Land Registry. Version /09/2009. Certificate Policy

Transcription

1 Land Registry Version /09/2009 Certificate Policy

2

3 Contents 1 Background 5 2 Scope 6 3 References 6 4 Definitions 7 5 General approach policy and contract responsibilities Background Certificate Policy and Certification Practice Statement Purpose Level of specificity Approach 10 6 Introduction to the Certificate Policies for Land Registry Overview Identification Policy changes Conformance Contact details 11 7 Obligations and liability Certification Authority obligations Subscriber obligations Relying Party obligations Certification Authority liability 13 8 Annex A Registered Land Registry Certificate Policies 14 9 Annex B Requirements on Certification Authority Practice for Land Registry Local Signing Certificate Policy Subscriber obligations Key usage Certification Practice Statement Key Management Life Cycle Generation of Certification Authority Keys Certification Authority Key storage, backup and recovery Certification Authority Public Key distribution Key Escrow Certification Authority Key usage End of Certification Authority Key life cycle Life cycle management of cryptographic hardware used to sign Certificates CA provided Subject Key management services Hardware Key storage device preparation Certificate Management life cycle Subject registration Certificate renewal, re-key and update Certificate generation Dissemination of terms and conditions Certificate dissemination Certificate revocation and suspension Management and operation Security management Asset classification and management Personnel security Physical and environmental security Operations management System access management Trustworthy systems deployment and maintenance Business continuity management and incident handling Certification Authority termination 27 3

4 Compliance with legal requirements and Land Registry s policies and practices Recording of information concerning Certificates Organisational Annex C Requirements on Certification Authority Practice for Land Registry Central Signing Certificate Policy Deviation from the original policy Key Escrow Certificate Authority Provided Subject Key Management Services Annex D Requirements on Certification Authority Practice for Land Registry Individual Authentication Certificate Policy Deviation from the original policy Subscriber obligations Key usage Annex E Requirements on Certification Authority Practice for Land Registry Device Authentication Certificate Policy Deviation from the original policy Subscriber obligations Key usage CA Provided Subscriber Key Management Services Hardware Key Storage Device Preparation Subject registration 35

5 1. Background Public Key Infrastructure (PKI) has been widely accepted by the market and governments worldwide as an important electronic business enabler. PKI can ensure, in a cost-effective manner, the confidentiality and integrity of digital data, as well as guarantee the identities of communicating or transacting entities or persons. Confidentiality is achieved through encryption, whereas identification and integrity are achieved through digital signatures. These critical internet trust techniques are supported by Certificates issued by a Certification Authority. Such Certificates bind a person or legal entity to a cryptographic key that is published within a relevant community. This Public Key corresponds in a unique manner to another key, which for PKI to work must be kept strictly confidential (the Private Key). Digital signatures are created by using the Private Key of the sender, while confidentiality is achieved by use of the Public Key of the receiver. For users of PKI to have confidence in the Certificates that identify their counterparts in for example web transactions, they need to have confidence that the Certification Authority has properly established procedures and protective measures in order to minimise the operational and financial threats and risks associated with PKI. This document specifies the policy requirements on the operation and management of Land Registry and their customers to give users this confidence in relation to the Land Registry E-services. 5

6 2. Scope This document specifies policy requirements relating to Land Registry Certification Authority. It defines policy requirements on the operation and management of its Certification Authority issuing Certificates such that Subjects certified by the Certification Authority and Relying Parties may have confidence in the reliability of the Certificate. Subscribers and Relying Parties should consult the Land Registry Certification Practice Statement to obtain further details of precisely how this Certificate Policy is implemented by Land Registry for a particular class of Certificate. 3. References The following documents contain provisions which, through references in this text indicated by [n], constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etcetera) or non specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. 1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 2. ETSI TS : Policy requirements for issuing qualified certificates. 3. IETF RFC 3739: Internet X.509 Public Key Infrastructure: Qualified certificate profile. (Also ETSI TS ). 4. IETF RFC 3647 (2003): Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. 5. Data Protection Act ISO/IEC 9000: 2000 Quality Management Systems. 7. ISO/IEC 17799:2005: Information Technology Security Techniques Code of Practice for Information Security Management. 8. ISO/IEC 15408:2005 (parts 1 3): Information Technology Security Techniques Evaluation Criteria for IT Security. 9. FIPS PUB (2001): Security Requirements for Cryptographic Modules. 10. CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 2: Cryptographic Module for CSP signing operations with backup Protection Profile (CMCSOB-PP). 6

7 11. CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 3: Cryptographic Module for CSP key generation services Protection Profile (CMCKG-PP). 12. CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 2: Cryptographic Module for CSP signing operations Protection Profile (CMCSO-PP). 13. IETF RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. 4. Definitions Administrator: A person who controls the service operation of the CA. Central Signing Service: Private Key storage and use under the End User s sole control within a secure service operated by Land Registry. Certificate Policy: A named set of rules that indicates the applicability of a Certificate to a particular community and/or class of application with common security requirements. Certificate: The Public Key of an End User or Device, together with verifiable identity information, rendered unforgeable by encoding with the Private Key of the Certification Authority which issued it. Certification Authority (CA): An entity trusted by one or more users to create and assign Certificates. Certification Practice Statement: A statement of the practices that a Certification Authority uses in issuing Certificates. Conveyancer: Any member, employee, officer or agent of a subscriber authorised under a current full Network Access Agreement. Device: In these policies is used to include an internet server, software or equipment used to initiate a virtual private network and functions in organisations authorised to sign software code. Electronic Signature: Data in electronic form in, affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory s approval of the information contained in the data message. End User: The person or legal entity having its Public Key and name certified by a Certification Authority in a Public Key Certificate. Know Your Customer (KYC): The process of establishing a client s identity using appropriate documentary evidence (eg passport or utility bill) to ensure compliance with the Proceeds of Crime Act 2002 and the Terrorism Act 2000 and the Money Laundering Regulations Guidance is provided by the FSA and the Law Society. 7

8 Key Pairs: Encryption keys used for signature purposes comprise a pair of large prime numbers that have a specific mathematical relationship such that if one is used to encrypt data only the other half of the pair can be used to decrypt the data. Network: The electronic communications network provided in accordance with section 92 of the Land Registration Act 2002 and any components of it and the services provided by way of that network from time to time. Private Key: One part of the Key Pair that is kept private to by the Subject. Used for creating the Electronic Signature. Public Key: The other part of the Key Pair made public to any Relying Party in order to validate the Electronic Signature. Registration Authority: The organisational entity responsible for the enrolment of subjects into the Certification Authority. It may be a different organisation to the Certification Authority, but is obliged to comply with the Certificate Policy. Relying Party: The party in a transaction or communication which acts or may act in reliance on a Certificate and/or digital signatures verified using that Certificate. Representative: The individual who accepts the Certificate associated with computer applications and Devices 1 in the control of Subscribers, and is responsible for the correct protection and use of the Private Key. Subject: Entity identified in a Certificate as the rightful holder of the Private Key associated with the Public Key given in the Certificate. The Subject may be an End User or Device. Subscriber: Entity which subscribes with a Certification Authority on behalf of an End User or End Users to have one or more Public Keys and associated entities certified in the same number of Public Key Certificates. A Subscriber may also be the Subject or Representative. Technical Manual: The document, including parts 1 and 2, which details the system and security requirements and other technical aspects of the Network and published from time to time by the Registrar. References to the Technical Manual mean the version as updated from time to time. 1 Eg firewalls, routers, in-line network encryptors, trusted servers, and other infrastructure components. 8

9 5. General approach policy and contract responsibilities 5.1 Background The authority trusted by the users of the certification services to create and sign Certificates is called the Certification Authority. The Certification Authority has overall responsibility for the provision of these services and is identified in the Certificate as the issuer. When a Certification Authority issues a Certificate it attests that it has established the name of the Subject by using defined processes based on the examination of defined external evidence. This evidence concerns the certified entity s name and its association with other information in the Certificate to achieve a targeted level of reliability and trust, and represents information and facts that the Certification Authority chooses to rely upon to make a correct attestation. The evidence collected and the method of examination may vary between different types of certification services, but all services must in the end rely on information that is outside the scope of the Certification Authority to challenge. The responsibility of the Certification Authority is limited to the correct execution of its defined procedures which will include evidence collection and examination procedures that are defined to be part of its service. If an error is caused by false external evidence (such as a false ID-card) that was correctly collected and processed according to defined procedures, the Certification Authority has fulfilled its obligations and is not responsible for the error. However, the Certification Authority always maintains responsibility for processes defined to be part of its service for ensuring that the policy requirements imposed on the Certification Authority in this document are met; and for liability issues arising out of the issue and management of certificates. The Certification Authority may use other parties to provide services, and the distribution of responsibilities among these parties is contractually agreed between the Certification Authority and its subcontractors. In these cases it is also the responsibility of the Certification Authority to provide adequate instructions to Subscribers and Relying Parties and to provide the details required for the Subscribers or the Relying Parties to meet their obligations. 5.2 Certificate Policy and Certification Practice Statement Purpose In general, the purpose of the Certificate Policy (these are referenced by a policy identifier in a Certificate) states the rules on how the Certificate is to be issued, used and when it may be relied upon. The Certification Practice Statement is a summary of the processes and procedures the Certification Authority will use in creating and maintaining the Certificate. The relationship between the Certificate Policy and Certification Practice Statement is similar in nature to the relationship of other business policies that state the requirements of the business, while operational units define the practices and procedures of how these policies are to be carried out. If a Certification Authority is issuing Certificates against a number of Certificate Policies, then the Certification Authority s Certification Practice Statement (only one is necessary) will state how the Certification Authority implements the controls. 9

10 5.2.2 Level of specificity A Certificate Policy is a less specific document than a Certification Practice Statement. A Certification Practice Statement is a more detailed description of business and operational practices of a Certification Authority in issuing and otherwise managing Certificates. The Certification Practice Statement of a Certification Authority enforces the rules established by entities prescribing a specific Certificate Policy. A Certification Practice Statement defines how a specific Certification Authority meets the technical, organisational and procedural requirements identified in a Certificate Policy Approach The approach of a Certificate Policy is significantly different from that of a Certification Practice Statement. A Certificate Policy is defined independently of the details of the specific operating environment of a Certification Authority, whereas a Certification Practice Statement is tailored to the organisational structure, operating procedures, facilities, and computing environment of a Certification Authority. A Certificate Policy may be defined by the user of certification services, whereas the Certification Practice Statement is always defined by the provider. The Certification Practice Statement relevant to the Land Registry Certification Authority will be incorporated into the Technical Manual. 6. Introduction to the Certificate Policies for Land Registry 6.1 Overview Certificates issued by the Land Registry Certification Authority (hereafter referred to as the CA) in accordance with the current document include a Certificate Policy identifier that can be used by Relying Parties in determining the Certificate s suitability and trustworthiness for a particular application. Certificates for four types of use are defined by these policies. 1. Where End Users apply Electronic Signatures locally. 2. Where End Users apply Electronic Signatures centrally. 3. Where End Users have authentication needs. 4. Devices with software key storage. The main body of this document describes the general requirements for issuing and managing Certificates. Annex B covers more specific details for issuing and managing Certificates for use where End Users are in possession of their cryptographic token and apply Electronic Signatures locally. Annex C describes the requirements for issuing and managing Certificates for use where End Users apply Electronic Signatures centrally under sole control. Annex D describes the requirements for issuing and managing Certificates for use by End Users with cryptographic tokens for authentication purposes. Annex E describes the requirements for issuing and managing Certificates for use by Devices. Sections 1 to 7 are common to all four policies, whereas the requirements on the CA will differ according to the Certificate issued, as defined in Annexes B to E. 10

11 6.2 Identification The identifiers for the Certificate Policies specified in the current document are at Annex A. 6.3 Policy changes Change procedures The following aspects of these Certificate Policies can change without notification and without requiring a new object identifier to be allocated: a. formatting and b. correction of minor typographic errors. The following aspects of this Certificate Policy can change with notification, but without requiring a new object identifier to be allocated: c. any aspect that does not lower, and cannot be perceived to lower, the fundamental trust that can be placed in the Certificate. The following aspects of this Certificate Policy cannot be changed unless a new object identifier is created: d. any aspect that lowers, or could be perceived to lower, the fundamental trust that can be placed in the Certificate Publication and notification An electronic copy of this document, duly signed by an authorised representative of the CA, is to be made available: a. at the Land Registry website b. via an request to certificate.policies@landregistry.gsi.gov.uk 6.4 Conformance The CA shall only use the identifier for the appropriate Certificate Policy as provided in 6.2 if: the CA claims conformance to the identified Certificate Policy and makes available on request the evidence to support the claim of conformance; or the CA has been certified to be conformant to the identified Certificate Policy. 6.5 Contact details These Certificate Policies are published by: Business Development Board HM Land Registry Head Office Lincoln s Inn Fields London WC2A 3PH Contact: certificate.policies@landregistry.gsi.gov.uk 11

12 7. Obligations and liability 7.1 Certification Authority obligations The CA shall ensure that all requirements, as detailed in the relevant sections applicable to the policy issued, are implemented. The CA has the responsibility for conformance with the procedures prescribed in the policy, regardless of its operational responsibilities in performing its functions. The CA shall also fulfil any additional obligations that are indicated in the Certificates either directly or incorporated by reference. 7.2 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below: a. only use the Key Pairs for the purposes defined in Section 9, 10, 11 or 12 and in accordance with any other limitations that may be notified to the Subscriber b. submit accurate and complete information to the CA during Subject registration in accordance with the requirements of the policy c. exercise reasonable care to avoid unauthorised use of the Subject s Private Key d. notify the CA, without any unreasonable delay, if any of the following occur up to the end of the validity period indicated in the Certificate the Subject s Private Key has been potentially or actually lost, stolen or compromised control over the Subject s Private Key has been lost due to potential or actual compromise of activation data (eg PIN code) or other reasons and/or inaccuracy or changes to the Certificate content, as notified to the Subscriber. e. ensure that if the Subscriber or Subject generates the Subject s Key Pair, only the Subject holds the Private Key f. ensure that Private Keys are generated within the hardware key storage device. 7.3 Relying Party obligations The obligations of the Relying Party if it is to reasonably rely on a Certificate are to: a. verify the validity, suspension or revocation status of the Certificate using current revocation status information as indicated to the Relying Party (see 9.4.6) b. take account of any limitations on the usage of the Certificate indicated to the Relying Party, either in the Certificate, or in the terms and conditions supplied as required in and and c. take any other precautions prescribed in the Certification Practice Statement. 12

13 7.4 Certification Authority liability Certificates issued by the CA will be used primarily for signing electronic dispositionary documents relating to registered land when permitted by law such as transfers or mortgages. Certificates can also be used to sign electronic contracts relating to registered land when permitted by law. Additional Certificates will be issued for End User and Device authentication purposes and for enabling secure communication channels. The liability taken by the CA, however, is limited to the correct application of procedures as declared in the Certification Practice Statement (as incorporated into the Technical Manual); these procedures relate to the issue and management of digital Certificates. Therefore any failure of transaction that utilises the digital Certificate is out of scope. In essence the liability will include the correct identification of Subjects according to the declared practices. If a transaction is found to be in error through the incorrect identification of the Subject through failing to follow the declared practices, then the CA is liable. If however the Subject is incorrectly identified, but the error was within the documents used to support the Subject s claim to an identity, then the CA shall not be liable. The CA shall include any limitation of liability within the Certificate, providing the relevant information within an easily accessible statement both on its website and within the Certification Practice Statement. The information above shall be available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language. 13

14 8. Annex A Registered Land Registry Certificate Policies The following Certificate Policies are defined within the Land Registry e-security service. Service Policy name Object identifier 2 Description Land Registry Local Signing. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 2} Where End Users apply Electronic Signatures locally. Land Registry Central Signing. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 3} Where End Users apply Electronic Signatures centrally. e-security Land Registry Individual Authentication. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 4} Electronic identity-based Authentication. 2 See ISO/IEC 8824:1988 CCITT X.208 Specification of Abstract Syntax Notation One (ASN.1), Annexes B to D for a definition. Land Registry Device Authentication. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 5} Device authentication Certificate Policy. 14

15 9. Annex B Requirements on Certification Authority Practice for Land Registry Local Signing Certificate Policy This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land such as transfers or mortgages, and who wish to keep their Private Keys in their possession. It includes Land Registry signing acknowledgement of any data presented to the Network and authenticating documents and information issued by Land Registry. The identifier for the Land Registry Local Signing Certificate Policy is: Policy Identifier = By including this object identifier in a Certificate, the CA claims conformance to the identified Land Registry Local Signing Certificate Policy. The Certificates issued under this policy may be used to support Electronic Signatures which meet the requirements of the Directive [1] and English law, in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The decision to accept the Certificate, however, is at the discretion of the Relying Party. Certificates issued under this policy are primarily focused on the following main classes of security services: identification of originator creation of an Electronic Signature integrity of data. The Certificate Authority shall implement the controls that meet the requirements set out in this annex. This Certificate Policy incorporates Sections 5, 6 and 7 of this document with the amendments and changes defined in this Annex. 9.1 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below: a. only use the Key Pairs for Electronic Signatures and in accordance with any other limitations that may be notified to the Subscriber and b. sub-paragraphs b. to f. contained in 7.2 above. 15

16 9.1.1 Key usage Certificates issued under this policy shall be used: a. by Conveyancers and their customers who wish to sign dispositionary documents for registration at Land Registry, for example for transfer or mortgage of title between parties, to enable Electronic Signatures b. by Land Registry for signing acknowledgement of data presented to the Network and/or c. by Land Registry to authenticate documents and other such information issued by Land Registry. The constraint is that the policy shall not cover any key usage other than non-repudiation as defined in [13] Certification Practice Statement The CA shall ensure that it has a Certification Practice Statement 3 that identifies the practices and procedures used to address all the requirements identified in this policy, as considered necessary through its risk analysis. a. its Certification Practice Statement identifies the obligations of all external organisations supporting the relevant Land Registry services including the applicable policies and practices b. details are made available of its Certification Practice Statement as necessary to assess conformance to the Certificate Policy c. the terms and conditions regarding use of the Certificate as specified in are disclosed to all Subscribers and potential Relying Parties d. it has a management body with final authority and responsibility for approving the Certification Practice Statement e. it has a defined review and maintenance process for its Certification Practice Statement f. revisions to the Certification Practice Statement are made available to the auditors and to all appropriate Subscribers and Relying Parties as in b. 9.3 Key Management Life Cycle Generation of Certification Authority Keys The CA shall ensure that CA keys are generated in accordance with industry standards. 3 This policy makes no requirement as to the structure of the Certification Practice Statement. 4 As defined by the Electronic Signatures Regulations a. generation of CA keys is undertaken in a physically secure environment (see 9.5.3) under, at least, dual control, and no greater number of personnel shall be authorised to carry out this function than required under the CA s practices b. generation of CA keys is carried out within a hardware key storage device which: meets the requirements identified in FIPS 140-2[9] Level3 or higher or meets the requirements identified in one of the following CEN Workshop Agreement [10], CWA [11] or CWA [12] or is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC [8], or equivalent security criteria c. the selected key length and algorithm for CA signing key shall be one which is recognised as being fit for purposes of qualified 4 Certificates as issued by the CA. 16

17 9.3.2 Certification Authority Key storage, backup and recovery The CA shall ensure that CA Private Keys remain confidential and maintain their integrity. a. its private signing key is held and used within a hardware key storage device which: meets the requirements identified in FIPS 140-2[9] Level3 or higher meets the requirements identified in one of the following CEN Workshop Agreement [10], CWA [11] or CWA [12] or is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC [8], or equivalent security criteria b. its private signing key is backed up, stored and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment (see 9.5.4). No more personnel shall be authorised to carry out this function than required under the CA s practices c. backup copies of the CA private signing keys are subject to the same or greater level of security controls as keys currently in use d. where the keys are stored in a dedicated key processing hardware module, access controls are in place to ensure that the keys are not accessible outside the hardware module Certification Authority Public Key distribution The CA shall ensure that the integrity of the CA Public Key and any associated parameters is maintained during its distribution to Relying Parties. In particular, the CA shall ensure that its Public Key is made available to Relying Parties in a manner that assures the integrity of the CA Public Key and authenticates its origin Key Escrow The CA shall not keep copies of Subject Private Keys Certification Authority Key usage The CA shall ensure that CA signing keys are used only for appropriate activities related to the CA operation such as signing Certificates (as defined in 9.4.3) and signing Certificate Revocation Lists (CRL), within physically secure premises End of Certification Authority Key life cycle The CA shall ensure that, at the end of their life cycle, all copies of the CA Private Keys are either: a. destroyed such that the Private Keys cannot be retrieved or archived in a manner such that they are protected against being put back into use. 17

18 9.3.7 Life cycle management of cryptographic hardware used to sign Certificates The CA shall ensure that: a. cryptographic hardware used for Certificate signing is shipped in such a manner that is tamper-evident b. cryptographic hardware used for Certificate signing is stored in such a way that is tamper-evident c. the installation, activation, back-up and recovery of cryptographic hardware used for Certificate signing requires a minimum of two trusted employees d. Certificate signing cryptographic hardware is functioning correctly e. CA Private Keys stored on CA cryptographic hardware are destroyed on device retirement CA provided Subject Key management services The CA shall ensure that any Subject keys that it generates are generated securely and the privacy of the Subject s Private Key is assured. If the CA generates the Subject s keys: a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy c. CA-generated Subject keys shall be generated and stored securely before delivery to the Subject d. the Subject s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key Hardware Key storage device preparation The CA shall ensure that if it issues to the Subject a hardware key storage device, this is carried out securely. In particular, if the CA issues hardware key storage devices: a. hardware key storage device preparation shall be securely controlled by the CA b. hardware key storage devices shall be securely stored and distributed c. hardware key storage deactivation and reactivation shall be securely controlled d. where the hardware key storage device has associated user activation data (eg PIN code), the activation data shall be securely prepared and distributed separately from the hardware key storage device 5. 5 Separation may be achieved by ensuring distribution and delivery at different times, or via a different route. 18

19 19 6 An example of evidence checked indirectly against a physical person is documentation presented for registration which was acquired as the result of an application requiring physical presence and shall be certified evidence such as a national ID card or passport. 7 The Certification Authority is liable as regards the accuracy of all information contained in the Certificate. 8 The place should be given in accordance to national conventions for registering births. 9 Copies of documents, appropriately countersigned (including by Electronic Signature), are suitable. The records should be securely stored as close as practicable to the location where the evidence is checked. Hence the use of an attestation in d. if the location where the evidence is checked differs from the place of registration. 9.4 Certificate Management life cycle Subject registration The CA shall ensure that evidence of Subjects identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation. a. before entering into a relationship with a Subscriber, the Subscriber is adequately informed through a formal agreement of the precise terms and conditions regarding use of the Certificate as given in b. if the End User is not the same as the Subscriber, the End User shall be informed of his/her obligations c. the agreement at a above is communicated through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language d. it has collected either by direct evidence or by an attestation from an appropriate and authorised source that the name and, if applicable, any specific attributes of the person to which a Certificate is issued, has been verified by appropriate means in accordance with Know Your Customer procedures, and that evidence of the name has been checked against a physical person either directly or indirectly using means providing assurance equivalent to physical presence, and that evidence may be in the form of either paper or electronic documentation 6,7 e. where the Subject is a person acting on behalf of an organisation, an attestation according to d has been collected from the organisation, which constitutes a declaration that evidence has been provided of the following: full name (including surname and given names) of the person attributes of the Subject which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place 8 of birth or a nationally recognised identity number full name and legal status of the associated legal person or other organisational entity any relevant existing registration information (eg company registration) of the associated legal person or other organisational entity evidence that the Subject is associated with the legal person or other organisational entity a physical address, or other attributes, provided by the Subject, which describe how the Subject may be contacted. f. where the Subject is a person acting on their own behalf, evidence is provided of: full name (including surname and given names) attributes which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place of birth, or a nationally recognised identity number g. all the information used to verify the Subject s name, including any reference number on the documentation used for verification, and any limitations on its validity, is recorded 9

20 h. the signed agreement with the Subscriber is recorded, including: Subscriber s agreement to the Subscriber s obligations as defined in Section ,11,12 consent to the keeping of a record by the CA of information used in registration (see h and i) and any subsequent revocation (see j), and passing of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service whether, and under what conditions, the Subscriber requires and consents to the publication of its Certificate that the information held in the Certificate is correct i. the records of evidence identified in d e and f above are retained for the period of time as indicated to the Subscriber within the precise terms and conditions (see a above) and as necessary for the purposes for providing evidence of certification in legal proceedings j. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification k. the requirements of data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process. 10 The End User may agree to different aspects of this agreement during different stages of registration. For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement. 11 Other parties (eg the associated legal person) may be involved in establishing this agreement. 12 This agreement may be in electronic form. 13 The End User may, if the Certification Authority offers this service, request a Certificate renewal for example where relevant attributes presented to the Certification Authority for the Certificate have changed or when the Certificate lifetime is running out Certificate renewal, re-key and update The CA shall ensure that requests for Certificate renewal, re-key following revocation or prior to expiration, or update due to change to the Subject s attributes are complete, accurate and duly authorised. 13 a. the information used to verify the name and attributes of the Subject is still valid b. if any of the CA terms and conditions have changed, these are communicated to the Subscriber and agreed to in accordance with a, b and g c. if any certified names or attributes have changed, or the previous Certificate has been revoked, the registration information is verified, recorded and agreed to by the Subscriber in accordance with d to h d. it only issues a new Certificate using the Subject s previously certified Public Key if its cryptographic security is still sufficient for the new Certificate s intended lifetime and no indications exist that the Subject s Private Key has been compromised Certificate generation The CA shall ensure that new, renewed and re-keyed Certificates are issued securely. a. the procedure of issuing the Certificate is securely linked to the associated registration, Certificate renewal or re-key, including the provision of any Subject generated Public Key b. if it generates the Subject s key, the procedure of issuing the Certificate is securely linked to the generation of the key pair by the CA c. over time the uniqueness of the distinguished name assigned to the Subject within the domain of the CA is ensured (ie over the lifetime of the CA a distinguished name which has been used in an issued Certificate shall never be re-assigned to another entity)

21 d. the confidentiality and integrity of registration data are protected especially when exchanged with the Subject or between distributed CA system components Dissemination of terms and conditions The CA shall ensure that the terms and conditions are made available to Subscribers, Subjects and Relying Parties. a. the terms and conditions regarding the use of the Certificate are made available to Subscribers, Subjects and Relying Parties, including: any limitations on Certificate use the Subscriber s obligations as defined in 7.2 information on how to verify the Certificate, including requirements to check the revocation status of the Certificate, such that the Relying Party is considered to reasonably rely on the Certificate (see 7.3) limitations of liability the period of time registration information (see 9.4.1) is retained express consent for the use of personal data if present in the Certificate the period of time CA event logs (see ) are retained procedures for complaints and dispute settlement the applicable legal system the information identified in a above is available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language Certificate dissemination The CA shall ensure that Certificates are made available as necessary to Subjects and Relying Parties. a. upon generation, the complete and accurate Certificate is available to the Subject for whom the Certificate is being issued b. Certificates are available for retrieval from the CA system in only those cases for which the Subject s consent has been obtained c. the terms and conditions regarding the use of the Certificate are made available to Relying Parties (see 9.4.4) d. the applicable terms and conditions are readily identifiable for a given Certificate e. the information identified in c above is available for a minimum of 21 hours per day, seven days per week, and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than the maximum period of time as denoted in the Certification Practice Statement f. the information identified in c above is publicly and internationally available. 21

22 14 Support for Certificate suspension is optional. 15 This may be done electronically. 16 Revocation status information may be provided, for example, using on-line Certificate status service or through distribution of CRLs through a repository Certificate revocation and suspension The CA shall ensure that Certificates are revoked in a timely manner based on authorised and validated Certificate revocation requests. a. as part of its Certification Practice Statement (see 9.2), the procedures for revocation of Certificates are documented, including: who may submit revocation reports and requests how they may be submitted any requirements for confirmation of revocation reports and requests whether and for what reasons Certificates may be suspended the mechanism used for distributing revocation status information the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all Relying Parties, and this shall be at most one day b. requests and reports relating to revocation (eg due to compromise of Subject s Private Key, death of the Subject, violation of contractual obligations) are processed on receipt c. requests and reports relating to revocation are authenticated and checked to be from an authorised source, if possible, and the method is to be documented in the CA s practices d. a Certificate s revocation status is set to suspended whilst the revocation is being confirmed, and the CA shall ensure that a Certificate is not kept suspended for longer than is necessary to confirm its status 14 e. the Subscriber agrees to inform the Subject (or Representative where the Subject is a Device) of a revoked or suspended Certificate within a reasonable time and to their best effort of the change of status of its Certificate 15 f. once a Certificate is definitively revoked (ie not suspended) it is not reinstated g. where CRLs, including any variants (eg Delta CRLs), are used, these are published at least daily and every CRL shall state a time for next scheduled CRL issue a new CRL may be published before the stated time of the next CRL issue and the CRL shall be signed by the CA h. revocation management services for processing of revocation requests from authorised revocation personnel are available 21 hours per day, seven days per week (hours as published on and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement i. revocation status information is available 21 hours per day, seven days per week (hours as published on gov.uk), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement 16 j. the integrity and authenticity of the status information are protected k. revocation status information is publicly and internationally available l. revocation status information shall include information on the status of revoked Certificates at least until the Certificate expires. 22

23 9.5 Management and operation The CA shall ensure that a risk assessment is carried out to evaluate operational risks and determine the necessary security requirements and operational procedures. The risk analysis shall be regularly reviewed and revised if necessary Security management The CA shall ensure that administrative and management procedures are applied which are adequate and correspond to recognised standards. a. it retains liability towards Relying Parties for all aspects of the provision of certification services, even if some functions are outsourced, except liability for accuracy of underlying evidence and attestations according to on which the CA reasonably relies as part of the service provision. Responsibilities of third parties shall be clearly defined by the CA and appropriate arrangements made to ensure that third parties are obliged to implement any controls required by the CA. The CA shall retain responsibility for the disclosure of relevant practices of all parties b. it provides, through its management, direction on information security through Land Registry s IT Security Committee (ITSC) that is responsible for defining the CA s information security policy and for ensuring publication and communication of the policy to all employees of the CA who are affected by the policy c. it maintains a system (or systems) for quality and information security management appropriate for the certification services it is providing d. it maintains at all times the information security infrastructure necessary to manage the security within the CA. Any changes that will affect the level of security provided shall be approved by the ITSC 17 e. it documents, implements and maintains the security controls and operating procedures for CA facilities, systems and information assets providing the certification services 18 f. the security of information is maintained when the responsibility for CA functions has been outsourced to another organisation or entity. 17 See ISO/IEC for guidance on information security management including information security infrastructure, management information security forum and information security policies. 18 This documentation (commonly called a system security policy) should identify all relevant targets, objects and potential threats related to the services provided and the safeguards required to avoid or limit the effects of those threats. It should describe the rules, directives and procedures regarding how the specified services and the associated security assurance are granted in addition to stating policy on incidents and disasters Asset classification and management The CA shall ensure that assets and information related to Land Registry E-Security services receive an appropriate level of protection. In particular the CA shall maintain an inventory of all information assets and shall assign a classification of their protection requirements consistent with the risk analysis (9.2) Personnel security The CA shall ensure that personnel and hiring practices support the trustworthiness of the operation of Land Registry E-security services. a. it only employs or contracts personnel possessing the expert knowledge, experience and qualifications necessary for the offered services and which are appropriate to the job function b. security roles and responsibilities, as specified in the CA s security policy, are documented in job descriptions. Trusted roles, on which the security of the CA s operation is dependent, shall be clearly identified 23