Certification Practice Statement For Non-Qualified Certificates

Transcription

1 Malta Electronic Certification Services Ltd For Non-Qualified Certificates Government of Malta Certification Authority Date: 14/09/2012 Version: 1.3 Unclassified Malta Electronic Certification Services Ltd, Gattard House, National Road, Blata l-bajda HMR 02 Malta Telephone: (+356) Facsimile: (+356) Web Site:

2 Document control information 1. Document Reference GM CA Practice Statement.doc 2. Document Type Statement of Practices 3. Security Classification Unclassified 4. Synopsis This document is the for the Certification Authority established by the Malta Electronic Certification Services Ltd on behalf of the Government of Malta acting through the Ministry of Information Technology and Investments. 5. Document Control Author Change controller Distribution controller CA Manager CA Manager CA Manager 6. Authorisation Issuing authority Approval authority Signature date: Signature date: 7. Modification History Version Date Comments Version /08/2007 For release Page i

3 Version /10/2008 Modifications as follows: - Page 1, Introduction, Overview, Paragraph 1 Changed the Ministry s Information (from MIIIT to MITC) - Page 1, 01.3 PKI Participants, Certification Authorities Changed reference to the Ministry (from MIIIT to MITC) - Page 9, 04.9 Certificate Revocation and Suspension, Paragraph 4 Changed CRL update from frequently within minimum intervals of four hours to every twenty four (24) hours - Page 22, 09.7 Limitations of Liability, Paragraph 2 Removal of Maltese Lira amount (LM 860) Version /09/2009 Modifications as follows: - Page 23, Individual Notices and Communications with Participants Changed address of Civil Registration to Evans Building, Merchant Street, Valletta VLT Certificate Life-Cycle Operational Requirements, subsection 04.1 Certificate Application, paragraph 5: Change in text from: If the Electronic Identity Account owner fails to apply for a Certificate within such period of time, the individual must re-activate the online facility for Certificate Application by going in person to the appointed RA as described above. To: If the Electronic Identity Account owner fails to apply for a Certificate within such period of time, the individual must re-activate the online facility for Certificate Application. Such re-activation may require that the person is to present one s self in person to the appointed RA as described above. Version /09/2012 Changed notafter in section 07.1 from + 5 years to + maximum of 5 years 8. References N/A 9. Acknowledgements Page ii

4 Executive Summary This document is the for the Certification Authority established by the Malta Electronic Certification Services Ltd on behalf of the Government of Malta acting through the Ministry of Information Technology and Investments. It states the practices that the Certification Authority employs in providing certification services that include, but are not limited to, issuing, managing, revoking, and renewing Certificates in accordance with the requirements of the Government of Malta Certificate Policy (GMICT P 0061:2007). Page iii

5 Table of Contents Document control information i Executive Summary iii Table of Contents iv 01. Introduction Overview Document Name and Identification PKI Participants Certification authorities Registration authorities Subscribers Relying parties Other participants Certificate Usage Appropriate certificate uses Prohibited certificate uses Policy Administration Organisation administering the document Contact Person Person determining CPS suitability for the policy CPS approval procedures Definitions Publication and Repository Responsibilities Access Controls Identification and Authentication Naming Initial Identity Validation Identification and Authentication of Renewal Requests Identification and Authentication of Revocation Requests Certificate Life-Cycle Operational Requirements Certificate Application Certificate Application Processing Certificate Issuance Certificate Acceptance Key Pair and Certificate Usage Subscriber duties Relying Party duties Certificate Renewal Certificate Re-key Certificate Modification Certificate Revocation and Suspension Certificate Status Services End of Subscription Key Escrow and Recovery Facility, Management, and Operational Controls Physical Security Controls Procedural Controls Personnel Controls Audit Logging and Procedures Records Archival Key Changeover Compromise and Disaster Recovery CA or RA Termination Technical Security Controls 13 Page iv

6 06.1 Key Pair Generation and Installation Key pair generation Private key delivery to subscriber Public key delivery to certificate issuer CA public key delivery to relying parties Key sizes Public key parameters generation and quality checking Key usage purposes Private Keys Protection and Cryptographic Module Engineering Controls Cryptographic module standards and controls Private key (n out of m) multi-person control Private key escrow Private key backup Private key archival Private key transfer into or from a cryptographic module Private key storage on cryptographic module Method of activating the private key Method of deactivating the private key Method of destroying the private key Other Aspects of Key Pair Management Public key archival Certificate Operational Periods and Key Pair Usage Periods Activation Data Computer Security Controls Life Cycle Security Controls Network Security Controls Timestamping Certificate, CRL and OCSP Profiles Certificate Profile CRL Profile OCSP Profile Compliance Audit and Other Assessment Other Business and Legal Matters Fees Financial Responsibility Confidentiality of Information Intellectual Property Rights Representations and Warranties CA Representations and Warranties RA Representations and Warranties Subscriber Representations and Warranties Relying Party Representations and Warranties Disclaimers of Warranties Limitations of Liability Indemnities Term and Termination Individual Notices and Communications with Participants Amendments Dispute Resolution Procedures Governing Law Compliance with Applicable Law Miscellaneous Provisions Other Provisions 24 Page v

7 01. Introduction 01.1 Overview This document is the ( CPS ) for the Certification Authority established by the Malta Electronic Certification Services Ltd ( MECS Ltd ) on behalf of the Government of Malta acting through the Ministry for Infrastructure, Transport and Communications ( MITC ). It states the practices that the Certification Authority ( CA ) employs in providing the Certification Services in accordance with the requirements of the Government of Malta Certificate Policy (GMICT P 0061:2007) ( CP ). The CP is the principal statement of policy governing the Certification Authority. It establishes the business, legal, and technical requirements for approving, issuing, managing, using, revoking, and renewing Certificates. To ensure the identity of the technical infrastructure and to facilitate the building of trust, the CA has setup a Public Key Infrastructure ( PKI ) hierarchy. At the top or root of the PKI hierarchy, there is the Government of Malta Root CA, the purpose of which is to build trust in the underlying PKI hierarchy within the Government domain. The self-signed Government of Malta Root CA certificate certifies the private key of the Government of Malta Intermediate CA the purpose of which is to segregate the lower tiers of the PKI hierarchy from the root. The Government of Malta Intermediate CA certificate certifies the private key of the Electronic Identity CA, the purpose of which is to issue the Certificates for the Subscribers. MECS Ltd is the trusted agent responsible for all the PKI hierarchy established on behalf of the Government of Malta under an agreement between the Government of Malta and MECS Ltd. According to this agreement, MECS Ltd agrees to provide the Certificate Services. This CPS addresses in detail the technical, procedural and organisational policies and practices of the CA with regard to the Certification Services it provides Document Name and Identification This document is the of the Certification Authority established by the MECS Ltd on behalf of the Government of Malta. The Certificates issued under this CPS shall have a CPS Identifier. This Identifier shall be PKI Participants Certification authorities The Certification Authority (CA), is the authority trusted by the users of the Certification Services (i.e. Subscribers as well as Relying Parties) to create and assign Certificates, The CA has overall responsibility for the provision of the Certification Services as described in this CPS. The MITC has appointed MECS Ltd the role of Certification Authority Registration authorities A Registration Authority (RA) is an entity which may be assigned by the CA to perform applicant authentication, to assist Certificate applicants in applying for Certificates, to approve or reject Certificate applications, to revoke Certificates and to renew Certificates. The Registration Authority is the Government of Malta as represented by the Director General (Land and Public Registry). Page 1

8 Subscribers A Subscriber is the natural person whose name appears as the subject in a Certificate, and who asserts that s/he uses his/her key and Certificate in accordance with this CPS. The targeted Subscribers include, but are not limited to, Citizens of Malta who may wish to utilise the electronic services offered by the Government of Malta Relying parties A Relying Party is the entity who, by using a Certificate having another entity as its subject for client authentication, relies on the validity of the link between the Subscriber's name to a Public Key. A Relying Party may use information in the Certificate to determine the suitability of the Certificate for a particular use. Relying Parties include, but are not limited to, Departments and other Entities of the Government of Malta that provide on-line services Other participants The Policy Management Authority (PMA) is the entity responsible for the administration of the Certificate Policy. The PMA may amend the Certificate Policy, or any part thereof, at any time at its discretion. The PMA is the Government s Core ICT Advisory Committee (CITAC) which is chaired by the MITC Certificate Usage Appropriate certificate uses The Certificate provides a medium degree of assurance of the electronic identity of a Subscriber. The Certificate ensures the proper authentication since the individual applying for the Certificate must go to the appointed RA in person for official registration before a Certificate can be issued by the CA. For applications to be validated the person applying for the Certificate must present his/her identity card for verification. Certificates are not issued to individuals acting on behalf of a legal person. Certificates are personal to the relevant Subscriber and they are non-transferable. If a Relying Party relies upon a Certificate from an individual purporting to act on behalf of a person other than the Subscriber, the Relying Party does so entirely at its own risk. The Certificates are intended solely for client authentication to electronic services offered through the portal of the Government of Malta. While the Certificate is technically capable of use for other Advanced Electronic Signature (or digital signature) purposes, such use is entirely at the Subscriber s risk. Any use or reliance upon Certificates for purposes not expressly approved in this CPS is entirely at the parties own risk. The CA offers no express or implied warranties regarding the performance of the portal site operated by the Government of Malta. In this CPS, references to Certificates means the Certificates described in the CPS and does not extend to Qualified Certificates within the meaning of the Electronic Commerce Act (Chapter 426 of the Laws of Malta) Prohibited certificate uses Certificates are to be used only to the extent the use is consistent with applicable law. They are not designed, intended, or authorised for use in hazardous circumstances or for uses requiring fail-safe performance. CA certificates may not be used for any functions except CA functions. In addition, Certificates are not to be used as CA certificates. Page 2

9 01.5 Policy Administration Organisation administering the document MECS Ltd, Gattard House, National Road, Bbajda, HMR Contact Person The CA Manager MECS Ltd, Gattard House, National Road, B Bajda, HMR02 Tel: (356) Fax: (356) Person determining CPS suitability for the policy The CPS and any changes thereof shall be subject to audit and review by the PMA who may direct the CA to amend this CPS at any time CPS approval procedures Approval of this CPS and subsequent amendments shall be made by the PMA. Amendments shall be in the form of a document containing an amended form of this CPS Definitions Advanced Electronic Signature has the meaning ascribed to the term under Section 2 of the Electronic Commerce Act, Chapter 426. Certificate shall mean a Public Key Certificate issued by the CA to a Subscriber in accordance with the Certificate Policy. The parties acknowledge that the Certificates issued by the CA to a Subscriber pursuant to this CPS do not, and are not intended to, meet the criteria of a Qualified Certificate. Certificate Chain shall mean an ordered list of Public Key Certificates containing a Certificate and CA certificates, which terminates in a root certificate. Certificate Policy ( CP ) shall mean the named set of rules that indicates the applicability of a Certificate to a particular community and/or class of application with common security requirements, and for the purposes of this CPS shall mean the Government of Malta Certificate Policy (GMICT P 0061:2007). Certificate Revocation List ( CRL ) shall mean a signed list indicating a set of Certificates that are no longer considered valid by the CA. Certification Authority ( CA ) shall mean the authority trusted by one or more users to create and assign Certificates, and for the purposes of this CPS shall mean MECS Ltd on behalf of the Government of Malta. Certificate Applicant shall mean an individual who requests the issuance of a Certificate by submitting a Certificate Application using the facilities provided by the Portal upon logging with an Electronic Identity Account. Certificate Application shall mean a request submitted by a Certificate Applicant to the RA for the issuance of a Certificate. Page 3

10 ( CPS ) shall mean the statement of the practices owned and operated by the CA which the CA employs in issuing Certificates. Certification Services shall mean the provision of the service of issuing Certificates in accordance with the Certificate Policy and the CPS, and shall include the verification of identity of Certificate Applicants, the creation and signing of Certificates based on the identity, the dissemination of Certificates to Subscribers, the processing of requests for revocation, and the provision of Certificate revocation status information. Electronic Identity Account shall mean an electronic account to access the Portal. Portal shall mean the web site provided by the Government of Malta for the provision of electronic services and currently located at the Uniform Resource Locator Public Key Certificate shall mean the Public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the Certification Authority which issued it. Public Key Infrastructure ( PKI ) shall mean the architecture, organisation, techniques, practices and procedures that collectively support the implementation and operation of the Certification Services. "Qualified Certificate" shall mean a Public Key Certificate which meets the requirements established by or under the Electronic Commerce Act (Chapter 426 of the Laws of Malta) and is provided by a Certification Authority which fulfils the requirements established by or under the Electronic Commerce Act. Relying Party ( RP") shall mean a recipient of a Certificate who acts in reliance on that Certificate and/or Advanced Electronic Signatures verified using that Certificate. Subscriber shall mean a natural person identified in a Certificate as the holder of the private key associated with the public key given in the Certificate. Page 4

11 02. Publication and Repository Responsibilities The CA maintains an online repository of documents where it makes certain disclosures about its practices and procedures including its CPS, which will be accessible at The CA publishes CRLs at regular intervals at Certificate status information is published in accordance with section The CA does not presently provide a public repository of the Certificates it issues Access Controls The CA provides its document repository and the CRLs free of charge. Parties are required to agree to the Relying Party Agreement before accessing the CRLs. Any party who purports to rely upon a Certificate without first agreeing to the Relying Party Agreement shall do so entirely at its own risk and the CA shall accept no responsibility or liability in relation thereto. Page 5

12 03. Identification and Authentication 03.1 Naming Each Subscriber has a clearly distinguishable and unique x.501 Distinguished Name (DN) in the Certificate subject name field, which consists of the components specified below: Attribute Common Name (CN) Address (E) Country (C) Serial Number (SN) Value Name address 2 letter ISO country code Unique random number The Subject name in a Certificate is meaningful to the extent that the CA has associated the Certificate with a Subscriber. The name is not necessarily unique but cannot be anonymous Initial Identity Validation A request by an individual seeking to be a Subscriber must be presented by the individual in person. The identity of a prospective Subscriber is authenticated in any manner sufficient to satisfy the CA or the RA that the individual has the identity he or she claims to possess. The individual shall be required to present the Government-issued identity card, and/or other identifying documents Identification and Authentication of Renewal Requests All requests for re-key are handled as requests for renewal of the Certificate. All requests for renewal are authenticated by the CA, and the subsequent response is required to be authenticated by the Subscriber. Where the key pair has expired, the request for renewal is authenticated in the same way as initial identity validation Identification and Authentication of Revocation Requests The CA or RA authenticates a request for revocation of a Certificate using privately shared information. A Subscriber may request the revocation of the Certificate to the RA by using the helpdesk established by the RA for such purposes. Page 6

13 04. Certificate Life-Cycle Operational Requirements 04.1 Certificate Application The person applying for the Certificate must have previously obtained an Electronic Identity Account, in accordance with the procedures for obtaining, and terms and conditions for, such an account. An individual applying for an Electronic Identity Account must apply by going in person to the appointed RA, taking the following documents: The order form, duly filled in and signed; The applicant s valid identity card, passport or equivalent official document. The RA approves an application for an Electronic Identity Account upon the successful identification and authentication of all required Subscriber information. The RA rejects an Electronic Identity Account application if identification and authentication of all required Subscriber information cannot be completed, or if the applicant fails to furnish supporting documentation upon request. Once the applicant obtains the account, upon successful login to the Portal, an on-line facility is provided to apply for a Certificate. The Certificate Applicant is required to read and understand the Subscriber Agreement provided online. The Certificate Application is complete once the terms and conditions are accepted. The Certificate Applicant generates the key pair and sends a certificate request to the RA. The owner of the Electronic Identity Account is allowed a period of twelve (12) months to apply for a Certificate upon activation of the Electronic Identity Account. If the Electronic Identity Account owner fails to apply for a Certificate within such period of time, the individual must re-activate the online facility for Certificate Application. Such re-activation may require that the person is to present one s self in person to the appointed RA as described above. At the point of making a Certificate Application, the owner of the Electronic Identity Account will be required to accept the terms of the Subscriber Agreement which include obligations to ensure that the data provided is accurate and up to date Certificate Application Processing The RA verifies the physical identity of the Certificate Applicant by ensuring the personal information provided for the Electronic Identity Account application (explained in section 04.1) is still true and correct. The RA sends its approval of the Certificate application to the CA using the facilities provided by the CA upon the successful identification of the applicant. The RA may reject the application for a Certificate if this may bring the CA or the Government of Malta into disrepute Certificate Issuance The CA relies on the correctness of the information on each Certificate application, as and when approved by the RA. On receipt of the approval of the Certificate Request from the RA, the CA issues the Certificate to the Subscriber. The CA, through the RA, informs the Subscriber using electronic communication that it has issued such Certificate, and provides the Subscriber with access to the Certificate and the procedure for obtaining and activating it. Page 7

14 04.4 Certificate Acceptance The Certificate is deemed to have been accepted by the Subscriber when it is downloaded and when either (i) the Subscriber fails to object to it or its content within seven (7) working days or (ii) the Subscriber uses the Certificate within the seven day period, whichever is the earlier. The Subscriber Agreement is accepted by the Subscriber electronically at the point where the subscriber applies for the Certificate. The Subscriber is required to immediately notify the RA of any errors in the content of the Certificate. In this case, the RA shall revoke the Certificate and take the appropriate measures for the CA to reissue a Certificate for the Subscriber Key Pair and Certificate Usage The responsibilities relating to the use of keys and certificates include the ones addressed below: Subscriber duties Unless otherwise stated in this CPS, the Subscriber s duties include the following: a) Refraining from tampering with the Certificate; b) Taking all reasonable measures to prevent the loss, disclosure, modification or unauthorised use of any private keys or passwords; c) Only using the Certificate to the extent consistent with this CPS and applicable law Relying Party duties A party relying on a Certificate will: a) Validate a Certificate by using a CRL; b) Trust a Certificate only if it has not expired or has not been suspended or revoked; c) Rely on a Certificate for the usage as specified in this CPS Certificate Renewal A Subscriber may request the renewal of a Certificate during the 6 weeks prior to the expiry of the Certificate by using the online facility provided through the Portal. If the Subscriber s keys and Certificate are still valid (i.e. not revoked, suspended, or expired), upon submitting a request for renewal, the Subscriber is required to enter a password to confirm his/her identity to the RA. The CA issues a new Certificate to the Subscriber upon receipt of the RA s acceptance of the Subscriber s request. In the case of renewal of a revoked, suspended or expired Certificate, the RA reconfirms the identity of the Subscriber and ensures that the information used to check the Subscriber s identity in the past is still valid. The same validation procedure is followed for renewal as that used for the initial registration. The Certificate is deemed to have been accepted by the Subscriber when it is downloaded and when the Subscriber fails to object to it or its content within seven (7) working days Certificate Re-key Section not applicable. Page 8

15 04.8 Certificate Modification Section not applicable Certificate Revocation and Suspension The RA immediately revokes a Certificate using the facilities provided by the CA if: a) the Subscriber so requests; or b) upon being informed by the Subscriber that any of the information in the Certificate has changed; or c) the RA knows or has reason to suspect that the private keys or password of the Subscriber have been compromised; or d) the Subscriber fails to comply with the obligations under the Subscriber Agreement; or e) the Subscriber dies. The CA reserves the right to revoke a Certificate: a) If any of the information in the Certificate changes; or b) If the CA knows or has reason to suspect that the private keys or password of the Subscriber have been compromised; or c) the Subscriber fails to comply with the obligations under the Subscriber Agreement; or d) For any other reasons the CA deems necessary. In this case, the CA notifies the RA and the affected individual of any revocation of a Certificate assigned to him/her. The CA makes available correct Certificate Revocation Lists to Subscribers and Relying Parties as specified in section of this CPS. Relying Parties must use on-line resources that the CA makes available through its repository to check the status of certificates before relying on them. CRLs are updated every twenty four (24) hours. The RA immediately suspends a Certificate using the facilities provided by the CA when so notified by the Subscriber upon identification of the Subscriber by the RA. The Certificate shall remain suspended until the Subscriber requests the RA to unsuspend the Certificate. The suspension may last for a maximum of 14 days after which the Certificate is automatically revoked by the CA. In this case, the CA, through the RA, informs the Subscriber of such revocation Certificate Status Services The CA makes available certificate status checking services including CRLs on the following website: CRLs are signed and time-marked by the CA. A CRL is issued each twenty four (24) hours, at an established time. The CRLs have an overlap period of twelve (12) hours. The CA allows a Certificate check on all CRLs issued in the previous 12 months available on its website End of Subscription The subscription of the Subscriber will end with the expiry of the Certificate. The Subscriber may also end the subscription to the CA services at any time by requesting revocation of the Certificate to the RA. Page 9

16 04.12 Key Escrow and Recovery Key escrow and recovery are not allowed. Page 10

17 05. Facility, Management, and Operational Controls 05.1 Physical Security Controls The computing facilities hosting the CA services are located in a Security Zone which is monitored for unauthorised intrusion at all times. The location has adequate power and air conditioning facilities, and is protected against flooding and fire. The CA servers are hosted in the Data Centre of the Government of Malta, and therefore adopt all the established physical controls. In addition, the CA servers are hosted in a dedicated rack. Only approved personnel are allowed access to the CA servers, and third parties are properly escorted and supervised. An off-line backup of the contents of the CA servers is maintained using tape media and smart cards in the assigned Disaster Recovery Site Procedural Controls The critical CA functions are separated to prevent any one person from maliciously using the CA system without detection. Each user s system access is strictly limited to the actions that are required for fulfilling their roles and responsibilities. The CA segregates the distinct personnel roles, distinguishing between the day-to-day operation of the CA system, the management and audit of those operations, and the management of major changes to the system s policies, procedures or personnel Personnel Controls Persons are selected for any trusted role in the operation of the CA on the basis of their trustworthiness and integrity. In addition, selected personnel have successfully completed and are kept updated with appropriate training, and have demonstrated their ability to perform the assigned duties. They also have never previously been denied a security clearance, or been convicted of any felony offense. Access to the CA private keys requires intervention from at least two individuals authorised by the CA management to participate and be present. The CA ensures that any contracted personnel satisfy the same personnel security requirements with respect to appointment, training and background checks as those applicable to CA employees. The CA provides appropriate documentation to the PKI personnel, namely this CPS and any policies, procedures and contracts as applicable to their respective positions Audit Logging and Procedures The CA records the: Generation of the CA and subordinate entity keys; Changes to CA details and/or keys; Changes to Certificate creation policies; CA application start-up and shutdown; CA configuration; Backup and restore; Page 11

18 Key archival and recovery; Login and logout attempts; Creation and revocation of Certificates; and Attempts to initialise, remove, enable, and disable Subscribers. The logs are retained for a period of five (5) years.the CA ensures that the audit logs are regularly reviewed by its personnel Records Archival The Certificates stored by the CA, including the CA (self-signed) Certificates, as well as the CRLs generated by the CA, are retained for at least two years after their expiration. The CA archives for one year the audit logs generated by the CA software. The older versions of the documentation which defines the Governance and the Operation of the CA, including the Certificate Policy, the and all the Agreements, are also retained for at least one year Key Changeover Section not applicable Compromise and Disaster Recovery The CA has appropriate emergency and/or disaster recovery plans and procedures. These include the re-establishment of the CA installation, including the initialisation of the CA equipment, the generation of the new private and public keys, and the re-issuing of all Certificates. Without prejudice to section 09.7, if the CA equipment is damaged and becomes inoperative, the CA operations are to be re-established as quickly as possible, giving priority to the ability to revoke Subscribers Certificates. If the CA cannot re-establish revocation capabilities, a decision is taken by the CA declaring the CA s private signing key as compromised and the CA installation is rebuilt completely. The CA is also completely rebuilt in the case of a disaster in which the installation is physically damaged and all copies of the CA signature key are destroyed as a result CA or RA Termination In the event the CA ceases operation or makes a major change in operations, the CA shall immediately notify the PMA as to all Subscribers for which it has issued Certificates. In the event the CA ceases operations, the CA shall arrange for the retention of the CA s records, including copies of the Certificates, Private Keys, CRLs and audit information. In the event that the RA ceases operation, the CA shall appoint another RA. Page 12

19 06. Technical Security Controls 06.1 Key Pair Generation and Installation Key pair generation The CA key generation is performed by personnel in trusted roles under multiple controls, and carried out using a device as described in section Private key delivery to subscriber Each digital signature key pair is generated using an algorithm approved by the PMA. The private signing key of the prospective Subscriber is generated by the holder and is not stored by the CA Public key delivery to certificate issuer The Public Key is generated by the Subscriber and is transmitted to the CA in an on-line transaction in a secure manner using HTTPS CA public key delivery to relying parties The CA public verification key will be available for download from the CA website to Subscribers and Relying Parties using an on-line transaction in a secure manner using HTTPS Key sizes The CA uses a 2048 bit RSA for its own CA signing key pair. Subscribers use 2048 bit RSA for their key pairs Public key parameters generation and quality checking Section not implemented Key usage purposes Keys may be used for authentication and digital signing. CA signing keys are the only keys permitted to be used for signing Certificates and CRLs Private Keys Protection and Cryptographic Module Engineering Controls Cryptographic module standards and controls All CA digital signature key generation, including key storage and Certificate signing operations are performed in a Hardware Security Module rated as specified in FIPS level 3. Page 13

20 Private key (n out of m) multi-person control Access to the CA private key requires intervention from two individuals authorised by the CA management to participate and be present. This is achieved by having an Operator Card Set (OCS) with a 2-out-of-3 mechanism for the Hardware Security Modules, with each card holding a secret password which is known exclusively to the individual owning the card. Two out of the three individuals must present their cards to the CA to access the private key Private key escrow The CA does not escrow CA or Subscriber private keys Private key backup The CA private keys are stored on the host encrypted using AES encryption, and backed-up on tape in encrypted format. The cryptographic keys that protect the CA private key are stored on a set of smart cards called the Administrator Card Set (ACS). To use the ACS to reconstitute the cryptographic keys, 3 out of 5 cards are required. A Subscriber may back-up his/her own private key. If so, the key must be copied and stored in encrypted form and protected in the same manner as the primary version of the key. The CA shall not back-up private signing keys of the Subscribers Private key archival CA private keys shall be archived in encrypted form for a period of ten (10) years Private key transfer into or from a cryptographic module All CA private keys shall be generated directly in the CA s cryptographic modules Private key storage on cryptographic module All CA private keys are stored on Hardware Security Modules rated as specified in FIPS level 3. The keys are kept in clear only inside the HSM Method of activating the private key The CA private key can only be activated by using 2 out of 3 OCS cards (OCS explained in section ) Method of deactivating the private key The CA private key is de-activated once the OCS card is removed from the card reader (OCS explained in section ) Method of destroying the private key Upon the termination of use, the Subscriber must securely destroy all copies of his/her private key. Page 14

21 06.3 Other Aspects of Key Pair Management Public key archival The CA shall retain all public keys of the certificates it generates Certificate Operational Periods and Key Pair Usage Periods Key/Certificate Key Length in Bits Maximum Validity Period Government of Malta Root CA years Government of Malta Intermediate CA years Electronic Identity CA years Subscriber years 06.4 Activation Data The activation data is unique and unpredictable. It is protected from unauthorised use by a combination of cryptographic and physical access control mechanisms. Where a reusable password scheme is used, the mechanism includes a facility to temporarily lock the account after a predetermined number of login attempts Computer Security Controls The following computer security functions are provided by the operating system, or through a combination of operating system, software, and physical safeguards: Require authenticated logins Provide discretionary access control Provide a security audit capability Enforce separation of duties for roles Require identification and authentication of roles and associated identities Require use of cryptography for session communication and database security Require a recovery mechanisms for keys and the CA system 06.6 Life Cycle Security Controls The CA utilises CA software that has been designed and developed under a structured development methodology, and has passed the necessary quality assurance. The CA has policies and procedures in place to prevent malicious software from being loaded onto the CA equipment. The CA hardware and software is dedicated to performing only CA-related tasks. There are no other applications, hardware devices, network connections or component software, which are not part of the CA operation Network Security Controls The CA has adequate security controls in place to provide CA integrity and availability through any open or general purpose network with which it is connected. Page 15

22 The root and intermediate CA servers are kept disconnected from the network at all times, and the issuing servers are accessed only by specified servers through appropriately configured firewalls Timestamping Section not implemented. Page 16

23 07. Certificate, CRL and OCSP Profiles 07.1 Certificate Profile X.509 v3 Field Field OID Value Value OID signaturealgorithm SHA1 with RSA encryption signaturevalue CA Signature TBSCertificate Version 2 Serial number Auto generated during key generation Issuer commonname Electronic Identity CA Country MT Validity NotBefore Key Generation Date NotAfter Key Generation Date + maximum of 5 years Subject commonname Title givenname Surname deviceserialnumber Subject public key info Algorithm SHA1 with RSA encryption Value RSA 2048 bits X.509 v3 Extensions Authority key identifier KeyID= Subject key identifier KeyUsage digitalsignature Asserted Certificate policies [1] Policy Identifier Policy Qualifier Info Policy Qualifier Id=CPS Qualifier Extended key usage Client Authentication Asserted Secure Asserted CRL distribution points Distribution Point Name Full Name Page 17

24 07.2 CRL Profile The CA issues X.509 version 3 Certificates. The CA software supports all the base X.509 fields: Field Name Certificate List Version Signature Issuer Effective date Next Update Revoked Certificates Signature Algorithm Signature Value Description Sequence of fields Version of the encoded CRL The identifier for the algorithm used to sign the CRL The CA which has issued and signed the CRL. The issue date of this CRL. The date by which the next CRL will be issued List of Revoked Certificates, identified by the serial number, including date/time revoked. The identifier for the algorithm used to sign the CRL Digital signature computed on the Certificate List OCSP Profile Section not implemented. Page 18

25 08. Compliance Audit and Other Assessment The CA shall be audited on a periodic basis. The PMA shall appoint the auditors required for this function. The appointment of the auditors shall be final and binding upon the CA. The CA has the right to request periodic and ad hoc inspections of the subordinate operations such as the RA function. The CA shall state the reason for any ad hoc inspection. The purpose of a compliance audit shall be to verify that the audited party has in place a system in accordance with this CPS, in order to assure the quality of the services that it provides, and that it complies with all of the requirements of this CPS. Page 19

26 09. Other Business and Legal Matters 09.1 Fees The CA does not charge any fees for the issuance, renewal, revocation and suspension of Certificates, and for the download of CRL. The CA charges no fee for the publication and retrieval of this CPS Financial Responsibility The CA is Malta Electronic Certification Services Ltd, Gattard House, Blata l-bajda a limited liability company established under the laws of Malta. In providing the Certification Services, the CA requires Subscribers to accept a Subscriber Agreement which includes warranties and indemnities regarding Subscribers usage of Certificates and their compliance with those Agreements and with the terms of this CPS. These Subscriber Agreements also disclaim the CA s liability in relation to the use of the Certificates outside of the Portal environment and limit the CA s liability in relation to any loss or damage arising. The CA also requires those Relying Party s who rely upon Certificates on the Portal to enter into a Relying Party Agreement with the CA and again this Relying Party Agreement includes limits and exclusions on the CA s liability in relation to any loss or damage arising. While the Certificate is technically capable of use for other Advanced Electronic Signature (or digital signature) purposes, such use is entirely at the Subscriber s risk. Accordingly the CA will not be responsible to any third party who chooses to rely upon a Certificate outside of the Portal environment. The RA provides services relating to applicant authentication, assisting Certificate applicants in applying for Certificates, approving or rejecting Certificate applications, revoking Certificates and renewing Certificates. It does so pursuant to its contract with the Government of Malta and a further contract with the CA and these contracts also exclude and limit the RA s liability Confidentiality of Information The CA shall collect and use personal information to deliver the services to carry out the transactions necessary for the issuing of Certificates, in accordance with any obligations stipulated under the Data Protection Act. Except as described in this CPS, the CA shall not disclose personal information without the subject s consent. The CA may access and/or disclose personal information if such action is necessary to: comply with the laws of Malta; protect and defend the rights or property of the Government of Malta; act in urgent circumstances to protect the personal safety of Subscribers or members of the public. The owner of private information may correct any inaccuracies or request any corrections in the private information provided by the data subject at any time Intellectual Property Rights All right, title and interest in all intellectual property rights in or associated with this CPS, CRLs, Distinguished Names, Service Arrangements, CA Public Keys and certificates as well as Subscriber Page 20

27 Certificates, including all modifications and enhancements thereof, are and shall remain the exclusive property of the Government of Malta Representations and Warranties CA Representations and Warranties The CA warrants that it: is responsible for the creation and signing of Certificates binding Subscribers with their public verification keys; is responsible for promulgating Certificate status through the Certificate Revocation List (CRL); guarantees that all the requirements set out in the applicable CP are complied with. It also assumes responsibility for ensuring such compliance and providing these services in accordance with its CPS; uses its certificate signing Private Key only to sign Certificates and CRLs and for no other purpose; endeavours to provide Subscribers and Relying Parties with notice of their respective rights, privileges and obligations pertaining to their use of the Certificates it provides and any changes thereof; provides appropriate notice to all interested parties as to its procedures concerning the expiry, suspension, revocation and renewal of Certificates; protects the privacy of the persons concerned. The CA ensures that the personal data it receives is used solely for the provision of certification services, and that the Subscriber may consult and change this data; provides Subscribers and Relying Parties with the URL of its website where this CPS is published RA Representations and Warranties The RA warrants that it: complies with the applicable provisions of the CPS currently in effect, and with the terms and conditions of its agreement with the CA; guarantees that Subscribers are properly identified and authenticated as regards the personal identity of the Subscriber as a natural person; guarantees that any applications for Certificates submitted to the CA are complete, accurate, valid and duly authorised; informs Subscribers of their respective rights, privileges and obligations pertaining to their use of keys, and the CA's procedures for the expiry, suspension, revocation and renewal of keys and Certificates; has a contractual obligation to implement appropriate measures for the physical security of the information and systems concerned, and the employees dealing with registration. protects the privacy of the persons concerned. The RA ensures that the personal data it receives is used solely for the provision of certification services, and that the Subscriber may consult and change this data Subscriber Representations and Warranties The Subscriber warrants that s/he: accepts the procedures set by the CA in the CPS currently in effect for the provision of Certificates; Page 21

28 when applying with the RA for the Certificate, submits precise, accurate and complete information, and comply with the corresponding registration procedures; will use or rely on keys or Certificates only for purposes permitted by this CPS and for no other purpose; is responsible for generation of the key pair using an algorithm and given key length (minimum 2048 bits) meeting the criteria set out in this CPS; gives an undertaking that s/he is the sole holder of the Private Key linked to the Public Key to be certified; protects the Private Key at all times against loss, disclosure, alteration or unauthorised use; will immediately notify the CA in such manner as specified by the CA in the event of the compromise or suspected compromise of the Private Key or the activation data (e.g. PIN code); immediately informs the CA of any changes to the data on the Certificate Relying Party Representations and Warranties The Relying Party warrants that it: verifies the validity, suspension or revocation of the Certificate using current revocation status information as indicated in this CPS; takes account of any limitations on the usage of the Certificate indicated either in the Certificate or the relevant terms and conditions; takes all the other precautions prescribed in published agreements Disclaimers of Warranties The CA does not warrant the complete, timely, secure, error free or uninterrupted availability of the service to Subscribers and Relying Parties. The CA offers no express warranties regarding the fitness for purpose of the Certificates for any application not specifically approved in this CPS. The CA offers no express or implied warranties or representations regarding the performance of the portal site operated by the Government of Malta. To the fullest extent permitted by law, the CA disclaims any implied warranties to the contrary Limitations of Liability To the extent permitted by law, the CA shall not be under any liability in respect of any loss or damage (including, without limitation, consequential loss or damage) which may be suffered or incurred or which may arise directly or indirectly in relation to the use or reliance upon Certificates issued under this CPS or associated Public/Private Key pairs for any use that is not in accordance with this CPS. The total liability which may be incurred by the CA for damages sustained by the Subscriber or the Relying Party for any use or reliance on a Certificate as specified in this CPS shall be limited, in the aggregate, to 2000 EUR. This limitation shall be the same regardless of the number of digital signatures, transactions or claims relating to such Certificate. System maintenance or factors outside the control of the CA may affect such availability of services provided by the CA. The CA disclaims all liability of any kind whatsoever for matters outside of its control including the connectivity, availability or working of the Internet, or telecommunications or other infrastructure systems Indemnities The Subscriber agrees to indemnify, defend and hold harmless the CA from all claims, costs, damages and expenses relating to this CPS, arising from failure of the Subscriber to act in accordance with this CPS and the Subscriber Agreement. Page 22