CERTIFICATE POLICY
CIGNA PKI Certificates
Version: 1.1
Effective Date: August 7, 2001
Copyright 2001 CIGNA
1. Introduction ... 3
1.1 Important Note for Relying Parties ... 3
1.2 Policy Identification ... 3
2. Policy Outline ... 4
3. CP Provisions ... 4
3.1 Community and Applicability ... 4
3.2 Rights and Obligations ... 5
3.3 Liability Statement ... 6
3.4 Interpretation and Enforcement ... 6
3.5 Publication and Repository ... 6
3.6 Privacy/Confidentiality ... 7
4. Identification and Authentication (Procedures) ... 7
4.1 Initial Registration ... 7
5. Operational Requirements ... 8
5.1 Key Generation ... 8
5.2 Key Archival ... 8
5.3 Certificate Acceptance ... 9
5.4 Certificate Validity Period ... 9
5.5 Certificate Revocation ... 9
5.6 Certificate Renewal ... 9
5.7 Certificate Use ... 9
1. Introduction

A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. This Certificate Policy (CP) governs the lifecycle and use of digital certificates issued within the CIGNA Certificate Authority (CA) hierarchy, specifically S/MIME certificates issued by the internal sub-CA to facilitate secure e-mail for CIGNA employees and agents, and also authentication of clients.

"CIGNA" refers to CIGNA Corporation and/or one or more of its subsidiaries. Products and services are provided by operating subsidiaries and not by CIGNA Corporation. "CIGNA" is also a registered service mark of CIGNA Intellectual Property, Inc., licensed for use.

1.1 Important Note for Relying Parties

Before using/trusting the certificate(s) related to this Certificate Policy (CP), please ensure you have read and understood the provisions described within this document.

1.2 Policy Identification

Policy name: CIGNA PKI Certificate Policy
Policy qualifier: This Certificate Policy governs all use of certificates involved in the conduct of CIGNA business for the following: (1) encrypting for privacy, (2) digitally signing e-mail messages to intended recipients for data integrity and authorship controls, (3) identifying persons, and (4) authentication of computing resources. No other use is authorized. CIGNA CORPORATION AND ITS AFFILIATES SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING FROM AUTHORIZED OR UNAUTHORIZED USE.
Policy version: 1.0
Policy status: Pilot
Policy reference/OID (Object Identifier): 2.16.840.1.114239.11.1.1 and 2.16.840.1.114239.11.1.2
Date of issue: August 7, 2001
Date of expiry: N/A
Related Certificate Practice Statement (CPS): Baltimore Technologies Ltd. Boston Certificate Practice Statement (Company) COE Boston v0.4 (herein the "CPS"), available on request.
CP Universal Resource Locator (URL): http://www.cigna.com/encryption/policy/ca_policy.htm
For more information please contact: PKIAdministrator@cigna.com

2. Policy Outline

This policy governs only certificates used for (1) encryption of e-mail messages for privacy/confidentiality, (2) digital signatures applied to e-mail messages for user authentication and data integrity, and (3) authentication of computing resources.

In this CP, "Certificate" means a certificate issued under this CP and used in compliance with all relevant agreements, policies and procedures. A Certificate may be used only for CIGNA-approved purposes.

In this CP, "Subscriber" means (1) an employee of CIGNA, (2) an individual agent or an employee of an agent of CIGNA acting with CIGNA's authorization, (3) an application or service acting as an agent of CIGNA, (4) a legal person with whom CIGNA does business (a "Business Partner") or (5) a computing resource controlled by a Business Partner. Only Subscribers may request issuance of Certificates.

All persons with whom Subscribers intend to correspond for CIGNA-approved purposes via e-mail may rely on Certificates. No Subscriber agreements or relying party agreements other than agreements made in the subscription process are required to rely upon a Certificate.

The registration method for a Certificate is remote and requires authentication via a CIGNA-issued user identification and password presented at the registration Web site, where the transaction is logged for exception review.

This CP is implemented in conjunction with, and supported by, a CPS in conformance with the Baltimore Technologies Ltd. Boston Certificate Practice Statement (Company) COE Boston v0.4, which may be obtained by request.

3. CP Provisions

3.1 Community and Applicability

This CP and Certificates are valid only for (1) encryption of e-mail messages for privacy, (2) digital signatures applied to e-mail messages for Subscriber authentication and data integrity, and (3) authentication of computing resources. Certificates may only be used to provide privacy/confidentiality, user and/or computing resource authentication, and data integrity for CIGNA-approved purposes. Certificates may only be used and relied upon by (1) CIGNA or Business Partner employees and
agents, or (2) by CIGNA or Business Partner computing resources. No use of Certificates by others, or for other purposes, is permitted or supported.

Key usage fields within Certificates are as follows: key encipherment, digital signature.

Enhanced/Extended Key Usage fields within Certificates are as follows: secure e-mail, client authentication.

3.2 Rights and Obligations

Subscriber Obligations

Subscribers must:
- protect their private key at all times against loss, disclosure to any other party, modification and unauthorized use, in accordance with the current CPS and this CP;
- utilize, at minimum, the Medium private key protection option in the Microsoft Internet Explorer Web browser (or equivalent levels of minimum protection where other key stores are used), and adhere to all CIGNA Information Protection Policy password requirements;
- never store the Personal Identity Number (PIN) or pass-phrase used to protect the private key against unauthorized use in the same location as the private key itself, nor store the PIN or pass-phrase unprotected, nor fail to sufficiently protect the PIN or pass-phrase;
- take full responsibility for the accuracy of data given as part of a Certificate request, and for verifying that the contents of the published Certificate are correct;
- notify the CIGNA PKI Owner immediately of any compromise of their private keys or any change in their information included in their certificate or provided during the registration process;
- comply with all national and local laws regarding the use of digital signatures, cryptographic technology and electronic information in utilizing Certificates; and
- permit publication of the Certificate in directory services and/or through exchange of standard format files with CIGNA's business partners.

Relying Party Obligations

Any person or persons relying upon Certificates must:
- securely obtain the certificates of the CAs they trust in the trust hierarchy, which should include verifying each CA's public key hash (thumbprint) and validity (active, revoked, or expired);
- verify that non-CIGNA employees or agents, or non-CIGNA computing resources, are engaged in CIGNA-approved activities;
- establish trust in each Certificate by verifying trust of the certificate issuer (CA), validity (active, revoked or expired), and appropriate key usage;
- be fully responsible, to the exclusion of CIGNA, for their reliance on any Certificate-based service;
- comply with all national and local laws regarding the use of digital signatures, cryptographic technology and electronic information in utilizing Certificates; and
- restrict their reliance to the appropriate uses of the Certificates in accordance with this CP.

CA (CIGNA) Obligations

CIGNA will:
- issue Certificates in compliance with this CP and the CPS, subject to contractual obligations with its customers; and
- comply with the other requirements of this CP and the CPS.

3.3 Liability Statement

CIGNA will not be liable for any damages or costs arising from the use of Certificates, whether authorized or unauthorized.

3.4 Interpretation and Enforcement

This CP shall be interpreted under the laws of the Commonwealth of Pennsylvania, in the United States of America. In the event of a conflict between this CP, the CPS and, if any, the written contract between CIGNA and the Subscriber or Subscriber's agent, the order of increasing precedence shall be: this CP, the CPS, and the contract.

3.5 Publication and Repository

The certificates for CIGNA's CAs will be published to CIGNA's Enterprise LDAP directory and CIGNA's Internet Web server. Publication is configured to occur automatically within five minutes after CA certificate issuance. Subscriber Certificates will be published to CIGNA's Enterprise LDAP directory server and CIGNA's mail system's Global Address List as appropriate. Publication to the
Enterprise LDAP directory server is configured to occur automatically within five minutes after the certificate's issuance. Publication to the Global Address List for the appropriate Certificates is configured to occur at the time the Subscriber maintaining control of the private key elects to do so using the subscription graphical user interface.

Certificate Revocation Lists (CRLs) will be published to CIGNA's Enterprise LDAP directory and CIGNA's Internet Web server. Publication is configured to occur automatically on a periodic basis. In addition, CRL publication may occur on an as-needed basis.

3.6 Privacy/Confidentiality

This CP and the use of Certificates must conform to applicable laws, rules and regulations pertaining to CIGNA's business. These may include, among others, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 15 U.S.C. 6801-6810 (the Gramm-Leach-Bliley (GLB) Financial Services Modernization Act) and U.S. state privacy laws.

4. Identification and Authentication (Procedures)

4.1 Initial Registration

Subscribers will submit registration requests as follows:

1. Subscriber authenticates through an SSL (Secure Sockets Layer)-secured Web site connection using a CIGNA-issued and CIGNA-administered user identification and password from commercial access control facilities.
2. Subscriber provides identification and authentication information through the SSL-secured connection. Subscriber receives an alphanumeric CIGNA-issued and administered Single Sign On (SSO) ID and password and intranet access to certificate enrollment. Subscriber authenticates through an SSL-secured connection using their SSO identification and password pair.
3. Subscriber initializes the Web-based certificate enrollment process by agreeing to Terms and Conditions and this CP. This transaction is logged by the intranet application for exception review.
4. The Certificate Enrollment process verifies that the Subscriber does not already have a valid Certificate for digital signature, SSL authentication, or key encipherment purposes.
5. The Certificate enrollment process interfaces with the Subscriber's Web browser to create an asymmetric key pair for digital signature and SSL client authentication. The public key of the key pair is combined with identification information and transformed into a certificate request, which is sent by the Web browser to the certificate enrollment server process.
6. The Certificate enrollment server process continues by creating a second asymmetric key pair on behalf of the Subscriber. This key pair will be designated for key encipherment. The public key of the key pair is combined with identification information and transformed into a certificate request.
7. The Certificate enrollment server process sends both certificate requests to the appropriate CIGNA CA for certificate issuance.
8. The appropriate CIGNA CA issues the certificates corresponding to the Subscriber's two certificate requests and returns them to the Certificate enrollment server process.
9. The Certificate enrollment server process publishes both certificates, copies the key encipherment key pair and certificate to a secure archive server, and installs the key encipherment key pair and both certificates in the Subscriber's Web browser.
10. The Subscriber is required to use their new SSL authentication certificate to authenticate to an SSL-protected Web page for proof of receipt. This transaction is logged by the application for exception review.
11. The Certificate enrollment server process finishes by automatically sending an e-mail to the Subscriber, thereby confirming that the certificate registration process has been completed.

5. Operational Requirements

5.1 Key Generation

The Subscriber invokes the generation process from a client application. One of two 1024-bit RSA key pairs is created locally through a Microsoft Internet Explorer (IE) 5.x or higher Web browser (or through Netscape 5.x or higher if desired by non-CIGNA employees, agents or computing resources) for the purposes of digital signature and client authentication. The second key pair, for the purpose of key encipherment, is created by server-side processes. The key pairs are passed to the CA to be transformed into certificates, and a copy of the key-encipherment keys and certificate is archived. The certificates are passed back to the client.

5.2 Key Archival

CIGNA may keep a protected copy of the Subscriber's key-encipherment key and certificate for CIGNA business purposes. CIGNA does not keep any copies of the signing key or the authentication key.

5.3 Certificate Acceptance

The Subscriber is required to use their new SSL authentication Certificate to authenticate to an SSL-protected Web page for proof of receipt. The Subscriber is also given an opportunity to refute the request by responding to the automated e-mail event.

5.4 Certificate Validity Period

A Subscriber Certificate is valid for a period of up to three years. Certificates are signed by the CIGNA Root CA (whose certificate is valid for a period of 12 years) and the CIGNA Internal Sub CA (whose certificate is valid for a period of six years).

5.5 Certificate Revocation

The process for revoking a Subscriber Certificate can be performed by the Subscriber to whom the certificate in question was issued, or by a PKI administrator. In both cases, revocation will not be communicated and available to the public until the next CRL is published.

A Subscriber must authenticate using their SSO user ID and password to access the key administration application. The Subscriber then selects the Certificate(s) to revoke, indicates a reason for revocation and provides further authentication information. This transaction is audited for exception review.

A PKI administrator must authenticate to the certificate revocation administrative interface using a digital certificate on a smart card. From there, the administrator may select the Certificate(s) to revoke and provide the reason for revocation.

5.6 Certificate Renewal

The process for renewing a Subscriber Certificate will include equivalent steps to the foregoing. Subscriber will register for new Certificates upon expiration of valid Certificates.

5.7 Certificate Use

A Subscriber is required to use their new SSL authentication certificate during the registration process to authenticate to an SSL-protected Web page for proof of receipt. This transaction is logged by the application for exception review. No further proof of possession of a private key is required for Certificate use.
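Section 3.2 obliges a relying party to verify, for each Certificate, the issuer, its validity and its appropriate key usage. As an added example (not part of this CP or of CIGNA's enrollment software), the Python below decodes a certificate's KeyUsage, ExtendedKeyUsage and certificatePolicies extension values from DER and checks them against the profile stated in sections 1.2 and 3.1; the extension bytes are constructed samples, and issuer-chain and CRL checks are assumed to be done separately by the relying party's existing tooling.

```python
# Added example, not CIGNA's code: check DER extension values against CP sections 1.2 and 3.1.
CP_POLICY_OIDS = {"2.16.840.1.114239.11.1.1", "2.16.840.1.114239.11.1.2"}  # CP section 1.2
ALLOWED_EKU = {"1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"}  # id-kp-emailProtection, id-kp-clientAuth
ALLOWED_KU = {0, 2}  # RFC 5280 KeyUsage bit positions: digitalSignature(0), keyEncipherment(2)

def _tlv(der, pos=0):
    """Decode one DER tag/length/value starting at pos; returns (tag, value, end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    first = value[0]  # first octet packs the first two arcs
    arcs, n = ([first // 40, first % 40] if first < 80 else [2, first - 80]), 0
    for b in value[1:]:  # remaining arcs are base-128, high bit set means "continue"
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def key_usage_bits(der):
    """KeyUsage is a BIT STRING; return the set of bit positions that are set."""
    value = _tlv(der)[1]
    unused, bits = value[0], value[1:]  # first content octet counts unused trailing bits
    return {i for i in range(len(bits) * 8 - unused) if bits[i // 8] & (0x80 >> i % 8)}

def oid_list(der, nested=False):
    """Decode SEQUENCE OF OID (EKU); nested=True reads each item's first OID (certificatePolicies)."""
    seq = _tlv(der)[1]
    oids, pos = [], 0
    while pos < len(seq):
        _, item, pos = _tlv(seq, pos)
        oids.append(decode_oid(_tlv(item)[1] if nested else item))
    return oids

def conforms_to_cp(ku_der, eku_der, policies_der):
    """True only if every extension stays within what the CP permits."""
    ku, eku = key_usage_bits(ku_der), set(oid_list(eku_der))
    policies = set(oid_list(policies_der, nested=True))
    return (bool(ku) and ku <= ALLOWED_KU and bool(eku) and eku <= ALLOWED_EKU
            and bool(policies & CP_POLICY_OIDS))

# Constructed sample extension values (DER hex), not taken from any real certificate.
KU_SAMPLE = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
EKU_SAMPLE = bytes.fromhex("3014" "06082b06010505070304" "06082b06010505070302")
POLICY_SAMPLE = bytes.fromhex("300e300c" "060a6086480186fc3f0b0101")  # 2.16.840.1.114239.11.1.1
```

A certificate whose KeyUsage carries any bit outside the two the CP names, whose EKU includes a purpose such as serverAuth, or whose policies do not reference either CP OID is rejected.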