OTU Certification Authority

Transcription

1 Reference document: OTU.PC.0002 Revision of the document: 1.3 Document Date: 01/02/2015 Classification Public OTU Certification Authority Certification Policy Statement This document is a translation of the Certificate policy in French language. The French version of this document is the reference version and prevails over any other document. OTU C.A. - Certificate Policy Statement Page : 1 / 76

2 Table of Contents DOCUMENT REVISION HISTORY INTRODUCTION PURPOSE OF THE DOCUMENT IDENTIFICATION Document Identification Identification of Certification Authority PKI COMPONENTS PKI Functional diagram CA hierarchy OTU CAs Registration Authority (RA) Certificate holder Subscriber and Subject Certificate user Organization Other participants CLASSES OF CERTIFICATES One-time-use certificates Organization certificate USE OF CERTIFICATES Areas of use Prohibited uses CP MANAGEMENT Entity that manages the CP Contact Entity that determines whether a CPS complies with this CP CPS compliance approval procedure DEFINITIONS AND ABBREVIATIONS Main Definitions Abbreviations COMPLIANCE STATEMENT RESPONSIBILITIES WITH REGARD TO THE INFORMATION THAT HAS TO BE PUBLISHED ENTITIES IN CHARGE OF MAKING THE INFORMATION AVAILABLE INFORMATION THAT HAS TO BE PUBLISHED PUBLICATION TIME AND FREQUENCY ACCESS RESTRICTIONS APPLICABLE TO THE PUBLISHED INFORMATION Access to the other documents IDENTIFICATION AND AUTHENTICATION NAMING Types of names Necessity of using explicit names Anonymization or pseudonymization of Holders Rules for interpreting the various name forms Names uniqueness Identification, authentication and role of registred trademarks INITIAL IDENTITY VALIDATION Method for proving the possession of the private key Validation of organizations entities Validation of an individual s identity Unverified information Validation by the Authority of the Subscriber that makes a request OTU C.A. - Certificate Policy Statement Page : 2 / 76

3 3.2.6 RA validation Interoperability criteria IDENTIFICATION AND VALIDATION OF A KEY RENEWAL REQUEST One-time-use Certificate Organization Certificate IDENTIFICATION AND VALIDATION OF A REVOCATION REQUEST One-time-use certificate Organization certificate OPERATIONAL REQUIREMENTS ON THE LIFECYCLE OF CERTIFICATES CERTIFICATE REQUEST Origin of a certificate request Drawing up of a certificate request: process and responsibilities CERTIFICATE REQUEST PROCESSING Execution of the processes for identifying and validating the request Acceptance or rejection of the request Time needed to draw up the certificate CERTIFICATE DELIVERY Actions of the CA with regard to certificate delivery Notification by the CA of the delivery of the certificate to the Holder CERTIFICATE ACCEPTANCE Certificate acceptance process Certificate publication Notification sent by the CA to inform other entities of the delivery of the certificate KEY PAIR AND CERTIFICATE USES Use of the private key and certificate by the Holder Use of the private key and certificate by stakeholders CERTIFICATE RENEWAL Possible causes of certificate renewal Origin of a renewal request Renewal request processing Notification of the creation of a renewed certificate Process of acceptance of the new certificate Publication of the new certificate Notification sent by the CA to inform other entities of the delivery of the new certificate Not applicable DELIVERY OF A NEW CERTIFICATE AFTER THE KEY PAIR IS CHANGED Possible causes of certificate renewal Origin of a request for a new certificate Processing of a request for a new certificate Notification of the creation of the new certificate Process of acceptance of the new certificate Publication of the new certificate Notification sent by the CA to inform other entities of the delivery of the new certificate CERTIFICATE MODIFICATION Possible causes of certificate renewal Origin of a request for a new certificate Processing of a request for a new certificate Notification of the creation of the new certificate Process of acceptance of the new certificate Publication of the new certificate Notification sent by the CA to inform other entities of the delivery of the new certificate REVOCATION AND SUSPENSION OF CERTIFICATES Possible causes of suspension Origin of a revocation request Revocation request processing Time given to the Holder to request the revocation Time needed by the CA to process a revocation request Requirements with regard to the verification of the revocation by certificate users OTU C.A. - Certificate Policy Statement Page : 3 / 76

4 4.9.7 CRL publication frequency CRL publication deadline Other ways of getting information about revocations Requirements with regard to the online verification of the revocation of certificates by certificate users Other ways of getting information about revocations Specific requirements if the private key is compromised Possible causes of suspension Origin of a suspension request Processing of a suspension request Minimum and maximum durations of the suspension period of the certificate CERTIFICATE STATUS INFORMATION FUNCTION Operational characteristics Availability of the function Optional mechanisms END OF THE RELATIONSHIP BETWEEN THE SUBSCRIBER AND THE CA KEY ESCROW AND RECOVERY Policy and practices with regard to the recovery of the keys held in escrow Policy and practices with regard to the recovery of session keys through encapsulation NON-TECHNICAL SECURITY MEASURES PHYSICAL SECURITY MEASURES PROCEDURAL SECURITY MEASURES Trusted roles Number of people required per task Identification and authentication for each role Roles that require assignment separation SECURITY MEASURES WITH REGARD TO THE STAFF Required qualifications, skills and authorisations Judicial record verification procedure Basic training requirements Continuous training requirements Frequency and process for the rotation of the various assignments Sanctions in the case of unauthorised actions Requirements with regard to external providers' staff Documents given to the staff PROCEDURES FOR CONSTITUTING AUDIT DATA Types of events logged Event log processing frequency Event log retention period Event log protection Event log backup procedure Event log collection system Notification of the logging of an event to the person in charge of it Evaluation of vulnerabilities DATA ARCHIVING Type of data to archive Archive retention period Archive protection Archive backup procedure Data timestamping requirements Archive collection system Archive retrieval CHANGE OF THE CA S KEY RECOVERY FOLLOWING COMPROMISE AND DISASTER Procedures for reporting and processing incidents and compromises Recovery procedures should IT resources (hardware, software and/or data) be corrupted Recovery procedures should the private key of a component be compromised Ability to pursue the activity following a disaster END OF THE PKI S LIFE OTU C.A. - Certificate Policy Statement Page : 4 / 76

5 5.8.1 Transfer of activity or ceasing of activity affecting a PKI component other than the CA Ceasing of activity affecting the CA TECHNICAL SECURITY MEASURES KEY PAIR GENERATION AND INSTALLATION Key pair generation Transmission of the private key to its owner Transmission of the public key to the CA Transmission of the CA's public key to the various actors Key size Verification of the generation of key pair settings and their quality Target uses of the key SECURITY MEASURES FOR THE PROTECTION OF PRIVATE KEYS AND FOR CRYPTOGRAPHIC MODULES Security standards and measures for cryptographic modules Control of the private key Escrow of the private key Private key emergency backup Archiving of the private key Transfer of the private key to/from the cryptographic module Storage of a private key into a cryptographic module Private key activation method Private key deactivation method Private key destruction method Evaluation of the cryptographic module OTHER ASPECTS OF KEY PAIR MANAGEMENT Archiving of public keys Key pair and certificate life times Key inventory ACTIVATION DATA Generation and installation of the activation data Activation data protection Other aspects pertaining to activation data IT SYSTEMS SECURITY MECHANISMS Technical security requirements that are specific to IT systems Evaluation of IT systems MEASURING THE SECURITY OF SYSTEMS THROUGHOUT THEIR LIFE CYCLES Security measures related to system development Security management measures Evaluation of the security of systems' life cycles NETWORK SECURITY MEASURES TIMESTAMPING SYSTEM PROFILES CERTIFICATES, OCSP AND CRL CERTIFICATE PROFILES Version number Certificate extensions Algorithm OIDs Naming schemes Naming constraints CP OID Use of the "policy constraints" extension CRL PROFILE CRLs and extensions OCSP PROFILE COMPLIANCE AUDIT AND OTHER EVALUATIONS FREQUENCY AND/OR CIRCUMSTANCES OF AUDITS AUDITORS IDENTIFIES/QUALIFICATIONS RELATIONSHIPS BETWEEN AUDITORS AND AUDITED ENTITIES OTU C.A. - Certificate Policy Statement Page : 5 / 76

6 8.4 SUBJECTS COVERED BY AUDITS ACTIONS CARRIED OUT FOLLOWING AUDIT CONCLUSIONS Passed To be confirmed Failed PUBLICATION OF RESULTS OTHER BUSINESS AND LEGAL ISSUES PRICES INSURANCE Insurance coverage Other Resources Coverage and guarantee applicable to user entities CONFIDENTIALITY OF PROFESSIONAL DATA Scope of secret information Scope of confidential information Information that falls out of the scope of confidential information Responsibilities with regard to the protection of confidential information PROTECTION OF PERSONAL DATA Policy for the protection of personal data Personal Information Non-personal information Responsibilities with regard to the protection of personal data Use of personal data: notification and consent Conditions for disclosing personal information to legal or administrative authorities Other circumstances under which personal information is disclosed INTELLECTUAL AND INDUSTRIAL PROPERTY RIGHTS OBLIGATIONS AND GUARANTEES Certification Authority Registration Authority Holders obligations Subscribers Subject Certificate users Other participants LIMITED GUARANTEE LIMITATED LIABILITY COMPENSATION VALIDITY PERIOD AND EARLY EXPIRY OF THE CP Validity period Early expiry Effects of expiry; clauses that remain applicable INDIVIDUAL NOTIFICATIONS AND COMMUNICATIONS BETWEEN PARTICIPANTS AMENDMENT PROCEDURES Amendment process and information period Circumstances under which OID must be changed DISPUTE RESOLUTION CLAUSE JURIDICTION COMPLIANCE WITH LAWS AND REGULATIONS MISCELLANEOUS CLAUSES Global Agreement Activity transfers Consequences of an invalid clause Application and renonciation Force majeure OTHER CLAUSES APPENDIX REGULATION/STANDARDISATION OTU C.A. - Certificate Policy Statement Page : 6 / 76

7 10.2 CONTRACTUAL DOCUMENT REQUIREMENTS WITH REGARD TO SECURITY OBJECTIVES QUALIFICATION REQUIREMENTS END OF DOCUMENT Document Revision History Version Date Author Pattern /12/2012 C.BRUNET Initial public release /04/2013 C.BRUNET Evolution following remarks during the initial ETSI audit: : reformulation of the origins of the revocation 5.8.2: More detail on CRL extended in case of cessation of activity /11/2013 C.BRUNET Evolution after adjustment contract : Further explanation of conservation outside use data in the certificate 5.5.2: Changing the retention periods of registration dossiers : The term "immediately" is replaced by "promptly" 9.9, 9.13, 9.14, : Change in reference to Client contracts / AWL /02/15 C.BRUNET Evolution after the newname of the company, and change of certificate template : All the document : Worldline is replaced by Worldline (notice : it the same company using the same registration number : SIRET) : modification of the content of DN field, Subject Alt Name and Key usage OTU C.A. - Certificate Policy Statement Page : 7 / 76

8 1. Introduction 1.1 Purpose of the document This document describes the certification policy (CP) of the OTU CA that has been created to issue signature certificates as part of the OTU online subscription service. This CP describes: - The requirements which the OTU CA complies with during the registration and verification of certificate requests. - The management of certificates through their life cycles. - The security measures applicable to the infrastructure. - the uses for which these certificates are issued This CP is applicable to the certificates intended for certificate Holders. A second document called Certification Practice Statement [CPS] is drawn up in addition to this CP. The CPS sets out the certificate management that a CA implements. This document describes how the OTU CA is implemented: - IT and network resources; - external software packages, proprietary services; - physical security implemented on hosting sites; - logical security of IT resources; - certificate management procedures; - Operation and staff training procedures. Therefore, the CPS is the answer to the project requirements specified in the CP. OTU C.A. - Certificate Policy Statement Page : 8 / 76

9 1.2 Identification Document Identification Elements Value Title Certification Policy of the OTU Certification Authority Document reference OTU.PC.0002 Version 1.2 Author Worldline Product reference OTU Certification Authority Keywords Certification Authority, Certification Policy, CP, Electronic certification, Electronic signature Identification of Certification Authority The Certification Authority is called "OTU ". AFNOR (the French national organization for standardization) has assigned n to "Worldline". The OIDs are based on Worldline s OID and built as follows: x.y.z.w where: x is the year on which the PC was created: 2012 => 12 y is a number that indicates that the document was the y -th document created during the year (in the CP number specified below, y=7, which means that the CP was the seventh document created in 2012.). z is the version of the CP. w is the type of certificate within the CA. The OID of OTU CA s CP is One-time-use Certificate OID: Organisation Certificate OID: PKI components PKI Functional diagram The implemented OTU PKI consists of several functional components, which are described in detail in section 1.3. OTU C.A. - Certificate Policy Statement Page : 9 / 76

10 1.3.2 CA hierarchy The OTU CA is attached to an Atos Worldline Root CA. DN: C = FR O = Atos worldline OU = CN = AC Racine - Root CA OID: OTU CAs It is imperative that the OTU CA implement this OTU CP. The OTU CA signs the certificates that it issues with its private key and is responsible for them. For this purpose, the OTU CA relies on a technical infrastructure called Public Key Infrastructure (PKI). The services that the PKI provides are the product of various services that correspond to the various stages of the life cycles of key pairs and certificates. In terms of functions, the OTU PKI can be broken down as follows: Registration Service; Certificate Registration Service; Certificate Delivery Service; Certificate Revocation Service; Certification Status Information Service. OTU C.A. - Certificate Policy Statement Page : 10 / 76

11 Certifying Authority Here, this term refers the technical part of the Certification Authority or certification service. It is the entity that produces certificates at the request of the Registration service. It is also in charge of the complete life cycle of the certificate (manufacturing, publication...). This service generates (electronic signature with the private key of the OTU CA) the certificates from the information given by the Registration Authority, and the Certificate Holder's public key produced by the function that generates Holders' secret elements. The Certification Authority is also represented by an Authority manager appointed within Worldline Certificate delivery service This function delivers the certificate signed by the Certification Authority to the Registration Authority. This certificate is then sent to the certificate Holder so it can be used within the scope described in section Service Certificate Revocation This service processes certificate revocation requests. The processing results are given through the certificate status information service Information on the status of certificates Service This function provides certificate users with information about the statuses of certificates (revoked...). This function is implemented through the use of a Certificate Revocation List (CRL) Registration Authority (RA) The RA is the contact of customer units (Subscribers) that send certificate requests to it. This is where the following operations are carried out: - authentication of the Subscriber that makes the request; - verification of the content of certificate requests; - registration of certificate requests; - certificate delivery; - archiving of certificate requests; - registration of revocation requests; - acceptance or refusal of revocation requests; - archiving of revocation requests. To provide these services, the RA relies on technical means, notably a Registration service for managing the life cycles of certificates for the CA. This Registration Service thus constitutes a unique point for accessing the CA (servers for conveying requests and delivering certificates) Certificate holder In the context of this CP, the Certificate Holder is different from the Certificate Subject. Indeed, the term "Certificate Holder" refers to a software and hardware entity that is hosted by Worldline and stores the Subject s or an organisation's certificate and private key. The Certificate Subject is in charge of the following tasks: generation of the key pair; secure storage of the key pair; generation of the Certificate Signing Request (CSR) that contains the user information given by the Subscriber; use of the private key and certificate for electronic signature purposes on behalf of the Certificate Subject's organisation; destruction of the private key (according to the types of certificates; see 1.4). OTU C.A. - Certificate Policy Statement Page : 11 / 76

12 The Certificate Holder stores the secret elements securely and has exclusive control over them on behalf of the Subject or organisation Subscriber and Subject In certain cases, certificates can be issued directly, at their request, to physical people who act on their own behalf and for their own use. These people are called Subjects and have a direct link with the Subscriber, which they request certificates from. It must be noted that in the context of OTU CA, the Subscriber requests certificates from the OTU Certification Service for its Customer. As soon as the Customer wants to sign electronically the document that the Subscriber has sent to them as part of the electronic contract signing process, the Subscriber, who has subscribed to the services of the OTU CA, requests the certificate for its customer, who will be the subject of the issued certificate. Prior to the certificate request for its Customer, the Subscriber, notably according to its business needs, will have identified its Customer so the Certificate issued with the Customer's name is based on a reliable, reasonably verified identity. In this case, the Certification Authority will produce a one-time-use certificate (see ). The Subscriber's customer can be an individual or a company's representative. for one or more Organisations that depend on the Subscriber. The Certification Authority then produces Organisation certificates (see section ) Certificate user The user is the natural or legal person that uses the information of a certificate that they receive (here through an electronic signature). This signature is associated with a digital document (PDF document). It should be noted that the signature of a PDF document is mostly used by the products supplied by ADOBE, such as Acrobat Reader. These products have functions for viewing the signature of the document. Not all other PDF viewers have functions for viewing signatures Organization An Organisation is attached to a Subscriber that will request a signature certificate containing the Organisation's name. This certificate is only used as part of the PDF signature service operated by Worldline. The Organisation uses a Certificate Holder operated by Worldline to store and sign documents in its stead as part of a delegation between Worldline and the Subscriber. Although the Subscriber and the Organisation are the same entity in most cases, it is possible to make a difference between the two. For instance, a Subscriber may want to use a brand name rather than the company's name. If a group has multiple subsidiaries, the Subscriber and the Organisation may have different names. In any case, the Subscriber will have to prove the right that it holds (ownership of the name, extract from the French Trade Register, mandate) to specify an Organisation name that differs from its own. An Organisation certificate refers to a person who represents the Subscriber and is duly authorised. This person's name appears in the certificate provided by the OTU CA. In relation to the ETSI specifications document, an organisation has to be considered as a subject. However, this CP refers to the Organisation by name Other participants Human resources complete the system: - IT systems operators (who maintain the operational condition of the system); - teams in charge of maintaining the compliance of the system. OTU C.A. - Certificate Policy Statement Page : 12 / 76

13 1.4 Classes of certificates The OTU CA produces two types of certificates. The main difference between these two types is the OID (see 7.1) One-time-use certificates A one-time-use certificate is produced by the Certification Authority for a human subject for whom a certificate is produced at the Subscriber's request. This certificate has a very short life time and makes it possible to produce a PDF document signature on behalf of the Subject at the Subscriber's request. The Subscriber sends the one-time-use certificate request to the OTU Registration Authority through a message that it signs electronically. This message contains: the data that identify the subject. an electronic signature that makes it possible to guarantee the integrity of the identification data as well as the Subscriber's identity. The CPS describes how the message is validated during the signing request. The Subscriber is responsible for the identification data that are sent in the request and which make it possible to create a certificate that contains the subject's verified data. A subject's private key is generated in a dedicated, secure piece of equipment (Hardware Secure Module) that has been granted certification FIPS level 2 or above. Once the one-time-use certificate has been used at the Subscriber's request, the corresponding private key is destroyed in the HSM Organization certificate The Organisation certificate is delivered as part of the PDF signing service that Worldline operates on its own premises on behalf of the Organisation. The Organisation certificate enables this Organisation to request from Worldline the signing of PDF documents by an Organisation (Certification). The Subscriber sends to the signing request to the Subject through a message that it signs electronically. The certificate request is a procedure that takes place between a representative authorized by the Subscriber and an Worldline Registration Operator. The information that has to be supplied for the request is specified in detail in section This PC does not impose any physical presence requirements but reserves the rights to have additional checks performed, such as verification phone calls. An organisation's private key is generated in a dedicated, secure piece of equipment (Hardware Security Module) that has been granted certification level FIPS level 2 or higher. 1.5 Use of certificates Areas of use Holders key pair and certificates This CP deals with the key pairs and certificates that are intended for the categories of Holders identified in chapter Erreur! Source du renvoi introuvable. above so said Holders can sign PDF documents electronically as part of a dematerialised subscription or transmission procedures. OTU C.A. - Certificate Policy Statement Page : 13 / 76

14 Key pair and CA certificates and components The OTU CA has a single key pair that is used only to sign Subject or Organisation certificates, and CRLs. Its certificate is signed by the upper-level CA; see section The structure of the OTU PKI is the following : - certificate of the root CA: self-signed AWL-RACINE electronic certificate; - certificate of the child CA: electronic certificate delivered by the Root CA to a CA; - holder Certificate: electronic certificate delivered by the child OTU CA to a Holder Prohibited uses Any use of a certificate issued by the OTU CA that contravenes the uses described in sections & 4.5 of this CP is prohibited. The OTU CA cannot be held liable if a certificate that it issues is used for any other use than those specified in sections & 4.5 of this CP. OTU C.A. - Certificate Policy Statement Page : 14 / 76

15 1.6 CP management Entity that manages the CP Worldline is responsible for drawing up this CP, maintaining it, and revising it as soon as necessary. For this purpose, the security committee will make regular decisions as to the necessity of making changes to this CP Contact The authorized contact for any comment, request for additional information, claim or submission of a dispute file concerning this CP is: Comité "MediaCert OTU" Worldline 19, rue de la Vallée Maillard B.P Blois Cedex France dlfr-mediacert-ac-otu@atos.net Entity that determines whether a CPS complies with this CP Worldline has the compliance of the CA verified by external auditors CPS compliance approval procedure Worldline appoints the people who determine whether the CPS complies with this PC. These people are Worldline employees. 1.7 Definitions and Abbreviations Main Definitions The definitions of the main technical terms used in this CP are provided below. Certificate: standardised X509 data that makes it possible to associate a public key with its possessor. A certificate contains data such as: - the possessor's identity; - the possessor s public key; - the identity of the organisation that issued the certificate (CA); - the validity period; - a serial number; - a thumbprint; - usage criteria. All these elements are signed by the CA. The Certificate is delivered by a Certification Authority that signs the certificate which contains the Subscriber's Customer's identity and its capacity as declared by the Subscriber, whether said Customer is a physical person who acts for their own needs, or a duly authorized physical person who acts on behalf of their Organization. The certificate makes it possible to validate the link between the electronic signature and its declared signatory, who is the certificate subject. OTU C.A. - Certificate Policy Statement Page : 15 / 76

16 As part of this CP, the certificate is not a qualified one. The certificate is valid for a period that is specified in it. Certificate holder: software component that obtains one or more certificates from the CA. These certificates are used for electronic signature purposes according to the applications and types of certificates. The "Certificate Holder" entity is represented by servers that are operated along with the CA, and guarantees the exclusive control of key pairs by this entity only. Certificate management service - See section Certificate request: request sent the Subscriber to the Registration Authority with a view to obtaining a certificate for the Subscriber's Customer. It includes information that has to be supplied to the Registration service along with the certificate request. Certificate status information service - See section Certificate template: computer data resulting from the Registration of a Subscriber that request a certificate from the Registration service; it is then sent to the Certification Authority so it can be signed. Certification Authority (CA): see section Authority in charge of implementing this CP. It also refers to the technical entity that produces the certificates at the request of the Registration service, and is more generally in charge of managing them (manufacturing, delivery, revocation, publishing, logging, archiving) in accordance with the CP. Certification Policy (CP): published document that describes all the rules defining the requirements which the CA abides by when setting up and providing services, and which specifies whether a certificate is applicable to a particular community and/or application category with common security requirements. If need be, a CP can also identify the obligations and requirements applicable to the various actors as well as all the components involved in managing the life cycles of certificates. The certification policy is identified by an OID. Certification Practice Statement (CPS): identifies the practices (Organisation, operational procedures, technical and human resources) that the CA implements when providing users with its electronic certification services in accordance with the certification policy/policies which it undertakes to abide by. Common Name (CN): element of the "subject" field of the certificate which contains the identity of its possessor Distinguished Name (DN): distinguished X500 name for which the certificate is issued. The DN is made up of data, including the CN, which make it possible to know its identity precisely and unequivocally. Electronic registration file: electronic data container designed to contain all the data sent by a Subscriber during a certification request (certificate information, subject identification data, etc.). These data are archived in an archiving system with evidentiary value that the CA can search at any time. Electronic signature: "Data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication." In this CP, the term "electronic signature" abides by the definition of the electronic signature given by the European Directive of the European Parliament and Council dated 13 December 1999, but it does not meet the requirements of signatures based on qualified certificates. OTU C.A. - Certificate Policy Statement Page : 16 / 76

17 Hash: refers to the result of a calculation performed on digital content so any change made to this content, even a tiny one, also alters the hash. The hash is used to identify data and verify their integrity over time. Key pair: a key pair consists of a private key (which has to be kept secret) and a public key. This combination is needed to implement a cryptography service based on asymmetrical algorithms (e.g. RSA). Lightweight Certificate Policy (LCP): certification policy that provides a service quality that is less costly than that achieved with the certification policies for qualified certificates as defined by the [ETSI]. Organization: entity that represents a company or is authorised to use a brand name for which a signature certificate will be delivered at a Subscriber s request. OTU Certificate: one-time-use certificate that is produced dynamically during the online contract signing process. This certificate is used by the platform during a single signing session (signing by the platform of the various documents of a contract for the subject); the signing key is then destroyed. PKI components: hardware platforms (computers, HSMs, chip readers) and software products that play specific roles within the PKI. Registration Authority (RA): see section Authority in charge of receiving certificate requests from the Subscriber, verifying them, archiving them and sending them to the Certification Authority. This term also refers to the technical entity in charge of implementing the Registration service Registration Service: see Registration Authority Relying party: in the context of this CP, the relying party is the entity that uses the certificate that it receives (here through an electronic signature) This signature is associated with a digital document e.g. a PDF file. Signing session: operation that takes place between the signing request and the return of the signed document(s) by the natural or legal person that is referred to in the request. During a signing session, several successive signing operations can be performed with the same certificate. Subscriber: entity that has registered with the OTU certificate delivery service for the delivery of Organisation certificates bearing the names of duly authorised people within the Subscriber. of One-time-use certificates bearing the names of the Subjects referred to by name in this CP and who will have been identified in advance. Subject: natural person identified in the certificate as its possessor. The "Certificate holder" entity is in charge of the generation and exclusive use of the private key that is associated with the public key specified in the certificate Trust chain: set of certificates necessary to validate the origin of a certificate delivered to an entity. For this CP, the trust chain consists of the certificate of the OTU CA. OTU C.A. - Certificate Policy Statement Page : 17 / 76

18 User: see Relying Party Abbreviations The acronyms used in this CP are: CA: Certification Authority CARL: Certificate Authority Revocation List CC: Common Criteria CN: Common Name CO: Certification Operator CP: Certification Policy CPS: Certification Practice Statement CRL; Certificate Revocation List CSR: Certificate Signing Request DN: Distinguished Name ETSI: European Telecommunications Standards Institute FQDN: Fully Qualified Domain Name HSM: Hardware Security Module ISO: Information Security Officer ISS: Information System Security KC: Key Ceremony OID: Object Identifier OTU CA: Certificate Authority that delivers the certificates described in this CP PKI: Public Key Infrastructure PP: Protection Profile PS: Publishing Service PSCE : Electronic Certification Service Provider RA: Registration Authority RCA: Root Certification Authority RFC: Request For Comment RO : Registration Operator RSA: Rivest Shamir Adelman SHA: Secure Hash Algorithm SS: Secure Sockets Layer TA: Timestamping authority TLS: Transport Layer Security URL: Uniform Resource Locator UTC: Universal Time Coordinated 1.8 Compliance statement This CP complies with the LCP level of technical specification [ETSI ]. OTU C.A. - Certificate Policy Statement Page : 18 / 76

19 2 Responsibilities with regard to the information that has to be published 2.1 Entities in charge of making the information available To provide the information that has to be published for certificate users, the CA implements a publishing function and a certificate status information function. This CP and the CRL are both available publicly. 2.2 Information that has to be published The OTU CA publishes the Certificate Revocation List (CRL) using the HTTP protocol. The OTU CA publishes this certification policy. The URLs for accessing the CP and the CRL are available in extensions of the certificates delivered by the OTU CA (see Profile in section 7.1) respectively: the CPS URI extension; the CRL Distribution Point extension. The OTU CA publishes the certification documents that are available and provided by an approved organisation on its website Publication time and frequency The time and frequency at which the certificate status information is published, as well as the availability requirements concerning said information, are specified in sections & The CP that is publicly available is the most recent one in force. 2.4 Access restrictions applicable to the published information The CRL and CP are read-only documents Access to the other documents Write access to the systems used to publish information about the statuses of certificates (i.e. adding, deleting or modifying the published information) is strictly limited to the authorized internal functions of the OTU PKI through authentication on dedicated access control servers. Write access to the other information is strictly limited to the authorized internal administration functions of the OTU. The access control is performed by dedicated servers. The CPS specifies the access control resources that are implemented. OTU C.A. - Certificate Policy Statement Page : 19 / 76

20 OTU C.A. - Certificate Policy Statement Page : 20 / 76

21 3 Identification and Authentication 3.1 Naming Types of names The names used comply with the specifications of the X.500 standard. In each X509v3 certificate, the "issuer" and "subject" fields are identified using X.501 "Distinguished Names" (DN) in the form of printable strings Necessity of using explicit names In the case of a one-time-use certificate, the certificates issued according to this CP contain the explicit name and first name of the subject. In the case of organisation certificates, the issued certificates contain the explicit name and first name of the individual who has been authorized by the Subscriber, and the organisation's name Anonymization or pseudonymization of Holders The notions of anonymization or pseudonymization are not used Rules for interpreting the various name forms The interpretation of the information of the DN field is explained in the Certificate Profiles chapter of the OTU CA's CP (see section 7) Names uniqueness The "Distinguished Name" (DN) field is unique for each Holder. Any request that does not comply with this rule is refused. Therefore, throughout the life of the CA, a DN that has been assigned to a Holder cannot be assigned to another. Section specifies the rules that are applied to achieve such name uniqueness. For one-time-use certificates, name uniqueness is guaranteed throughout the life cycle of the CA. Therefore, if a Subject requests two distinct certificates through the Subscriber, 2 different DNs will be issued. For Organisation certificates, the uniqueness of the DN is guaranteed by the Registration Operator during the Registration. For the same organisation, the DN will not change when certificates are renewed Identification, authentication and role of registred trademarks See Initial identity validation Method for proving the possession of the private key One-time-use certificate For certificates designed to be used over a short period of time, the possession of the key is verified through a low-level cryptographic check of a first signature produced using the private key. OTU C.A. - Certificate Policy Statement Page : 21 / 76

22 If the verification fails, the PDF document is not signed, the private key is destroyed, and the Subscriber who has made the request receives an error message saying that said request has failed. The subject of this certificate is not subjected to this proof of possession Organization Certificate The proof of possession of the private key supplied by the Holder is guaranteed when the latter generates the request, thanks to the signing of the message with the private key that corresponds to the public key contained in the PKCS#10 message sent to the RA. These request formats include signing with the corresponding private key, which maintains their integrity and the proof of possession of the private key. The authorized individual specified in the certificate is not subjected this proof of possession Validation of organizations entities Initial validation of the Subscriber The initial validation of a Subscriber is associated with the prior establishment of a contractual relationship between the Subscriber and Worldline. This is the Contract by which the Subscriber subscribes to the OTU electronic signing service. A representative of the Subscriber has to be identified; they will later be the CA's contact for Organisation certificate requests. The Subscriber can formally appoint people who are authorized to represent it. It has to inform the CA in order to do so. During the implementation of the subscription contract, the representative appointed by the Subscriber will have to supply a copy of a valid official identity document that includes a valid identity photograph (French national ID, passport or residence card). The RA will keep a copy of it. They will also have to supply an address that will be used to contact them, notably to send information to them during organisation certificate requests. When the representative of the Subscriber requests an organisation certificate, said representative is authenticated by the Registration Operator. When they request one-time-use certificates from the RA, the representative of the Subscriber will have to authenticate themselves and sign these requests electronically. When requesting signing from the Holder, the Subscriber will have to authenticate itself and sign these requests electronically. It is imperative that the Subscriber use the authentication and signing modes required by the RA and Holder. The certificates used by the Subscriber to authenticate itself, and sign the certificate and signing requests have to be issued by a certification authority approved by the OTU CA. The CPS describes the method for authenticating the Subscriber, which is based on the use and verification of the electronic certificates with the RA and Holder. It also describes the checks that are performed. OTU C.A. - Certificate Policy Statement Page : 22 / 76

23 The RA keeps all the documents sent during this subscription operation Validation of an Organization As explained in section 1.3.8, the Organization is represented by an authorized individual. The Subscriber has to supply the following information: a request less than three months old signed by an identified representative of the Subscriber; this request has to specify: o the Organisation's name; o the future individual who will be authorized and identified in the certificate. The Authorized individual has to sign this request for acceptance. any document that is valid at the time of the certificate request and which: o can prove the Subscriber's right to use the Organisation's name in the certificate [if the Certificate is intended for the Subscriber itself (identical name), this document is not required.]. o proves the existence of the Organisation. o contains the SIREN number or its equivalent or, if none, another document that will identify in a unique way the Organisation that will be specified in the certificate. any document that is valid at the time of the certificate request and which makes it possible to prove that the authorized individual belongs to the organisation. a copy of a valid official identity document of the authorized individual (French national ID, passport or residence card). The RA will keep a copy of this document. the postal address, address and phone number that the CA can use to contact the authorized individual. The RA keeps all the documents sent during this request. This PC does not impose any physical presence requirements. However, the RA may carry out additional checks by phone Validation of an individual s identity Validation of the identity of a one-time-use certificate subject The Subscriber requests the certificate for the Subject from a RA. The Subscriber's request is made electronically. The Subscriber creates the request and signs it with an electronic signature. At the very least, the Subscriber's request has to contain the following identification data about the Subject: the Subject's name and first name; the Subject's title. The Subscriber can also specify (but not only) the following elements: the Subject's postal address; the Subject's phone number; the Subject's address, OTU C.A. - Certificate Policy Statement Page : 23 / 76

24 the Subject's date and place of birth. Although this information is not contained in the produced certificate, it will be kept in the electronic registration file associated with the issuance of the certificate. Keeping these data is necessary, because they are needed to create the registration file that will be associated with each certificate issuance. This registration file contains these data, which describe the processes and data for identifying the final customer. The certificate template as described in section defines how the uniqueness of the name is guaranteed in the certificate. The Subscriber has to specify to the CA: The reliable user identification process that will be used alone or along with other processes, and which makes it possible to verify the civil identity declared by the future subject, notably: o the addition of a digitized evidentiary document (subject to the verification of the digitized image); o o o additional information that is known beforehand, is specific to the future subject and makes it possible to identify the latter in a predefined database. a verified digital identity (as opposed to a declared digital identity); any other process that makes it possible or has made it possible to verify the declared identity of a subject. This list is not exhaustive, but the Subject s electronic signature of the electronic document submitted to them by the Subscriber has to guarantee the link between said signature and the related document. This identification process will have been described beforehand by the Subscriber during its subscription request. The process can be implemented by a technical Operator working on behalf of the Subscriber. Since the process is described by the Subscriber, the latter is in charge of: implementing it (or have it implemented by its technical service provider). sending, in an electronic registration file, the identification data captured during the implementation of the selected process. The CPS describes the implementation of the electronic registration file that will be created on this occasion. The CA reserves the right to assess the reliability of the identification process and not to deliver certificates if the reliability of the process is deemed insufficient. The Subscriber has to provide: the technical information showing how the subject explicitly agreed to perform an electronic signing operation through the one-time-use certificate. Examples of such processes are (this list is not exhaustive.): o electronic capture of a handwritten signature; o provision of a code received via SMS on a mobile phone; o a recording of the subject's voice. OTU C.A. - Certificate Policy Statement Page : 24 / 76