REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

Transcription

1 REGISTRATION AUTHORITY (RA) POLICY Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

2 INDEX Contenido 1. LEGAL FRAMEWORK Legal Base Validation Legal Support INTRODUCTION Presentation Document Name Identification Publication Definitions and Acronyms Definitions Acronyms General Provisions RA functions Authentication of the RA Validation Personnel control General Provisions RA authorities Document Requirements Capacitating Requirement Suspension or Disassociation Procedure Physical Control Physical Security minimal requirements Logical Control Work Station Security Controls Information Security Control General Document storage, handling, elimination procedure Life cycle certificate control Operational Agreements Version: Substitutes: Emission Date: Revision Date: Initials: Page 2

3 11. REVIEWS Version: Substitutes: Emission Date: Revision Date: Initials: Page 3

4 1. LEGAL FRAMEWORK 1.1. Legal Base The Electronic Commerce, Electronic Signatures and Data Messaging Law, its Regulation; Organic Consumer Defense Law, CONATEL Organic Transparency Law of Information and Accreditation Validation The present document will become valid since approval date Legal Support a) The Electronic Commerce, Electronic Signature and Data Messaging Law, published in the Official Register No. 577 April 17, b) According to Art. 37 of the Electronic Commerce, Electronic Signature, and Data Messaging Law, the National Telecommunications Council is the organism for authorization, registry and regulation of Certification Entities Information and Credited Related Services. c) The General Regulation of the Electronic Commerce, Electronic Signature, and Data Messaging Law, was expended by executive decree No 3496 published in the official registry 7435 on December 31, 2002, and its constant reforms in executive decree 1356 on September 29, 2008, published in the Official Registry No. 440 on October 6, d) The second listed article added by article 4 of the executive decree No stated after article 17 of general regulation by the Law of Electronic Commerce, Electronic Signatures and Data Messaging, states that the accreditation as an information certification entity and related services, will consist in an administrative act emitted by CONATEL through a resolution that will be registered in the National Public Registry of Information certification entity. e) As stated in the resolution CONATEL-2008 published in October 08, 2008, this resolution model was approved for the Accreditation as an Information Certification and Related Services Entity. f) As stated in the resolution No. TEL CONATEL-2010 published on October 22, 2010, approved the Accreditation Petition for the company SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL S.A. as an information certification and related services entity, for which SENATEL subscribed in the respective administrative act, as the model approved by the National Telecommunications Council. Version: Substitutes: Emission Date: Revision Date: Initials: Page 4

5 2. INTRODUCTION 2.1. Presentation The present document regulates operation and minimal procedures adopted by the Registration Authority (RA) that administrate certificates for the Information Certification Entity of (ICE) SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL. The Registration Authority is the entity responsible of communication between the user and the Certification Authority. This is linked to an CA and has the purpose of receiving, validating, verifying, and managing emission or revoke digital certificates applications, fulfilling with the established in the Electronic Commerce, Electrical Signatures and Messaging Data Law and according to procedures and policies defined by ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL Document Name Identification Name: Registration Authority Policies (RAP). Version: 1.0 Description: Registration Authority Policies Emission Date: January 10, Publication This document can be freely obtained at Definitions and Acronyms Definitions Electronic Certificates: Is a document signed electronically by a certification service provider which links signature verification data to a signatory and confirms its identity. Recognized Certificate: A certificate issued by a Credited Entity that meets the requirements established by the law regarding identity verification and other circumstances by applicants and reliability of guarantees of certification services given. Public Key and Private Key: The asymmetric cryptography in which PKI is based on uses key pairs (this could also be two key pairs), which one is encrypted and can only be decrypted with the other and vice versa. One of these keys is called Public and is included in the electronic Version: Substitutes: Emission Date: Revision Date: Initials: Page 5

6 certificate, while the other is called Private and only is known by the certificate holder Signature Creation Data (Private Key): Are unique data, such as codes or private cryptographic passwords, which the subscriber uses to create electronic signatures. Data Signature Verification (Public Key): Are data, such as codes or private cryptographic passwords, used to verify the electronic signature. Security Device for Signature Creation (SDSC): Instruments used to apply data for signature creation. Electronic Signature: Is a group of data in electronic form, entered with others, which can be used as a medium for personal identification. Advanced Electronic Signature: Is an electronic signature that establishes personal subscriber identification concerning signed data, and is used to check integrity, being linked exclusively to the subscriber, like referred data, and also it has been created by means to maintain exclusive control. Hash Function: Is an operation that is done in any size data group, so that the obtained result is another data group, regardless of the original size, that has the property of being uniquely associated with the initial data. Certificate Revocation List (CRL): This is a list that contains revoked or suspended certificates. Hardware Security Module (HSM): This is a Hardware Module used to make cryptographic functions and also it is used to store passwords in safe mode. Time Stamping: Electronic annotation signed electronically which is added to a message data that records the date, hour, and the identity of the person making the annotation. Time Stamping Authority (TSA): entity that issues trusted time stamps. Validation Authority (VA): trusted entity that provides information on the validity of digital certificates and electronic signatures Acronyms CA: Sub CA: RA: CP: Certification Authority Certification Authority Subordinate Register Authority Certification Policy Version: Substitutes: Emission Date: Revision Date: Initials: Page 6

7 CPS: Declaration of Certification Practices CRL: Certificate Revocation List HSM: Hardware Security Module LDAP: Lightweight Directory Access Protocol OCSP: Online Certificate Status Protocol PKI: Public Key Infrastructure SPC: Service Provider for Certification TSA: Time Stamp Authority VA: Validation Authority ICE: Information Certification Entity OID: Object Identifier DN: Distinguished Name C: Country, Distinguished Name Attribute CN: Common Name, Distinguished Name Attribute O: Organization, Distinguished Name Attribute OU: Organizational Unit, Distinguished Name Attribute SN: ISO: PKCS: UTF8: Surname, Distinguished Name Attribute International Organizational for Standardization Public Key Cryptography Standards Unicode Transformation Format 8 bits. 3. General Provisions In this present document the following concepts must be clarified: a) RA Operator: Is the person responsible for the carrying out all RA-related activities. This person must carry out all validations and verifications defined in the appropriate certificate policy. b) Confirm applicant identity: Is the process to check if the applicant is the person has the authority to apply for a certificate, according to its certificate policy. c) Operator Suspension: Is when an employee that has a registry agent role has temporarily stopped fulfilling his/her tasks, and thus altering his/her licenses within the CA system. Version: Substitutes: Emission Date: Revision Date: Initials: Page 7

8 d) Disassociating an operator: This is the process of suspending a Registration Agent from his/her functions eliminating his/her licenses within the CA system. This process occurs when: 1. The employee has resigned his/her position within the organization. 2. The employee has been fired from his/her position within the organization. 3. The registration authority employee that has been relocated to another department within the organization. 4. The registration authority employee who has been sanctioned through and administrative process or through a disciplinary procedure, which prevents him/her in fulfilling his/her functions. e) Chief RA: Person responsible for registration authority functions supervisions and the CA coordination. f) Operator File: Is the collection of registry authority related documents. g) Installation files: Is the collection of RA installations documents such as RA business continuity plan, risk analysis, sanction regulation, active inventory and termination continuity plans. Installations: Is the RA physical environment where they are specially authorized to carry out validation and verification activities of certificate application. i) Certificate application validation: Is the verification of a person s identity or organization that presents himself/herself/itself before an RA to apply for a certificate. This validation requires for the applicant to personally go to an RA to apply a certificate. This validation requires the physical presence of the applicant and he/she must give proof that permits to determine his/her authority to grant the respective certificate application. 4. RA functions RA activities and functions include: Verify and validate all identity documents Register subscribers Deliver codes for the emission of digital certificates Manage subscriber certificate approval Manage certificate revokes. Register log events. Control and supervise Registration Authorities Control incident reports The RA should establish guidelines and procedures to assure the fulfillment of the certification policy and of this document as well as taking decisions that prevents any RA deficiency including termination or suspension of his/her duties. Each Registration Authority, according to the Certification Policy of each RA certificate types, should require from the applicants: Natural Person Certificate: Version: Substitutes: Emission Date: Revision Date: Initials: Page 8

9 a) Ecuadorian ID card or passport in the case of foreigners, b) Actualized voting card (for foreigners a register certificate and for military a copy of their military book). c) Any utility bill (Water, Electric or Telephone) emitted within the last three months that certifies the person s current address. d) National Taxpayer Registry (RUC) if in possession of one. e) The person must also be a natural person and of legal age. Legal Person Certificate: a) National Taxpayer Registry (RUC) of the company. b) Certified and legible copy of the appointment of the legal representative and attaching a clear copy of his/her Ecuadorian ID card. A certified copy of the applicant s company constitution in which states the name of the person or people that will legally represent it, this should be notarized. d) Pay Roll of all company partners or a certification affirming the number of associates of the company. e) Signed authorization by the legal representative. Public Functionary Certificate: a) Ecuadorian ID card or passport in the case of foreigners. b) Actualized voting card (for foreigners a register certificate and for military a copy of their military book). c) Certified and legible copy of the appointment or personal action of the applicant or a work certificate that certifies the public functionary position, this should be recent and signed by the legal representative emitted by the human resource department of the company. d) National Taxpayer Registry (RUC) of the company. A certified and legible copy of the legal representative appointment and attached a clear copy of his/her Ecuadorian ID card. f) Authorization signed by the legal representative. There should also be the number of applications, name and position of all company applicants in order to emit an electronic signature. Company Functionary Certificate: a) Ecuadorian ID card or passport in the case of foreigners. b) Actualized voting card (for foreigners a register certificate and for military a copy of their military book). c) Certified and legible copy of the appointment or personal action of the applicant or a work certificate that certifies the public functionary position, this should be recent and signed by the legal representative emitted by the human resource department of the company. d) National Taxpayer Registry (RUC) of the company. Version: Substitutes: Emission Date: Revision Date: Initials: Page 9

10 e) A certified and legible copy of the appointment of the legal representative and attached a clear copy of his/her Ecuadorian Identity Card. Certified copy of the company constitution in which states the name of the person or people that will legally represent it, this should be notarized. f) Authorization signed by the legal representative. There should also be the number of applications, name and charge of all company applicants in order to emit an electronic signature. Legal Representative Certificate: a) Ecuadorian ID card or passport in the case of foreigners. b) Actualized voting card (for foreigners a register certificate and for military a copy of their military book). c) National Taxpayer Registry (RUC) of the company. d) Certified and legible copy of the appointment of the legal representative and attached a clear copy of his/her Ecuadorian ID card. e) Certified copy of the applicant s company constitution in which states the name of the person or people that will legally represent it, this should be notarized. Secure Server Certificate: a) Certified and legible Copy of the appointment or work certificate that states the applicant s charge of the person, which should be updated, signed by the legal representative or emitted by human resources of the applicant entity. b) National Taxpayer Registry (RUC) of the company c) Legible and certified copy of the appointment of the legal representative, and attached a clear copy of his/her Ecuadorian ID card. d) Certified copy of the applicant s company constitution. e) Authorization signed by the legal representative Authentication of the RA When appointing a new RA, the following actions will be taken: Security Data Seguridad en Datos y Firma Digital will verify the existence of the entity by its own sources. An authorized representative of the company must sign a contract with Security Data Seguridad en Datos y Firma Digital, where will specify particular aspects of the delegation responsibility of each agent. Also the RA will require the compliance of the following regarding to RA operators: o Verify and validate the identity of new RA operators. The RA must send to Security Data Seguridad en Datos y Firma Digital the required documentation to the new operator, as well as legal authorization to act as an RA operator. o o Assure that the RA operators have received enough training to ensure their correct duties fulfillment, and having attended at least to one session of operator training. Ensure that the communication between the RA and the Security Data Seguridad en Version: Substitutes: Emission Date: Revision Date: Initials: Page 10

11 Datos y Firma Digital is done in a secure way by the use of the operator s digital certificates Validation In general, signatories are people that are linked to the Registry Authority (for example banks, companies, etc.) In these cases it isn t the signatory who requests a determined to be included in the certificate but it is the RA that does so, by consulting its own databases and thus obtains that . In cases in which the author does not have any relation with the RA, control is done by request and response of the requested address. 5. Personnel control 5.1. General Provisions The registry authority is the one responsible of its correct operation and should send to the CA updated information of the active RA operators, its profiles, qualifications and the reasons why it should access information. Registry Agents should be employees of the organization that operates as Registry authority RA authorities Document Requirements For each RA operator, according to responsibility roles in section and of the DPC of Security Data Seguridad en Datos y Firma Digital, the corresponding RA must have a record with: a) A work contract or document that permits to check his/her employment situation. b) Criminal background certificate. c) Credit situation certificate. d) Previous employment certificate, including employment in other RAs and all applied sanctions, if applicable. e) Training certificates related to Registry Authority roles and functions. f) A signed declaration that affirms the role he/she assumes and his/her duty to meet with the national certification policy and maintaining confidentiality and privacy with the CA or RA data. g) Results of periodic evaluations h) Contract that commits the person in RA registry agent related work. i) CA or RA registry from the moment he/she was included in the certification system agent role. When an operator is disassociated or suspended from his/her RA activities, then that person s file must state: Application registry in order to remove the Registry authority from the certification system. Version: Substitutes: Emission Date: Revision Date: Initials: Page 11

12 AC registry from the moment or the registry agent is suspended from the certification system Capacitating Requirement All registry agent and personnel involved must receive training and documentation from the following topics: a) Basic concept of digital certificates and Tokens. b) Basic RA security mechanisms. c) Disaster recuperation and Business continuity procedures. d) Identity validation and verification procedures. This should be located in the Registration Authority personal file. When significant changes appear in the RA operations, the personnel involved must receive appropriate training Suspension or Disassociation Procedure When an operator is suspended or disassociated, the RA in charge should immediately with the AC suspend or revoke its access license to the CA Systems and its related work to the RA. These procedures should be documented. 6. Physical Control 6.1. Physical Security minimal requirements All Registration Authority should meet with the following security requirements. a) Fire alarm devices b) Cabinets or closets with key for exclusive RA use. c) The RA equipment should be protected against electric fluid leaks and other energy abnormalities. d) Environmental Monitor and Security of the RA during operating hours. e) A security perimeter in the building where RA installations are found with an assigned security guard during working hours. f) Coercion Controls for each Registration Authority. g) Emergency lighting 7. Logical Control 7.1. Work Station Security Controls All work stations of the RA including portable machinery, should be protected against threats and Version: Substitutes: Emission Date: Revision Date: Initials: Page 12

13 unauthorized actions. SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL S.A. RA work stations should meet the following security requirements: a) Logical access control to the operating system. b) Strong Authentication (for example using digital certificates) in order to use the work station. c) The ability of blocking user session d) Auditing log of the active operating system, registering: 1. Login and logoff of operating system sessions. 2. Attempts to create, renovate, define passwords or modify operating system privileges. Work station configuration modification 3. Login y de logoff of the operating system. 4. Unauthorized attempts to the operating system e) Installed, updated and active antivirus programs f) Minimally access permissions which permit to activate only strictly necessary activities. g) Activate screen saver at two minutes at the most after being in stand-by and requiring user authorization device in order to unblock it. h) Actualized operating system and with the correct applications (patches, hotfix, etc.) i) Hardening1 j) Install only authorized application and related to its use. k) Use licensed software in the RA work stations. l) Limit remote access to the RA work station through other computer on the RA network, except for remote support activities of the CA. The logs must remain locally stored for a period at least for sixty days and later eliminate them. The RA work stations should contain an administrator profile which will be responsible in administering computer configuration and this work should be separate from the RA Registry Agent functions. 8. Information Security Control 8.1. General All information and related documents with RA installation and RA should be classified and stored according to the established in section 6 in the CPS of Security Data Seguridad en Datos y Firma Digital and in section 6.1 of the present document that guarantee information confidentiality and privacy. The RA should keep in writing (privately and confidentially) the following information: a) RA contracts with Security Data Seguridad en Datos y Firma Digital. b) RA active inventory Additionally the following documentation should be on hand for registry agent use: Version: Substitutes: Emission Date: Revision Date: Initials: Page 13

14 Copy of the Certification Practice Declaration. Copy of certification policies Document storage, handling, elimination procedure Documents that are on paper that consists of application files of certificates should be stored in the Security Data repository signed with an emitted certificate from ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL. Safely store and never for a period of time less than 15 years, the supported the supported documentation in the emission certificate and if in the case of suspension/ revoke in the same terms and conditions that this CPS in the CP of each certificate type and in if applicable in the Registration Authority agreement. The RA permits the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL access to archive and the conservation of procedures of the assumed RA archives and will give the right to investigate any suspicion of infraction of the CPS and/or CP by the RA or any one in possession of a certificate. The RA and its possession of a certificate should inform the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL immediately of any infraction suspicion. 9. Life cycle certificate control The RA should respect the life cycle of the certificate defined in section 5.2 of the CPS of Security Data Seguridad en Datos y Firma Digital. 10. Operational Agreements The CA has to celebrate an operational agreement in order for the RA to execute validation and verification activities of the certificate application. This agreement should contain at least: a) Identification and qualifications of the parties according to the RA b) Identification of the RA duties according to the agreement c) Identification of the RA responsible d) RA commitment according to defined norms and procedures e) Time frame which the agreement take place f) RA obligations to verify execution processes. Version: Substitutes: Emission Date: Revision Date: Initials: Page 14

15 11. REVIEWS Document: RA policies Review Published 24/01/ /01/2011 Author(s) LV/XC LV/XC Review Dates 18/02/ /03/2011 Reviewed by: XC XC 02/03/ /03/2011 Version: Substitutes: Emission Date: Revision Date: Initials: Page 15

16 Approval Date Approved By CS CS Version: Substitutes: Emission Date: Revision Date: Initials: Page 16