CERTIFICATE POLICIES (CP) Natural Person Certificate ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. CP

Transcription

1 CERTIFICATE POLICIES (CP) Natural Person Certificate ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. CP

2 INDEX 1. LEGAL FRAMEWORK Legal Base Validation Legal Support INTRODUCTION Document Name Identification Publication Definitions and Acronyms Definitions Acronyms PARTICIPATING ENTITIES Credited Entities (CE) Certification Authority (CA) AC Root Authority Registration Authority (RA) Applicant Subscriber Signatory Password Protection Relaying Party CERTIFICATE CHARACTERISTICS Certificate Validity Period Support Types Page 2

3 4.3. Secure Signature Creation Device (SSCD) Software Support CERTIFICATE TYPES Recognized Corporate Certificates Certificate for the Public Administration Private Certificates Secure Server Certificates NATURAL PERSON CERTIFICATE General Aspects Application field Certificate Data Certificate Use Appropriate Certificate Use Unauthorized Use of Certificates Key and Certificates Generation Tariffs Certificate Request Who can request a Certificate? Certificate Application Process Certificate Application Processing Execution of Authentication and Identification Functions Certificate Application Approval or Rejection Certificate Emission RA Actions CA Actions Certificate Delivery Certificate Acceptance Manners to Accept a Certificate Approval or rejection of the Certificate Applications Page 3

4 6.8. Revocation and Suspension of Certificates Revocation Circumstances Causes for Revocation Who can request a revocation Application Revocation Procedures Period in which the CA should Resolve the Revocation Verification Obligation of Revocations by Third Parties Emission Frequency of the CPSs Maximum Time between the Generation and Publication of the CRLs Availability of the Online Certificate Verification Status System Requirements for Online Revocation Checking CERTIFICATE RENEWAL Suspension Circumstances Who can Request a suspension Suspension Period Limits REVIEW Page 4

5 1. LEGAL FRAMEWORK 1.1. Legal Base The Electronic Commerce, Electronic Signatures and Data Messaging Law, its Regulation; Organic Consumer Defense Law, CONATEL Organic Transparency Law of Information and Accreditation 1.2. Validation The present document will become valid since approval date Legal Support a) The Electronic Commerce, Electronic Signature and Data Messaging Law, published in the Official Register No. 577 April 17, b) According to Art. 37 of the Electronic Commerce, Electronic Signature, and Data Messaging Law, the National Telecommunications Council is the organism for authorization, registry and regulation of Certification Entities Information and Credited Related Services. c) The General Regulation of the Electronic Commerce, Electronic Signature, and Data Messaging Law, was expended by executive decree No 3496 published in the official registry 7435 on December 31, 2002, and its constant reforms in executive decree 1356 on September 29, 2008, published in the Official Registry No. 440 on October 6, d) The second listed article added by article 4 of the executive decree No stated after article 17 of general regulation by the Law of Electronic Commerce, Electronic Signatures and Data Messaging, states that the accreditation as an information certification entity and related services, will consist in an administrative act emitted by CONATEL through a resolution that will be registered in the National Public Registry of Information certification entity. e) Resolution CONATEL-2008 published in October 08, 2008, this resolution model was approved for the Accreditation as an Information Certification and Related Services Entity. f) Resolution No. TEL CONATEL-2010 published on October 22, 2010, approved the Accreditation Petition for the company SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL S.A. as an information certification and related services entity, for which SENATEL subscribed in the respective administrative act, as the model approved by the National Telecommunications Council. Page 5

6 2. INTRODUCTION 2.1. Presentation The present document contains the Certification Policy (CP) of ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL for s. This CP specifies and affirms to what has been established in the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL CPS, which determined a set of rules that indicate the procedures followed by the Certification Entity when presenting its services for digital certificates application, identification, emission, acceptance, and revoke, as well as its limits of use, application range and technical characteristics for this type of certificate. This Certificate Policy (CP) together with the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL CPS, are aimed to anyone who trusts in these types of certificates Document Name Identification Name: Version: 3.0 Description: Certificate Policies for a Natural Person. Emission Date: June 24 th, Publication This document can be freely obtained at Definitions and Acronyms Definitions Electronic Certificates: Is a document signed electronically by a certification service provider which links signature verification data to a signatory and confirms its identity. Recognized Certificate: A certificate issued by a Credited Entity that meets the requirements established by the law regarding identity verification and other circumstances by applicants and reliability of guarantees of certification services given. Page 6

7 Public Key and Private Key: The asymmetric cryptography in which PKI is based on uses key pairs (this could also be two key pairs), which one is encrypted and can only be decrypted with the other and vice versa. One of these keys is called Public and is included in the electronic certificate, while the other is called Private and only is known by the certificate holder. Signature Creation Data (Private Key): Are unique data, such as codes or private cryptographic passwords, which the subscriber uses to create electronic signatures. Data Signature Verification (Public Key): Are data, such as codes or private cryptographic passwords, used to verify the electronic signature. Security Device for Signature Creation (SDSC): Instruments used to apply data for signature creation. Electronic Signature: Is a group of data in electronic form, entered with others, which can be used as a medium for personal identification. Advanced Electronic Signature: Is an electronic signature that establishes personal subscriber identification concerning signed data, and is used to check integrity, being linked exclusively to the subscriber, like referred data, and also it has been created by means to maintain exclusive control. Hash Function: Is an operation that is done in any size data group, so that the obtained result is another data group, regardless of the original size, that has the property of being uniquely associated with the initial data. Certificate Revocation List (CRL): This is a list that contains revoked or suspended certificates. Hardware Security Module (HSM): This is a Hardware Module used to make cryptographic functions and also it is used to store passwords in safe mode. Time Stamping: Electronic annotation signed electronically which is added to a message data that records the date, hour, and the identity of the person making the annotation. Time Stamping Authority (TSA): entity that issues trusted time stamps. Validation Authority (VA): trusted entity that provides information on the validity of digital certificates and electronic signatures Acronyms CA: Certification Authority Page 7

8 Sub CA: RA: CP: DCP: CRL: HSM: LDAP: OCSP: PKI: SPC: TSA: VA: ICE: OID: DN: Certification Authority Subordinate Register Authority Certification Policy Declaration of Certification Practices Certificate Revocation List Hardware Security Module Lightweight Directory Access Protocol Online Certificate Status Protocol Public Key Infrastructure Service Provider for Certification Time Stamp Authority Validation Authority Information Certification Entity Object Identifier Distinguished Name C: Country, Distinguished Name Attribute CN: Common Name, Distinguished Name Attribute O: Organization, Distinguished Name Attribute OU: Organizational Unit, Distinguished Name Attribute SN: ISO: PKCS: UTF8: Surname, Distinguished Name Attribute International Organizational for Standardization Public Key Cryptography Standards Unicode Transformation Format 8 bits. 3. PARTICIPATING ENTITIES 3.1. Credited Entities (CE) Security Data Seguridad en Datos y Firma Digital is a Credited Entity (CE) that emits certificates Page 8

9 recognized by the Electronic Commerce Electronic Signatures and Data Messaging Law. Security Data Seguridad en Datos y Firma Digital is the entity that emits these certificates and is the company responsible of the operation of life cycle certificates. The authorization functions, registry, issuing and revoke of destination entity personal certificates, can be done by other entities associated by contract with Security Data Seguridad en Datos y Firma Digital, which will considered as intermediary. Security Data Seguridad en Datos y Firma Digital also offer electronic signatures validation services and time stamping, which is controlled by their own norms and regulations which are not included in this document Certification Authority (CA) The system of certification of Security Data Seguridad en Datos y Firma Digital is composed of diverse CA or Certification Authority which is organized under a Certification Hierarchy AC Root Authority An AC Root Authority is the entity inside the hierarchy that emits certificates to other certification authorities and whose public key certificate has been self-signed. Its purpose is to sign the certificate of other ACs in the Certification Hierarchy Registration Authority (RA) Security Data Seguridad en Datos y Firma Digital Registration Authority is the entity in charge of: Certificate applications Identify the applicant and check if he/she meets with the necessary requirements for the Certificate Application. Check the situation of the person that will be the certificate signatory. Administrate password generation and certificate emissions. Submit the certificate to the subscriber. A representative for the RA of Security Data Seguridad en Datos y Firma Digital could be: Any Cooperation that is client of Security Data Seguridad en Datos y Firma Digital, for the issuing of certificates under the name of the Corporation or under members of the cooperation. Any trusted entity that reaches an agreement with Security Data Seguridad en Datos y Firma Digital so they can act as representative of Security Data Seguridad en Datos y Firma Digital. Security Data Seguridad en Datos y Firma Digital itself. Security Data Seguridad en Datos y Firma Digital will formalize relations by contract with every one of the entities that act as RA of Security Data Seguridad en Datos y Firma Digital. Page 9

10 The entity that acts as the RA of Security Data Seguridad en Datos y Firma Digital can authorize one or various people as the RA Operator in order to operate with the information system of certificate emissions of Security Data Seguridad en Datos y Firma Digital under the RA name. For the subscribers where geographical location represents a logistic problem for subscriber identification and in the application and delivery of certificates, the RA could appoint these functions to another trusted company. This entity should have a special relationship with the RA and have a trusted relationship with the certificate subscriber which justifies this appointment. This trusted entity should sign a collaborative agreement with the RA in which this appointment is accepted by these functions. Security Data Seguridad en Datos y Firma Digital should know and expressively authorize such agreement Applicant An applicant is the person that, under his/her own name or representing a third party, requests the emission of a certificate by Security Data Seguridad en Datos y Firma Digital. The type of requirements that an applicant must meet depends of the certificate type requested which requirements are published in the Certification Policy of each type of concrete certification Subscriber The subscriber is the person (natural or legal) that has contracted the certification services of Security Data Seguridad en Datos y Firma Digital. Therefore this person will be the owner of the certificate. Generally, the subscriber of a certificate of Security Data Seguridad en Datos y Firma Digital will be a cooperation (private business, public entity, or natural person), whose name will appear on the certificate Signatory The Signatory is the person that possesses a signature creation device and that acts under its own name or in representation of a legal entity. The signatory will be responsible of guarding the data of the signature creation, that is, the personal key which is associated to the certificate Password Protection The protection of creation data of associated firms of each certificate is the responsibility of the natural or Page 10

11 legal person, whose identification will be included in the electronic certificate Relaying Party A relaying party is all (person or organization) that voluntarily trusts in a certificate emitted by Security Data Seguridad en Datos y Firma Digital. The certificates emitted by Data Seguridad en Datos y Firma Digital are accepted by the majority of Ecuadorian State public organizations such as Ministries and Departments etc. The obligations and responsibilities of Data Seguridad en Datos y Firma Digital with relaying parties is limited to the ones stated here in this CPS. Relaying Parties should take note the limitations in its use. 4. CERTIFICATE CHARACTERISTICS 4.1. Certificate Validity Period s are valid for two years according to the Electronic Commerce, Electronic Signature and Messaging Data Law (Decree No. 3469) Support Types The Legal Representation certificates can generate hardware or software support Secure Signature Creation Device (SSCD) The private passwords of the certificates emitted by the hardware support is generated and stored in a Secure Device of Signature Creation as a Smart Card or a Cryptographic Token. The SSCD provided by Security Data Seguridad en Datos y Firma Digital S.A. also contain FIPS certificates. Therefore, the usage of Company Employee Cooperative Certificates with SSCD permits to safely execute Electronic Signatures. These SSCD generated certificate passwords cannot be in any way copied, which means in the case of loss or destruction of the device it will be necessary to start a new certificate emission process. In order to activate the SSCD it will be necessary to introduce the PIN number. If the PIN is for five consecutive times entered incorrectly the device will be blocked and therefore it will be inoperable. In Page 11

12 order to unblock the device, the person must take the blocked device to the RA or send the device back to the company and there the device will be unblocked as well as emitting a new certificate. The PIN is secret and personal for each user; an initial PIN will be given which can be changed by the user by means of a special program Software Support The private keys from the emitted certificates in software support are generated and stored in an internet browser, for example Microsoft Explorer The certificates for natural persons in software can be copied to other formats; therefore it is possible to make security copies of them. 5. CERTIFICATE TYPES 5.1. Recognized Corporate Certificates Cooperative certificates are recognized electronic signature certificates which the subscriber is a Corporation (private business, organization or Public Administration): Legal Representative Cooperation Certificate: Are recognized certificates by the natural person that identifies the subscriber as a corporation and the signatory as a legal representative of this cooperation. Judicial Cooperation Certificate: Are certificates recognized by the judicial person that identifies the subscriber as a Judicial Person. Natural Person Cooperative Certificate: Are certificates that are recognized by the natural person which identifies the subscriber as Corporation and the signatory as associated to the corporation Certificate for the Public Administration The certificate for the Public Administration is an electronic certificate emitted according to the requirements established in the Ecuadorian Electronic Commerce, Electronic Signatures and Data Messaging Law. Public Functionary Cooperate Certificate: Are certificates recognized by the natural person that identifies the subscriber as a cooperation and the signatory as a legal representative of this corporation. Page 12

13 5.3. Private Certificates : Are recognized certificates by the natural person that identifies the subscriber as a natural person who can use these certificates for personal, legal and tax issues Secure Server Certificates Secure Server Certificates: are certificates that announce an Internet domain as a judicial entity or a determined registered merchant. 6. NATURAL PERSON CERTIFICATE 6.1. General Aspects Application field The certificates emitted by the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL under this CP, can be used for the creation of digital signatures and encoding. This can also be used as an identification mechanism for computer services and applications. For this reason, everything related to the Ecuadorian Legislation regarding Electronic Signatures will be applied to this point Certificate Data The information that is included in the Natural person Certificate emitted by the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL are the following: Fields included in the Certificate Description Version Versión Shows the version inside the X.509 standard (v3) Serial number Número de Serie Certificate serial number Signature Algorithm Algoritmo de firma sha256rsa algorithm signature Signature hash algorithm Algoritmo de firma para sha256 HASH Organizational Unit Information Name (OU) Certification Entity (ICE) Domain Domain Page 13

14 Component(DC) Name (securitydata.net.ec) Issuer Emisor Organization Name Certification (O) Organization Name- Security Data Seguridad en Datos y Firma Digital Country Name (c) Country of Certification Authorization - Ecuador (ec) Valid from Válido Desde Certificate emission date Valid to Válido Hasta Certificate expiration date Common Name (CN) Subscriber name Subject Firmante Organizational Unit Information Name (OU) Certification Entity (ICE) Page 14

15 Organization Name (O) Country Name (c) Certification Organization Name- Security Data Seguridad en Datos y Firma Digital Country of Certification Authority - Ecuador (ec) Public Key Clave Pública Subscriber public Key Key Usage Uso de clave Identifies where applicable Access to authority Acceso a información Information where OSCP will be used Information Certificate Policy de autoridad Detailed information of the certificate including the Directivas del Certificado link to the Certificate s CP Names Paternal Last name Mother s Maiden name Ecuadorian ID or Passport number Address City Telephone RUC RUP Country Subject Alternative Nombre Alternativo del Subscriber Name Firmante CRL Distribution Points Puntos de Distribución Distribution CRL points. Address where the CRLs are published. de la CRL Private Key Usage Periodos de uso de The private key time frame Period clave Privada Authority Key Identifier Identificador de clave X509 standard extension de entidad emisora Subject Key Identifier Identificador de clave X509 standard extension de asunto Basic Contrains Restricciones Básicas Determines CA destination, certification routes as ICE final entity. Entrust Version Info Información de Entrust PKI platform information Thumbprint Algorithm Algoritmo de CA signature algorithms identificación Thumbprint Huella Digital Fingerprint associated with the certificate Page 15

16 6.2. Certificate Use Appropriate Certificate Use The subscriber could use the Electronic signature certificate, according to what has been established in this Certificate Policy, in the service contract that subscribes with the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL and the CPS. Improper use of a certificate is when this is used to realize unauthorized operations according to the certificate policies and is applicable to each certificate and the contracts of the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL with its subscriptions, in consequence the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL could revoke the certificate and thus terminating the contract. Authorized use of certificates emitted by the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL could be specified in each type of certificate. If the subscriber certificate in a particular time frame is stolen, i.e. the private password, the user should start the revoke proceedings as mentioned in this CP and the CPS. The certificate of Electronic signatures is emitted by the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL to the subscriber and should be used as intended. The user is prohibited to alter the certificate in any way. The electronic signature certificates cannot be used in illegal actions according to the established in the Ecuadorian legislation. Electronic signature certificates presents the following guarantees: o Authenticity: the document information and its electronic signature undoubtedly corresponds to the person who signed the signed the contract. o Integrity: The information in the electronic document has not been modified or altered after signing. o No repudiation: The person who has electronically signed the document cannot deny his or her signature. o Confidentiality: The contained information has been coded and by the will of the emitter, only the receptor is permitted to decode it Unauthorized Use of Certificates It is prohibited any use that would contradict Ecuadorian and Community Norms, international agreements ratified by the Ecuadorian Government, native customs, and moral and public conduct. It is also prohibited the distinctive use of the stated in this Declaration of Certified Practices or in its corresponding Certification Policy. The certificates has not been designed nor destined to nor permits its use or retail as control Page 16

17 equipment for dangerous situations or for use that requires unerring decisions such as nuclear plant equipment, Systems navigation or aerial communications or army systems control, where an error could directly cause death, personal injury or serious environmental damages. Final user certificates cannot be used to sign public key certificates of any kind, or sign certification revokes lists Key and Certificates Generation The Key and Certificate storage support will be a cryptographic device. Access to the cryptographic device where the private key is stored is done through password (PIN). In order to employ an electronic signature it is necessary to introduce the Pin number which should only be known to the subscriber. When generating keys it is not allowed to make a security copy of generated key Tariffs The price of Company Employee Certificates will depend on their duration. Security Data Seguridad en Datos y Firma Digital S.A. might establish the tariffs, which are considered appropriate for the subscribers as well as establish appropriate payment methods in each case. For more details about price and payment conditions of this type of Certificate Security Data Seguridad en Datos y Firma Digital S.A. should be contacted Certificate Request Who can request a Certificate? The applicant is the person that physically identifies the subscriber as a corporation and the signatory as a legal representative; he requests the emission of a certificate to Data Seguridad en Datos y Firma Digital. The applicant or subscriber must have the following documentation: a) Ecuadorian Identification Card or Passport in the case of foreigners, b) Updated voting card (for foreigners, a registration certificate and for the military a copy of their military book) c) Electricity, Water or telephone invoice of any of the last three months, which certify the home address. d) National Taxpayer Registry (RUC) of the company. e) National Provider Registry (RUP) in case of possessing it f) The subscriber must be a natural person and of legal age. Page 17

18 Certificate Application Process The applicant must contact Security Data Seguridad en Datos y Firma Digital to arrange the certificate application either through the CA web page or any of the associate RAs. The RA will provide the applicant with the following information: Necessary application to hand in, in order to process the application and to verify the subscriber identity. Availability in order to execute the registry process. Information about the emission and revoke process of the private key protection as well as responsibilities and conditions of device and certificate use. How to access and consult the present document and certification policies. The following points specify the required documentation for the certificate application Certificate Application Processing Execution of Authentication and Identification Functions It is the responsibility of the RA to carry out in a reliable way subscriber identification and authorization. This process should be done before the certificate emission Certificate Application Approval or Rejection Once the certificate application is done, the RA should verify the information provided by the applicant, including identity confirmation of the subscriber. If the information is incorrect, the RA will reject the petition and state the reasons why. If the information is correct, the subscriber and/or applicant and Security Data Seguridad en Datos y Firma Digital will sign the corresponding legal document Certificate Emission RA Actions Once the application is approved, the RA will notify the applicant and/or subscriber who must do the following. Page 18

19 a) The applicant and/or subscriber personally present himself/herself to the RA, according to the established protocols. b) Pay the certificate fee or present its receipt to the RA (Software o Hardware). c) Read, accept, and sign the contract, which the RA will archive and the signatory can obtain a copy of this document. d) If the Subscriber requires the certificate via Hardware and does not have the Token, the RA will send it to the subscriber and when the subscriber has his own device, this should be approved by Security Data Seguridad en Datos y Firma Digital before its use. The RA has a list of approved devices. e) The RA will impute data into the system and proceed to emit generation certificate keys which will be delivered in the following manner: The first, Reference Number, will be sent to the applicant and the second, Authorization Code, are printed for the applicant at that moment together with the receipt CA Actions Once the application is approved, the key pairs are emitted (Authorization Code and Reference Number) and must be delivered to the subscriber safely. The CA will carry out the following actions: a) Key Pair Generation: it will generate key pairs in the CA, which will be sent to the client, the first key (reference number) will be sent via and the second (Authorization Code) will be printed and given directly to the RA. b) Receipt Emission: The receipt will be emitted to the client and attaching it to the printed document described in the previous Certificate Delivery When the subscriber has both passwords generated (Authorization code and reference number), he can now generate the certificate. a) In Software Page 19

20 Both passwords must be entered on the web page and must follow the procedure described in the Certificate Activation Manual via software found on the web page once this procedure is done a certificate is issued, one that the applicant will install on his computer. b) In Hardware Both passwords must be entered on the web page and must follow the procedure described in the Certificate Activation Manual via Hardware that is found on the web page the procedure is concluded, the Certificate is issued, program which will then install the Token Certificate Acceptance Manners to Accept a Certificate The certificate will be accepted the moment a legal instrument linked between the subscriber and Security Data Seguridad en Datos y Firma Digital has been signed and the certificate has been physically delivered, either personally or by any secure means. As evidence to this acceptance there must be an acceptance sheet signed by the applicant. The certificate will be considered valid since the day the acceptance sheet was signed. The acceptance sheet must be delivered to the RA physically Approval or rejection of the Certificate Applications Once the certificate has been generated and accepted by the subscriber or signatory, the certificate can be published in the certificates repositories that are considered necessary 6.8. Revocation and Suspension of Certificates Revocation Circumstances The revocation of a certificate means the loss of its validity, and is irreversible. The suspension means a temporary loss of a certificate and is reversible. The revocations and suspensions come into effect the moment they appear published in the CRL. Page 20