaining an up-to-date CPS in a publicly accessible repository or web site. 1.1 Class 2 certificates (Digisign ID Basic/Enhanced) Class 2 certificate (Digisign ID Basic/Enhanced) application process is not automated and requires human intervention. Below sets out the standard operating procedures or guidelines applicable for Class 2 certificate application process. Appendix 1 provides a flow chart for this application process Mode of establishing application Only persons who are 18 years of age and above may apply for Class 2 certificates Class 2 certificates shall only be used for the purpose described in - Appendix The validity period of a Digisign ID Basic/Enhanced is one (1) to three (3) years or depending on project requirements Applicant can obtain a Class 2 certificate from the RA by being: a) physically present at the outlet/office of the appointed RA or AP b) Upon strict verification & authentication by the RA or its appointed agents c) Online registration The applicant who present himself before the Registration Personnel (RP) at the appointed RAs shall: a) fill-up an application form (see Appendix 3.0) b) present identification documents (see Part ) c) make payment by using one of the following method : i. cash ii. credit card (if applicable) iii. cheque iv. postal order Depending on the project, other supporting documents are required based on the project requirements The token shall be sent to the applicants via courier or any other suitable modes deemed fit. Page 5 of 45

6 Once all the process above is completed, the procedures in Part shall be executed Review application for completeness (by the Registration Personnel) For each application, the RP shall check if the applicant is blacklisted against the blacklist provide by Security Officer (if any). If the applicant is blacklisted, the application shall be cancelled. The applicant shall be notified and the procedures in Part 3.0 shall be executed The RP shall check to ensure that the application form is properly completed The RP shall ensure that the applicant present original identification documents (together with photocopy of these documents) as listed below. Group Document name Points A NRIC 4 each Valid passport B Birth certificate Valid driving license Latest income tax return form (Form J) Referral letter from current employer Valid credit card bill Valid bank statement Certificate of Adoption Any other documentation deemed fit. 2 each Note: The applicant must provide one document from Group A. If the documentation for Group A is not available, the applicant must provide at least two (2) documents from Group B. The total points of all forms of identification documents shall be no less than 4 for the application to be processed The RP shall at least verify the identity of the applicant by physically sighting the applicant and comparing it against the photograph on the identification document If representative of applicant is present, the RP shall verify the application form against the identification document. RP shall verify the representative to his NRIC or Passport and letter of authorisation by applicant RP can refuse to process the application if the application / application form is incomplete and / or application does not provide identification documents Identity validation procedures (by the Registration Officer) The validation requirements for a Class 2 certificate are moderately stringent. DIGICERT s certificate policy for a Class 2 certificate requires at least a validation of legal name and postal address. Page 6 of 45

7 The Registration Officer (RO) shall perform the following validation procedure for Class 2 certificate: a) ensure the relevant identification documents are available; and b) verify the identity of the applicant as stated in the application form against the identification documents If the application form contains illegible written text, under no circumstances shall guesses be made. As a general rule, the applicant shall be referred for clarification If the validation is satisfactory, the RO shall authorise the application and hand over the application form with the certificate. The RP shall then execute the following procedures: a) The application form together with the photocopies of the identification documents shall be returned to the RP for filing. This copy shall be filed in a cabinet and sorted according to class of certificate and alphabetical order of the applicant s name At the end of each business day, the RP shall: a) Consolidate and count the number of application forms; 1.2 Class 2 Server (Digisign Server ID 2048) Below sets out the standard operating procedures or guidelines applicable for Digisign Server ID 2048 certificate application process. Appendix 4.0 provides a flow chart for this application process Mode of establishing certificate application Legal entities which include company (limited and private limited), sole proprietor / partnership, co-operative and society may apply for Digisign Server ID Digisign Server ID 2048 shall only be used for the purpose described in Appendix The validity period of a Digisign Server ID 2048 is one (1) year to three (3) years (depend on project requirements) Applicant may apply for a Digisign Server ID 2048 from the appointed RAs The appointed representative from the company shall: Present the application form (see Appendix 5.0). The application form MUST be signed by the authorised signatory of the legal entity. This form shall be obtained earlier from the RAs Present two forms of identification documents (see Part ) provide the following additional items: i. The Certificate Signing Request (CSR) keys stored in a CD/USB token or send via . RO shall use the CSR to generate the certificate upon successfully verifying the applicants.; and ii. Letter of Authorisation from the management of the legal entity (or the Board of Director s resolution if applicable) that operates the server. This letter shall give the representative (the person making the application) authority to render the application on behalf of the legal entity Page 7 of 45

8 Applicant shall be informed (indicative statement in the application form) that the information provided would be incorporated in the certificate. Applicant indicates acceptance by signing on the application form. By signing the application form, the applicant also indicates acceptance to the terms and condition of DIGICERT s certification services: Once this is completed, the procedures in Part shall be executed Review application for completeness (by the Registration Personnel) For each application, the RP shall first check if the applicant is blacklisted provided by Security Officer (if any). If the applicant is blacklisted, the application shall be cancelled. The applicant is notified and the procedures in Part 3.0 shall be executed The RP shall check to ensure that the application form is properly completed The RP shall ensure the applicant present identification documents (together with photocopy of these documents) as listed below. (THIS PART IS INTENTIONALLY LEFT BLANK) Page 8 of 45

9 Business Type Group Document name Points Sdn Bhd/Bhd A Valid certificate of incorporation 4 - Form 9 for Sdn. Bhd - Form 8 for Berhad B Memorandum of Association (MoA) Articles of 4 Association (AoA) Society Bylaws Booklet Latest audited financial statements Latest income tax return Sole Proprietor A I/C of Sole Proprietor 4 B Business Registration Form (Form A) 4 Business License (Form D) C Company Bank Statement (Last 3 months) 2 Management Account for 2 years (P&L and Balance sheet) Income Tax Form for last 2 years (Form J) Partnership A I/C of all partners 4 Business Registration Form (Form B) 4 B Business License (form D) Company Bank statement (Last 3 months) 2 C Management Account for 2 years (P&L and Balance Sheet) Income Tax from for last 2 years (Form J) Professionals A I/C of all Applicant 4 B Current legal/medical or Accounting Practising 4 Certificate C Bank Statements for the last 3 months of practice. 2 Government Mandatory Letter from Head of Respective Department 8 Non-Government Organization/ Association A Certificate of Registration Constitutions of the company. B List of Office Bearer Official Letter from the organisation 4 4 Note: The applicant shall provide one compulsory document from Group A and either any one or two documents from Group B or Group C. The total points of all forms of identification documents shall be no less than 8 for the application to be processed The RP shall verify the identity of the representative from the legal entity by checking the authorisation letter against his NRIC / Passport RP can refuse to process the application if the application/application form is incomplete and/or application does not provide identification documents After checking the application form for completeness, the RP shall also confirm the payment of subscription fee (see Appendix 6.0): For confirmation on payment by cash, the RP shall check the fee received to ensure that the amount is correct For confirmation on payment by credit card, the RP shall check with the appropriate bank or finance institution to ensure that the credit card number is valid (the account number is valid and the card has not expired) and there is sufficient credit limit on the card to make payment. If payment is not valid at this point, the application shall be rejected Page 9 of 45

10 For confirmation on payment by cheque, the RP shall ensure that the amount written on the cheque matches the fee. Cash cheques are acceptable, and the relevant cheques shall be crossed. It shall be made payable to DIGICERT SDN BHD For confirmation on payment by postal order, the RP shall ensure that the amount written on the postal order matches the fee. It shall be made payable to DIGICERT SDN BHD Identity validation procedures (by the Registration Officer) The RO shall perform the following validation procedure for Class 2 certificate: ensure the relevant identification documents are available; and verify the identity of the applicant as stated in the application form against the identification documents If the application form contains illegible written text, under no circumstances shall guesses be made. As a general rule, the applicant shall be referred for clarification If the validation is satisfactory, the RO shall authorise the application and execute the following procedures: For all payments, RP shall issue an official receipt to the applicant together with the certificate stored in a CD/USB token or smart card The application form together with the photocopies of the identification documents shall be returned to the RP for filing. This copy shall be filed in a cabinet and sorted according to the class of certificates. The sorting shall be in an alphabetical order of the applicant s organisation name or the month of application being requested At the end of each business day, the RP shall: consolidate and count the number of application forms; (THIS PART IS INTENTIONALLY LEFT BLANK) Page 10 of 45

11 2) CERTIFICATE APPLICATION PROCESS 2.1 Class 2 certificate (Digisign ID Basic and Digisign ID Enhanced) Appendix 7.0 provides a flow chart description for Class 2 certificate (Digisign ID Basic and Digisign ID Enhanced) application process. The application process is applicable for individual or bulk purchase The RO shall enter the applicant s particulars into the RA System The RO shall insert his/her smart card into the smart card reader to activate the RA System whenever necessary and remove his card after every usage to deactivate RA System Once the certificate is generated, the system shall automatically published the certificate in a recognised repository and the RP shall provide the applicant with following items: a) Certificate issued in a smart card, USB token or any other applicable token b) Smart card Reader/ USB Cables (if applicable) c) Client API and installation manual (if applicable) d) the photocopy of the application form (if requested by subscriber); e) official receipt; and f) verbally notify the applicant that his / her PIN number shall be sent to him / her in via regular mail/ courier within seven (7) working days Upon completing the application process, a copy of application form (if applicable) and receipt shall be given to the applicant. The tokens shall be issued for delivery to the subscribers within 7 working days or according to project requirements. Applicant who wishes to collect the tokens shall return and show a form of identification and receipt for certificate collection For bulk purchase, RP shall attached and keep a copy of Appendix 8.0. The Delivery Record for each delivery The PIN Mailer would be printed by PKI Engineer/ System Administrator at DIGICERT at the end of the day on a daily basis The RP shall request for the tokens and other related items from the Admin & Accounts department by submitting the Inventory Request Form (Appendix 9.0) before certificate issuance. 2.2 Class 2 Server Certificate ( Digisign Server ID 2048) Appendix 10.0 provides a flow chart description for Digisign Server ID 2048 application process Digisign Server ID 2048 shall be issued immediately upon receiving a complete application with the supporting documents, CSR (if applicable) and payments Once the certificate is generated, the system shall automatically publish the certificate in a recognised repository. Digisign Server ID 2048 would be in the CD or any other applicable tokens Applicant for Digisign Server ID 2048 shall get the certificate in a CD or any other applicable tokens together with a copy of application form (if applicable), Notice of Issuance and official receipt RP shall verbally notify the applicant that his/her PIN number shall be sent to him/her via regular mail/courier. Page 11 of 45

12 3) REFUSAL OF CERTIFICATE APPLICATION 3.1 An application can be refused under the following conditions: Incomplete information/application form; the applicant has knowingly or unknowingly provided false or misleading information in the application; the information contained within the application has changed in such a manner that it shall be grossly inaccurate to allow the certificate to be issued without the information being updated; violation of the DSA or the DSR; the address specified by the applicant for a Digisign ID is not valid; the applicant has been blacklisted by the Finance Department due to huge outstanding amount; the applicant failed to make payment (e.g. defaulted cheque, purchase order without cash or cheque payment); or due to any of the above combinations. 3.2 If application is refused/cancelled, the following Notice of Refusal shall be sent to the subscriber: For Digisign ID, shall be sent to the subscriber indicating the reason of the certificate cancellation For Digisign ID Basic, Enhanced or Digisign Server ID 2048, subscriber shall be notified with verbal notification indicating the reason of the certificate cancellation. 4) REVOCATION OF CERTIFICATE 4.1 Listed below are flow charts for the revocation process of various classes of certificates: Appendix 11.0 for revocation requested by subscriber-class Appendix 12.0 for revocation requested by Registration Authority Appendix 13.0 for revocation requested by Controller 4.2 DIGICERT or Controller initiated In the event that DIGICERT believes or has reason to believe, due to reliable evidence or while acting in good faith, that a certificate shall be revoked, DIGICERT shall take all necessary steps to do so even if this is without the consent of the subscriber. However, subscribers shall be notified via prior to revocation. In most instances, revocation of this case involves: Security breaches that shall materially affect the truth of the information reflected in the certificate and thus possibly mislead a person relying on such information; Certificate was not issued in accordance with sections 29 and 30 of the DSA a) DIGICERT determines that the subscriber did not fulfil a material obligation specified in the CPS b) DIGICERT determines that the certificate was not issued in accordance with the terms of the CPS; c) DIGICERT determines that the subscriber materially misrepresented himself on the certificate application; Page 12 of 45

13 Change in relationship between the CA and the subscriber. For example, the terms of the CPS may require the subscriber to be an employee of a particular entity, and that employment may be terminated prior to the certificate's expiration date; or Certificate is no longer needed for the purpose for which it was issued, but there is no reason to suspect that the private key has been compromised; Certificate became unreliable due to breach of the CA's private key's security including unauthorised use; Other reasons a) the subscriber has used the certificate in an improper manner (for example, for trafficking illegal material, engaging in activities that compromise national security, utilising the certificate for accessing pornographic material etc.); or b) the subscriber failed to collect the certificate within a specified time limit. c) the Controller may, at his discretion, issue an order to DIGICERT to revoke the certificate due to any of the reasons listed above as allowed in Section 33 of the DSA. For this reason, the Controller shall give DIGICERT and the subscriber a reasonable opportunity of being heard. The above list is not meant to be exhaustive but merely to highlight some of the possible reasons for revocation. If the revocation was due to a fault of DIGICERT, DIGICERT shall reissue a new certificate to the subscriber at no cost. Note, however, that under a revocation due to an instruction from the Controller of CA, DIGICERT shall not reissue a new certificate for free When revocation is initiated by DIGICERT s operative personnel, the following procedures are necessary. When a revocation is requested, the Revocation Request Form (see Appendix 15.0) shall be filled up by the personnel requesting it. The personnel shall sign on the form The form shall be forwarded to the RO or relevant department manager who shall then review the form for reasonableness and validity If the related department Manager/ RO find that the revocation request is reasonable and valid, he shall sign on the form. If the Manager/ RO refuse the revocation request, he shall remark on the form and communicate to the personnel who requested the revocation Upon receipt of the instructions, the RO would process the revocation. a) The subscriber shall be notified via upon the completion of revocation process When revocation is initiated by the Controller, the following procedures are necessary: a) The Controller shall advise the COO or Security Officer of DIGICERT on the details via an official letter. b) Upon the receipt of the instruction from the COO or Security Officer, the Registration Officer would perform the revocation. c) The COO or Security Officer would the Controller regarding the revocation status The following individuals would be notified when a certificate is revoked: a) The subscriber - an notice of revocation would be forwarded. Page 13 of 45

14 b) The Controller - at the end of the day, the RO would a status report of the Controller revocations to the Controller, reporting on the outstanding requests and those that are processed during that day Effecting revocation a) The certificate shall be revoked by the RO as soon as the decision to revoke is reached. This shall be completed within 1 business day. b) The Certificate Revocation List (CRL) shall also be updated within 1 business day to reflect this revocation. The updated CRL shall be published at the end of the business day or at least by the end of the next business day. c) Once the certificate has been revoked, an notice of revocation would be forwarded. d) Details of the above procedures can be found in the CA Operations Manual (COM). 4.3 Subscriber initiated Revocation of certificates by a subscriber can occur due to any of the following or combination of the following reasons: Certificate became unreliable due to: a) a change of affiliation of the certificate subject; b) breach of the private key s security including unauthorised use; c) the certificate and/or private key (including the media in which the only copy is stored e.g. smart card) is missing, corrupted or damaged; Other reasons: a) the certificate holder ceases to exist (including death); or b) the subscriber failed to collect the certificate within a specified time limit When revocation is initiated by subscribers, the following procedures are necessary; Class 2 certificate (Digisign ID Basic/Enhanced, Digisign Server ID 2048) a) The subscriber has to come in person, or fax in to DIGICERT or its RA the Revocation Request form (see Appendix b) Via Physical Presence i. The subscribers shall fill in the physical Revocation Request Form ii. The RP shall positively identify the requestor via the NRIC/Passport. However, the RP shall be wary of accepting photocopied documents as proof of identity. Photocopies of the national identity card shall not be accepted as proof of identity. c) Via Fax/ Page 14 of 45

15 i. Subscribers shall / faxes the Revocation Request Form to the designated address at (RA s ) or Fax to (RA s Fax No). ii. Upon receiving the request, RP shall contact the subscriber to confirm the suspension request. RP shall ask the subscribers a few questions to confirm the identity of the subscriber - Questions to be asked shall be based from the CRS database: - Full name of the subscriber as in I/C - I/C number - address (if applicable) - Random information of the subscriber (e.g. The address pin mailer is sent, the company name (if the request is under the company name), usage - of the smart card etc d) The form is passed to the RO who would review the form for reasonableness and validity. If the test fails, he shall remark on the form and communicate to the registration personnel. The contents of the form would then be referred to subscriber at the counter. e) If the subscriber failed the identification process, the Revocation Request form shall be stamped with the words "Failed identification" and date. The RO shall also initial next to the stamped words. f) When the RP finds that the revocation request is reasonable and valid, he would initial on the form and sent the request forms to the RO to revoke. g) The RO would revoke the certificate at RA System. The RO shall be responsible for ensuring that the certificate is promptly revoked within 1 business day of reaching a decision. Please refer to Part Upon completing the revocation process, the Registration Officer shall notify the Registration Personnel to print Notice of Revocation from Certificate Registration System to the subscriber (see Part 4.3.3). h) For revocation of a Digisign Server ID 2048, the information required by the RO include: - company name - company incorporation number - certificate serial number - reason for revocation - authorisation letter i) At the end of each month, the RO shall: - check all the Revocation Request forms received; and Page 15 of 45

16 - perform a reconciliation between revocation request form and the revocation request in RA System. This shall highlight inconsistencies or delays in processing of revocation - Class 2 certificate (Digisign ID Basic/Enhanced, Digisign Server ID 2048) If a revocation has been outstanding for more than 1 business day, the related Manager shall attempt to discover the reason for the delay. Further action to be taken shall depend on each individual case. The Manager may write down remarks on a piece of paper and attach it to the Revocation Request form for this purpose If no inconsistencies are found, the forms shall be filed Notice of revocation A notice of revocation shall be generated from Certificate Registration System to be given to the subscriber after the revocation has been done (see Part 4.3.4) Effecting revocation The certificate shall be revoked within a 1 business day The Certificate Revocation List (CRL) shall also be updated within 24 hours to reflect this revocation. Where time permits, the updated CRL shall be published at the end of the business day or at the latest by the end of the next business day Once the certificate has been revoked, the revocation notice shall be given to the subscriber Once the certificate has been revoked, the revocation notice shall be given to the subscriber 4.4 Issuance of replacement certificates If the revocation was resulted from DIGICERT s fault, DIGICERT shall reissue a replacement certificate at no cost to the subscriber The procedures for issuing a free certificate shall be exactly the same as that of applying for a new certificate except that all forms of payment shall not be required. Therefore, where documentation shall be filled up to account for the payment, the document shall be marked with the word Replacement. 5) RENEWAL OF CERTIFICATE The procedures for certificate renewal are similar to initial certificate application process. Subscriber needs to submit a new application form and confirm a proof of identification (e.g. I/C for Digisign ID Basic or Letter of Authorisation from the company for Digisign Server ID / Digisign Server ID 2048) upon the renewal application. Supporting documents need not be submitted for the renewal process. Page 16 of 45

17 6) SMART CARD AND VIRTUAL SMART CARD MANAGEMENT 6.1 Pre-personalization of Smart Cards Pre-personalization of smart cards shall be done at DIGICERT office only Pre-personalization refers to the step where two key pairs are stored on a smart card. However, the smart card is not bound to any identity as of yet. Actual binding is only performed when the card is personalized DIGICERT has limited to 200 pieces per day for a smart card prepersonalization process Smart cards that arrive at DIGICERT before 10:00 a.m. on Mondays to Fridays shall be pre-personalized and collected on the next business working day Smart cards that arrive at DIGICERT after 10:00 a.m. on Mondays to Fridays shall be pre-personalized and collected on the next two (2) business working days Prior to pre-personalization process, the smart card supplier for RA shall deliver stock of smart cards to HR & Administration Department of DIGICERT Upon arrival of the smart cards, Administration Executive shall count the quantity of smart cards received. He/she shall fill in the Pre-Personalization Request Form (refer Appendix 16.0) and obtain the supplier s acknowledgement on the form as well. Apart from Pre-Personalization Request Form, Administration Executive shall receive and acknowledge the original supplier s delivery order (DO). This DO shall be attached together with the Pre-Personalization Request Form He/she then shall forward the smart cards, Pre-Personalization Request Form and supplier s DO to PKI Engineer/System Administrator of CA Operations Department Pre-personalization process is performed on the KGS (Key Generation System). This process shall be the responsibility of the PKI Engineer/System Administrator When faulty cards are discovered, PKI Engineer/System Administrator shall update the Pre-Personalization Request Form indicating the reasons for the faulty card(s) If inconsistencies or problems occur, the Head CA Operations together with the PKI Engineer/System Administrator shall rectify them and provide sufficient proof or reasonable explanations for the inconsistencies or problems for further action. The pre-personalization process shall stop immediately until the problem is rectified and resolved Once the pre-personalization process is completed, PKI Engineer/System Administrator shall count and record the quantity of pre-personalized cards, including good and faulty cards in the Pre-personalization Request Form The quality assurance (QA) process shall be performed by counter check against KGS event log immediately to confirm the correct quantity of cards being generated and the correct quantity of faulty cards being remitted by System Administrator PKI Engineer/System Administrator shall then inform Administration Executive to collect the successful pre-personalized and faulty smart cards and the updated Pre-personalization Request Form for further action Administration Executive shall re-count the quantity of pre-personalized smart cards and sign on the Pre-personalization Request Form. He/she shall then Page 17 of 45

18 forward the Pre-personalization Request Form to Finance Executive for further acknowledgement Finally, Administration Executive shall inform RA Personnel to collect the ready pre-personalized smart cards at DIGICERT office RA Personnel shall re-count the quantity of pre-personalized smart cards. Upon satisfied, he/she shall acknowledge on the updated Pre-Personalized Request Form. Administration Executive shall make a copy of the completed Pre-Personalized Request Form The completed Pre-Personalization Request Form shall be distributed to the respective party detailed below: a) First (original) kept by Finance Department of DIGICERT for billing purpose b) Second (copy) kept by RA Personnel for future reconciliation 7) PIN MANAGEMENT 7.1 Pre-printed pin mailers shall be provided by DIGICERT to RA. 7.2 Changing PIN Personal Identification Number (PIN) is used to unlock the private key that is kept in the digital certificate token The subscriber may change his / her PIN number with the Client Interface software (if applicable). However, shall the user chose not to do so, the user may change his / her PIN number at DIGICERT. 7.3 PIN Unblocking When a subscriber's digital certificate token is blocked, he shall be presence at DIGICERT or any of its appointed RAs or courier the digital certificate token to DIGICERT or any of its appointed RAs The PIN unblocking facility shall only be used when the PIN code of the token has been blocked e.g. the wrong PIN number was keyed in more than 3 times while attempting to utilise the smart card PIN unblocking shall only be performed by the Registration Officer/ Personnel by using relevant software application. a) Via physical presence The Registration Personnel/ Officer at DIGICERT or the RA shall ascertain the identity of the cardholder via at least one form of identification preferably with a photograph. In addition, the identity associated with the smart card shall also be verified against the identity of the person requesting for the unblocking facility. The cardholder shall then be requested to initial the PIN Activity LogBook b) Via courier The request shall be accompanied with a letter by card holder. Upon unblocking, Registration Officer/ Personnel shall deliver the digital certificate token to the card holder. Card holder shall contact Registration Officer/ Personnel to retrieve the new PIN. Registration Personnel/ Officer shall inform card holder to change the PIN immediately. Page 18 of 45

19 8) APPOINTMENT OF AUTHORIZED PERSONNEL 8.1 Authorised Personnel is appointed to fulfil the verification of the individuals applying for the digital certificates and performs PIN unblocking services. 8.2 The appointment of AP shall consider the political and geographical aspect of the applications to take place. Where appropriate, AP shall be appointed by the Certification Authority (CA) or Registration Authority (RA) as the verification agent for the application of digital certificate. 8.3 The verification of identity is valid for Digisign ID Basic, Digisign ID Enhanced and Digisign Server ID. 8.4 Functions of the AP are as below: To verify the true identification of the applicants against the original documentation upon the application of digital certificates. This shall include physical sighting to ensure that the true identification of the applicants To ensure that the application form is filled up completely with proper and complete supporting documents. The Certificate Signing Request (CSR) shall also be available for Digisign Server ID application To manage temporary safekeeping and delivery to the CA/RA on time To accept the issued certificate package and conduct the delivery to the customer whenever appropriate. 8.5 To enable the AP to perform the duty, there shall be a few requirements that need to be fulfilled: AP shall be an Executive level and above of the organisation. Organisation shall nominate its suitable candidates and submit their name(s) and the corresponding documents to the CA/RA Manager. The company shall send a Nomination Letter to the CA/RA subsequently AP shall be required to fill in the form and provide the: a) Copy of I/C b) Nomination Letter from the company for appointment as AP c) Specimen Signature This is to get the hard copy of the signature of the appointed AP. Since all the applications shall be accompanied by a letter from the AP with a signature, it is best to get a sample of the signature of the AP. If the signature is nowhere similar to the one provided, CA/RA shall call the AP for checking and confirmation CA/RA shall then issue an Appointment Letter to AP (Appendix 17.0) to formally appoint the AP of the CA/RA Authority Verification of Applicant s Information Applicant shall present himself/herself and sign the Digisign ID Basic/Enhanced Digital Certification Form (referred to as Application Form) in front of the AP Page 19 of 45

20 AP shall verify information entered on the Application Form against the details in original documents. Any incorrect entry, mismatch of details or doubt on information must be resolved between the AP and the applicants The AP shall verify the identity of the applicant by physically sighting the applicant and comparing it against the photograph on one of the identification document. If the AP is unable to complete verification using the identification document, the AP shall inform the applicant of this fact and request another form of identification If the AP is still unable to complete verification using the identification document, the applicant shall be informed of the fact that the application shall not proceed The AP shall verify that the photocopies of each identification documents are identical to the originals. If the photocopies do not match the original, the AP shall advise the applicant of this fact and request the correct photocopies Upon successfully verifying the applicants, AP shall compile the applications made for the day and prepare for delivery. The AP shall collect the complete and signed Application Form and photocopies of the supporting documents, payment and issue an original Verification Letter for the applications of the day Payment method used can be by cheque, bank draft or purchase order (PO) stating the names and I/C number of the applicants. Payment shall be made payable to CA/RA At CA/RA, upon receiving the application forms and related documents, RP shall execute the procedures for Bulk Purchase Process. 9) INVENTORY REQUIREMENT 9.1 This section serves to outline the procedures to be performed by the respective authorized personnel of RA in managing the RA related inventory items. These include, among other things smart cards, smart card readers and any related software. 9.2 All items received shall be checked for defects and/or the right quantity prior to accepting them. 9.3 RA shall strive to maintain a minimum reorder level at all times. This manual does not prescribe any reorder levels as this may change from time to time and may require considerable input from experienced personnel. 9.4 At the very least, special arrangements shall be made with the vendors and/or Production team in: a) minimizing lead-time between the dispatch of an order and the receipt of goods; b) providing high quality goods; c) return of defective inventory; and d) Special discount rates for bulk purchases (where applicable). e) All purchased inventories shall be stored in a secure manner at all times. Only when they are required shall access be granted. (THIS PART IS INTENTIONALLY LEFT BLANK) Page 20 of 45

21 APPENDICES Page 21 of 45

22 Page 22 of 45

23 Page 23 of 45

24 Page 24 of 45

25 Page 25 of 45

26 Page 26 of 45

27 Page 27 of 45

28 Page 28 of 45

29 Page 29 of 45

30 Page 30 of 45

31 Page 31 of 45

32 Page 32 of 45

33 Page 33 of 45

34 Page 34 of 45

35 Page 35 of 45

36 Page 36 of 45

37 Page 37 of 45

38 Page 38 of 45

39 Page 39 of 45

40 Page 40 of 45

41 Page 41 of 45

42 Page 42 of 45

43 Page 43 of 45

44 Page 44 of 45

45 Page 45 of 45