Eskom Registration Authority Charter

Transcription

1 REGISTRATION Eskom Registration Authority Charter Version 2.0 applicable from 20 November 2009 Megawatt Park Maxwell Drive Sunninghill, SOUTH AFRICA, 2157 Phone +27 (0) Fax +27 (0) Website: X Page 1 of 11

2 REGISTRATION Page 2 of 11

3 REGISTRATION Table of Contents 1. Introduction Scope Appointment Document Name and Publication Applicant and Subscriber Domain of Use (Eligibility for Certification) Purpose of Certification Ownership of Charter Private Key Infrastructure Hierarchy Certificate Content Application for an Eskom Certificate Advising on the Outcome of the Application Process of Request Verification Process of Enrolment Certificate Use Verification Acceptance of Certificate Revocation of Certificates Revocation Processes Eskom Certificate Suspension Eskom Certificate Annual Renewal RA Annual Audit References Page 3 of 11

4 REGISTRATION 1. Introduction Eskom Holdings Limited (Eskom) has a responsibility to the country to ensure that sustainable development becomes a reality. Eskom therefore plays a major role in accelerating growth in the South African economy by providing a high-quality supply of electricity to satisfy the needs of the country. In order to deliver on their strategic objectives, including quality and continuity of electricity supply, capacity expansion and funding and financial resourcing, Eskom will make use of technology solutions in the electronic environment including the Internet and Information Systems. Eskom needs to provide their employees, contractors, suppliers and clients with a secure electronic environment to facilitate the exchange of information and documents, electronic communications, and a secure user community. Eskom will preserve high levels of confidentiality and integrity in this public medium, and align with the regulations and provisions of the Electronic Communications and Transactions Act, by choosing to use an internationally established standard in secure communication, namely, the Entrust Public Certification Services. The Certification Services will be managed for Eskom by the Certificate Authority who is signed into the trust hierarchy of the Entrust Root Certification Authority. The terms contained in this Charter are subject to the terms and conditions contained in the Certification Practice Statement (CPS). Combined, this Charter and the CPS specify the digital certification process and provide the required trust in Eskom as a digital certificate issuer. All persons are required to adhere to the terms and conditions contained in the CPS as well as any other requirements imposed by Eskom that do not conflict with the CPS. 2. Scope This document is part of Eskom s Information Security Policy and is applicable to Eskom as well as to all parties taking part in the Eskom digital certification process. Eskom s Information Risk Management is the final authority on all Eskom IT related security within the Eskom sphere of IT operations. 3. Appointment appoints Eskom as a Registration Authority (-RA) to: 1. Accept applications for Eskom Certificates. 2. Perform authentication of identities and verification of information submitted by applicants when applying for the issuance of a digital certificate by the CA in terms of the provisions of this Charter, which has been approved by the Policy Authority. Page 4 of 11

5 REGISTRATION 3. Where such authentication and verification is successful, submit the request to the CA, in accordance with the provisions of this Charter and the CPS. The -RA is appointed exclusively for the purposes of authenticating the identity and verifying supporting and ancillary information of applicants (new certificates) or subscribers (certificate revocations) using the services provided by Eskom. 4. Document Name and Publication This document is called the Eskom Registration Authority Charter. The latest version of the Charter may be accessed at the website 5. Applicant and Subscriber In this Charter a natural person applying for an Eskom Certificate shall be described as an applicant until the application for the Eskom Certificate has been granted. Once an Eskom Certificate has been issued the natural person to whom it has been issued shall be referred to as a subscriber. 6. Domain of Use (Eligibility for Certification) Eskom employees can be digitally certified under the following conditions: 1. The applicant has an Eskom Employee Number. 2. The applicant has a valid Eskom account. 3. The applicant has a cellular phone number. 4. The applicant is in good standing with Eskom. 5. The applicant is fully aware of the responsibilities regarding the care and use of digital certificates and keys (as contained in the CPS, this Charter and any other Eskom governance policies). 7. Purpose of Certification Digital certification is to be used to provide the subscribers with trusted identity credentials for, amongst other uses: 1. Secure Digitally sign documents or transactions. Page 5 of 11

6 REGISTRATION The above will ensure authentication, authorisation, privacy, message integrity and non-repudiation. The subscriber may only use the Eskom Certificate for legitimate business purposes. An Eskom Cost Centre Manager or Divisional Information Manager will determine if an Eskom employee is eligible to be issued an Eskom Certificate. 8. Ownership of Charter Eskom s Information Risk Management is responsible for the upkeep of this Charter. Changes to this Charter are to be authorised by Eskom s Information Risk Manager and approved by the Policy Authority. Eskom s Information Risk Management takes full responsibility for the upkeep and content of this Charter, but limits its liability to the use of this Charter as described in the CPS, this Charter and any other Eskom governance policies. The day to day business operations related to certificate lifecycle would be executed by Eskom s Corporate Information Management. The technical operations related to certificate lifecycle would be executed by Eskom s Outsourced ICT Service Provider. 9. Private Key Infrastructure Hierarchy The trust hierarchy is as follows: ٠۰ Entrust.net Secure Server Certification Authority Root Certification Authority (RCA) ٠۰ LAWtrust CA Local Certification and Issuing Authority (ICA) ٠۰ -RA Local Registration Authority (LRA) The root key hierarchy is as follows: ٠۰ Entrust.net Secure Server Certification Authority ROOT CA ٠۰ LAWtrust CA (Eskom Certificates to be signed by this CA) ISSUING CA 10. Certificate Content ٠۰ Common Name (First Name and Surname) Page 6 of 11

7 REGISTRATION ٠۰ Eskom Employee Number ٠۰ Eskom address ٠۰ Issuing Authority: LAWtrust CA ٠۰ Organisation: Eskom Holdings Limited 11. Application for an Eskom Certificate The -RA shall be entitled to accept and process applications for natural persons for the issue of an Eskom Certificate. As a minimum the -RA shall require from the natural person applicant: ٠۰ A duly completed Eskom Certificate Application Form signed by the Eskom Line Manager and approved by an Eskom Divisional/Regional Information Manager. ٠۰ A duly completed and signed Eskom Subscriber Agreement. ٠۰ Copy of the applicant s ID, Passport or Driver s License. The -RA shall retain the application together with all of the documentation relevant to the authentication of the identity of the applicant as well as the verification of supporting information centrally and securely in the Eskom Corporate Archive, in conformance with the requirements of the Policy Authority, for a period of 3 (three) years after the expiry or revocation of the Eskom Certificate. 12. Advising on the Outcome of the Application If the application is refused the -RA shall give the applicant notice of the refusal by the -RA to issue a certificate to the applicant. The notice shall be addressed to the address provided in the application, failing which in the manner deemed most expedient by the -RA and shall provide the reasons for the refusal. If the application is granted the -RA within 10 (ten) days of the receipt of the application by the -RA, will advice the applicant via at the address provided in the application. Page 7 of 11

8 REGISTRATION Process of Request Verification Duly appointed Eskom Divisional/Regional Information Managers, who falls under Eskom Information Management, or Help Desk Managers will: 1. Receive a request (Eskom Certificate Application Form), which has been authorised by a Line Manager. 2. Physically verify the applicant s identity with face-to-face verification against the user s ID, Passport or Driver s License and the information in the submitted Eskom Application Form. 3. Request the certificate applicant to sign an Eskom Subscriber Agreement. 4. Approve the applicant s certificate application. 14. Process of Enrolment Online electronic enrolment will be done and the following enrolment fields are compulsory: 1. Common Name (First name & surname) (CN) 2. Eskom Employee Number (Serial Number) 3. Eskom Address (E) 4. Eskom Holdings Limited (O) The -RA Certificate Administrator, who falls under the authority of Eskom s Information Management, will perform the following steps to issue a certificate: 1. Receive the applicant s approved certificate application form. 2. Register the subscriber and create the reference code and authorisation code on the Certificate Management System. 3. Inform the subscriber via , at the address supplied on the Eskom Application Form, that a certificate has been issued. This will contain the reference code will be required to initiate the download of the certificate. The authorisation code that is required to complete the download of the certificate will be sent via SMS to the cell number provided on the Eskom Application Form. 4. Create and send the SMS and containing the relevant information to the subscriber. 5. The -RA shall, if required by the subscriber, provide assistance to the subscriber in the activation of the Eskom Certificate. Page 8 of 11

9 REGISTRATION Certificate Use Verification ٠۰ The certificate validity can be verified in the CRL [website: ٠۰ The CRL profile will be a full CRL. ٠۰ The certificate is valid for a maximum period of one year from date of issue. 16. Acceptance of Certificate After the issuance of the Eskom Certificate and notification addressed to the subscriber, the subscriber shall check that the content of the Eskom Certificate is correct. Unless notified to the contrary by the subscriber of any inaccuracies in the Eskom Certificate, the Eskom Certificate shall be deemed to have been accepted by the subscriber and the information contained in the Eskom Certificate deemed to be accurate. 17. Revocation of Certificates Eskom Certificates may be revoked under authority from the Eskom s Divisional/Regional Information Manager or a subscriber s Eskom Line Management under the following circumstances: 1. Subscriber s request. 2. Subscriber s formal relationship with Eskom ends. 3. Subscriber s role change in Eskom (certificate requirement no longer necessary). 4. Any changes in information contained in the Eskom Certificate issued to the subscriber. 5. Breach by subscriber of any terms of the CPS or the Eskom Subscriber Agreement entered into with the subscriber. 6. Loss, compromise, or suspected compromise, of a subscriber s private key or workstation. 7. Issue or use of the certificate not in accordance with the CPS. 8. The CA or Entrust CA expires. 9. Any other reason that the CA or the -RA reasonably believes may affect the integrity, security or trustworthiness of an Eskom Certificate. Page 9 of 11

10 REGISTRATION Revocation Processes An Eskom Certificate Revocation Request may be submitted by a subscriber, the -RA or the LAWtrust CA if any of the above occurs. The Eskom Divisional/Regional Information Manager or subscriber s Line Management shall authenticate a request for revocation of an Eskom Certificate and upon verification send a revocation request to the Eskom RA who will generate a revocation request to the LAWtrust CA. The LAWtrust CA shall within 48 hours of receiving a revocation request, post the serial number of the revoked Eskom Certificate to the CRL in the repository. The Eskom Certificate Administrators shall make a commercially reasonable effort to notify the subscriber by if the subscriber s Eskom Certificate is revoked. Revocation of an Eskom Certificate shall not affect any of the subscriber s contractual obligations under the CPS or the Eskom Subscriber Agreement entered into by the subscriber. 19. Eskom Certificate Suspension The -RA may suspend an Eskom Certificate if: 1. The subscriber is not in good standing with the -RA or LAWtrust CA. 2. The subscriber fails to adhere to the provisions of the CPS or the Eskom RA Charter. 3. Temporary suspension of the subscriber s role that requires the use of an Eskom Certificate. The Eskom Divisional/Regional Information Manager may request the LAWtrust CA to suspend an Eskom Certificate without prior notice to the subscriber. The -RA shall make a commercially reasonable effort to notify the subscriber of the suspension by sending an to the address provided in the certificate application. 20. Eskom Certificate Annual Renewal The Eskom Certificate will be renewed annually on the approach of the expiry date for the certificate. This renewal is an automated process (for active certificates that are not revoked or suspended) and will require no interaction from the subscriber. Page 10 of 11

11 REGISTRATION RA Annual Audit The -RA shall be audited once per calendar year for compliance with the practices and procedures set out in this Charter and the CPS. If the results of an audit report recommend remedial action, the -RA shall initiate corrective action within 30 (thirty) days of receipt of such audit report. 22. References 1. All Eskom Related Information Security Policies 2. ECTA (Electronic Communications and Transactions Act No.25 of 2002) 3. ISO 17799:2005 & 27001:2005 Information Technology Code of Practice for Information Security Management 4. Eskom Certificate Application Form 5. Eskom Subscriber Agreement 6. Certificate Practices Statement ( Page 11 of 11