CERITIFICATE POLICY CONCERNING PERSONAL DIGITAL CERTIFICATES OF BANK OF FINLAND AND FINANCIAL SUPERVISORY AUTHORITY EMPLOYEES

Transcription

1 Certificate Policy 1 (18) CERITIFICATE POLICY CONCERNING PERSONAL DIGITAL CERTIFICATES OF BANK OF FINLAND AND FINANCIAL SUPERVISORY AUTHORITY EMPLOYEES 1 INTRODUCTION Overview Document name and identification PKI participants Certificate usage Policy administration Definitions and acronyms PUBLICATION AND REPOSITORY RESPONSIBILITIES Repositories Publication of certification information Time or frequency of publication Access controls on repositories IDENTIFICATION AND AUTHENTICATION Naming Initial identity validation Identification and authentication for re-key requests Identification and authentication for revocation request CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS Certificate Application Certificate application processing Certificate issuance Certificate acceptance Key pair and certificate usage Certificate renewal Certificate re-key Certificate modification Certificate revocation and suspension Certificate status services End of subscription Key escrow and recovery FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS Physical controls Procedural controls Personnel controls... 12

2 Certificate Policy 2 (18) 5.4 Audit logging procedures Records archival Key changeover Compromise and disaster recovery CA or RA termination TECHNICAL SECURITY CONTROLS Key pair generation and installation Private Key Protection and Cryptographic Module Engineering Controls Other aspects of key pair management Activation data Computer security controls Life cycle technical controls Network security controls Time-stamping CERTIFICATE, CRL, AND OCSP PROFILES Certificate profile CRL profile OCSP profile COMPLIANCE AUDIT AND OTHER ASSESSMENTS Frequency or circumstances of assessment Identity/qualifications of assessor Assessor's relationship to assessed entity Topics covered by assessment Actions taken as a result of deficiency Communication of results OTHER BUSINESS AND LEGAL MATTERS Fees Financial responsibility Confidentiality of business information Privacy of personal information Intellectual property rights Representations and warranties Disclaimers of warranties Limitations of liability Indemnities Term and termination Individual notices and communications with participants Amendments... 18

3 Certificate Policy 3 (18) 9.13 Dispute resolution provisions Governing law Compliance with applicable law Miscellaneous provisions Other provisions... 18

4 Level 0 Level 1 Level 2 Certificate Policy 4 (18) 1 INTRODUCTION This document defines the Certificate Policy (CP) of the Certification Authority (CA) of Bank of Finland (BOF). The Certification Authority of Bank of Finland issues personal digital certificates for the employees of the Bank of Finland and Financial Supervisory Authority (FIN-FSA). This Certificate Policy document is not a legal contract or legal document but it is rather a description of factors affecting the reliability of certificates issued by Bank of Finland s Certificate Authority. The security procedures and technical specifications presented in this document regarding digital certificate production are implemented in accordance with the European System of Central Banks (ESCB) Certificate Acceptance Framework (CAF) and best practices of Bank of Finland. The practices observed within Bank of Finland s Certificate Authority in the process of producing digital certificates are described in a separate Certification Practice Statement (CPS) document. 1.1 Overview The overview of CA infrastructure in Bank of Finland is presented in picture 1. Picture 1: CA infrastructure of Bank of Finland Certificate Holder BOF CA Root CA The CA infrastructure of Bank of Finland consists of two hierarchically deployed CA servers: Root CA and BOF CA.

5 Certificate Policy 5 (18) Root CA is the absolute base of the hierarchy. It only issues digital certificates to subordinate CAs. BOF CA is a subordinate CA server which is used to issue personal digital certificates for Bank of Finland and FIN-FSA personnel. Management of the CA infrastructure is handled by the Information Technology department of Bank of Finland. 1.2 Document name and identification 1.3 PKI participants The complete name of this document is Certificate policy concerning personal digital certificates of Bank of Finland and Financial supervisory authority employees. The object identifier for this Certificate policy is The certification entities and operations covered by this certificate policy are presented in following table: PKI participant Certification authority Role Certification authority produces the certificate services under the terms referred to in this certificate policy provided by Bank of Finland. Certification authority has the following tasks: Fulfilling its responsibility for providing certificate and directory services as well as revocation services. Monitoring to ensure that this CP as well as the CPS of Bank of Finland is followed when granting certificates. Maintaining the CP and CPS documents. Ensuring such human resources for the certification so that the process has every chance of succeeding. Ensuring that only reliable IT systems are used for the certification.

6 Certificate Policy 6 (18) Registration authority Certificate holder Revocation service Monitoring to ensure that the IT systems used for certification are used appropriately and preventing other use. Certificates as referred in this CP are registered by the BoF security unit. Registration authority has the following tasks: Ensuring the identity of the applicant as provided in this CP before the certificate is granted. Ensuring the handling, retaining and progress of the application to certificate production in a way that leaves no room for failure. On application, Bank of Finland and FIN-FSA employees obtain a personal smart card containing personal digital certificates. The revocation of digital certificates is handled by the security unit in Bank of Finland. 1.4 Certificate usage Certificates as referred to in this CP are to be used with the personal smart cards granted to BOF and FIN-FSA employees. Each certificate holder has two digital certificates corresponding to individual key pairs of private and public keys generated for each certificate. The following uses are available for the certificates: Certificate for authentication, encryption and signature The certificate holder can use the keys of the certificate for authentication in BOF computer systems as well as other systems which recognize this certificate issued by BOF CA. The public key of this certificate can be used to encrypt messages. The certificate holder can use the corresponding private key to decrypt message encrypted with the public key. The certificate holder can use the private key of the certificate for digital signature of data. The public key can be used to verify the digital signature made with a private key. Certificate for undisputed signature

7 Certificate Policy 7 (18) The certificate holder can use the private key for undisputed signature of data. The key pair of this certificate is generated so that the private key will at no stage be disclosed or become available outside of the smart card. 1.5 Policy administration Bank of Finland maintains and is responsible for this Certificate Policy. The validity of this document is periodically verified by Bank of Finland. The CA reserves itself the right to change this CP through a notification provided 2 weeks in advance of the entry into force of the changes. If there is only a slight change that does not affect any CA reliability factors, the change may be carried out without notification. Contact information concerning this CP: pki@bof.fi Postal address: Suomen Pankki Snellmaninaukio PO Box Helsinki, Finland 1.6 Definitions and acronyms BOF CA CAF CP CPS CRL ESCB FIN-FSA RA Bank of Finland Certificate Authority Certificate Acceptance Framework Certificate Policy Certification Practice Statement Certificate Revocation List European System of Central Banks Finnish Financial Supervisory Authority Registration Authority

8 Certificate Policy 8 (18) 2 PUBLICATION AND REPOSITORY RESPONSIBILITIES 2.1 Repositories 2.2 Publication of certification information 2.3 Time or frequency of publication 2.4 Access controls on repositories The certificate authority publishes the publicly available data on its website at URL These data include this certificate policy, public key data of the CA servers (Root CA and BOF CA) and other information that the certification authority deems necessary. The BOF CA server certificate revocation list is also publicly available at the certificates CRL distribution point at URL The Certification Practice Statement and the documents not listed above are considered non-public information and are available only for a limited audience. All publically available information may be freely used for reading purposes. The certificate authority of Bank of Finland is responsible for informing its digital certificate holders and relying parties about changes in the certificate policy or Certification Practice Statement that might affect the credibility of the certificate. The CA reserves the right to change the certificate policy or Certification Practice Statement with a notification period of two weeks. Publishing of the certificate revocation list is carried out as stated in section 7.2 of this certificate policy. All publicly available data are published on the CA website. Data with restricted audience are kept within the BOF intranet and are available only to the appropriate personnel.

9 Certificate Policy 9 (18) 3 IDENTIFICATION AND AUTHENTICATION 3.1 Naming 3.2 Initial identity validation Before a certificate is granted the identity of applicant is validated. Before the BOF smart card containing the certificates is given to its holder the identity is verified. A certificate as referred to in this CP complies with X.509 standard. Naming defines the identification data of the certificate holder and the CA used in the certificate. The issuing CA is named in the Issuer field of the certificate and the holder is named in the Subject field of the certificate. BOF smart cards containing the issued certificates are only given to employees of Bank of Finland or FIN-FSA and third party personnel currently working for either organization. The initial identity validation for each certificate holder is done as stated in CPS. 3.3 Identification and authentication for re-key requests 3.4 Identification and authentication for revocation request The holder of a BOF smart card containing certificates is obligated to personally inform the revocation service about any disappeared, broken or compromised smart card so that the certificates on it can be revoked.

10 Certificate Policy 10 (18) 4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS 4.1 Certificate Application 4.2 Certificate application processing 4.3 Certificate issuance 4.4 Certificate acceptance 4.5 Key pair and certificate usage 4.6 Certificate renewal 4.7 Certificate re-key 4.8 Certificate modification The certification authority of Bank of Finland only issues digital certificates based on written requests received by the registration authority of Bank of Finland. The certificate application is processed by the registration authority of Bank of Finland. The related process is described in CPS. The certificate is issued by CA server if the registration authority of Bank of Finland approves the processed certificate application. The related process is described in CPS. The applicant becomes a digital certificate holder once he/she receives the BOF smart card containing the certificates. The related process is described in CPS. Digital certificate holders may use the key pair and certificate only for purposes described in section 1.4 of this certificate policy.

11 Certificate Policy 11 (18) 4.9 Certificate revocation and suspension 4.10 Certificate status services 4.11 End of subscription 4.12 Key escrow and recovery Upon receiving a BOF smart card the digital certificate holder agrees to be obligated to personally inform the registration authority of Bank of Finland about disappeared, broken or compromised smart cards so that the certificates on them can be revoked. The revocation of a certificate is a process of terminating the usage of a certificate prior to its expiration date. Information concerning revoked certificates issued by CA at Bank of Finland is published in a certificate revocation list (CRL). The related process is described in CPS. The CRL is published and is accessible as stated in section 7.2. The CRL distribution point is specified in each digital certificate issued by the CA. Usage of digital certificates is terminated in two separate cases: 1. Normal expiration of a certificate. The CA does not support re-key option at the moment so that a new certificate is required once the previous one expires. 2. Revocation of a certificate. Revocation is handled by the revocation service as stated in section 1.3 of CPS. Private keys are stored only in BOF smart cards. Therefore the key archive or recovery options are not available to these keys.

12 Certificate Policy 12 (18) 5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS 5.1 Physical controls All premises used by the certificate service are secure, well protected, efficiently monitored and alarmed. The physical security at the BoF is at a good central bank level. 5.2 Procedural controls 5.3 Personnel controls 5.4 Audit logging procedures 5.5 Records archival 5.6 Key changeover No stipulation (basically all critical operations are logged, log is protected by encryption and signing etc.) 5.7 Compromise and disaster recovery 5.8 CA or RA termination The operations of the certification authority according to this CP may have to be terminated as a result of a CA decision, disclosure of a private key provided by the CA or questions raised about the technical basis of the system. The CA informs the certificate holders and agreed certificate users about such discontinuation. When the certification operations have been discontinued, the certificates shall no longer be trusted.

13 Certificate Policy 13 (18) 6 TECHNICAL SECURITY CONTROLS 6.1 Key pair generation and installation The key pair used for undisputed signature is generated as an internal personal smart card operation so that the private key will at no stage be disclosed or become available outside of the card. The key used for encryption and identification is generated in the certification system. A back-up copy of the encryption key is retained in the certification system in case the card should break or disappear. The related process is described in CPS. 6.2 Private Key Protection and Cryptographic Module Engineering Controls 6.3 Other aspects of key pair management 6.4 Activation data 6.5 Computer security controls Security controls are implemented to protect the module and to prevent anyone from managing the module single-handedly. Computer security controls are implemented to increase the information security of the CA system and to ensure continuation of the certification process. The controls are focused on following topics: Data backups Access control (system, databases and applications) Access rights (system, databases and applications) Archive and log files Authentication

14 Certificate Policy 14 (18) 6.6 Life cycle technical controls 6.7 Network security controls 6.8 Time-stamping No Stipulation.

15 Certificate Policy 15 (18) 7 CERTIFICATE, CRL, AND OCSP PROFILES 7.1 Certificate profile 7.2 CRL profile 7.3 OCSP profile A certificate as referred to in this certificate policy document complies with standard X.509. As a rule, the certificates are valid for three years. All personal digital certificates issued by the CA include the following information: Version Serial number Algorithm info Issuer + OID Validity Subject Scope of usage Public key A certificate revocation list (CRL) as referred to in this certificate policy document complies with standard X.509. BOF CA publishes its certificate revocation list every hour, and the list is valid for 72 hours. The list is available at CRL distribution point at URL Certificate revocation lists published by BOF CA include the following information: Version Issuer Effective date Next update Algorithm info List of revocated certificates

16 Certificate Policy 16 (18) 8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS 8.1 Frequency or circumstances of assessment 8.2 Identity/qualifications of assessor 8.3 Assessor's relationship to assessed entity 8.4 Topics covered by assessment 8.5 Actions taken as a result of deficiency 8.6 Communication of results

17 Certificate Policy 17 (18) 9 OTHER BUSINESS AND LEGAL MATTERS 9.1 Fees 9.2 Financial responsibility 9.3 Confidentiality of business information As the personal digital certificates issued by BOF CA are intended only for internal use in the Bank of Finland and the Financial Supervisory Authority, the CA is not responsible for possible damages caused to other parties that have relied on the certificates. 9.4 Privacy of personal information 9.5 Intellectual property rights 9.6 Representations and warranties 9.7 Disclaimers of warranties 9.8 Limitations of liability 9.9 Indemnities 9.10 Term and termination No stipulation Bank of Finland maintains and is responsible for this CP. The CA reserves the right to change this CP with a notification period of two weeks. Validity of the older version of the CP is terminated as soon as the new one enters

18 Certificate Policy 18 (18) into force. This CP and the corresponding CPS will remain valid until further notice Individual notices and communications with participants 9.12 Amendments 9.13 Dispute resolution provisions 9.14 Governing law 9.15 Compliance with applicable law 9.16 Miscellaneous provisions 9.17 Other provisions The CA is responsible for the information published in the relevant directory to the extent specified in the national legislation.