National Register of Associations. Number CIF G

Transcription

1 Certificate Policy for Secure Server (SSL), Extended Validation (EV) SSL, Electronic Office and Extended Validation (EV) Electronic Office Certificates National Register of Associations. Number CIF G ANF Autoridad de Certificación Paseo de la Castellana, Madrid (Spain) Teléfono: (calls from Spain) (International) Fax: Web:

2 Security Level Public Document Important Notice This document is property of ANF Autoridad de Certificación Distribution and reproduction prohibited without authorization by ANF Autoridad de Certificación Copyright ANF Autoridad de Certificación 2015 Dirección: Paseo de la Castellana, Madrid (España) Teléfono: (llamadas desde España) (Internacional) Fax: Web: 2

3 Index 1 Introduction Certificates description... Error! Marcador no definido. 1.2 Identification Storage types Users Community Certification Authorities Registration Authorities Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager End entities Certificate Subscriber Certificate Applicant Certificate responsible Relying third parties Usage field Allowed usage Limits of certificate usage Prohibited usage Certification Entity contact details Definitions and acronyms Information publication and repositories Repositories Information publication Uptades frequency Access controls on repositories Identification and Authentication Name registration... Error! Marcador no definido Types of names Need for names to be meaningful Anonymous or pseudonyms Rules for interpreting various name forms Uniqueness of names Names and brands conflicts solution Initial identity validation Method to prove possession of private key

4 3.2.2 Authentication of applicant, certificate responsible and subscriber identity Re-key Revocation requests Operational requirements Certificate application Processing procedure Identification authentication Applicant Subscriber Legal persons Natural persons Certificate responsible Approval or rejection of certificate applications SSL Certificates Headquarters Certificates SSL EV y and Headquarters EV Certificates Time to process certificate issuance Certificate issuance CA actions during certificate issuance process Notification to subscriber Certificate acceptance Acceptance Certificate Return Tracing Certificate publication Notification of certificate issuance to third parties Rejection Certificates renewal Valid Certificates Persons authorized for requesting the renewal Identificaton and authentication of the routine renewal applications Certificate renewal with rekeying Certificate renewal without rekeying Approval or rejection of applications for renewal Notification of certificate renewal Acceptance of the certificate renewal Publication of the renewal certificate Notification of certificate renewal

5 4.6.9 Identification and authentication of key renewal applications after revocation (non-compromised key) Certificate modification Certificates revocation and suspension Circumstances for revocation Revocation application identification and authentication Procedure for revocation request Revocation request grace period Time within which CA must process the revocation request CRL lists checking requirement CRL issuance frequency On-line revocation checking availability On-line revocation checking requirements Certificate suspension Suspension requests identification and authentication Key storage and recovery Good practices Facilities, physical security, management and operational controls Physical security controls Procedural controls Personnel controls Technical security controls Key pair generation and installation Private Key Protection Other aspects of key pair management Activation data Computer security controls Life cycle technical controls Network security controls Time-stamping Cryptographic Module Security Controls Certificate profiles and revoked certificates lists Certificate profiles Common fields and extensions Specific fields according to the signature algorithm Specific fields according to key length Specific Fields by type of certificate SSL Secure Server Certificate (with SHA-1)

6 SSL Secure Server Certificate (with SHA-256) SSL EV Secure Server Certificate (with SHA-1) SSL EV Secure Server Certificate (with SHA-256) Electronic Office Medium Level Certificate (with SHA-1) Electronic Office Medium Level Certificate (with SHA-256) Electronic Office High Level Certificate (with SHA-1) Electronic Office High Level Certificate (with SHA-256) Medium Level Certificate (with SHA-1) Medium Level Certificate (with SHA-256) High Level Certificate (with SHA-1) High Level Certificate (with SHA-256) CRL profile OCSP profile Compliance audit Each entity compliance controls frequency Identity of personnel in charge of the audit Auditor relationship to audited entity Topics covered by audit Actions taken as a result of lack of compliance Audit reports treatment General regulations Fees Financial responsibility Confidentiality of information Privacy of personal information Intellectual property rights Obligations and guarranties Disclaimers of guarranties Limitations of liability Interpretation and execution... Error! Marcador no definido CP management Appendix I Certificate Application Form Appendix II Contract for the Provision of Electronic Certification Services Special Conditions

7 Appendix III Act of Authorization and Acceptance of Responsibility in the Certificate Use Appendix IV Certificate Renewal Application Letter Appendix V Certificate Revocation Application Form Appendix VI Act of Certificate Reception and Acceptance Appendix VII Identity Statement

8 1 Introduction ANF Certification Authority (henceforth, ANF AC) is a corporate entity, constituted under Basic Law 1/2002 of the 22nd of March, and written in the Ministry of the Interior with national number and company tax code G ANF AC has been assigned the SMI Network Management Private Enterprise Code by the international organisation IANA - Internet Assigned Numbers Authority - under the branch iso.org.dod.internet.private.enterprise ( IANA Registered Private Enterprise-). This document is the Certification Policy (CP) corresponding to Secure Server (SSL), Extended Validation (EV) SSL, Electronic Office and Extended Validation (EV) Electronic Office Certificates issued by ANF AC. This documentation contains the regulations to which the uses of certificates defined in this policy are subjected, and defines the directives that ANF AC uses to their issuance, management, renovation, revocation and any other process that affects their life cycle. The roles, responsibilities and relationships between the end-user and ANF AC, such as application rules, renewal and revocation that have to be attended are described. This Certification Policy only one of several documents governing the PKI of ANF AC, and it details and supplements the definitions in the Certification Practice Statement and its addendum. ANF AC oversees and supervises this PC is compatible and consistent with the other documents produced. All documentation is freely available to users and relying parties at In accordance with the IETF RFC 3647 PKIX framework, this Certification Policy is divided in nine sections that allow security controls, practices and procedures for certification or time stamping services in the PKI of ANF AC. To preserve the recommended template in document RFC 3647, the titles of each section have been respected. Not applicable is added in case they do not apply to this PKI, and As defined in, is included in case the section is defined in another ANF AC document. This document indicates the policies ANF AC employs to meet the requirements of the "Guidelines for the Issuance and Management of Extended Validation Certificates" published by the CA/Browser Forum. ANF AC always conforms to the latest version of the EV Guidelines published by the CA/Browser Forum in In case of incompatibility, the Guidelines override this document. The Timestamping processes employeed conform to standards IETF RFC 5816, ANSI X9.95, ETSI , and ETSI This Certification Policy assumes a series of commitments that are in accordance with the recommendations published by Mozilla at about controversial CA Practices. ANF AC is certified by the WebTrust service under their Principles and Criteria for Extended Validation Certificates guidelines and the CA / Browser Forum Guidelines for the Issuance and Management of Extended Validation Certificates. These guidelines indicate the minimum requirements to apply for certification authorities to issue SSL-EV certificates with the aim of providing reliability in the identification and control of the identity of the services accessed. This Certification Policy assumes that the reader knows and understands PKI, certificate and electronic signature concepts. If this is not the case, the reader is recommended to be trained in those concepts before continuing to read this document. 8

9 1.1 Certificates description ANF AC, in the framework of its Electronic Certification Service, issues: Secure Server SSL The purpose of this certificate is to establish data communications through TLS / SSL protocols in services and applications, especially for: - The identification of the organization holding the domain (DNS) to provide reasonable assurance to the user of a web browser that the website being accessed is owned by the organization identified in the certificate through its name and address. - Encryption of communications between the user and the website, facilitating the exchange of encryption keys necessary for encryption of information through Internet. The maximum validity of these certificates is 2 years. Extended Validation (EV) Secure Server SSL Certificates In addition to the utilities provided by the SSL certificate, Extended Validation (EV) aims to provide a better level of authentication for organizations, to secure transactions on their websites. The purpose of EV SSL Certificates is their use in TLS / SSL protocols, in order to ensure the validity of the constitution of the organization identified in the certificate, and therefore avoiding phishing or other cases of online identity fraud. ANF AC meets the guidelines stated by the CA / Browser Forum and published on its website including the acceptance of audit programs specified therein. The maximum validity of these certificates is 2 years. Electronic Office The purpose of this certificate is to establish data communications through TLS / SSL in services and applications, especially for: - The identification of the public administration, administrative body or entity that owns the domain. - Encryption of communications between the user and the website, facilitating the exchange of encryption keys necessary for encryption of information through Internet. This is a certificate issued as qualified, which identifies the public administration, administrative body or administrative entity owner of the office. The maximum validity of these certificates is 2 years. 9

10 In addition to the utilities provided by the Electronic Office certificate, Extended Validation (EV) aims to provide a better level of authentication for Public Administration, body or administrative entity to secure transactions on their websites avoiding phishing cases or any other online identity fraud. In addition, ANF AC meets the guidelines stated by the CA / Browser Forum and published on its website including the acceptance of audit programs specified therein. The maximum validity of these certificates is 2 years. 1.2 Identification Document name Certificate Policy for Secure Server (SSL), Extended Validation (EV) SSL, Electronic Office and Extended Validation (EV) Electronic Office Version 1.9 Policy status APPROVED Document reference / Publication date December 31 th, 2014 Expiration date Related CPS Location Not applicable Certification Practice Statement (CPS) of ANF AC In order to identify the certificates, ANF AC has assigned the following object identifiers (OID): Certificado Secure Server SSL With SHA-1 algorithm and 2048-bit key length Secure Server SSL With SHA-256 algorithm and 2048-bit key length Secure Server SSL EV With SHA-1 algorithm and 2048-bit key length EV SSL Secure Server With SHA-256 algorithm and length 2048 bits Middle Level With SHA-1 algorithm and length 2048 bits Middle Level With SHA-256 algorithm and length 2048 bits EV High Level Electronic Office With SHA-1 algorithm and length 2048 bits EV High Level Electronic Office With SHA-256 algorithm and length 2048 bits OID

11 Middle Level Electronic Office With SHA-1 algorithm and 2048-bit key length Electronic Office Medium Level With SHA-256 algorithm and 2048-bit key length Electronic Office High Level With SHA-1 algorithm and 2048-bit key length Electronic Office High Level With SHA-256 algorithm and 2048-bit key length Storage types Secure Server (SSL), Extended Validation (EV) SSL, Electronic Office and Extended Validation (EV) Electronic Office are issued in three types of containers, depending on where the key pair is made and stored: Cryptographic software token. The signature creation data are contained in a cryptographic token in PKCS#15 format. This token is built in the 1.1 version of PKCS#15. Tokens authorized by ANF AC are only those published on the website. Cryptographic hardware storage. Stored in a signature creation device. Cryptographic hardware with biometric data capture storage. Stored in a signature creation device. This policy, in relation of Electronic Office certificates, follows the definition of assurance levels for electronic certificates profiles, collected in the Anexo II: Perfiles de certificados electrónicos ("Appendix II: Profiles of electronic certificates") document, approved by the Spanish Council for Electronic Administration on May 30, Two different levels of assurance are defined: a. Medium level: This level corresponds to a configuration of security mechanisms suitable for most applications. The expected risk for this level (following the recommendations of the OECD) is: - Security breach (e.g. identity theft). - May cause moderate economic losses. - Loss of sensitive or critical information. - Refutation of a transaction with significant economic impact. Besides, the expected risk for this level corresponds to level 3 warranty provided in Basic Authentication IDABC Policy * 1. 11

12 Acceptable security mechanisms include X.509 software certificates. In the case of certificates issued to people, they correspond with a "qualified certificate as defined in Spanish Law 59/2003 on electronic signature, about advanced electronic signatures, with no signature creation device. b. High level: This level corresponds to a configuration of security mechanisms suitable for applications that require additional measures, according to the risk analysis performed. The expected risk for this level (following the recommendations of the OECD) is: - Security breach. - May cause important economic losses. - Loss of highly sensitive or critical information. - Refutation of a transaction with highly significant economic impact. Besides, the expected risk for this level corresponds to level 4 warranty provided in Basic Authentication IDABC Policy * 1. Acceptable security mechanisms include X.509 software certificates. In the case of certificates issued to people, they correspond with a "recognized electronic signature, as defined in Spanish Law 59/2003 on electronic signature. The support needs to be approved by ANF Certification Authority. According to these specifications, keys of medium level certificates are created and stored in software support. ANF AC has a time stamping service as determined by the ETSI TS , according to ANF Time Stamping Authority OID CPS. When the subscriber choses software storage, systems that store private keys must meet a number of requirements for physical and logical security. ANF AC may, at its discretion, ask the subscriber evidences of the mechanisms used for the hardening of such systems. In reviews carried out on these systems, ANF AC shall follow the recommendations published by the NCC (National Cryptologic Centre) of Spain, in its CCN-STIC series, geared specifically to ensure the safety of the systems of information technology and communications. 12

13 * 1 Decision 2004/387/EC of the European Parliament and of the Council of 21 April 2004 on the interoperable delivery of pan-european egovernment services to public administrations, businesses and citizens (IDABC). [L144 of Official Diary] 1.4 Users community Certification Authorities As defined in the Certification Practice Statement (CPS) of ANF AC. These are the entities which issue electronic certificates which link a public key with the subscriber identity. They act as a trusted third party between the Subscriber and relying Third parties Registration Authorities These are entities that perform registration procedures of applicants for end entity certificates. They perform the identification and authentication of individuals involved in the application, and they have the ability to initiate or assist in the procedures for revocation and renewal of certificates. These entities may belong to the organization of the certification, or may be external partners, in which case ANF AC defines two types: Recognized Registration Authority Collaborating Registration Authority Issuance Reports Manager End entities Certificate subscriber The subscriber is the natural or legal person that is the certificate holder. Natural persons must be of legal age; in the case of legal entities applying for the issuance of an EV SSL certificate, these must be older than two years Certificate applicant The certificate must be requested by an adult, in his/her own behalf or, if acting on behalf of a third party, with legal capacity to assume the representation of the subscriber. His/her identity will be included in the certificate as a legal representative. 13

14 Certificate responsible The certificate responsible holds the signature creation device and is responsible for its use and custody. This must be an adult with full capacity to act and registering their consent for this responsibility. The certificate responsible must have express authorization from the applicant, and his/her identity shall be included in the certificate. The certificate responsible must be a legal age physical person, with total ability for acting and has to state his/her constent to assume this responsibility Relying third parties 1.5 Usage field Allowed usage Certificates issued under this Policy shall be used with the following purposes: DNS Identification. Certificates issued under this Policy allow to identify and link a determined DNS (Domain Name System) domain to the entity owning that domain, which is the certificate subscriber. Encryption of communications between the user and the website, facilitating the exchange of encryption keys necessary for encryption of information through Internet Limits of certificate usage Prohibited usage No other uses than the ones stated in this Policy and the CPS of ANF AC are allowed. 1.6 Certification Entity contact details 1.7 Definitions and acronyms 14

15 2 Publication and repository responsibilities 2.1 Repositories 2.2 Information publication 2.3 Updates frequency 2.4 Access controls on repositories 15

16 16

17 3 Identification and Authentication 3.1 Name registration Types of names All certificates require a Distinguished Name (DN) under the X.500 standard. Personal circumstances and attributes of the persons and organizations identified in the certificates are included in attributes predefined in regulations and generally recognized technical specifications Need for names to be meaningful All SSL and SSL EV certificates contain a distinguished name (DN) that identifies the DNS domain and the holder person or organization that holds it, according with provision of the ITU-T X.501 reccomendation, and contained in the Subject field, including a Common Name. The CN (Common Name) of the DN must refer to the DNS domain name Anonymous or pseudonyms This is not allowed Rules for interpreting various name forms In any case, standard X.500 (referred in the ISO/IEC 9594) name will be attended Uniqueness of names The certificate will be issued with the full name of the service that will be provided with SSL features. This name must be unique in the network. Partial names will not be accepted Conflicts related to names and brands resolution Applicants for certificates shall not include names in applications that may involve breach of third party trademark rights by the subscriber. ANF AC reserves the right to refuse a certificate request because of name conflict. ANF AC shall check if the requested domain name may be misleading under another existing name exists in the network, and if available, will determine in its sole discretion on whether to issue or refuse to issue the requested certificate. 17

18 3.2 Initial identity validation Method to prove possession of private key Authentication of individual identity Certificates issued under this Certification Policy will identify the subscriber under whose name a DNS domain has been registered. They will also indentify the certificate subscriber (if a legal representative has processed the application in the subscriber name) and the certificate responsible (if any other person who is not the subscriber or applicant). The Issuance Reports Manager will use appropriate means to ensure the accuracy of the information contained in the certificate. These means include external registry databases and the ability to require information or documents to the subscriber. The fiscal identification of the applicant and subscriber and device owner will be incorporated into the certificate. Types of documentation, processing modality, authentication and validation procedures are specified in the following sections. 3.3 Re-key requests In the course of re-key, ANF AC shall inform the subscriber about the changes that have occurred in the terms and conditions with respect to the previous issue. A new certificate may be issued to maintain the previous public key, as long as it is considered cryptographically secure. 3.4 Revocation requests All cancellation requests must be authenticated. ANF AC checks the applicant's ability to handle this requirement. 18

19 19

20 4 Operational Requirements 4.1 Certificate application ANF AC only accepts requests with a proper name or third party name, completed by adults with the capacity to work by their own free will. Applicants must complete the Application Form of the certificate by taking responsibility for the accuracy of the information listed, and submit it to ANF AC using any of the following means: a) Electronically: the website includes an application form that should be filled and electronically signed with a qualified certificate, according to Electronic Signature Law 59/2003, December 19th. The certificate used must have been issued by a CA approved by ANF AC. b) In person: the applicant may appear before a Recognized Registration Authority, and shall duly complete and sign the application form. c) By mail: the applicant may submit the application form to the offices of ANF AC certificate, having duly completed and authenticated his signature before a Collaborating Registration Authority. ANF AC does not generate the keys of its users. The applicant must generate his/her own key pair and certificate request in PKCS#10 /CSR format, using in this process a device approved by ANF AC, together with the certificate Application Form. 4.2 Processing procedure Identity authentication Applicant Apart from the SSL certificates, when the processing is done in person before a Registration Authority, the applicant must prove his/her identity and submit, in effect, original or certified copy of the following documents: a) Physical Address and other contact data. If deemed necessary by the Registration Authority or the Issuance Reports Manager, additional documents may be included to check the reliability of the information, such as recent utility bills or bank statements. In case the RRA or the IRM know the applicant personally, they should personally issue and sign a Declaration of Identity * 1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. c) ID card or Passport in case of nationals, whose photograph allows verifying the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: 20

21 I. To European Union members or European Economic Area members: National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Citizen Members of the Union. II. To non-eu citizens: Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). In case of acting in the name and representation of a third part, the following will be required: Enough representation power. In addition to administrators and legal representatives, voluntary representatives shall be accepted when they demonstrate sufficient power to carry out acts of administration or concluding contracts on behalf of the entity. The applicant may be waived of appearing before the Registration Authority in any of the following cases: 1. If the appropriate forms have been properly completed, and the subscriber s signature has been legitimized in the presence of attorney, by attaching certified copies of identity, authorization and legal representation documents. For public entities, the figure of attorney may be replaced by the presence of an officer with powers of a public notary, according to local legal effect. 2. Electronic processing. The website includes an application form that should be filled and electronically sign with a qualified certificate, according to Electronic Signature Law 59/2003, December 19th. The certificate used must has been issued by a CA approved by ANF AC Subscribers Legal persons The following data and documentation are required: Physical address and other contact details of the entity. If the RRA or the IRM deem it necessary, additional documents, such as recent utility bills or bank statements, may be requested in order to check the reliability of the information. If the RRA or the IRM known the subscriber personally, they shall issue and sign a Declaration of Identity * 1. Tax identification (CIF) of the entity. According to legal form: Corporations or other legal persons whose registration is required under the Commercial Register, shall prove their valid constitution by providing: 21

22 - For SSL certificates applications, simple registry note on constitution data and current management of the entity. - For SSL EV certificates applications, original or certified copy of the Register data on current constitution and management of the entity. Associations, foundations and cooperatives shall prove their valid constitution by providing original or certified copy of a certificate of public record in which they are inscribed on its constitution. Civil societies and other legal persons, shall provide original or certified copy of the public document attesting to their constitution in a reliable way. Public Administrations and public sector entities: - Entities whose enrollment is mandatory in a register, shall prove their valid constitution by providing original or certified copy of a certificate of incorporation data and legal personality. - Entities created by rule, shall provide reference to the creation norm Natural persons Same procedure as in section Applicant Certificate responsible In the application form, the applicant must identify and expressly authorize the device owner and responsible of the certificate. This authorization must be perfected with a voluntary and express acceptance by the person who will be responsible for the certificate. This must appear before the Registration Authority and present proof of identity, effective, original or certified copy of the following documents: a) Physical Address and other contact data. If deemed necessary by the Registration Authority or the Issuance Reports Manager, additional documents may be included to check the reliability of the information, such as recent utility bills or bank statements. In case the RRA or the IRM know the applicant personally, they should personally issue and sign a Declaration of Identity * 1. b) The RRA, as proof of attendance and in order to preclude the repudiation of the procedure done, can get a set of biometric evidence: photography and / or fingerprints. c) ID card or Passport in case of nationals, whose photograph allows to verify the identity of the person. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). d) In case of foreign nationals, the following will be required: I. To European Union members or European Economic Area members: National Identity Card (or local equivalent) or passport with photograph that allows to verify the identity of the person appearing. In case of low sharpness of the picture, 22

23 another official document with picture may be requested (e.g. driver s license). Certificate issued by the Register of the Citizen Members of the Union. II. To non-eu citizens: e) Passport, residence permit and work permit with photograph that allows comparing the identity of the person appearing. In case of low sharpness of the picture, another official document with picture may be requested (e.g. driver s license). * 1 Declaration of Identity It consists of a formal declaration under oath, in which the respondent says he knows personally and directly a particular individual or a legal entity. Besides, it notes, up to their direct knowledge, that the address, telephone and outlined in the application form are true. The Declaration of Identity incorporates the identity of the declarant, his ID card number, the data verified, the date and time of verification, the signature of the declarant and the appropriate legal warnings in case of perjury Approval or rejection of certificate applications The Issuance Reports Manager (IRM) assumes the final response assumes the ultimate responsibility to verify the information contained in the Application Form, and to assess the adequacy of the documents provided and of the application, in accordance with the provisions of this Certification Policy. Moreover, he/she will determine: That the subscriber has access to the terms and conditions relating to the use of the certificate, as well as to the issuance fees. That the subscriber has had access and has permanent access to all documents relating to the duties and responsibilities of the CA, the subscriber, applicant, those responsible for the certificate and relying parties, especially the CPS and Certification Policies. Besides, he/she shall monitor compliance with any requirements imposed by the legislation on data protection, as established in the security document included in the CPS, the purpose of the LOPD as provided in Article 19.3 of Spanish Electronic Signature Law 59/2003, December 19th. The process of issuing the certificate shall not start as long as the Issuance Reports Manager has not issued the corresponding compliance report. The deadline set for the issuance of the report is 15 days. After that period without issuing the mandatory report, the applicant may immediately cancel the order and receive the fees paid. The IRM may require additional information or documentation from the applicant, which will have 15 days to deliver it. After this period, without having completed the requirement, the IRM will issue a report denying the issuance. Should the applicant meet the requirement, the IRM will have 7 days to issue the final report. In case the IRM verifies that the information provided by the applicant is not true, he/she will deny the issuance of the certificate, and will generate an incident report to the Security Coordinator, to determine whether or not to include the applicant in the blacklist of individuals and entities with OID

24 The validation procedure by type of certificate is the following: SSL Certificates The IRM shall check the documentation by consulting the whois database, verifying that the domain is registered, by consulting valid registrars. A copy of the whois query is attached to the validation act Electronic Office Certificates The IRM shall check the norm of Office creation and its holder SSL EV y and Certificates The IRM shall check the documentation provided by the applicant and the Registration Authority. The validation process will be supported by the Legal Department and the Technical Department, which will review and technically validate the certificate request PKCS#10. In the process of verification of the information and documentation received, the following means may be used: Consultation to official public records in which the entity must be registered in order to check availability, effect of charges and other legal issues such as activity and date of establishment. Official Journals of national or regional public bodies belonging to public bodies and enterprises. With regard to Internet addresses and domains, ANF AC consult recorders attached only by ICANN / IANA domain names and addresses associated with the certificate. In this query, it is verified verify: - That the holder (registrant) agrees with the subscriber. - People and contact information associated with that domain registration. One of the contact persons listed in the whois query shall be reached in order to verify compliance of the certificate issuance request associated with that domain. Verification of the subscriber, applicant and device owner contact details: o Telephone: - Subscriber: a landline (not mobile) shall be used. This shall be checked in yellow pages, AEPD (Spanish Data Protection Agency), and by personal call. - Applicant and device owner: through personal call. o Postal Address: it shall be checked in Yellow Pages, AEPD or Informa service. 24

25 o it shall be verified by sending an requesting confirmation of receipt. It is verified that none of the individuals associated with the request are recorded in the blacklist of individuals and entities with OID or is operating in a place where the CA policies forbids the certificate issuance (document with OID ). It is verified that the domain is not included as suspicious in the Anti Phishing Workgroup website or similar ones. It is verified that none of the individuals associated with the request is listed as a criminal in public records. ANF AC regularly updates its database with all persons appearing on search and seizure, and links this control blacklist certificate request. Also, for domain names associated with relying third parties: In case of confusión of identity of activity the certificate issuance will not be authorized, (eg. where the subscriber's activity does not correspond to that of a financial institution). In case of relevant trademarks, the Spanish Patent and Trademark Office shall be checked. When the domain name associated with a brand of relevance and public awareness, it will be verified if the owner of the trademark is related to the subscriber. In negative case, the IRM shall ask clarification and authorization to the subscriber. No person may issue this certificate when the name is associated with a relevant brand whose domain is not owned by the subscriber, or has permission form the owner of the mark, since it may cause confusion to third parties (eg etc.). In cases where validation cannot be performed on the terms and sources defined above, this will be noted in the verification act issued by the IRM, and the alternative source used shall be included Time to process certificate applications The issuance of a certificate means the complete and final approval of an application by the Issuance Reports Manager. The issuance of certificate must be made within 48 hours, once issued the report of the IRM, as defined in the CPS of ANF AC. 4.3 Certificate issuance ANF AC will avoid generating certificates that expire after the CA that issued them Certification Entity actions during certificate issuance ANF AC will deliver the certificate, by signed electronic mail, to the Technical Responsible that is stated in the Issuance Application Form. 25

26 4.3.2 Notification to subscriber ANF AC notifies the subscriber via , the certificate issuance and publication. 4.4 Certificate acceptance Acceptance After the delivery of the certificate, the subscriber shall have a period of seven calendar days to verify the certificate and to determine whether it is appropriate and whether the data are consistent with the required information. The subscriber has a period of 15 days to sign the Act of Reception and Acceptance of the received Certificate. Through the Act of Reception and Acceptance, the subscriber confirms receipt of the certificate, acceptance to the issuance made, the correct functionality of the product, its ability to use it to sign the minutes with this certificate; reaffirms its submission to the ANF AC CPS and Policies, to use it in accordance with the limitations in the use and purpose for which it was issued, the responsibility to maintain the confidentiality of the private key, and the commitment to cease use after the loss of force, either by expiration or revocation Certificate return The subscriber has a period of 7 days from the delivery of the certificate, to verify its proper operation. In case of malfunction or due to technical errors in the data contained in the certificate, the applicant or those responsible for the certificate can send an electronically signed to ANF AC, reporting the reason for the return. ANF AC shall verify the causes of removal revoke the certificate issued and issue a new certificate within 72 hours Tracing ANF AC is not responsible for the monitoring, investigation or confirmation of the accuracy of the information contained in the certificate after issuance. For information on the inaccuracy or no current applicability of the information contained in the certificate, it can be revoked Certificate publication The certificate is published in the repositories of ANF AC, within a maximum period of 24 hours since its emission has occurred Notification of certificate issuance to third parties No notification is made to third parties. 26

27 4.5 Rejection 4.6 Certificate renewal Generally, as defined in the CPS of ANF AC Valid certificates ANF AC notifies the subscriber and the certificate expiration applicant by , submitting the application form, in order to proceed with its renovation. These notifications are sent at 90, 30 and 15 days prior to the expiration date of the certificate. Only valid certificates can be renewed Persons authorized to request the renewal The renewal application form must be signed by the same applicant, whether that is the actual subscriber or the legal representative who processed the certificate request. The personal circumstances of the applicant should not have changed, especially its capacity for legal representation Routine renewal requests authentication and identification The process for reference / renewal is the same as for new issuance. The documentation to be provided by the applicant and the validation steps, issuance and delivery of certificates are the same as for the issuance of a new certificate. Two ways of renewal are considered: Certificate renewal with rekeying As defined in ANF AC CPS Certificate renewal without rekeying As defined in ANF AC CPS Approval or rejection of renewal applications Same procedure as that performed in the issuance process specified herein Notification of certificate renewal Same procedure as that performed in the issuance process specified herein. 27

28 4.6.6 Certificate renewal acceptance Same procedure as that performed in the issuance process specified herein Publication of the renew certificate Same procedure as that performed in the issuance process specified herein Notification of certificate renewal Same procedure as that specified in the section Notification of certificate issuance to third parties Identification and authentication of key renewal applications after revocation (uncommitted key) The renewal of expired or revoked certificates is not authorized. 4.7 Certificate modification Not applicable. 4.8 Certificate revocation and suspension As generally defined in the CPS of ANF AC Circumstances for revocation Besides those defined in the CPS, ANF AC shall: Provide instructions and legal support for reporting complaints or suspected compromise of the private key, of certificate misuse or about any type of fraud or misconduct. The instructions are published and permanently updated in: You may file directly your suspicion or complaint in: Anyone who sets out technical instructions or legal support in this field, can make your consultations for free by one of the following procedures: o Via telephone call in office hours: (calls from Spain) (monday to friday from 9 h. to 18 h.) (International) o Online procedure. The applicant must fill the form published in the website: 28

29 o Sending an to: ANF AC will investigate incidents of which it has knowledge, within twenty four hours of receipt. The Security Manager, based on inquiries and verifications, shall issue a report to the Issuance Reports Manager, which will determine if the corresponding revocation founded by Act, which shall include: - Nature of the incident. - Received information. - Legal rules and regulation on which the revocation order is based. Every applicant can open an incident through any of the following procedures:: o Via telephone call in office hours: (calls from Spain) (monday to friday from 9 h. to 18 h.) (International) o Online procedure. The applicant must open an incident in the Webservice: Revocation applications identification and authentication Revocation of a certificate can be requested by: The subscriber of a certificate. The applicant. The device owner and responsible for the certificate usage. ANF AC. The Recognized Registration Authority. The identification policy for revocation requests accepts the following methods of identification: Electronically: by electronic signature of the revocation request by the applicant of the certificate or of the operator at the time of the revocation request. By telephone: by replying to questions from the telephone support service available at the number (calls from Spain) or (International). In person: appearing the subscriber or the legal representative of the certificate holder in any of the offices of ANF AC published at the web address proving their identity through original documentation, and manually signing the appropriate form. 29

30 ANF AC, or any of the Recognized Registration Authorities that compose its National Proximity Network, may request revocation of a certificate if they knew or suspected compromise of the private key associated with the certificate, or any other fact to recommend take such action. ANF AC must authenticate requests and reports relating to revocation of a certificate, verifying that they come from an authorized person. Such requests and reports will be confirmed following the procedures set out in the Certification Practice Statement Procedure for revocation request Any entity which needs to revoke a certificate must apply to ANF AC or the Registry Authority which issued the certificate. In the event of revocation made by , it shall be sent to the address info@anf.es. Any revocation application is to contain at least the following information: Revocation request date. Identity of subscriber. Reason given for the revocation request. Name and title of the person requesting revocation. Contact information of the person requesting revocation. The revocation application will be processed upon receipt. The request must be authenticated in agreement with the requirements established in the corresponding section of this policy before proceeding with the revocation. Once the request is authenticated, ANF AC may directly revoke the certificate and inform the subscriber and, where appropriate, those responsible for the certificate on the certificate's change of status Revocation request grace period Revocation requests shall be processed immediately when reasonably aware of the cause of revocation and the applicant has been authenticated and verified its capacity to act Time within which CA must process the revocation request The revocation request will be processed in the shortest possible time, always following the procedure of verification and authentication of the request, which is the Issuance Reports Manager s responsibility CRL lists verification requirements The relying parties must check the status of certificates which will rely. For this intent, they can check the latest CRL issued within the period of validity of the certificate of interest. 30

31 4.8.7 CRL issuance frequency Revocation online verification availability ANF AC offers relying third parties an on-line revocation checking service, which is available 24 hours a day, 7 days a week Revocation online verification requirements Trusted third parties must check the status of those certificates they wish to be entrusted to through website. The consultation system requires prior knowledge of some parameters of the certificate of interest. As this procedure prevents massive data collection. This service meets the requirements in terms of protection of personal data and only copies of these certificates provided to third parties duly authorized. Access to this system is free Certificate suspension Not applicable Suspension requests authentication and identification Certificate suspension is not allowed. 4.9 Key storage and recovery ANF AC does not store or has the ability to store the private key of the subscribers, and therefore offers no key recovery service Good practices a) Private keys stored in PKCS#12 files. Some issuers generate the key pair for their subscribers, and then deliver the validated SSL certificate in a PKCS #12 file. This is considered an unsafe practice and, as outlined in this CP, this CA does not generate the keys of subscribers. The subscriber is the one that generates his own key pair, in any of the software or hardware forms. ANF AC does not have in any case access to the private key of its users. 31