1 Title INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Customer Aristotle University of Thessaloniki PKI ( To WHOM IT MAY CONCERN Date 18 March 2011 Independent Audit Report for Aristotle University of Thessaloniki PKI Page 1 of 11
2 To whom it may concern, This is an official document to declare the following facts upon request by The Aristotle University of Thessaloniki ( The Aristotle University of Thessaloniki PKI is a trusted third-party entity that certifies the identities of network users and servers affiliated with it. The first Aristotle University of Thessaloniki PKI began in 2001 from the Network Operations Center. After seven years of successful operation and having published more than digital certificates, the Infrastructure was upgraded in order to support new features some of which are listed below: Usage of special crypto-devices (etokens) for the signing process of digital certificates including special parameters for secure logon of University Staff to computers that handle sensitive data (eg grades) but also for Faculty members that securely transmit exam grades to the School's or Faculty's registrar Support for distributed Certification and Registration Authorities through a new framework of policies and procedures Participation to the broader Hellenic Academic and Research Institutions Certification Authority - HARICA in order for the academic and research communities of Greece to fully utilize the numerous benefits of digital certificates which are the unobstructed secure exchange, the and document encryption of sensitive information etc. 1. Deventum has been selected by AUTH PKI as the auditor for the electronic certificate services provided by AUTH PKI. 2. AUTH PKI has been audited by our company under the standards and technical specifications based on ETSI TS AUTH PKI has disclosed its key and certificate life cycle management business and information privacy practices in its Certification Practice Statement and provided such services in accordance with its disclosed practices and, 4. Maintained effective controls to ensure that: i) subscriber information is properly authenticated ii) the integrity of keys and certificates it manages are established and protected thought their life cycles iii) subscriber and relying party information are restricted to authorized qualified personnel. iv) the continuity of key and certificate life cycle management operations is maintained v) the use of trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them Independent Audit Report for Aristotle University of Thessaloniki PKI Page 2 of 11
3 vi) CA systems development maintenance and operations are properly authorized and performed to maintain CA systems integrity based on the ETSI TS , Electronic Signatures and Infrastructures Policy requirements for Certification Authorities. Based on our audit and source code audit of the website, scripts and procedural documents we specifically can conclude on the following results. AUTH PKI personnel was found qualified and able to perform proper changes to ensure the security of the website ( ) as well as prepared on all issues described by the ETSI TS requirements. Our findings are based on the requirements of the ETSI TS and are described on the following Audit Report. On demonstrating the reliability necessary for providing certification services a) Policy and practices The CA s policy is fully described on the Certification Policy and Certification Practices Statement document and published accordingly . The documentation covers the practices and procedures used to address all the requirements and identifies the obligations of all external organizations supporting CA services including policies and practices. Documentation  as well as terms and conditions and the administrative structure  are publicly available on the web for subscribers and relying parties and on the website of the CA, The management body and authority statuses responsible for approving the certification practice statement are well documented and presented on the university administration documentation . b) On business continuity management and incident handling AUTH PKI presented the documentation on the business continuity plan addressing disaster recovery plan as well the compromise or suspected compromise of CA s private singing key as disaster. The document  can be acquired upon request from the CA. c) CA Termination Procedures on the CA s termination can be found on the administrative document  for the relying parties and on the CP/CPS documentation for the CA available at section 5 paragraph 8 of the CP/CPS documentation . d) Organizational structure Under the administrative structure documentation  AUTH PKI s legal body is described as well as the management and organizational structure. Detailed information covering the personnel experience, knowledge and background can be disclosed under request and given a need to know basis from the CA s archives. On ensuring the operation of a prompt and secure directory and a secure and immediate revocation service a) Certificate dissemination AUTH PKI as described on the CPS documentation  section 4 paragraph 2, Certificate Application Processing, ensures that certificates are made available as necessary to the subscribers, subjects and relying parties. More on the certificate lifecycle is publicly available under chapter 4 of the CPS documentation . Independent Audit Report for Aristotle University of Thessaloniki PKI Page 3 of 11
4 b) Certificate revocation and suspension The auditor can confirm that based on the source code audit and procedural audit of the CA, digital certificates are revoked in a timely manner based on authorized and validated certificate revocation requests as described on  section 4 paragraph 9 Certificate Revocation and Suspension. c) System Access Management Under our audit procedures we were able to verify the continuous monitoring and alarm facilities as they are described on section 5 of document , Administrative, Technical and Operational Controls. Ensuring that the date and time when a certificate is issued or revoked can be determined precisely a) Precise time As defined in the CA s CPS documentation  section 6 paragraph 8, we were able to verify that proper NTP servers were used and timestamps are logged on every action performed by the CA systems. Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued Even though AUTH PKI is not defined as a qualified certificate authority and the certificates are not meant to be qualified, the following procedures are performed to verify the identity of the subject issued a certificate in order to meet the technical specifications for qualified CAs. a) Subject registration Based on the CPS document  section 3, paragraph 2 Initial identity validation and Authentication of Individual person identity on section 3 paragraph 2.3 of the same document: The certificates of individuals that are issued by AUTH must be checked for identification. There are two classes of user certificates. Class A includes certificates whose private key is generated and resides in a secure cryptographic device (etoken or smartcard) and are issued under the presence of authorized personnel of the RA. Class B includes certificates whose private key has been generated using some software (software certificate store). Note that there is a secure identification of the recipient with her/his physical presence and an acceptable official document proving his identity in both classes of certificates. The Registration Authority relies on the control of identity performed by the academic/administration units the subscriber belongs to and uses authentication ways of user identities that are available in these units in order to check the identity. The collaborating academic/administration units are compelled to have certified users identity by means of an official document that bears the photograph of the beneficiary (e.g. police identity, passport, driving license, student identity, no student public transportation card PASO), which is considered reliable by the corresponding unit. Alternatively, the RA of AUTH can execute the above process of applicant identification. In case the user s academic/administration unit has already performed a procedure of physical identity verification in the past, according to its policy (e.g. for the provision of a user account or address), there is no need to repeat the procedure but a typical confirmation through the officially certified user s e- mail address is sufficient. Certificates of Class A are recommended to include an extra organizational unit (OU) in the subject field with the value Class A - Private Key created and stored in hardware CSP. Certificates of Class B are recommended to include an extra organizational unit (OU) in the subject field with the value Class B - Private Key created and stored in software CSP. . Independent Audit Report for Aristotle University of Thessaloniki PKI Page 4 of 11
5 b) Certificate renewal, rekey and update To ensure that requests renewal, rekey and update requests are coming from a subject who has already previously registered and properly authorized, the procedures on the CA s CPS  section 4 paragraph 6 Certificate Renewal, section 4 paragraph 7 Certificate Re-keying and section 4 paragraph 8 Certificate Modification are described and followed as such. On employing personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognized standards We found the following: a) Security management and b) Personnel security Administrative and management procedures are applied which are adequate and correspond to recognized standards. Specifically, we found that AUTH PKI describes at the CPS document , section 5 paragraph 3.1, Personnel handling roles of Certification Authorities and Registration Authorities must have experience in digital certificates and Public Key Infrastructure issues. They must also have experience in managing classified information in general. c) Operations management We found that the CA operates with responsibility on the following topics as described on the ETSI TS , operational procedures and responsibilities; secure systems planning and acceptance; protection from malicious software; housekeeping; network management; active monitoring of audit journals, event analysis and follow-up; media handling and security; data and software exchange and documented on CP/CPS documentation  section 5 paragraph 1 under Physical security and access controls. Use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the processes supported by them As we mentioned above the CA systems are limited to individuals with the proper authorization access. Especially according to ETSI TS policy, a) System management access A full network layout and the levels of security implementation by the means of firewalling, process accounting, internal and external IDS monitoring and availability monitors were demonstrated by the CA authorized personnel, as described on  section 6 paragraph 7 Network Security Controls. b) Trustworthy Systems Deployment and Maintenance As described on the CPS and given the level of access that we as auditors could have we were able to verify the use of trustworthy systems and products that are protected against modification. Also proper Independent Audit Report for Aristotle University of Thessaloniki PKI Page 5 of 11
6 documentation was provided on analysis and business continuity plan  on the proper handling of critical services. c) Certification authority key generation We were able to verify that the generation of the Certification Authority key meets the requirements identified in FIPS PUB level 3 and the physical environment is secured during the process. The detailed description of the device is described on  section 6 paragraph 1.1. d) Certification authority key storage, backup and recovery As we could observe the CA follows the CPS documentation , section 6 paragraph 2.4, The private key must be kept at a backup copy. The backup copy of the private key must be encrypted and the procedures referenced at section 5 paragraph 1.6 must be followed. Access to the backup copy is allowed only by authorized personnel. e) CA provided subject key management services During our code audit review we found the CA compliant with the ETSI TS policy and acting accordingly to the CPS documentation under , section 6 paragraph 2 Private key protection and Cryptographic Module Engineering controls. Take measures against forgery of certificates, and, in cases where the certification-serviceprovider generates signature-creation data, guarantee confidentiality during the process of generating such data During the audit procedure and based on  specifications, the CA is acting accordingly to the CPS documentation on the following topics: a) Certification authority key storage, backup and recovery The CA private keys remain confidential and maintain their integrity, as defined on  section 6 under Technical security controls. b) Certification authority public key distribution Based on , CAs provide mechanisms for the secure digital delivery of all certificates. Each digital certificate contains the public key when it is requested by interested entities. Interested entities may send a request by . The CA can also send a certificate via snail-mail in a magnetic media device, which contains the public key. All certificates of each CA are published through a secure web site, whose identity is certified by a different trusted third party. Detailed description provided on section 6 paragraph 1.4 of  c) CA provided subject key management services As defined on the CPS documentation  we can verify that the use of SHA1 algorithm is used for the generation of the subject keys. Detailed description of the algorithm is provided on section 7 paragraph 1.3 of . d) Subject registration As described above on Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. [above] e) Certificate renewal, rekey and update As described above on Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. [above] f) Certificate generation Independent Audit Report for Aristotle University of Thessaloniki PKI Page 6 of 11
7 The CA complies with the standard format for non-qualified certificates and follows the documentation of the , as described on section 6 Technical security controls and section 7 Certificate, CRL and OCSP Profiles. Maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive , in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance As described on the CPS documentation  section 9 paragraph 14 Governing law and section 9 paragraph 8 Limitation of liability, CPS  section 9 paragraph 14: AUTH PKI is focused on serving the Academic Community of AUTH. Each certificate issued, clearly states in the Certificate Policy Notice field that This certificate is subject to Greek laws and our CPS. This Certificate must only be used for academic, research or educational purposes. No financial transactions will take place with AUTH PKI unless otherwise specified in a subca with a separate CP/CPS. The operation of the AUTH PKI as well as the interpretation of the CP/CPS is subject to the Academic ethics and in the national Greek Legislation. Particularly as far as the Presidential Decree 150/2001 «Adaptation to directive 99/93/EE of European Parliament and Council with regard to the Community frame for electronic signatures» is concerned, the certificates that are issued they ARE NOT generally considered as Qualified Certificates, although the CAs and the issued certificates MEET the technical requirements for Qualified Certificates. Under specific conditions and treaties, the certificates that are issued can be used as qualified - like these that are defined at the Presidential Decree 150/2001- in closed teams of entities, as for example in certain administrative units of AUTH. These procedures must be described on a separate Certification Policy/Certificate Practice Statement (CP/CPS) document that corresponds to that particular subordinate Certification Authority, taking account and meeting all the requirements (including the liability issues) described in the Presidential Decree 150/2001. As stated in section 1.3.3, the CP/CPS document must not conflict with any condition of the present document. Basic conditions for this qualification and accordingly the qualification of the relative produced digital signature as equivalent to a handwritten signature include a) the use of secure environment for the creation of digital signatures in the subscriber s side (e.g. smart card exclusively in which the private key is created, stored and used) and b) the official approval of each responsible body (e.g. senate). Under specific conditions and treaties, the certificates that are published can be used as qualified in closed teams of entities, as for example in certain administrative service of Academic Institutions.  CPS : section 9 paragraph 8 AUTH PKI cannot be held liable for any problems or damages that may arise from its services or from wrongful, negligent or improper use of the issued certificates. Using AUTH PKI and its certification services requires that users unconditionally accept the terms and services of this CP/CPS and that AUTH PKI is not liable and does not undertake any financial, civil or other responsibilities, except for cases where there is evidence of fraudulent intent or serious negligence by its operators.  Record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically Based on  we have the following requirements, a) Recording of Information Concerning Qualified Certificates. Since AUTH PKI is not issuing qualified certificates the CA is not required by law to keep recordings of information. Still, AUTH PKI retains information that can be used when needed as described on  section 5 paragraph 4.3, section 9 paragraph 4.5. Independent Audit Report for Aristotle University of Thessaloniki PKI Page 7 of 11
8 b) CA termination As described on the CPS documentation  section 5 paragraph 8, Certification Authority or Registration Authority termination, Upon its termination, each CA informs its subscribers, revokes all issued certificates, updates the relevant CRL and revokes its own certificate. Finally, the persons in charge of the CA security are informed and the end of its operation is announced. The log files of the CA and RA are kept for two (2) years in order to be available for any lawful control. This period may be modified depending on the relevant legislation.  Not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services We were able during the audit to verify the following: a) CA provided subject key management services As described above on Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. [above] Before entering into a contractual relationship with a person seeking a certificate to support his electronic signature, inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate ETSI documentation  requirements on, a) Subject registration As described above on Verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. [above] b) Dissemination of Terms and Conditions During the request and at the process of obtaining a certificate, the subject must accept the terms and conditions. Furthermore the documentation can be publicly accessed on the following addresses: i) Use trustworthy systems to store certificates in a verifiable form so that: - only authorized persons can make entries and changes; - information can be checked for authenticity; - certificates are publicly available for retrieval in only those cases for which the certificateholder's consent has been obtained; and - any technical changes compromising these security requirements are apparent to the operator. As we covered earlier during our audit review, a) Certification authority public key distribution As we covered above on Take measures against forgery of certificates and, in cases where the certificationservice-provider generates signature-creation data, guarantee confidentiality during the process of generating such data. [above] Independent Audit Report for Aristotle University of Thessaloniki PKI Page 8 of 11
9 b) Certificate dissemination As we covered above On ensuring the operation of a prompt and secure directory and a secure and immediate revocation service [above] c) Certificate revocation and suspension As covered above, On ensuring the operation of a prompt and secure directory and a secure and immediate revocation service [above] d) System Access Management As covered above, On ensuring the operation of a prompt and secure directory and a secure and immediate revocation service [above] e) Trustworthy Systems Deployment and Maintenance As covered above, Use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the processes supported by them. [above] Conclusion Based on our audit on the procedures and policy as well as on the code audit performed over the web site, scripts and functions of the CA, we found AUTH PKI to be compliant with the ETSI TS technical specifications, as non-qualified Certificate Authority, issuing non-qualified certifications. Although it meets the technical requirements for qualified CAs, AUTH PKI chose not to be qualified because it is used only for academic and educational purposes. No financial transactions will take place with certificates issued by AUTH PKI unless otherwise specified in a sub-ca with a separate CP/CPS. This Audit Report is based on the requirements and guidelines specifically described on ETSI TS and does not include any professional opinion whatsoever as regards to the quality of the services rendered by AUTH PKI, nor of their suitability for the specific objectives of any subscriber, beyond the ETSI TS criteria for Certification Authorities that are covered herein. Due to limitations inherent to the control systems themselves, there may be undetected errors or instances of fraud. Moreover, the reaching of any conclusions in periods subsequent to the date of our report, based on our statements, is subject to the risk that there may be: 1) Changes in the source code, controls or the established system, 2) Changes in processing requirements, 3) Changes brought about by the passage of time itself, or 4) That the degree of compliance for policies or procedures may alter the validity of our conclusions. Independent Audit Report for Aristotle University of Thessaloniki PKI Page 9 of 11
10 INDEX 1. Certification Policy and Certification Practices Statement for the Hellenic Academic and Research Institutions Public Key Infrastructure, 2. UNIVERSITY ADMINISTRATION, 3. AUTH PKI procedures and regulations, PKI Disaster Recovery Plan by Dimitris Zacharopoulos. 4. Authentication of individual person identity section 3 paragraph ETSI TS technical specification Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates. 6. The Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures. Independent Audit Report for Aristotle University of Thessaloniki PKI Page 10 of 11
11 This Audit Report has been prepared for Deventum by: Nicolas Krassas, CISSP Certification Number: Dimitrios Stergiou, CISA Certification Number: , CISSP Certification Number: , CISM Certification Number: Dimitrios Papapetros, CISA Certification Number: Nicolas Krassas, CISSP 18 March 2011 Independent Audit Report for Aristotle University of Thessaloniki PKI Page 11 of 11
Title ANNUAL INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456 Customer Aristotle University of PKI ( www.pki.auth.gr ) To WHOM IT MAY CONCERN Date 20 June 2013 Annual Independent Audit
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
STATUTORY INSTRUMENTS 2002 No. 318 ELECTRONIC COMMUNICATIONS The Electronic Signatures Regulations 2002 Made - - - - - 13th February 2002 Laid before Parliament 14th February 2002 Coming into force - -
GmbH NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This document may not be copied, distributed, used, stored or transmitted in any form or by any means, whether
Apple Inc. Certificate Policy and Certification Practice Statement Version 2.0 Effective Date: April 10, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.
SSLPost Electronic Document Signing Overview What is a Qualifying Advanced Electronic Signature (QAES)? A Qualifying Advanced Electronic Signature, is a specific type of digital electronic signature, that
COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...
Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions
Greek Universities Network (GUnet) H ee l l ee nn i cc A cc aa dd ee mi cc aa nn dd R ee ss ee aa rr cc hh II nn ss tt i tt uu tt i oo nn ss P uu bb l i cc K ee yy II nn ff rr aa ss tt rr uu cc tt uu rr
CERTIMETIERSARTISANAT and C@RTEUROPE ELECTRONIC SIGNATURE SERVICE SUBSCRIPTION CONTRACT SPECIFIC TERMS AND CONDITIONS Please fill in the form using BLOCK CAPITALS. All fields are mandatory. 1 1. SUBSCRIBER
ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION This can be a complex subject and the following text offers a brief introduction to Electronic Signatures, followed by more background on the Register of
This is an official translation. The original Icelandic text published in the Law Gazette is the authoritative text. Merchants and Trade - Act No 28/2001 on electronic signatures Chapter I Objectives and
EN 319 401 V1.1.1 (2013-01) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 EN 319 401 V1.1.1
Certipost Trust Services Version 1.2 Effective date 03 May 2012 Certipost NV ALL RIGHTS RESERVED. 2 13 Definitions : Activation Data Certificate Certificate Holder Certificate Public Registry Certificate
Certification Practice Statement Date: February 21, 2008 Version: 1.0.1 Table of Contents Document History... 1 Acknowledgments... 1 1. Introduction... 2 1.1 Overview... 3 1.2 Ford Motor Company Certificate
FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015 Table of Contents 1. Introduction... 5 1.1. Trademarks...
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
CERTUM QCA PKI Disclosure Statement v1.1 1 Certum QCA PKI Disclosure Statement Version 1.1 Effective date: 1 st of April, 2016 Status: valid Asseco Data Systems S.A. ul. Żwirki i Wigury 15 81-387 Gdynia
THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Last Revision Date: June 28, 2007 Version: 3.0 Published By: RSA Security Inc. Copyright 2002-2007 by
TS 102 640-3 V1.1.1 (2008-10) Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Architecture, Formats and Policies; Part 3: Information Security
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.8 Effective Date: June 11, 2012 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2.
NCDC GOVERNMENT-CA PKI DISCLOSURE STATEMENT Document Classification: Public Version Number: 1.5 Issue Date: June 11, 2015 Copyright 2015 National Center for Digital Certification, Kingdom of Saudi Arabia.
Fraunhofer Corporate PKI Certification Practice Statement Version 1.1 Published in June 2012 Object Identifier of this Document: 18.104.22.168.4.1.722.214.171.124.1 Contact: Fraunhofer Competence Center PKI Fraunhofer
(CP) (For SSL, EV SSL, OSC and similar electronic certificates) VERSION : 09 DATE : 01.12.2014 1. INTRODUCTION... 10 1.1. Overview... 10 1.2. Document Name and Identification... 11 1.3. Participants...
Application ID Number (For Official Use only) APPLICATION FOR DIGITAL CERTIFICATE Instructions: 1. Please fill the form in BLOCK LETTERS ONLY. 2. All fields are mandatory. 3. Present one (1) copy and the
REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS To the Management of Internet Security Research Group: We have examined the assertion by the management of the Internet Security Research Group ( ISRG
No. 248/71 (4) Regulation for the Provision of Electronic Signature Certification Services THE HELLENIC TELECOMMUNICATIONS & POST COMMISSION (EETT) Taking into account: a. Law No. 2867/2000 "Organization
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
CERTIFICATE POLICY/ CERTIFICATION PRACTICE STATEMENT May 22, 2006 Version 2.00 SECOM Trust Systems Co.,Ltd. Revision History Version Date Description V1.00 2003.08.01 Initial Draft (Translated from Japanese
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.1 January, 2009 Table of Contents: TABLE OF CONTENTS:...2 1. INTRODUCTION...7 1.1 OVERVIEW...7 1.2 DOCUMENT
Post.Trust Certificate Authority Certification Practice Statement CA Policy and Procedures Document Issue date: 03 April 2014 Version: 126.96.36.199 Release Contents DEFINITIONS... 6 LIST OF ABBREVIATIONS...
REGISTRATION AUTHORITY (RA) POLICY Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. INDEX Contenido 1. LEGAL FRAMEWORK... 4 1.1. Legal Base...
Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States www.globessl.com TABLE OF CONTENTS 1. INTRODUCTION...
Starfield Technologies, LLC Certificate Policy and Certification Practice Statement (CP/CPS) Version 3.8 April 15, 2016 i Starfield CP-CPS V3.8 Table of Contents 1 Introduction... 1 1.1 Overview... 1 1.2
User Manual Internet Access for the public key certification service Version 1.2 / October 2014 1 Content TABLE OF CONTENTS 1 GENERAL INFORMATION... 3 1.1 INTRODUCTION... 3 2 IDENTIFICATION DATA... 3 2.1
HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of
TC TrustCenter GmbH Certification Practice Statement NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification Practice Statement is published in conformance
Certification Practice Statement 1.0 INTRODUCTION 1.1 OVERVIEW The Federal Reserve Banks ( FRBs ), utilizing Public Key Infrastructure ( PKI ) technology and operating as a Certification Authority ( FR-CA
Republic of Albania National Authority for Electronic Certification Guidelines for the use of electronic signature Guide Nr. 001 September 2011 Version 1.3 Guidelines for the use of electronic signature
Federal Reserve Certification Authority (FR-CA) Certification Practice Statement for United States Treasury Auctions 1.0 INTRODUCTION 1.1 OVERVIEW The Federal Reserve Bank of New York ( FRBNY ) acts as
Gandi CA Certification Practice Statement Gandi SAS 15 Place de la Nation Paris 75011 France Version 1.0 TABLE OF CONTENTS 1.INTRODUCTION...10 1.1.Overview...10 1.2.Document Name and Identification...10
Certificate Policy for SSL Client & S/MIME Certificates OID: 188.8.131.52.11.1 Copyright Actalis S.p.A. All rights reserved. Via dell Aprica 18 20158 Milano Tel +39-02-68825.1 Fax +39-02-68825.223 www.actalis.it
ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0 June 30, 2004 Table of Contents Table of Contents...2 1 Introduction...3 1.1 Overview...3 1.1.1 General Definitions...4
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
[Draft] Bangladesh Bank Certification Authority (BBCA) Certification Practice Statement (CPS) Version: 1.00 August, 2015 Bangladesh Bank Page 2 of 42 Document Reference Title Document Type Bangladesh Bank
E-TUGRA INFORMATIC TECHNOLOGIES AND SERVICES CORP (E-TUGRA) QUALIFIED CERTIFICATE POLICY AND PRACTICE STATEMENT (CP-CPS) VERSION 1.0 DATE OF ENTRY INTO FORCE : JUNE, 2008 OID 2.16.7184.108.40.206.1.1.2 E-TUGRA
TS 102 640-3 V2.1.1 (2010-01) Technical Specification Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail (REM); Part 3: Information Security Policy Requirements for REM Management
PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority
COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document
Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages
Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12
TR 102 458 V1.1.1 (2006-04) Technical Report Electronic Signatures and Infrastructures (ESI); Mapping Comparison Matrix between the US Federal Bridge CA Certificate Policy and the European Qualified Certificate
TC TrustCenter GmbH Certificate Policy for SAFE NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certificate Policy is published in conformance with international
CERTIFICATION PRACTICE STATEMENT (CPS) OF SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. Version.0 (CPS) INDEX 1. LEGAL FRAMEWORK... 10 1.1. Legal Base... 10 1.. Validation... 10 1.. Legal Support...
Law on the electronic signature 94.0 Notice This English translation has no official character. The only authentic texts are the German, French and Italian versions published in the Official Compendium
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.3 May 15, 2014 Table of Contents TABLE OF CONTENTS:... 2 1. INTRODUCTION... 7 1.1 OVERVIEW... 7 1.2 DOCUMENT
VeriSign Trust Network Certificate Policies Version 2.8.1 Effective Date: February 1, 2009 VeriSign, Inc. 487 E. Middlefield Road Mountain View, CA 94043 USA +1 650.961.7500 http//:www.verisign.com - 1-
Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Version 2.2 Document OID: 220.127.116.11.4.1.36318.104.22.168.2 February 2012 Contents
CIS 3 EDITION 2 February 2014 UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme CONTENTS SECTION PAGE 1 Introduction 2 2 Requirements for Certification
SPECIFIC CERTIFICATION POLICIES AND PRACTICES APPLICABLE TO ELECTRONIC CERTIFICATION AND SIGNATURE SERVICES FOR PUBLIC ORGANIZATIONS AND ADMINISTRATIONS, THEIR BODIES AND ATTACHED OR DEPENDENT ENTITIES
ELECTRONIC SIGNATURE LAW Purpose (Published in the Official Journal No 25355, 2004-01-23) CHAPTER ONE Purpose, Scope and Definitions Article 1 The purpose of this Law is to regulate the legal and technical
WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] BASED ON: CA/BROWSER FORUM BASELINE REQUIREMENTS FOR THE ISSUANCE AND MANAGEMENT OF PUBLICLY-TRUSTED CERTIFICATES,
SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates Version March 2004 Version 2004-03 SwissSign Gold CP/CPS Page 1 of 66 Table of Contents 1. INTRODUCTION...9 1.1 Overview...
Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate
STATUTORY INSTRUMENTS 2012 No. _ THE ELECTRONIC SIGNATURES REGULATIONS 2012 ARRANGEMENT OF REGULATIONS Regulation PART I-PRELIMINARY 1. Title. 2. Interpretation PART II - LICENSING AND RECOGNITION OF CERTIFICATION
TACC ROOT CA CERTIFICATE POLICY AND CERTIFICATE PRACTICES STATEMENT (In RFC 3647 format) January 20, 2009 OID: 22.214.171.124.4.1.179126.96.36.199.1 Version 1.2 1 INTRODUCTION... 3 1.1 Overview...3 1.2 Document Name
CERTIFICATE HUNGUARD Informatics and IT R&D and General Service Provider Ltd. as a certification authority assigned by the assignment document No. 001/2010 of the Minister of the Prime Minister s Office