CERTIFICATION PRACTICE STATEMENT (CPS) SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. Version 2.0


CERTIFICATION PRACTICE STATEMENT (CPS) OF SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. Version 2.0

INDEX

1. LEGAL FRAMEWORK Legal Base Validation Legal Support Conflicts Resolution Process

INTRODUCTION Presentation Name of Document Identification Publication Definitions and Acronyms Definitions Acronyms General Aspects Obligations Responsibilities Participant Companies Authority (CA) Applicant Subscriber Signatory Password Protection Relying Party Certificate types 2.5.1. Recognized Cooperation Certificates Certificate for the Public Administration Private Secure Server Certificates Support Types Signature-Creation Device. SSCD Software support Roaming Support Particular use of certificates Appropriate use of certificates Unauthorized Use of Certificates Policy administrations Responsible Organization Revision Frequency Approval Procedure

REPOSITORIES AND INFORMATION PUBLICATION Repositories Information Publication Policies and s Terms and conditions Certificate Diffusion Publication Frequency Access Control of the Repositories

IDENTIFICATION AND AUTHENTICATION Name Registry Name Types Necessity of Names being Noteworthy Rules to interpret various name formats Name Uniqueness Initial Identity Validation Proof of private key possession method Authentication of the identity of a Legal Entity Authentication of the Identity of a Natural Person Authentication of the RA Identity and RA Operators Validation Identification and Authentication in Certificate Renewal Online Certificate Renewal in Roaming Physical Certificate Renewal Identification and Authentication of Renewed Certificates

OPERATIONAL REQUIREMENTS FOR THE CERTIFICATES LIFE CYCLE Certificate Request Who can request a Certificate Application Process Certificate Validity of an Electronic Signature for a Natural Person Application Process Completion of Identification Authentication Functions Approval or rejection of the Certificate Applications Certificate Emission CA Actions during the Certificate Emission Certificate Delivery Certificate Acceptance Manners to Accept a Certificate Certificate Publication Password Uses and Certificates Private Key and subscriber Certificate Use Use of Public key and Certificate by third parties that trust Certificates 5.7. Certificate Renewals without Changing Passwords Renewal with Password Changes Online Renewal Circumstances Who can request for an Online Certificate Renewal Online Application Renewal Processing Requests of Online Renewal Notification of the Renewed Certificate Issuance Ways to accept a Renewed Certificate Publishing the Renewed Certificate Certificate Modification Revocation and Suspension of Certificates Causes for Revocation Who can request a revocation Application Revocation Procedures Period in which the CA should Resolve the Revocation Verification Obligation of Revocations by Third Parties Emission Frequency of the CPSs Maximum Time between the Generation and Publication of the CRLs Availability of the Online Certificate Verification Status System Requirements for Online Revocation Checking Suspension Circumstances Who can Request a suspension Suspension Period Limits Information Certificate Services State Operation Characteristics Service Availability Subscription Suspension

PHYSICAL SECURITY, INSTALLATIONS, MANAGEMENT AND OPERATIONAL CONTROLS 6.1. Physical Controls Physical Location and Construction Physical Access Electrical Power and Air Conditioning Water Exposure Fire Protection, and Prevention Storage Systems Elimination of Information support Procedure Controls Responsibility roles Number of people required per Tasks Role Identification and Authentication Role that Require Function Segregation Personnel control Requirements related to Professional Qualifications, Knowledge, and Experience Antecedents Verification Process Education Requirement Education Requirements, Frequency and Actualization Third party Contract Requirements Security Auditory Processes Registered Event Types Frequency of Auditing Registry Processes Auditing Registry Conservations Auditing Registry Protection Auditing Registry Backup Procedures Auditing Systems Information Gathering Vulnerability Analysis Registry Archives Event Archive Types Registry Storage Period Archive Protection Archive Security Copy Procedure Registry Time Stamping Requirements Auditing Information Archiving System Procedure in Order to Obtain and Verify Archived Information CA Rekeying Root CA Subordinate CA Disaster Recuperation Plan Fire and Vulnerabilities Management Procedure Altering Hardware, Software and/or Data Resources Procedure to follow in the event of password theft from a Certificate Authority Continuing Business after a Catastrophe Activity Suspension Authority Registry Authority

TECHNICAL SECURITY CONTROLS Generation and Installation of the Key Pair Generation of the Key Pair Delivery of the Private Key to the Subscriber Delivery of the Public Key to the Certificate Emissary Delivery of the CA Public Key to Trusted Certificate CA Third party Members Permitted uses of the Key (X509v3 Key Usage) Private Key Protection and Engineering Controls of the Cryptographic Module Cryptographic Standard Model Multi-person Control (k of n) of the Private Key 7... Protection of the Private Key Security Copy of the Private Key Private Key Archiving Transferring the Private Key to/or from a Cryptographic Module Private Key Activation Method Private Code Deactivation Private Key Destruction Method Other Aspects of the Management of Key Pairs Public Key Storage Certificate Operation Period and Key Pair Usage Period Activation Data Activation Data Installation and Generation Activation Data Protection Information System Controls Security Requirements Information Security Evaluation Security Life Cycle Controls System Development Controls Security Management Controls Network Security Controls

PROFILE CERTIFICATE Certificate profiles Version Number Certificate Extension Name Format CRL Profile Version Number CRL and Extensions

9. AUDIT COMPLIANCE AND OTHER CONTROLS Auditing Frequency Auditor Qualification Relation between the Auditor and the Authority Audited Aspects Covered by the Controls Registry Authority Audit Actions to be taken as a result of incident detection Communication Results

OTHER BUSINESS AND LEGAL MATTERS Fees Certificate Emission Fees and Renewal Certificate Access Fees Access Fee of the Information Status or Revocation Fees and Other Services Information Confidentiality Scope of Confidential Information Non Confidential information Responsibility in the Protection of Confidential Information Reviews

1. LEGAL FRAMEWORK

1.1. Legal Base

The Electronic Commerce, Electronic Signatures and Data Messaging Law, its Regulation; Organic Consumer Defense Law, CONATEL Organic Transparency Law of Information and Accreditation.

1.2. Validation

The present document will become valid as of its approval date.

1.3. Legal Support

a) The electronic commerce, electronic signatures and data messaging law, published in the Official Register No. 577 April 17, 00.

b) According to Art. 7 of the electronic commerce, electronic signatures and data messaging law, the National Telecommunications Council is the organism for authorization, registry and regulation of information certification entities and accredited related services.

c) The General Regulation of the electronic commerce, electronic signatures and data messaging law was issued by executive decree No 496 published in the official registry 75 December 1, 00, and its constant reforms in executive decree 156 of September 9, 008, published in the Official Registry No. 440 of October 6, 008.

d) The second listed article added by article 4 of the executive decree No. 156 after article 17 of the general regulation of the law of electronic commerce, electronic signatures and data messaging says that the accreditation as an information certification entity and related services will consist of an administrative act emitted by CONATEL through a resolution that will be registered in the National Public Registry of Information certification entity.

e) Resolution CONATEL-008 of October 08, 008, in which the resolution model was approved for the Accreditation as an Information Entity and related services.

f) Resolution No. TEL CONATEL-010 of October, 010, approved the Petition for Accreditation for the company SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL S.A. as an information certification entity and related services, for which SENATEL subscribed the respective administrative act, following the model approved by the National Telecommunications Council.

1.4. Conflicts Resolution Process

The differences that arise between the parties on the occasion of this service, during its execution or its interpretation, will be resolved directly in the first instance by the User and SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL S.A. If no agreement exists, the dispute may be submitted to the mediation process as an alternative system for solution of conflicts recognized constitutionally, for which both parties agree to go to the Mediation Center of the General Attorney of State.

The mediation process will be subject to the arbitration and mediation law and the regulations of the operation of the Mediation Center of the General Attorney of State.

In the case of signing a Total act, this will have the same effect as a final sentence and the judged element, and its execution will be the same as a sentence from the last instance following legal procedures, as provided in Art. 47 of the Arbitration and Mediation Law.

In the case of no agreement between the parties, they will sign the impossibility of agreement act and the dispute will be taken to the respective District Court of the competent administrative law.

In case of subscribing acts of partial agreement, these will have the same effect over the agreed matters; the unresolved aspects will be judged before the District Court of the competent administrative law.

The applied legislation is the Ecuadorian one.

2. INTRODUCTION

2.1. Presentation

Security Data Seguridad en Datos y Firma Digital S.A. is a certification entity that was created to meet the necessities of the Ecuadorian market in electronic signatures and digital certificates.
The certification information services and related electronic services offered by Security Data Seguridad en Datos y Firma Digital are aimed at natural people and public and private corporations (such as businesses, public entities), and their objective is to accredit the digital identity of corporations and natural people that work through the internet.

This Declaration specifies the conditions, policies and procedures that are valid in the application, emission, use, suspension and revocation of electronic signature certificates, as well as related services, and contains:

1. Identification Data of the Information Entity and Related Services in accreditation.
2. Terms of information use provided by users.
3. Responsibility limits in services for information certification and related services in electronic signatures.
4. Obligations in the Accredited Information Entity and Related Services when providing certification, information, and related services concerning the signature.
5. User obligations and precautions that must be observed in the management, the use and safekeeping of certificates and passwords.
6. Management policies of electronic signature certificates.
7. Policies and management conditions of related services concerning electronic signatures.
8. Guarantees in the compliance of obligations that arise from activities.
9. Costs and Taxes in the information certification services and related services concerning electronic signatures.

The structure of this document is based on the specification of the Standard "RFC 3647 - Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework", created by the PKIX work group of the IETF.

In addition to the general conditions established in this CPS, each certificate type emitted by Security Data Seguridad en Datos y Firma Digital is based on particular conditions contained in a document entitled "Política de Certificación" (in English, CP or Certificate Policy). There is a certification policy for every type of document emitted.

2.2. Name of Document

2.2.1. Identification

Name: Declaration of s (CPS)
Version: 2.0
Description: Declaration of of Security Data Seguridad en Datos y Firma Digital S.A.
Emission Date: September, 010

2.2.2. Publication

This document is free in the website

2.3. Definitions and Acronyms

2.3.1. Definitions

Electronic Certificate: An electronic document signed by a certification service provider which links signature verification data to a signatory and confirms its identity.

Recognized Certificate: A certificate issued by an Accredited Entity that meets the requirements established by the law regarding identity verification and other circumstances by applicants and reliability of guarantees of certification services given.

Public Key and Private Key: The asymmetric cryptography on which PKI is based uses a key pair (there may also be two key pairs): what is encrypted with one key can only be decrypted with the other, and vice versa. One of these keys is called public and is included in the electronic certificate, while the other is called private and is known only by the certificate holder.

Signature Creation Data (Private Key): Unique data, such as codes or private cryptographic passwords, which the subscriber uses to create electronic signatures.

Data Signature Verification (Public Key): The data, such as codes or private cryptographic passwords, used to verify the electronic signature.

Secure Signature-Creation Device (SSCD): Instruments used to apply data for signature creation.

Electronic Signature: A group of data in electronic form, entered with others, which can be used as a medium for personal identification.

Advanced Electronic Signature: An electronic signature that establishes personal subscriber identification concerning signed data, and is used to check integrity, being linked exclusively to the subscriber, like referred data, and also it has been created by means to maintain exclusive control.

Hash Function: An operation that is done on a data group of any size, so that the obtained result is another data group, regardless of the original size, that has the property of being uniquely associated with the initial data.

Certificate Revocation List (CRL): A list that contains revoked or suspended certificates.

Hardware Security Module (HSM): A hardware module used to perform cryptographic functions and also to store passwords securely.

Time Stamping: Electronic annotation, signed electronically, which is added to a data message and records the date, hour, and the identity of the person making the annotation.

Time Stamping Authority (TSA): Entity that issues trusted time stamps.

Validation Authority (VA): Trusted entity that provides information on the validity of digital certificates and electronic signatures.

2.3.2. Acronyms

CA: Authority
SUB CA: Authority Subordinate
RA: Register Authority
CP: Policy
CPS: Declaration for s
CRL: Certificate Revocation List
HSM: Hardware Security Module
LDAP: Lightweight Directory Access Protocol
OCSP: Online Certificate Status Protocol
PKI: Public Key Infrastructure
CSP: Cryptographic Service Provider
TSA: Time Stamp Authority
VA: Validation Authority
ICE: Information Entity
OID: Object identifier
DN: Distinguished Name
C: Country, Distinguished Name attribute
CN: Common Name, Distinguished Name attribute
O: Organization, Distinguished Name attribute
OU: Organizational Unit, Distinguished Name attribute
SN: SurName, Distinguished Name attribute
ISO: International Organization for Standardization
PKCS: Public Key Cryptography Standards
UTF8: Unicode Transformation Format 8 bits

2.4. General Aspects

2.4.1. Obligations

CA Obligations

- Issue Certificates under the CPS, the corresponding CPs, and the standards of the application.
- Issue Certificates whose minimum content is defined by the current Policy Certificate.
- Issue Certificates based on the information in its possession and free of data entry errors.
- Maintain their own private passwords under exclusive control, using trustworthy products and systems for storage to ensure confidentiality and to make them inaccessible to unauthorized people, avoiding loss and compromise.
- Issue the requested certificates in accordance with the CPS, the CPs of each certificate type and, when appropriate, the contracts of provided services for the corresponding certifications and the agreement for the authority register.
- Facilitate access to the current versions of the CPS and the CPs of each type of certificate.
- Offer and maintain the necessary infrastructure for certification services, as well as the physical security controls, the procedures and the personnel necessary to practice certification activities.
- Use reliable systems and products that are protected against alteration and that guarantee technical security and, when appropriate, cryptography certification processes used as support.
- Publish issued certificates according to what is established in the law of Electronic Commerce, electronic signatures and data messaging.
- Protect personal data according to what is established in the law of Electronic Commerce, Electronic Signatures and data messaging.
- Use reliable systems to store recognized certificates that make it possible to verify their authenticity and prevent unauthorized alteration of data.
- Publish certificate copies and revocation information available to anyone who wishes to verify an electronic signature with reference to the certificates, which will be published on the web page
- Provide the applicant with the minimum information necessary for the use of certificates, which information should be transmitted by letter or by
- Take measures against certificate forgery and guarantee the confidentiality of the signature creation data during the generation process, as well as the safe delivery to the subscriber by a secure procedure.
- Do not copy or store the subscriber's signature creation data.
- Report modifications of certificate policies and the Declaration to the subscribers and RAs which are linked.
- Comply with the obligations of the current CPS.
- All the obligations imposed by the current CPS in this case, the law of Electronic Commerce, Electronic Signatures and data messaging.
- Approve or reject emission applications for digital certifications from an electronic signature, according to what is established in the CPS and in the CPs.

- Make available to the users the Certificate Revocation List (CRL), which will be published in the webpage
- Constantly guard in any way all the information and relative documentation in a recognized certificate and the current declaration of certificate practice, during at least 15 years starting from the moment of its expedition date, so that the signatures can be verified. To this end SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL stores in digital format or on paper all the versions of the CPS published and contract copies of the provided services between the Information Entity and its subscriber.
- Report immediately to the holders of certificates emitted by the ICE the compromise, loss, disclosure, alteration or unauthorized use of a private password, for a revocation.
- Perform an identification and authentication of users as prior steps to the revocation of certificates and electronic signatures.
- Protect the personal data of applicants and digital or electronic certificate users.
- Perform each of the steps described in the emission procedure of certificates for electronic signatures.
- Implement and maintain the security requirements imposed by lost passwords in the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, according to the CPS and CPs.
- Provide and maintain the necessary technological infrastructure to establish a structure, for both hardware and software, to operate according to international standards.

Obligations of the RA

The RA may assume the following obligations, for which it will be responsible:

- Identify and authenticate correctly the subscriber and/or applicant of the organization that it represents, according to the procedures established in the CPS and in the specific for each certificate type, using any means permitted by the law.
- Formalize issued contracts for certificates with the subscriber in terms and conditions established by the CA.
- Store securely, for a period never below 15 years, the documentation provided in the emission process of the certification and in the suspension/revocation process, in the terms and conditions established by the CPS, in the CP for each type of certificate and, when appropriate, in the agreement for the Registration Authority.
- Carry out any other function that corresponds, through the personnel that is necessary in each case, according to what is established in the CPS and in the CP for each certificate type and, when appropriate, in the agreement for the Registration Authority.

In any case the RA will permit the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL access to the files and to the procedures for the conservation of the archives assumed by the RA, and will give it the right to investigate any suspicion of infraction of the CPS and/or of the CP by the RA or any certificate holder. The RA and the holders of any certificate must inform the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL immediately of any suspicion of possible infractions.

Applicant Obligations

- Pay the registration fees that correspond by virtue of the requested services.
- Provide the RA with the information necessary for proper identification.
- Confirm the truthfulness and veracity of the provided information.
- Notify any change in the data provided for the certificate creation during its valid period.
- Request the certificate according to the terms and conditions established by the CP for each certificate type and, when appropriate, by the contract of provided services for certificates subscribed with the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL.

Subscriber Obligations

- Comply at all times with the norms and regulations issued by SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL in the corresponding certificate policies.
- Inform the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL of any alteration or modification in the data provided to obtain the electronic signature certificate.
- Verify, through the list of Revoked Certificates, the status of the electronic signature certificates.
- Protect and conserve the Token-Security Portable Device.
- Request the revocation of the certificate and the emission of a new one from ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL in case of forgetting the protection password of the electronic signature certificate.
- Be answerable for the use of the electronic signature certificate and the consequences that arise from using it.
- Comply with what is established in article 17 of the electronic commerce, electronic signatures and data messaging law.

User Obligations

The users that wish to use the certificates emitted by the CA should verify the validity of the signatures emitted by the subscribers. In the event that the users do not proceed to verify the signatures through the CRL (Certificate Revocation List), the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL is not responsible for the use of and reliance on these certificates.

Every person is entitled to trust, to a reasonable extent, an electronic signature based on a certificate emitted by the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL. To determine if it is reasonable to trust, the following must be taken into account, where appropriate:

- The nature of the operation corresponding to the signature intended to endorse. It will not be considered reasonable to trust a signature emitted by a certificate from the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL if the operation could be considered as a misuse.
- Whether the relying party has adopted adequate steps to determine the signature reliability, especially whether it has been verified that the certificate is not expired, suspended or revoked. The expiration will be stated in the certificate itself. The possible suspension or revocation of the certificate will be consulted in the revocation list or certification suspension (CRL).
- Whether the relying party knew or should have known that the signature was questioned or had been revoked or suspended.

The policies and procedures that rule the activity of ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL in relation to the different electronic signatures made with the different certificate types emitted by ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, policies and procedures that are specified in the CPS and in the CPs, are different for each certificate.

2.4.2. Responsibilities

Responsibility of the CA

- Guarantee fulfillment of the responsibilities and obligations described in the CPS, and of what is provided in the law of electronic commerce, electronic signatures and messaging data, and its norms.
- Solely and exclusively ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will respond to damages caused to any person when the certification services are not complying with or are neglecting its legal obligations under the legislation of the Ecuadorian government.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for damage derived from or related to a non or defective execution of obligations by the applicant, subscriber and/or Users.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for the negligent or illegal use of certificates and passwords.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for the damage resulting from negligent or illegal actions caused by third parties in relation to certificates by the ones emitted in favor to the determined subscriber.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for eventual inaccuracies in the certificate that result from the information given by the subscriber, except when always acting with the maximum negligence.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for damage derived from operations whose limits haven't been identified in the CPs for each certificate type.

- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not assume any responsibility for the delay or non execution of any of the obligations by virtue of the present CPS, if the delay or non execution results from any fortuitous case, force majeure or any circumstance over which the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL could not have reasonable control.
- The ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL will not be responsible for the content of electronically, digitally signed documents.
- Neither the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL nor its register authorities will be responsible for damage caused by the use of its public certification services in those environments

Responsibility of the RA

The RA is responsible for the functions corresponding to it under the CPS and, in particular, will assume all responsibility for the correct identification and validation of the applicant/subscriber, with the same limitations that are established in the preceding paragraph in relation to the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL.

The RA is responsible under the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL for the damage resulting from the concerted execution of its functions in a negligent manner or in a way other than the one specified in the present CPS and the CPs emitted for each type of certificate.

Nevertheless, the RA is not responsible in any case for the identity or identification of the applicant and/or subscriber in the event of falsification of a document or other provided data, by himself or by the person who is impersonating him.

Responsibility of the Subscriber

The subscriber is responsible for the damage caused by the non-compliance of the respective obligations listed in the CPS.

The subscriber is responsible for the compliance of all the obligations imposed by the present CPS, the CP of every certificate type, and the current regulations regarding the provision of certification services.

The subscriber agrees to compensate the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL for the damage that any omission or intentional act may cause, assuming procedural costs which ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL could incur, including professional lawyer and attorney fees.

The subscriber shall compensate and hold harmless the ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL for any damage that it may suffer from the full, partial or defective compliance of assumed obligations based on any complaint against it by any third party with which the subscriber would have contracted.

User Responsibilities

The user will be responsible for any legal damages caused by the non-fulfillment of its respective obligations stated in this CPS.

The user will be responsible for the fulfillment of all obligations stated in this CPS, the CP of each Certificate type, and by the current certificate rendering services norm.

In any case, the user will assume all responsibility and risks derived from accepting a certificate without having observed the obligations in the CPS and, where applicable, in the CP of each certificate, guaranteeing the compensation of ICE SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL for this concept.

2.4.3. Participant Companies

Credited Entity (CE)

Security Data Seguridad en Datos y Firma Digital is a Credited Entity (CE) that emits certificates recognized by the Electronic Signatures and Data Messaging Commerce Law.

Security Data Seguridad en Datos y Firma Digital is the entity that emits these certificates and is the company responsible for the operation of the certificates' life cycle. The functions of authorization, registry, issuing and revocation of personal certificates of the destination entity can be done by other entities associated by contract with Security Data Seguridad en Datos y Firma Digital, which will be considered intermediaries.

Security Data Seguridad en Datos y Firma Digital also offers electronic signature validation services and timestamping, which are controlled by their own norms and regulations, not included in this document.

Authority (CA)

The system of certification of Security Data Seguridad en Datos y Firma Digital is composed of diverse CA or Authority which is organized under a Hierarchy.

CA Root

A CA Root is the entity inside the hierarchy that emits certificates to other certification authorities and whose public key certificate has been self-signed. Its purpose is to sign the certificates of other CAs in the Hierarchy.

Registration Authority (RA)

The Registration Authority of Security Data Seguridad en Datos y Firma Digital is the entity in charge of:

- Certificate applications.
- Identify the applicant and check if he/she meets the necessary requirements for the Certificate Application.
- Check the situation of the person that will be the certificate signatory.
- Administrate password generation and certificate emissions.
- Submit the certificate to the subscriber.

A representative for the RA of Security Data Seguridad en Datos y Firma Digital could be:

- Any Cooperation that is a client of Security Data Seguridad en Datos y Firma Digital, for the issuing of certificates under the name of the Corporation or under members of the cooperation.
- Any trusted entity that reaches an agreement with Security Data Seguridad en Datos y Firma Digital so they can act as representative of Security Data Seguridad en Datos y Firma Digital.
- Security Data Seguridad en Datos y Firma Digital itself.

Security Data Seguridad en Datos y Firma Digital will formalize relations by contract with every one of the entities that act as RA of Security Data Seguridad en Datos y Firma Digital.

The entity that acts as the RA of Security Data Seguridad en Datos y Firma Digital can authorize one or various people as the RA Operator in order to operate with the information system of certificate emissions of Security Data Seguridad en Datos y Firma Digital under the RA name.

For subscribers whose geographical location represents a logistic problem for subscriber identification and for the application and delivery of certificates, the RA could appoint these functions to another trusted company. This entity should have a special relationship with the RA and have a trusted relationship with the certificate subscriber which justifies this appointment. This trusted entity should sign a collaborative agreement with the RA in which this appointment is accepted by these functions. Security Data Seguridad en Datos y Firma Digital should know and expressly authorize such agreement.

Applicant

An applicant is the person that, under his/her own name or representing a third party, requests the emission of a certificate by Security Data Seguridad en Datos y Firma Digital.

The requirements that an applicant must meet depend on the certificate type requested; these requirements are published in the Policy of each type of concrete certification.

Subscriber

The subscriber is the person that has contracted the certification services of Security Data Seguridad en Datos y Firma Digital. Therefore this person will be the owner of the certificate.

Generally, the subscriber of a certificate of Security Data Seguridad en Datos y Firma Digital will be a cooperation (private business, public entity, or natural person), whose name will appear on the certificate.

Signatory

The signatory is the person that possesses a signature creation device and that acts under its own name or in representation of a legal entity.

The signatory will be responsible for guarding the signature creation data, that is, the personal key which is associated with the certificate.

Password Protection

The protection of creation data of associated firms of each certificate is the responsibility of the natural person whose identification will be included in the electronic certificate.

Relying Party

A relying party is anyone (person or organization) that voluntarily trusts in a certificate emitted by Security Data Seguridad en Datos y Firma Digital.

The certificates emitted by Data Seguridad en Datos y Firma Digital are accepted by the majority of Ecuadorian State public organizations such as Ministries and Departments etc.

The obligations and responsibilities of Data Seguridad en Datos y Firma Digital with relying parties are limited to the ones stated here in this CPS.

Relying parties should take note of the limitations on certificate use.

.5. Certificate types

.5.1. Recognized Cooperation Certificates

Cooperative certificates are recognized electronic signature certificates whose subscriber is a Cooperation (private business, organization or Public Administration):

- Legal Representative Cooperation Certificate: recognized certificates of the natural person that identify the subscriber as a cooperation and the signatory as a legal representative of this cooperation.
- Judicial Cooperation Certificate: recognized certificates of the judicial person that identify the subscriber as a Judicial Person.
- Natural Person Cooperative Certificate: recognized certificates of the natural person that identify the subscriber as a Cooperation and the signatory as associated with the cooperation, such as an employee, associate, collaborator, client or provider.

.5.. Certificate for the Public Administration

The certificate for the Public Administration is an electronic certificate issued according to the requirements established in the Ecuadorian Electronic Commerce, Electronic Signatures and Data Messaging Law.

- Certificate of Public Function: recognized certificates of the natural person that identify the subscriber as Public Administration and the signatory as an Administration employee.

.5.. Private

- Natural Person Certificate: recognized certificates of the natural person that identify the subscriber as a natural person, who can use these certificates for personal, legal and tax issues.

Secure Server Certificates

Secure Server Certificates: certificates that associate an Internet domain with a judicial entity or a given registered merchant.

.6. Support Types

The Cooperation Certificates, of public or private administration, can be generated on two types of support: hardware support, or software or roaming support.

.6.1. Signature-Creation Device. SSCD

The private keys of certificates issued on hardware support are generated and stored in a Secure Signature-Creation Device such as a Smart Card or a Cryptographic Token. The SSCD provided by Security Data Seguridad en Datos y Firma Digital S.A. contain FIPS certificates. Therefore, the usage of Functional of Business with SSCD permits Electronic Signatures to be executed safely. The certificate keys generated in the SSCD cannot be copied in any way, which means that if the device is lost or destroyed the certificate issuance process must be repeated.

To activate the SSCD the PIN must be entered. If the PIN is entered incorrectly five consecutive times, the device is blocked and becomes inoperable. To unblock it, the user should take the blocked device to the RA where the certificate was acquired, or send the device back to the company, where the device will be unblocked and a new certificate issued. The PIN is secret and personal to each user. An initial PIN is given, which the user must change by means of a special program.

.6.. Software support

Certificates, Public and Private Keys in Software

This software permits the user to access the Security Data portal, only after having submitted the application, received its approval by the Entity and received the generation code. There, the user can generate the digital certificate with its public and private keys, which are stored in Windows CAPI on the client's PC. The user can then use these certificates to sign and encrypt documents and

Certificates, public and private keys by Secure Web Server -SSL

This software permits the user, after having submitted the application and received its approval by the Entity, to associate an Internet Domain with a Judicial Person or a registered merchant and, having received the generation codes, to access the Security Data portal, which will generate the digital certificate. Once the application is generated in the Web Server, the information can be stored on the Server in .cer format. These certificates are used to implement Secure Web Servers.

.6.. Roaming Support

The private keys of certificates issued in the Roaming application are generated and safely stored in the LDAP directory owned by the CA. This repository is secured with two layers of encryption, which permit safe password storage. These keys are protected with a password; this provides a double authorization factor. This support gives a flexible solution for situations where dependence on hardware devices is not wanted.

.7. Particular use of certificates

.7.1. Appropriate use of certificates

The Subscriber may use the Electronic Signature certificate in accordance with this certificate policy, the contract with ECI SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL and the CPSs.

A certificate is considered improperly used when it is used to perform operations not authorized by the certificate policies applicable to each certificate and by the contracts of the ECI SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL with its subscribers. In consequence, the ECI SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL can revoke the certificate, thus terminating the contract.

The authorized use of certificates issued by the ECI SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL may be specified for each type of certificate.

If the subscriber certificate, i.e. the private key, is stolen at any time, the user should start the revocation proceedings as described in this PC and the CPSs.

The Electronic Signature certificate is issued by the ECI SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL to the subscriber and should be used as intended. The user is prohibited from altering the certificate in any way. Electronic signature certificates cannot be used in actions that are illegal under Ecuadorian legislation.

Electronic signature certificates present the following guarantees:

o Authenticity: The document information and its electronic signature undoubtedly correspond to the person who signed the contract.
o Integrity: The information in the electronic document has not been modified or altered after signing.
o No repudiation: The person who has electronically signed the document cannot deny his or her signature.
o Confidentiality: The information in the document has been coded and, by the will of the emitter, only the receptor is permitted to decode it.

.8. Unauthorized Use of Certificates

Any use that would contradict Ecuadorian and Community Norms, international agreements ratified by the Ecuadorian Government, native customs, and moral and public conduct is prohibited. Any use other than that stated in this Declaration of Certified s or in its corresponding Policy is also prohibited.

The certificates have not been designed for, are not intended for, and do not permit use or resale as control equipment for dangerous situations or for uses that require unerring decisions, such as nuclear plant equipment, navigation or aerial communication systems, or army control systems, where an error could directly cause death, personal injury or serious environmental damage.

Final user certificates cannot be used to sign public key certificates of any kind, or to sign certificate revocation lists.

.9. Policy administrations

.9.1. Responsible Organization

The Technical Department of Security Data Seguridad en Datos y Firma Digital is responsible for the administration of this CPS and the certification policies.

.9.. Revision Frequency

The CPS and the various CPs will be revised annually and updated if necessary.

.9.. Approval Procedure

The publication of revisions of this CPS and of the policies of each certificate type should be approved by the General Directory of Security Data Seguridad en Datos y Firmas Digitales for each certification type, after checking that the requirements expressed in this document are fulfilled.

. REPOSITORIES AND INFORMATION PUBLICATION

.1. Repositories

The repositories of Security Data Seguridad en Datos y Firma Digital are referenced by the URL. Any change in the URLs will be notified to all entities that could be affected by it. The IP addresses corresponding to each URL may be multiple and dynamic, and can be modified without previous notice.

.. Information Publication

..1. Policies and s

The current CPS and Policies will be available in electronic format on the Security Data Seguridad en Datos y Firma Digital website. Previous versions will be removed from online reference, but can be requested by contacting Security Data Seguridad en Datos y Firma Digital.

... Terms and conditions

The contractual relation between Security Data Seguridad en Datos y Firma Digital and its subscribers is based on the signing of a certification service contract and the approval of the General Conditions of Contract of Security Data en Datos y Firma Digital, which are published on its network.

... Certificate Diffusion

The certificate subscriber is responsible for giving the certificate to any third party who wishes to authenticate a user or validate a signature. This delivery is usually performed automatically, by attaching the certificate to every signed electronic document.

Security Data Seguridad en Datos y Firma Digital is not obligated to publish issued certificates in a public repository. However, in order to improve its services to customers, Security Data Seguridad en Datos y Firma Digital may provide directory, search and download services for some of the certificates issued under the certification hierarchy.

.. Publication Frequency

The CA Root will issue a list of all the revoked CAs (CRL) at least every six months, or in special circumstances, when an authority certificate is revoked.

Every Subordinated CA will issue a Certificate Revocation List (CRL) daily, and in special circumstances, every time a certificate is suspended or revoked.

Security Data Seguridad en Datos y Firma Digital will immediately publish any modification of the certification practices and policies.

.4. Access Control of the Repositories

The CPS, the certification Policies, the general contract terms and conditions, the CA certificates and the Certificate Revocation List (CRL) will be published in public access repositories without access control.

The issued certificates can be published in public repositories or in restricted access repositories when needed.

The validation services using the OCSP protocol and time stamping using the TSP protocol will be restricted access, paid services.

4. IDENTIFICATION AND AUTHENTICATION

4.1. Name Registry

Name Types

All certificates require a distinguished name (DN) according to the X.500 standard. Furthermore, all the names of recognized signatures conform to the following norms:

- ETSI TS known as "European profile for Qualified Certificates"
- RFC 3280 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile"
- RFC 3739 "Qualified Certificates Profile"

Necessity of Names being Noteworthy

The DN fields referring to names and surnames correspond to the data legally registered by the subscriber, expressed exactly in the format that appears on the identification card, residence card, passport or other means recognized by law.

If the data consigned in the DN is false or indicates its own invalidity (e.g. TEST or INVALID), the certificate will be considered to be without legal validity and can only be used for technical interoperability.

Rules to interpret various name formats

Security Data Seguridad en Datos y Firma Digital uses the standard X.500 in reference to ISO/IEC

Name Uniqueness

The distinguished name (DN) of the issued certificates will be unique to each subscriber or signatory. The CIF or NIF attributes are used to distinguish between identities when there is a problem of name duplication.

4.. Initial Identity Validation

Proof of private key possession method

When a hardware device certificate is issued, a private key is created right before the certificate generation, by a procedure that guarantees its confidentiality and its link to the applicant's identity.

Each RA is responsible for guaranteeing the safe delivery of the applicant's device.

In other cases, the method by which the subscriber proves possession of the private key will be the delivery of a PKCS#10, a cryptographic test, or another method approved by Security Data Seguridad en Datos y Firma Digital.

4... Authentication of the identity of a Legal Entity

The Registration Authority must verify the following data to authenticate the company's identity:

- Data on the corporate name of the organization.
- Data on the constitution and legal status of the subscriber.
- Data on the extent and validity of the applicant's powers of representation.
- Data on the fiscal identification code and the company's RUC.

Security Data Seguridad en Datos y Firma Digital reserves the right not to issue certificates if it considers that the documentation provided is not sufficient or adequate for the verification of the above data.

Authentication of the Identity of a Natural Person

The RA will reliably verify the physical identity of the person named in a certificate. For this purpose, the person must appear at the headquarters and present his/her identity card, passport or any other document that the law permits.

In the event that a subscriber claims data modification or personal identity theft concerning the identity document presented, he/she must provide the corresponding certificate from the Civil Registry proving this variation.

The RA will verify the data by comparing the original documents with its own sources. The rest of the data and attributes to be included in the certificate (distinguished name of the certificate) that cannot be checked against its own data sources must be kept in the documentation supporting their validity.

Authentication of the RA Identity and RA Operators

When a new RA is formed, the following actions will be taken:

- Security Data Seguridad en Datos y Firma Digital will verify the existence of the entity through its own sources.
- An authorized representative of the company must sign a contract with Security Data Seguridad en Datos y Firma Digital, which will specify the particular aspects of the delegation and the responsibility of each agent.

The RA will also be required to comply with the following regarding RA operators:

o Verify and validate the identity of new RA operators. The RA must send Security Data Seguridad en Datos y Firma Digital the required documentation for the new operator, as well as the legal authorization to act as an RA operator.
o Ensure that the RA operators have received enough training to perform their duties, attending at least one operator training session.
o Ensure that the communication between the RA and Security Data Seguridad en Datos y Firma Digital is done in a secure way, by the use of the operator's digital certificates.

Validation

In general, signatories are linked to the Registration Authority (for example banks, companies, etc.). In these cases it is not the signatory who requests a determined to be included in the certificate; the RA itself consults its databases to obtain that .

In cases in which the author does not have any relation with the RA, control is done by request and response at the requested address.

4.. Identification and Authentication in Certificate Renewal

Online Certificate Renewal in Roaming

The subscriber may identify and authenticate himself/herself in an online renewal process through a recognized certificate, provided that the following conditions are met:

- The RA has authorized the renewal.
- The certificate to be renewed has not yet expired.
- In the case of recognized certificates which have been less than years since last RA personalization and identification.

Certificates held in a cryptographic device cannot be renewed online.

Physical Certificate Renewal

The identification process will be executed in the same way as for the issuance of a new certificate.

4.4. Identification and Authentication of Renewed Certificates

The identification of subscribers in the certificate renewal process can be done by:

a) The subscriber, identifying and authenticating himself/herself on the Security Data Seguridad en Datos y Firma Digital web page.
b) Any RA of Security Data Seguridad en Datos y Firma Digital, which must identify the subscriber before a revocation petition by any means necessary.

5. OPERATIONAL REQUIREMENTS FOR THE CERTIFICATES LIFE CYCLE

5.1. Certificate Request

Who can request a Certificate

The application requirements depend on the certificate type requested and are collected in the Policy of each specific type of certification.

Application Process

The applicant must contact Security Data Seguridad en Datos y Firma Digital in order to receive a certification application, through the CA web page or any of the associated RAs.

The RA will provide the applicant with the following information:

- The documents required to submit an application and to verify the identity of the subscriber.
- Availability to perform a registry process.
- Information about the issuance and revocation process, the custody of the private key, and the responsibilities and conditions of use of the certificate and the device.
- How to access and consult the present document and the certification policies.

The Policies (CP) detail the documentation required for the application for each certificate type.

5.. Certificate Validity of an Electronic Signature for a Natural Person

According to the Regulations of the electronic commerce, electronic signatures and data messaging law (Decree No. 469):

The duration of the electronic signature certificate will be established by contract between the owner of the electronic signature and the Information Entity or whoever is in charge. In the event that the parties do not agree on anything, the electronic signature certificate will be issued with a validity of two years from its expedition. When electronic signature certificates are issued in relation to public or private charges, the duration of the electronic signature certificate will last more than two years but cannot exceed the duration of the public or private charge, unless there is an extension of functions established by law.

5.. Application Process

Completion of Identification Authentication Functions

The RA is responsible for reliably performing the identification and authentication of the subscriber. This process must be done before the certificate is issued.

Approval or rejection of the Certificate Applications

Once the certification application is made, the RA must verify the information provided by the applicant, including the validation of the subscriber's identification.

If the information is not correct, the RA rejects the petition and contacts the applicant to explain the reason. If the information is correct, the applicant will receive an indicating that the application has been approved and that he/she must go personally to the Registration Authority for data confirmation, payment or confirmation of payment for the certificate, and the signature of the legal instrument linking the subscriber and/or the applicant and Security Data Seguridad en Datos y Firma Digital. The certificate shall then be issued.

Certificate Emission

CA Actions during the Certificate Emission

Once the application is approved, the certificate shall be issued and must be delivered to the subscriber safely.

To issue a certificate the following actions must be taken:

a) For hardware support certificates:

- The RA will deliver the token. If the applicant provides his own device, it must be approved by Security Data Seguridad en Datos y Firma Digital before use. The RA will have a list of approved devices.
- Device Activation: In the event that the applicant does not have one, the device activation data will be generated and also the private access password that will be contained.
- Generation of key pairs: CA key pairs will be generated.

b) For Software certification:

- The applicant will receive an with the emission passwords for the certificate. The second password will be delivered personally at the RA along with the invoice. These passwords must be entered in the web page following the RA instructions. Once the entry is made, the certificate is issued and will be downloaded to the applicant's computer.

Certificate Delivery

When the subscriber has both generated passwords (Authorization code and reference number), he can generate the certificate.

a) In Software

Both passwords must be entered on the web page, following the procedure described in the Certificate Activation Manual via software found on the web page. Once this procedure is done, a certificate is issued, which the applicant will install on his computer.

b) In Hardware

Both passwords must be entered on the web page, following the procedure described in the Certificate Activation Manual via Hardware found on the web page. Once the procedure is concluded, the Certificate is issued, which the program will then install on the Token.

Certificate Acceptance

Manners to Accept a Certificate

The certificate is accepted the moment the legal instrument linking the subscriber and Security Data Seguridad en Datos y Firma Digital has been signed. As evidence of this acceptance there must be an acceptance sheet signed by the applicant. The certificate is considered valid from the day the acceptance sheet was signed.

The acceptance sheet must be delivered to the RA personally and must be digitally signed once the subscriber orders the corresponding digital signature. The physical archive will then be destroyed.

Certificate Publication

Once the certificate is generated and accepted by the subscriber or signatory, the certificate may be published in the necessary certificate repositories.

Password Uses and Certificates

Private Key and subscriber Certificate Use

The certificates can be used according to the CPS and the corresponding certification policies.

The Key Usage extension can be used to establish technical limits. Its effect depends in great part on correct implementation by third-party computer applications, whose regulation is out of the reach of this document.

Use of Public key and Certificate by third parties that trust Certificates

Third parties that trust certificates can use them as established in this CPS and the corresponding Policy.

It is the responsibility of third parties to verify the certificate status via the services offered by Security Data Seguridad en Datos y Firma Digital especially for this purpose and specified in this document.

Certificate Renewals without Changing Passwords

This option is not considered.

5.8. Renewal with Password Changes

Two possibilities exist for the renewal of certificates:

a) Physical renewal process, which will be executed in the same way as the issuance of a new certificate.
b) Online renewal process, which is detailed below.

5.9. Online Renewal Circumstances

The online certificate renewal may only be made if the following conditions are met:

- The RA has the online renewal service.
- The certificate has not expired.
- In the case of recognized certificates that have been less than years since the last RA identification.

Who can request for an Online Certificate Renewal

Any Subscriber can ask for an online renewal if he complies with the circumstances described in the previous section.

Online Application Renewal

The subscriber can contact the RA that issued his certificate and request its renewal. The RA will inform him how to formalize the application.

Processing Requests of Online Renewal

The following steps will be completed:

- The RA will receive a notification that a certificate is about to expire. At that moment the RA can authorize a renewal.
- The subscriber will be notified by that the certificate can be renewed.
- The Subscriber will access the web page of Security Data Seguridad en Datos y Firma Digital and, using the certificate, will sign the certificate renewal.
- A new key pair shall be generated. The public key will be sent to the CA through a safe channel in PKCS10 format or its equivalent.
- After that, the certificate will be generated in a procedure that uses protection against forgery and maintains the confidentiality of the exchanged data.
- The generated certificate will be delivered to the subscriber.

Notification of the Renewed Certificate Issuance

The CA will notify the subscriber that the certificate has been renewed when the process concludes correctly.

Ways to accept a Renewed Certificate

The certificate is accepted when the renewal is electronically signed.

Publishing the Renewed Certificate

Once the certificate has been renewed, the new certificate can be published in the certificate repositories that are considered necessary, replacing the prior certificate.

Certificate Modification

If any data is to be modified, the RA must revoke the certificate and issue a new one.

5.1. Revocation and Suspension of Certificates

The revocation of a certificate means the loss of its validity, and is irreversible. The suspension means a temporary loss of validity of a certificate and is reversible. Revocations and suspensions take effect the moment they appear published in the CRL.

Causes for Revocation

A certificate can be revoked for the following causes:

a) Circumstances that affect the information content of the certificate:

- Modification of any data contained in the certificate.
- Discovery of any incorrect data contained in the certificate application.
- Loss or change of the link between the signatory and the corporation.

b) Circumstances that affect the private key or the certificate security:

- The compromise of the private key infrastructure or CA systems.
- Infringement by the CA or the RA of the requirements in the certificate management procedures established by the CPS.
- Infringement or suspicion of infringement of the security of the subscriber's password or certificates.
- Access to or unauthorized use of the subscriber's private key by a third party.
- The irregular use of the certificate by the subscriber or signatory.
- The breach by the subscriber or signatory of the terms of use of the certificate set out in the present CPS or in the legal instrument linking Security Data Seguridad en Datos y Firma Digital and the subscriber.

c) Circumstances that affect the security of the cryptographic device:

- Theft or suspicion about the security of the cryptographic device.
- Loss or damage of the cryptographic device.
- Unauthorized access, by a third party, to the activation data of the subscriber.
- Breach by the subscriber or signatory of the terms of use of the certificate set out in the present CPS or in the legal instrument linking Security Data Seguridad en Datos y Firma Digital and the subscriber.

d) Circumstances that affect the subscriber:

- Conclusion of the legal relationship between Security Data Seguridad en Datos y Firma Digital and the subscriber.
- Modification or termination of the underlying legal relationship that permitted the issuance of the signatory certificate.
- Infringement by the subscriber of his/her obligations, responsibilities and guarantees established in the corresponding legal instrument or by the CPS.
- Sudden total or partial disability.
- The death of a subscriber or signatory.

e) Other circumstances:

- The suspension of the digital certificate for a period exceeding that established by the CPS.
- By order of a legal or administrative resolution.
- By the occurrence of any other cause specified in the CPS.

Who can request a revocation

People that can request the revocation of a certificate:

- The subscriber himself/herself, who should request the revocation of a certificate on having knowledge of any of the circumstances mentioned above.
- Any person, on having knowledge of any of the circumstances mentioned above.

People who may arrange the revocation of a certificate are:

- The authorized operators of the RA to which the certificate subscriber belongs.
- Authorized operators of the CA.

Application Revocation Procedures

Different alternatives exist for the subscriber when requesting a certificate's revocation. In any case, at the time of suspending or revoking a certificate, a letter will be sent to the subscriber communicating the time and the cause of it.

Online Procedure

Security Data Seguridad en Datos y Firma Digital will put at its subscribers' disposal a revocation system published online, which is available 24 hours a day, 7 days a week and 365 days a year. To use it the subscriber must:

- Access the web page of Security Data Seguridad en Datos y Firma Digital in the revocation section.
- Enter the administration account (Manager Account).

- Look for the digital Certificate by name, surname or .
- Enter the password when entering the revocation system.
- Enter the option Certificate Revocation.
- Enter the cause of the revocation.

Once accepted, the certificate will be immediately revoked.

Revocation during office hours

The subscriber or signatory must contact the RA of Security Data Seguridad en Datos y Firma Digital either personally or by telephone.

If personally, the identity of the subscriber or signatory will be authenticated by his identification card or Passport and the RA will proceed immediately to revoke the certificate.

If it is done by phone at the number 1800-firmas / , the certificate will be suspended until the subscriber or signatory personally presents himself/herself before the RA or sends a letter or a fax requesting the certificate revocation. The certificate will be suspended for a maximum time of 15 days, at which point it will be revoked. Within the 15 days the applicant or signatory can cancel the suspension and the revocation procedure.

A message will be sent to the RA by the client with the suspension and/or revocation data plus the reason why.

Revocation Out of Office Hours

See Online Procedure.

Period in which the CA should Resolve the Revocation

Once the subscriber's identity has been authenticated as described above, and the revocation is duly processed by the RA, the revocation will be effective immediately.

Verification Obligation of Revocations by Third Parties

Verification of the certificate status is compulsory for each use of a certificate, either by consulting the Certificate Revocation List (CRL) or the OCSP service.

Emission Frequency of the CPSs

The CRLs for end-entity certificates are issued at least every 4 hours, or whenever a revocation occurs, with a validity of 7 days.

Maximum Time between the Generation and Publication of the CRLs

Since the CRL is published the moment it is generated, the time considered is zero or null.

Availability of the Online Certificate Verification Status System

Information concerning certificate status will be available online 4 hours a day 7 days a week. In case of system failure, or other factors that are not under CA control, best efforts will be made to ensure that the information service is not unavailable for longer than a 4 hour period.

Requirements for Online Revocation Checking

For the use of the CPSs service, which is free to access, the following must be considered:
- In every case the latest issued CRL must be checked; it can be downloaded from the URL contained in the certificate's own CRL Distribution Point extension.
- The user should additionally check the CRL(s) relevant to the certificate chain hierarchy.
- The user should ensure that the revocation list is signed by the authority that issued the certificate being validated.
- Revoked certificates that expire will be removed from the CRL.

Suspension Circumstances

Security Data Seguridad en Datos y Firma Digital may suspend a certificate in the following cases:
- If there is a suspicion of password theft, until the data is confirmed or denied.
- If a subscriber has not paid for a certificate.

- If all the necessary information to determine a certificate's revocation is not available.
- If it is stipulated by the National Telecommunications Council, under the law of electronic commerce, electronic signatures and data messaging.
- If the Information Entity finds false data supplied by the certificate holder.
- If a breach of the contract is produced between the certification entity and the information from the electronic signature holder.

Who can Request a suspension

Only the following may suspend a certificate:
- The authorized operators of the RA to which the certificate subscriber belongs.
- CA authorized operators.

Suspension Period Limits

15 days after the suspension, the CA may process the certificate revocation.

Information Certificate Services State

Operation Characteristics

Security Data Seguridad en Datos y Firma Digital offers a free web publication service for the Certificate Revocation List, with unrestricted access. Additionally, Security Data Seguridad en Datos y Firma Digital offers free commercial services for certificate validation through the OCSP (Online Certificate Status Protocol) protocol.

Service Availability

Information concerning certificate status will be available online 4 hours a day 7 days a week. In case of system failure, or other factors that are not under the control of the CA, best efforts will be made to ensure that the information service is not unavailable for longer than a 4 hour period.
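A relying-party check that follows the revocation-checking requirements stated above (CRL located through the CRL Distribution Point extension, signed by the issuing authority, within its validity, suspension told apart from revocation), as an added example that is not part of the CPS or of Security Data's software. It uses the Python `cryptography` package; the CA name, serial numbers, URL and clock are constructed, and representing a suspension with the `certificateHold` reason code is an assumption the CPS does not state.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2030, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
CRL_URL = "http://crl.example.test/ca.crl"               # placeholder URL
CA_CN = "Constructed Test CA"                            # hypothetical issuer

def _utc(obj, attr):
    """Timestamp as aware UTC on both old and new 'cryptography' releases."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr, None)
    return value.replace(tzinfo=timezone.utc) if value else None

def crl_urls(cert):
    """URLs from the certificate's CRL Distribution Points extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [name.value for point in ext.value for name in (point.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]

def revocation_status(cert, issuer_cert, crl, now):
    """Return 'good', 'suspended', 'revoked' or 'unknown:<reason>' (fail closed)."""
    if cert.issuer != issuer_cert.subject or crl.issuer != issuer_cert.subject:
        return "unknown:crl-issuer-mismatch"
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "unknown:bad-crl-signature"
    next_update = _utc(crl, "next_update")
    if next_update is None or not _utc(crl, "last_update") <= now <= next_update:
        return "unknown:stale-crl"
    # Expired revoked certificates are dropped from the CRL, so absence from
    # the list proves nothing once the certificate itself has expired.
    if now > _utc(cert, "not_valid_after"):
        return "unknown:certificate-expired"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return "revoked"
    return "suspended" if reason == x509.ReasonFlags.certificate_hold else "revoked"

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, public_key, signing_key, serial, valid_days=365):
    """Constructed certificate issued by CA_CN, carrying a CRL Distribution Point."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(CA_CN))
            .public_key(public_key).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=30))
            .not_valid_after(NOW + timedelta(days=valid_days))
            .add_extension(cdp, critical=False)
            .sign(signing_key, hashes.SHA256()))

def _crl(signing_key, entries, issued=NOW - timedelta(hours=1)):
    """Constructed CRL valid for 7 days, the validity the CPS states."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(_name(CA_CN))
               .last_update(issued).next_update(issued + timedelta(days=7)))
    for serial, reason in entries:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(issued)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(signing_key, hashes.SHA256())

def demo():
    """Build a constructed CA, certificates and CRLs, then classify each case."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    leaf_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    ca = _cert(CA_CN, ca_key.public_key(), ca_key, 1)
    crl = _crl(ca_key, [(1002, x509.ReasonFlags.certificate_hold),
                        (1003, x509.ReasonFlags.key_compromise)])
    certs = {label: _cert(label, leaf_pub, ca_key, serial)
             for label, serial in (("good", 1001), ("held", 1002), ("gone", 1003))}
    out = {label: revocation_status(c, ca, crl, NOW) for label, c in certs.items()}
    out["urls"] = crl_urls(certs["good"])
    lapsed = _cert("lapsed", leaf_pub, ca_key, 1004, valid_days=-1)
    out["lapsed"] = revocation_status(lapsed, ca, crl, NOW)
    # Correct issuer name but signed with another key: must not be trusted.
    out["forged"] = revocation_status(certs["gone"], ca, _crl(other_key, []), NOW)
    # Issued 8 days ago, so its 7-day validity has already ended.
    old = _crl(ca_key, [], issued=NOW - timedelta(days=8))
    out["stale"] = revocation_status(certs["gone"], ca, old, NOW)
    return out

if __name__ == "__main__":
    print(demo())
```

Every failure path returns an `unknown:` result rather than `good`, so a forged or outdated list cannot hide a revoked certificate. The same function applies unchanged to each CRL in the chain hierarchy.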

Subscription Suspension

The subscription will end at the moment of certificate expiration or revocation.

6. PHYSICAL SECURITY, INSTALLATIONS, MANAGEMENT AND OPERATIONAL CONTROLS

6.1. Physical Controls

The CA has established physical and environmental security controls to protect the resources of the installations that house the systems and the equipment used in operations. The security and environmental policy applicable to the certificate generation services offers protection against:
- Unauthorized physical access
- Natural disasters
- Fire
- Failure of support systems (electric energy, telecommunications, etc.)
- Structure collapse
- Flooding
- Theft
- Unauthorized removal of equipment, information, media and applications related to the components used for Credited Entity services.

Installations have preventive and collective maintenance systems at their disposal with 4h- 65 day assistance in the 4 hours after the notice. The location of the installations guarantees the presence of security forces in a time frame not exceeding 0 minutes.

Physical Location and Construction

The CA installations are built with materials that guarantee protection against physical attacks, and are located in a low disaster risk zone that permits easy access. The room where the cryptographic operations take place is a cage with protection against external radiation, double flooring, smoke alarms, anti-humidity systems, double refrigeration systems and double electrical supply systems.

Physical Access

Physical access to the accredited premises where accredited processes take place is limited and protected through a combination of physical and procedural measures. The room is limited solely to authorized personnel, with proper identification at the moment of access and registration, including closed-circuit television recording and its storage. Installations have presence detectors at all vulnerable spots as well as theft alarm systems which are announced by alternative channels. Room access is controlled by identification card readers and thumbprints, and is managed through automatic entry and exit logs.

Electrical Power and Air Conditioning

CA installations have stabilizing electrical equipment and an electrical power system which is backed up by a generator set with fuel tanks that can be refilled externally. The rooms which contain information equipment have temperature control systems with duplicated air conditioning equipment.

Water Exposure

The rooms where information equipment is kept have a humidity detection system.

Fire Protection, and Prevention

The rooms where information systems are kept also have automatic fire detection and control systems.

Storage Systems

Each detachable storage system (tapes, cartridges, diskettes, etc.) is labeled with the highest

level of information classification and is kept only at the authorized personnel level. Information classified as confidential is stored independently from other storage systems, in fireproof closets or permanently locked up, and requires express authorization for its removal.

Elimination of Information support

When a device has outlived its use, sensitive information is destroyed in the most adequate form, in the following ways:
- Paper and printouts: through paper shredders or in special wastebaskets which are destroyed under controlled conditions.
- Storage media: before being eliminated or reused, they should be processed for physical erasure or to make the contained information illegible.

6.. Procedure Controls

Responsibility roles

Confidential roles are those described in the corresponding Hierarchy policy, in a way that guarantees functional segregation, which distributes control, limits internal fraud, and does not permit a single person to control certificate functions from start to finish. The minimum established roles are:
- Security Officer: Holds overall responsibility for administering and implementing security policies and procedures.
- System Administrators: Authorized to make changes to system configuration, but without access to the actual data.
- System Operator: Responsible for day-to-day system management (monitoring, backup, recovery, ...).
- System Auditor: Authorized to access system logs and verify procedures.
- CA Operator: Responsible for activating CA keys offline, or for certificate and CRL signing procedures on the offline Root.
- Registration Officer: Responsible for approving, issuing, suspending, and revoking end-entity certificates.

Number of people required per Tasks

The CA guarantees at least two people to perform tasks that require multi-person control, as detailed below:
- Generating keys destined for the CA.
- Recovery and backup of the CA private key.
- Issuance of CA certificates.
- Activating CA private keys.
- Any activity carried out on the hardware and software resources that support the root CA.

Role Identification and Authentication

The people assigned to each role are identified by the internal auditor, who ensures that each person performs his or her assigned operations. Each person controls only the activities necessary for his or her role, ensuring in this way that no person accesses non-assigned resources. Access to resources is achieved, depending on the asset, through login/password, digital certificates, physical access cards and keys.

Roles that Require Function Segregation

Auditor roles are incompatible with certificate tasks timing and also incompatible with systems. These functions are subordinate to the systems chief of operations, reporting to him or her as well as to technical management. The people involved in systems administration cannot carry out Auditory nor activities.

6.. Personnel control

Requirements related to Professional Qualifications, Knowledge, and Experience

All personnel who undertake trusted and unsupervised tasks have worked at the production center for at least six months and have a fixed labor contract. All personnel are qualified and trained to carry out their assigned operations.

The CA ensures that registration personnel are dependable and part of a cooperation to carry out registration duties. To this effect, a declaration by the entity is required in order for a person to assume RA functions. The registry employee must have attended a preparation course in order to perform registry duties and application validations. At the end of the course an auditor evaluates their knowledge of the process. Security Data Seguridad en Datos y Firma Digital relieves an employee of his or her functions upon learning of the existence of a criminal act/record that could affect the performance of these functions.

Antecedents Verification Process

Security Data Seguridad en Datos y Firma Digital carries out the pertinent investigations before contracting personnel. The RA can establish different criteria and thus becomes responsible for the actions of the authorized personnel.

Education Requirement

Security Data Seguridad en Datos y Firma Digital employees attend all necessary courses to ensure the correct execution of certification tasks, especially when substantial modifications are made to these tasks by operator.

Education Requirements, Frequency and Actualization

All updates are annual, except for CPS modifications, which will be notified when they are approved.

Third party Contract Requirements

All contracted employees required to perform trusted tasks must first sign a confidentiality clause and the operational requirements for CA operation employees. Any action that jeopardizes the security of the accepted critical processes could cause the termination of the labor contract.

6.4. Security Auditory Processes

Registered Event Types

Security Data Seguridad en Datos y Firma Digital registers and saves the logs of all events related to the CA security system. These include the following events:
- System boot and power down.
- Attempts at creating, deleting, or setting passwords, or at changing privileges.
- All login and logout attempts.
- Unauthorized access attempts to the CA system through the network.
- Unauthorized access attempts to the CA internal network.
- Unauthorized attempts to access system files.
- Physical access to logs.
- Changes in configuration and system maintenance.
- Application registration to the authority.
- Turning the CA application on and off.
- Changes in the details of the CA and/or its passwords.
- Changes in the creation of certificate profiles.
- Generation of individual passwords.
- Certificate life events.
- Events associated with the use of the cryptographic module associated with the CA.
- Records of the destruction of media that contain passwords and activation data.

Additionally, Security Data Seguridad en Datos y Firma Digital, manually or electronically, retains the following information:
- The CA key creation ceremonies and the password generation database.
- Physical access records.
- System configuration maintenance and changes.
- Changes in the personnel who perform CA security tasks.
- Records of the destruction of material that contains password information, activation data or personal subscriber information, if such information exists.
- Possession of activation data for operations with the CA private keys.

Frequency of Auditing Registry Processes

Audit logs are reviewed weekly and in all cases when there is a motivated system alert

by appearance of some incident, in search of suspicious or irregular events.

Auditing Registry Conservations

All audit log information is saved when necessary in order to guarantee system security, depending on each specific log.

Auditing Registry Protection

System logs are protected from perpetrators by means of signing the files that contain them. They are stored in fireproof deposits. Access is protected through external storage systems outside the Authority Center. The devices are managed at all times by authorized personnel.

Auditing Registry Backup Procedures

Security Data Seguridad en Datos y Firma Digital has an adequate backup process available. In the case of loss or destruction of important archives, copies of the backup logs are available for a short period of time. The CA has implemented a safe audit log backup procedure, creating a copy of all the logs on an external medium. This is done weekly. The external medium is stored in a fireproof closet under security measures that guarantee access only to authorized personnel. There is an additional copy of the audit logs in the external custody center.

Auditing Systems Information Gathering

Audit event information is collected internally and automatically by the operating systems and by the certification software.

Vulnerability Analysis

The CA periodically reviews the log information for discrepancies and suspicious

activities, according to the internal procedure established in the security policies.

Registry Archives

Event Archive Types

All events that take place during the certificate life cycle, including renewals, are stored. The following will be kept by the CA, or by RA delegations:
- All audit data.
- All certificate-related data, including subscription contracts and data related to identification.
- Issuance applications and certificate revocations.
- All issued or published certificates.
- Issued CRLs or status records of generated certificates.
- Documents required for audits.
- Communications between PKI elements.

The CA is responsible for the adequate archiving of all the documentation and material.

Registry Storage Period

All system data related to the certificate life cycle is kept for the period established by law, when applicable. Certificates remain posted in the repository for at least a year after their expiration. Subscriber contracts and any information related to the identification and authentication of the subscriber are kept for at least 15 years or for the period established by current law.

Archive Protection

The CA ensures archive protection through the assignment of qualified personnel for its storage and handling, in fireproof security boxes and external installations if necessary. The CA has technical and configuration documentation that details all actions taken to guarantee archive protection.

Archive Security Copy Procedure

The CA has an external storage system to guarantee the availability of copies of electronic archives. Physical documents are stored in secure places with access restricted to authorized personnel.

Registry Time Stamping Requirements

The registry is dated with a reliable source. The CA technical and configuration documentation contains a separate document about the configuration of the time stamping devices used in certificate issuance.

Auditing Information Archiving System

Not stipulated.

Procedure in Order to Obtain and Verify Archived Information

During the audit required by the CPS, the auditor will verify the integrity of the archived information. Access to archived information is granted only to authorized personnel. The CA will provide information to the auditor to try and verify archived information.

CA Rekeying

Root CA

Before the Root CA certificate expires there is a rekeying, which will introduce changes in certificate content that better adjust to existing laws, to the current situation of Security Data Seguridad en Datos y Firma Digital and to the market situation. The old CA and its private key will only be used to sign the CRL as long as there are active certificates issued by the old CA. A new private key will be generated for the new CA. The CA technical and security documentation will detail CA password changes.

Subordinate CA

In the case of a subordinate CA, the user could opt for certificate renewal with or without password changes. Only when the switch is done will the changes stated in the previous point occur.

Disaster Recuperation Plan

Fire and Vulnerabilities Management Procedure

The CA has developed a contingency plan, further elaborated in the Security Policy document, in order to recover all systems in less than 4 hours, even though revocation and publication of certificate status information is in less than 4 hours. Any failure to achieve the goals set by this contingency plan will be treated as inevitably reasonable, except when this failure is caused by a breach of contract by the CA to implement such processes.

Altering Hardware, Software and/or Data Resources

In the case of an incident that alters or corrupts hardware, software or data resources, Security Data Seguridad en Datos y Firma Digital will proceed according to what has been stipulated in the Security Policies.

Procedure to follow in the event of password theft from a Certificate Authority

The contingency plan of Security Data Seguridad en Datos y Firma Digital covers the theft of the CA private key. In the case of CA private key compromise, Security Data Seguridad en Datos y Firma Digital will:
- Inform all subscribers, users and other CAs with which it has agreements or other types of arrangement, by means of an announcement on the CA main web page.

- Inform that all certificates and revocation status information signed using that particular key are invalid.

Continuing Business after a Catastrophe

The CA will reestablish critical services (revocation and the publication of revoked certificates) according to this CPS within 4 hours after a catastrophe or an unforeseen emergency, using the existing contingency and business continuity plan as a foundation. The CA has an alternative center at its disposal, if the situation requires it, for the operation of the certification system.

Activity Suspension

Authority

Before suspending its activity, the CA will take the following actions:
- Provide the necessary funds (to continue until completion of the revocation activities, up to the definitive suspension of activity) if the situation requires it.
- Inform all subscribers, applicants, users and other CAs or partner entities of this suspension with at least one month's notice, or the period that current law stipulates.
- Revoke all authorization of subcontracted entities that could act in the name of the CA.
- Inform the competent administration, in the indicated time frame, of the suspension of activity and the new destination of all certificates, specifying, depending on the situation, whether management will be transferred and, if so, the name of the new management.

Registry Authority

Before suspending a registration authority of a specific Group, Security Data Seguridad en Datos y Firma Digital will:
- Stop issuing and renewing that RA's certificates.
- Revoke operating certificates of that RA.
- Revoke subscriber certificates issued by that RA, except when noted otherwise.

7. TECHNICAL SECURITY CONTROLS

7.1. Generation and Installation of the Key Pair

Generation of the Key Pair

There are two cases of key generation for recognized certificates:

a) In hardware (physical support)

CA keys are generated according to the documented key ceremony process, inside the security room of the Accredited Entity, in the Hardware Security Module (HSM), by appropriate personnel according to trust roles, with at least dual control and witnesses from Security Data Seguridad en Datos y Firma Digital, as well as the CA holder and the external auditor. For end-entity certificates, the key pairs are created in the device itself using the system provided by the RA. This process is securely linked to the certificate generation process, guaranteeing the confidentiality of the private key during generation and the complementarity between signature creation data and signature verification data.

b) In Roaming Software

The subscriber receives an invitation to connect to the certificate generation services of Security Data Seguridad en Datos y Firma Digital. The subscriber generates the key pair in its system and sends the public key to the CA in PKCS10 format or another equivalent. In other cases, key generation by the subscriber is done in devices that reasonably ensure that the private key will be protected by the subscriber against unauthorized usage through physical methods, with the subscriber establishing adequate controls and security measures.

Delivery of the Private Key to the Subscriber

a) In Hardware (Physical Support)

The private key will be delivered along with the certificate in the signature creation device. The RA is responsible for guaranteeing the delivery of the device to the subscriber, ensuring in this way that the subscriber is in possession of the creation data corresponding to the verification data found in the certificate.

The cryptographic device uses an activation code in order to access private keys.

b) Software

The subscriber generates the key pair directly in the system and it is saved in the computer's CAPI.

c) Roaming

The subscriber generates the key pair directly in the system and it is saved on Security Data servers.

Delivery of the Public Key to the Certificate Emissary

The public key is delivered to the CA for certificate generation in a standard format, preferably PKCS#10 or self-signed X509, using a secure channel for its transmission.

Delivery of the CA Public Key to Trusted Certificate CA Third party Members

The CA certificates of the certification chain and their fingerprints will be at the disposal of users on the Security Data Seguridad en Datos y Firma Digital web page.

Permitted uses of the Key (X509v Key Usage)

All certificates include the Key Usage and Extended Key Usage extensions, indicating all permitted usages of the keys. The permitted uses of each certificate's key are defined in the corresponding certification policy.

Extended Key Usage (EKU)

The EKUs included in the Electronic Signature Certificates of Security Data S.A. are the following:
- Server Auth
- Client Auth
- OCSP
- Time stamping

7.. Private Key Protection and Engineering Controls of the Cryptographic Module

Cryptographic Standard Model

The cryptographic modules employed to generate and store Authority keys are certified to the FIPS-140- Level norm. The subscriber keys of recognized certificates with SSCD and of administration operators are generated by the interested party in a secure way using a cryptographic device rated CC EAL4+, FIPS level, ITSEC E4 High or another equivalent level. The cryptographic devices that hold the private keys of subscribers of recognized SSCD certificates and of operators or administrators contribute to a safe security level.

Multi-person Control (k of n) of the Private Key

Access to the private key of the CA requires the simultaneous use of three out of a possible five cryptographic devices, which are protected by an access code.

Protection of the Private Key

The CA private key is guarded by a cryptographic hardware device certified to the FIPS 140- level three norm, guaranteeing that the private key is never outside the cryptographic device. Activation and use of the private key require the multi-person control detailed previously. After the operation is finished, the session closes, which deactivates the private key. Subordinate CA private keys are kept in secure cryptographic devices certified to the FIPS 140- level norm.

Security Copy of the Private Key

There are some devices that permit the restoration of the CA private key, which are safely stored and are only accessible by authorized personnel according to trust roles, using at least dual control in a secure medium.

The Root CA and subordinate CA keys can be restored by a process that requires the simultaneous use of of a possible 5 cryptographic devices (cards). This process is described in detail in the security policy of Security Data Seguridad en Datos y Firma Digital.

Private Key Archiving

The CA will not archive the private signature keys of certificates after their expiration. The private keys of the internal certificates that the distinct CA system components use to communicate with each other, sign and encrypt information will be archived for at least a ten year period after the issuance of the last certificate. Subscriber private keys can be self-stored, through the preservation of the signature device or other devices, because they can be used to decrypt historical data encrypted with the public key, when the device permits this operation.

Transferring the Private Key to/or from a Cryptographic Module

There is a CA key ceremony document in which the private key generation process and the use of cryptographic hardware are described. In other cases a PKCS1 format archive can be used to transfer the private key to the cryptographic module. In any case the archive is protected by an activation code.

Private Key Activation Method

The Root CA is activated by a process that requires the simultaneous use of out of 5 cryptographic devices (cards). The Subordinate CA keys are activated by a process that requires the use of 1 out of 4 cryptographic devices (cards). Access to the subscriber private key is by means of a PIN. The device has a protection mechanism against access attempts, which blocks the device when an erroneous access code is entered more than five times in a row. The subscriber has an unblocking code. If this code is incorrectly entered more than three times, the device is blocked and becomes useless.
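The CPS states the three-of-five rule for access to the CA private key but not how the cryptographic devices enforce it. One common construction for k-of-n control is Shamir secret sharing, shown here as an added illustration that is not Security Data's or any HSM vendor's implementation; the field prime, `check_value` and `activate` are assumptions of the example.

```python
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the secret


def split(secret, k, n):
    """Split an integer secret into n shares; any k of them rebuild it."""
    if not 1 < k <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 < k <= n and 0 <= secret < PRIME")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):        # one share per card; x = 0 is the secret
        y = 0
        for c in reversed(coeffs):   # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def check_value(secret):
    """Fingerprint kept with the module so a wrong rebuild is detected.
    Safe to store only because the secret is a high-entropy key."""
    return hashlib.sha256(secret.to_bytes(66, "big")).hexdigest()


def activate(presented, k, expected_check):
    """Release the key only if at least k valid shares are presented."""
    if len(presented) < k:
        raise PermissionError("quorum not met")
    secret = combine(presented[:k])
    if check_value(secret) != expected_check:
        raise PermissionError("share rejected")
    return secret


def demo():
    key = secrets.randbelow(2**256)  # constructed stand-in for key material
    cards = split(key, k=3, n=5)     # three of five, as in the CPS
    check = check_value(key)
    any_three_work = activate([cards[4], cards[1], cards[2]], 3, check) == key
    two_cards_learn_key = combine(cards[:2]) == key
    tampered = [cards[0], (cards[1][0], cards[1][1] ^ 1), cards[3]]
    try:
        activate(tampered, 3, check)
        tamper_detected = False
    except PermissionError:
        tamper_detected = True
    return any_three_work, two_cards_learn_key, tamper_detected


if __name__ == "__main__":
    print(demo())
```

With fewer than three shares the interpolation yields an unrelated field element, which is why two colluding card holders learn nothing about the key.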

Private Code Deactivation

The subscriber private key of SSCD certificates becomes deactivated once the cryptographic signature creation device is read.

Private Key Destruction Method

The devices that have stored any part of the private keys of the CA signing certificates or their activation data are physically destroyed or reinitialized.

7.. Other Aspects of the Management of Key Pairs

Public Key Storage

The CA stores all public keys for the period required by current law, when applicable, or while the certification service is active plus at least six months after the subscription ends.

Certificate Operation Period and Key Pair Usage Period

The certificate usage period is determined by its temporal validity. A certificate should not be used after its validity period, even though the relying party could use it to verify historical data, taking into account that there is no valid online verification service for these kinds of certificates.

Activation Data

Activation Data Installation and Generation

The activation data are generated once the cryptographic device is initialized. If the initialization is performed by an external entity, the activation data will be given to the subscriber through a process that assures the confidentiality of this data.

Activation Data Protection

Only authorized personnel have knowledge of the activation data of the Root CA and Subordinate CA private keys. For end-entity certificates, once the device and the activation data are delivered, it is the sole responsibility of the subscriber to keep this data confidential.

Information System Controls

The CA uses trustworthy systems and commercial products to offer its certification products. The equipment used is initially configured with adequate security profiles by the systems personnel of Security Data Seguridad en Datos y Firma Digital in the following aspects:
- Operating system security configuration.
- Application system configuration.
- Correct dimensioning of the system.
- User and permission configuration.
- Log event configuration.
- Backup and recovery plan.
- Antivirus configuration.
- Network traffic requirements.

The technical and configuration documentation of Security Data Seguridad en Datos y Firma Digital details the construction of the equipment that offers certification services, including its physical and logical security.

Security Requirements

Each CA server includes the following functions:
- Access control to the CA servers and privilege management.
- Enforcing separation of duties for privilege management.
- Identification and authorization of associated identities and roles.
- Storage of subscriber and CA history and audit data.
- Auditing of events related to the CA.
- Security self-diagnostics related to CA services.

- Key and CA system recovery mechanisms.

The functionality described is supplied through a combination of the operating system, PKI software, physical protection and procedures.

Information Security Evaluation

Equipment security is reflected by an initial risk analysis, in such a way that the implemented security measures respond to the probability and impact of a particular threat taking advantage of security breaches. Security is guaranteed by the previously mentioned installations, and personnel management is easy due to the low number of people employed at the Security Data Seguridad en Datos y Firma Digital data center.

Security Life Cycle Controls

System Development Controls

The CA has a change control procedure for operating system and application versions that imply an improvement in security functions or that correct any detected vulnerability.

Security Management Controls

Security Management

The CA carries out specific activities for the training and awareness of employees in security matters. Materials used for training and documents describing the processes are updated after approval by a security management forum. The CA contractually requires equivalent security measures of any external provider involved in certification work.

Classification and Management of Goods and Information

The CA maintains an inventory of assets and documentation and a management procedure for these materials to guarantee their use. The CA security policy details information management procedures, under which information is classified according to its confidentiality level. Documents are categorized into three levels: PUBLIC, INTERNAL AND CONFIDENTIAL.

Management Operations

The CA provides an adequate management procedure and response system, through the implementation of an alert system and the generation of periodic reports. The CA technical documentation and CPD procedures contain a detailed incident management process. The CA provides fireproof security boxes for the storage of physical media. The CA has documented all procedures related to the functions and responsibilities of the personnel involved in the control and management of the elements contained in the certification process.

Security Support Treatment

All media will be handled securely according to the information classification requirements. Media that contain sensitive information are securely destroyed if they are not going to be required in the future.

System Planning

The CA technical department maintains an equipment capacity register which, together with the resource control application of each system, makes it possible to anticipate a possible re-dimensioning.

Incident Reports and Response

62 (CPS) The CA contains an incident following and its resolution where responses are recorded as well as an economic evaluation that assumes incident resolution Operational Procedures and Responsibilities The CA defines assigned activities to people with a different trust role to the people in charge of carrying out common operations that do not have a high level of confidentiality System Access Management The CA realizes all efforts that are reasonably within reach to confirm that the system access is limited to authorized people. Particularly: a) General CA Management: Provides high availably firewall based controls. Sensible data are protected though cryptographic techniques or access controls with strong authentication systems. CAs contains a management procedure o user highs and lows and access policy detailed in the security policy. The CA has at its disposal a procedure to assure that operations are done while respecting role policy. Each person has his or her own identification card to carry out certification operations according to his or her own role. CA personnel are responsible for its actions, for example, keeping event logs. b) Certificate Generation: The AC installations are equipped with continuous monitoring Systems as well as detection and registration alarms, and can act immediately react to an unauthorized access attempt to its recourses. The authentication to realize emission processes is done through a m of n operation systems operation for the activation of private AC key. c) Revoke Management: CA installations are equipped with continuous monitoring systems and detecting and registering alarms, it can act immediately against an unauthorized access The revoke refers to the permanent loss of a digital certificate. This revoke is done 4/06/011 Página 6

63 (CPS) through strong authorization processes with application cards or an authorized administrator. Log systems generate tests that guarantee the non repudiation of the action made by the CA. d) Revoke Status The application of the revoke contains an access control based in the certificate authorization to prevent the attempt of information modification of the revoke status Management of the Cryptographic Hardware Life Cycle The CA assures that the cryptographic software used in certificate signatures is not manipulated during its transport. The cryptographic Hardware is built over prepared supports to prevent any manipulation. The CA registers all the pertaining information related to the device to add to the active catalog of the Security Data Seguridad en Datos y Firma Digital, S.A. The use of cryptographic certificate signing hardware requires the use of at least two trusted employees. Security Data Seguridad en Datos y Firma Digital periodically carries out tests to assure correct functional levels. The cryptographic device can only be manipulated by a trusted personnel. The CA private signature key is stored in its cryptographic hardware which is eliminated once the device is removed. CA System configuration as well as its modifications and actualizations are documented and controlled. The CA possesses device maintenance contract for its correct usage. Any actualizations or changes are authorized by the security personnel and will be reflected in the corresponding work acts. These configurations are done at least by two trusted people Network Security Controls The CA is protected from the physical access to network management devices and contains a structure that orders generated traffic based on its security characteristics which creates clearly defined network sections. Each division is done through the use of firewalls. The confidential information that transfers through unsecure networks is done in an encrypted matter 4/06/011 Página 6

8. CERTIFICATE PROFILE

8.1. Certificate profiles

The certificate profiles correspond to those set out in the certification policies and are consistent with the following standards: ETSI TS known as "European profile for Qualified Certificates", RFC 80 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 79 "Qualified Certificates Profile". The common profile for all certificates is the following:

Certificate Field | Name | Description
Version | Version no. | V (standard version of X509)
Serial | Serial no. | Unique code with respect to the distinguished name of the issuer
Issuer | Issuer | DN of the CA that issues the certificate
Not Before | Valid from | Start date of validity, UTC
Not After | Valid until | End date of validity
Subject (DN) | Subject | Subscriber name
Extensions | Extensions | Certificate extensions

Version Number

The certificates follow the standard X.509 version

Certificate Extension

The extensions presented here are all those that issued certificates may contain. The certification policy of each certificate type specifies the extensions required.

Extension | Critical | Possible Values
X509v Subject Alternative Name | - | Subscriber
X509v Issuer Alternative Name | - | (of the CA). URI: data.net.ec
X509v Basic Constraints | Yes | Possible values depending on whether it is a CA certificate: CA:FALSE, CA:TRUE
X509v Key Usage | Yes | Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v Extended Key Usage | | TLS Web Client Authentication, Protection
X509v Subject Key Identifier | - | Identifier of the public key of the certificate, obtained from its hash
X509v Authority Key Identifier | - | Identifier of the public key of the CA certificate, obtained from its hash
X509v Authority Information Access | - | URI where the CA certificate is found
X509v CRL Distribution Points | - | URI of the CRL
X509v Certificate Policies | - | OID of the certification policy corresponding to the certificate. URI of the CPS. User Notice: text note that can be displayed on the user's screen
Qcs | - | types exist: Id-etsi-qcs-QcCompliance (added when the certificate is a recognized certificate), Id-etsi-qcs-QcSSCD (indicates that the private key is stored in the SSCD), id-etsi-qcs-QcLimitValue (limit value of the transactions)
(Obsolete) proprietary extension of professional signature | | Can have the value "joint". If the signature is from a legal person it is joint. If it is not a joint signature, the extension does not appear

Name Format

DN Field | Name | Description
CN, Common Name | Name | Name and surname of the subscriber. Additionally, it can contain a numerical identification code, or the RUC of the subscriber, distinguished from the name by a preceding label: "/ num.:" or "RUC"
E | | Subscriber
ST, State | Geographic Location | Geographic area to which the subscriber is linked
C, Country | Country | Two-digit country code according to ISO. By default ES
Serial Number | Serial Number | Identity card of the subscriber*
SN, Surname | Surname | Subscriber's surname
GN, Given Name | Given Name | Subscriber's name

CRL Profile

The CRL profile corresponds to that set out in the certification policies and to the standard X.509 version of RFC 80 "Internet X.509 Public Key Infrastructure Certificate and CRL Profile". The CRLs are signed by the certification authority that issues them.

Version Number

The CRLs issued by the CA are version

CRL and Extensions

CRL of the Root Authority (CA Root)

Field | Value
Version |
Number of CRL | Incremental number
Signature algorithm | Sha1WithRSAEncryption
Issuer | Distinguished Name (DN) of the issuer
Effective issue date | (Issue date of the CRL, UTC time)
Date of next update | Effective issue date + 6 months
Authority Key Identifier | Hash of the issuer's key
Only contains user certificates | NO
Only contains certificates of the issuing entity | NO
Indirect Certificate Revocation List (CRL) | NO

CRL Entries: Certificate serial no., Revocation date, Reason code

CRL of Subordinate Authorities

Field | Value
Version |
Number of CRL | Incremental number
Signature algorithm | Sha1WithRSAEncryption
Issuer | Distinguished Name (DN) of the issuer
Effective issue date | (Issue date of the CRL, UTC time)
Date of next update | Issue date + 7 days
Authority Key Identifier | Hash of the issuer's key
Only contains user certificates | NO
Only contains certificates of the issuing entity | NO
Indirect Certificate Revocation List (CRL) | NO

CRL Entries: Certificate serial no., Revocation date, Reason code
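The extension table in section 8.1 can be checked mechanically against an issued certificate. The following is an added example, not part of the CPS or of the CA's own tooling: it lints the extensions block of an `openssl x509 -noout -text` dump against the "Critical" and "Possible Values" columns. Assumptions: extension names are written as OpenSSL prints them (with the `X509v3` prefix, and `qcStatements` for the Qcs row), Extended Key Usage criticality is not checked because the table gives none, the key usage list is applied only to CA:FALSE certificates, and both sample dumps are constructed.

```python
"""Lint `openssl x509 -noout -text` extensions against the CPS extension table."""

# "Critical" column of the table: rows marked "Yes" and rows marked "-".
CRITICAL = {"X509v3 Basic Constraints", "X509v3 Key Usage"}
NON_CRITICAL = {
    "X509v3 Subject Alternative Name", "X509v3 Issuer Alternative Name",
    "X509v3 Subject Key Identifier", "X509v3 Authority Key Identifier",
    "Authority Information Access", "X509v3 CRL Distribution Points",
    "X509v3 Certificate Policies", "qcStatements",
}
UNSPECIFIED = {"X509v3 Extended Key Usage"}  # no criticality given in the table
ALLOWED_KEY_USAGE = {"Digital Signature", "Non Repudiation", "Key Encipherment",
                     "Data Encipherment", "Key Agreement"}


def parse_extensions(dump):
    """Return {extension name: (critical, [value lines])} from a text dump."""
    lines = dump.splitlines()
    exts, name, name_indent = {}, None, None
    start = next((i for i, l in enumerate(lines)
                  if l.strip() == "X509v3 extensions:"), None)
    if start is None:
        return exts
    base = len(lines[start]) - len(lines[start].lstrip())
    for line in lines[start + 1:]:
        text = line.strip()
        if not text:
            continue  # OpenSSL leaves blank lines inside some extensions
        indent = len(line) - len(line.lstrip())
        if indent <= base:
            break  # left the extensions block (e.g. "Signature Algorithm:")
        if name_indent is None:
            name_indent = indent
        if indent == name_indent:  # header line: "<name>:" or "<name>: critical"
            name = text.rsplit(":", 1)[0].strip()
            exts[name] = (text.endswith(": critical"), [])
        else:  # deeper indentation: value line of the current extension
            exts[name][1].append(text)
    return exts


def lint(dump):
    """Return a list of deviations from the profile (empty list = conforms)."""
    exts = parse_extensions(dump)
    findings = []
    for name, (critical, _values) in exts.items():
        if name in CRITICAL and not critical:
            findings.append(f"{name}: must be critical")
        elif name in NON_CRITICAL and critical:
            findings.append(f"{name}: marked critical, profile says non-critical")
        elif name not in CRITICAL | NON_CRITICAL | UNSPECIFIED:
            findings.append(f"{name}: not in the profile")
    flags = [v.split(",")[0].strip()
             for v in exts.get("X509v3 Basic Constraints", (False, []))[1]]
    if any(f not in ("CA:TRUE", "CA:FALSE") for f in flags):
        findings.append("X509v3 Basic Constraints: unexpected value")
    if "CA:TRUE" not in flags:  # assumption: usage list covers subscribers only
        usages = {u.strip()
                  for v in exts.get("X509v3 Key Usage", (False, []))[1]
                  for u in v.split(",")}
        for extra in sorted(usages - ALLOWED_KEY_USAGE):
            findings.append(f"X509v3 Key Usage: {extra} not allowed for a subscriber")
    cdp = exts.get("X509v3 CRL Distribution Points")
    if cdp and not any(v.startswith("URI:") for v in cdp[1]):
        findings.append("X509v3 CRL Distribution Points: no URI")
    return findings


# Constructed sample dump (not a real certificate) that follows the profile.
GOOD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=CONSTRUCTED SUBSCRIBER
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                00:11:22:33
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/sub.crl

            X509v3 Certificate Policies:
                Policy: 1.2.3.4
                  CPS: http://example.test/cps
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed deviations: non-critical Key Usage, a CA-only usage bit,
# a critical Subject Key Identifier, and a CRL distribution point without a URI.
BAD = (GOOD.replace("X509v3 Key Usage: critical", "X509v3 Key Usage:")
           .replace("Key Encipherment", "Certificate Sign")
           .replace("X509v3 Subject Key Identifier:",
                    "X509v3 Subject Key Identifier: critical")
           .replace("URI:http://crl.example.test/sub.crl",
                    "DirName:CN = constructed"))

if __name__ == "__main__":
    for label, dump in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(dump) or "conforms to the profile")
```
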

9. AUDIT COMPLIANCE AND OTHER CONTROLS

9.1. Auditing Frequency

Periodic audits will be conducted, usually on an annual basis.

9.2. Auditor Qualification

Audits can be either internal or external. In the second case they will be carried out by companies of recognized standing in the auditing field.

9.3. Relation between the Auditor and the Authority Audited

The companies that carry out external audits must never have any conflict of interest that could compromise their work in relation to Security Data Seguridad en Datos y Firma Digital. In addition, Security Data Seguridad en Datos y Firma Digital carries out periodic internal audits of the CA hierarchy to guarantee at all times compliance with the requirements set by the certification policies of the hierarchy.

9.4. Aspects Covered by the Controls

The audit verifies the following aspects:

a) Information Publishing: that the CA makes public its business practices and certificate management practices (the present CPS), as well as its information privacy and personal data protection policy, and that it provides its services in accordance with those statements.

b) Service Integrity: that the CA maintains effective controls to provide reasonable assurance that:
- The subscriber information is adequately authenticated (for registration activities performed by the CA), and
- The integrity of passwords and managed certificates is maintained, along with their protection throughout the whole life cycle.

c) General Controls: that the CA maintains effective controls to provide reasonable assurance that:
- Subscriber and user information is restricted to authorized personnel and protected from uses not specified in the published business practices of the CA.
- The continuity of operations is maintained for the management of the life cycle of keys and certificates.
- The operation, development and system management tasks of the CA are adequately authorized and performed so as to maintain their integrity.

Registry Authority Audit

The Registry Authorities that have access to the software or systems provided by Security Data Seguridad en Datos y Firma Digital for the management of certificates are audited by a third party before they begin operating. Additionally, audits are carried out to verify compliance with the requirements set by the certification policies for carrying out the registration work set out in the signed service contract. The audit frequency will be agreed between Security Data Seguridad en Datos y Firma Digital and the Registry Authority, always taking into account the activity the Registry Authority plans to undertake, in terms of number of certificates or specific security requirements. Exceptionally, however, Security Data Seguridad en Datos y Firma Digital may exempt a Registry Authority from the obligation to undergo an initial audit and the maintenance audit.

Actions to be taken as a result of incident detection

In the event that incidents or non-conformities are detected, appropriate actions will be put in place to resolve them in the shortest time possible. For grave non-conformities (those that affect critical services: REVOCATION SERVICES, CERTIFICATE ACTIVATION/SUSPENSION SERVICES, CRL PUBLISHING SERVICES), Security Data Seguridad en Datos y Firma Digital commits to a resolution within a maximum of three months.

In any case, for the incidents and non-conformities detected, a resolution committee will be formed by personnel of the affected areas, and a monitoring committee by the heads of the affected areas and General Management.

Communication of Results

The auditor will communicate the results to the Technical Director and to the General Director, who is the most senior person responsible for Security Data Seguridad en Datos y Firma Digital.

10. OTHER BUSINESS AND LEGAL MATTERS

Fees

Certificate Issuance and Renewal Fees

The prices of certification services or of any other service will be provided to customers or potential customers by the Commercial department of Security Data Seguridad en Datos y Firma Digital.

Certificate Access Fees

Access to issued certificates is free, although the CA reserves the right to impose a fee in the event of a mass download of certificates or in any other circumstance that, in the CA's judgment, should be charged for.

Fees for Access to Status or Revocation Information

Security Data Seguridad en Datos y Firma Digital provides free access to information on certificate status and revoked certificates through the publication of the corresponding CRL. Security Data Seguridad en Datos y Firma Digital provides other commercial certificate validation services (such as OCSP), whose fees will be negotiated with each client of these services.

Fees for Other Services

The fees applicable to other services will be negotiated between Security Data Seguridad en Datos y Firma Digital and the customers of the services provided.

Information Confidentiality

Security Data Seguridad en Datos y Firma Digital has an adequate information policy and model agreements that must be signed by all people who have access to confidential information.

Scope of Confidential Information

Security Data Seguridad en Datos y Firma Digital will consider confidential all information that is not categorized as public. No information declared confidential will be disclosed without the written consent of the entity or company that classified it as confidential, unless there is a legal obligation to do so.

Non Confidential Information

The following information will be considered non confidential:
- The content of the present CPS.
- The content of the different Policies (CP).
- The information contained in the certificates, since the subscriber must give his or her consent for their issuance, including the different statuses or situations of the certificate.
- The Certificate Revocation Lists (CRLs) and other revocation status information.
- The information contained in the certificate repositories.
- Any information whose publication is required by law.

Responsibility in the Protection of Confidential Information

It is the responsibility of Security Data Seguridad en Datos y Firma Digital to establish appropriate measures for protecting confidential information.

11. Reviews

Review | |
Published | 4/01/011 | 4/01/011
Author(s) | LV/ | LV/
Review Date | 18/0/011 | 14/0/011
Reviewed by | |
Approval date | 0/0/011 | 16/0/011
Approved by | CS | CS


More information

Advantage Security Certification Practice Statement

Advantage Security Certification Practice Statement Advantage Security Certification Practice Statement Version 3.8.5 Effective Date: 01/01/2012 Advantage Security S. de R.L. de C.V. Prol. Paseo de la Reforma # 625 Int 402, Col Paseo de las Lomas. Del Alvaro

More information

Post.Trust Certificate Authority

Post.Trust Certificate Authority Post.Trust Certificate Authority Certification Practice Statement CA Policy and Procedures Document Issue date: 03 April 2014 Version: 2.7.2.1 Release Contents DEFINITIONS... 6 LIST OF ABBREVIATIONS...

More information

PKI NBP Certification Policy for ESCB Encryption Certificates. OID: 1.3.6.1.4.1.31995.1.2.3.1 version 1.2

PKI NBP Certification Policy for ESCB Encryption Certificates. OID: 1.3.6.1.4.1.31995.1.2.3.1 version 1.2 PKI NBP Certification Policy for ESCB Encryption Certificates OID: 1.3.6.1.4.1.31995.1.2.3.1 version 1.2 Security Department NBP Warsaw, 2015 Table of Contents 1. Introduction 1 1.1 Overview 1 1.2 Document

More information

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012 Certipost Trust Services Version 1.2 Effective date 03 May 2012 Certipost NV ALL RIGHTS RESERVED. 2 13 Definitions : Activation Data Certificate Certificate Holder Certificate Public Registry Certificate

More information

Government CA Government AA. Certification Practice Statement

Government CA Government AA. Certification Practice Statement PKI Belgium Government CA Government AA Certification Practice Statement 2.16.56.1.1.1.3 2.16.56.1.1.1.3.2 2.16.56.1.1.1.3.3 2.16.56.1.1.1.3.4 2.16.56.1.1.1.6 2.16.56.1.1.1.6.2 2.16.56.9.1.1.3 2.16.56.9.1.1.3.2

More information

GEOSURE PROTECTION PLAN

GEOSURE PROTECTION PLAN GEOSURE PROTECTION PLAN I. SCOPE/INTRODUCTION The GeoSure Protection Plan is designed to provide protection against economic loss resulting from specific types of risks associated with certain SSL Certificates

More information

Citizen CA Certification Practice statement

Citizen CA Certification Practice statement Citizen CA Certification Practice statement OID: 2.16.56.1.1.1.2.2 OID: 2.16.56.1.1.1.2.1 VERSION: 1.1 1/56 Table of Contents 1 INTRODUCTION 5 1.1 PRELIMINARY WARNING 5 1.1.1 Trusted Entities ruled by

More information

X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities

X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities Version 5.1 May 2014 Notice to all parties seeking to rely Reliance

More information

TELSTRA RSS CA Subscriber Agreement (SA)

TELSTRA RSS CA Subscriber Agreement (SA) TELSTRA RSS CA Subscriber Agreement (SA) Last Revision Date: December 16, 2009 Version: Published By: Telstra Corporation Ltd Copyright 2009 by Telstra Corporation All rights reserved. No part of this

More information

Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement

Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Version 2.2 Document OID: 1.3.6.1.4.1.36355.2.1.2.2 February 2012 Contents

More information

PostSignum CA Certification Policy applicable to qualified personal certificates

PostSignum CA Certification Policy applicable to qualified personal certificates PostSignum CA Certification Policy applicable to qualified personal certificates Version 3.0 7565 Page 1/60 TABLE OF CONTENTS 1 Introduction... 5 1.1 Review... 5 1.2 Name and clear specification of a document...

More information

TeliaSonera Root CA v1 Certificate Practice Statement. Published by: TeliaSonera AB

TeliaSonera Root CA v1 Certificate Practice Statement. Published by: TeliaSonera AB 2007-10-18 1 (46) TeliaSonera Root CA v1 Certificate Practice Statement Published by: TeliaSonera AB Company Information Created Modified Approved Valid from 2007-10-12 Reg. office: Printed Coverage Business

More information

BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013

BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013 CERTIFICATE POLICY BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013 PUBLIC Version: 2.0 Document date: 11.05.2013 Buypass AS Nydalsveien 30A, PO Box 4364 Nydalen Tel.: +47 23 14 59 00 E-mail:

More information

CERTIFICATE POLICY KEYNECTIS SSL CA

CERTIFICATE POLICY KEYNECTIS SSL CA CERTIFICATE POLICY KEYNECTIS SSL CA Date: 05/02/2009 KEYNECTIS SSL CA CERTIFICATE POLICY Subject: KEYNECTIS SSL CA Certificate Policy Version number: 1.1 Number of pages: 49 Status of the Project Final

More information

Certificate Policy KEYNECTIS SSL CA CP. Emmanuel Montacutelli 12/11/2014 DMS_CP_KEYNECTIS SSL CA CP_1.2

Certificate Policy KEYNECTIS SSL CA CP. Emmanuel Montacutelli 12/11/2014 DMS_CP_KEYNECTIS SSL CA CP_1.2 Certificate Policy KEYNECTIS SSL CA CP Emmanuel Montacutelli 12/11/2014 DMS_CP_KEYNECTIS SSL CA CP_1.2 KEYNECTIS SSL CA CP Version 1.2 Pages 51 Status Draft Final Author Emmanuel Montacutelli OpenTrust

More information

Registration Practices Statement. Grid Registration Authority Approved December, 2011 Version 1.00

Registration Practices Statement. Grid Registration Authority Approved December, 2011 Version 1.00 Registration Practices Statement Grid Registration Authority Approved December, 2011 Version 1.00 i TABLE OF CONTENTS 1. Introduction... 1 1.1. Overview... 1 1.2. Document name and Identification... 1

More information

X.509 Certificate Policy for India PKI

X.509 Certificate Policy for India PKI X.509 Certificate Policy for India PKI Version 1.4 May 2015 Controller of Certifying Authorities Department of Information Technology Ministry of Communications and Information Technology Document Control

More information

Certificate Policy and Certification Practice Statement

Certificate Policy and Certification Practice Statement DigiCert Certificate Policy and Certification Practice Statement DigiCert, Inc. Version 3.03 March 15, 2007 333 South 520 West Lindon, UT 84042 USA Tel: 1-801-805-1620 Fax: 1-801-705-0481 www.digicert.com

More information

TERMS OF USE TITLE CERTIFICATES FOR ELECTRONIC SIGNATURE

TERMS OF USE TITLE CERTIFICATES FOR ELECTRONIC SIGNATURE TERMS OF USE FOR TITLE CERTIFICATES FOR ELECTRONIC SIGNATURE Prior to the verification of the electronic certificate, or to access or use the certificate status information and other information contained

More information

SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT

SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Kamu Sertifikasyon Merkezi TÜBİTAK Yerleşkesi, P.K. 74 Gebze 41470 Kocaeli, TURKEY Tel: +90 (0) 262 648 18 18 Fax: +90 (0) 262 648 18 00 www.kamusm.gov.tr

More information

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is. Trustwave Subscriber Agreement for Digital Certificates Ver. 11JUL14 PLEASE READ THIS AGREEMENT AND THE TRUSTWAVE CERTIFICATION PRACTICES STATEMENTS ( CPS ) CAREFULLY BEFORE USING THE CERTIFICATE ISSUED

More information

Visa Public Key Infrastructure Certificate Policy (CP)

Visa Public Key Infrastructure Certificate Policy (CP) Visa Public Key Infrastructure Certificate Policy (CP) Version 1.7 Effective: 24 January 2013 2010-2013 Visa. All Rights Reserved. Visa Public Important Note on Confidentiality and Copyright The Visa Confidential

More information

Certificate Policy. SWIFT Qualified Certificates SWIFT

Certificate Policy. SWIFT Qualified Certificates SWIFT SWIFT SWIFT Qualified Certificates Certificate Policy This Certificate Policy applies to Qualified Certificates issued by SWIFT. It indicates the requirements and procedures to be followed, and the responsibilities

More information

CERTIFICATION PRACTICE STATEMENT. EV SSL CA Certification Practice Statement

CERTIFICATION PRACTICE STATEMENT. EV SSL CA Certification Practice Statement CERTIFICATION PRACTICE STATEMENT EV SSL CA Certification Practice Statement Emmanuel Montacutelli September 1, 2015 OpenTrust_DMS_EV Statement SSL CA Certification Practice Manage d Services Signature

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

Comodo Certification Practice Statement

Comodo Certification Practice Statement Comodo Certification Practice Statement Notice: This CPS should be read in conjunction with the following documents:- * LiteSSL addendum to the Certificate Practice Statement * Proposed Amendments to the

More information

CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE. 2015 Notarius Inc.

CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE. 2015 Notarius Inc. CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE 2015 Notarius Inc. Document Version: 4.5 OID: 2.16.124.113550 Effective Date: July 17, 2015 TABLE OF CONTENTS 1. GENERAL PROVISIONS...8 1.1 PURPOSE...8

More information

DigiCert. Certificate Policy. DigiCert, Inc. Version 4.03 May 3, 2011

DigiCert. Certificate Policy. DigiCert, Inc. Version 4.03 May 3, 2011 DigiCert Certificate Policy DigiCert, Inc. Version 4.03 May 3, 2011 Suite 200 Canopy Building II 355 South 520 West Lindon, UT 84042 USA Tel: 1 801 877 2100 Fax: 1 801 705 0481 www.digicert.com TABLE OF

More information

e-mudhra CPS e-mudhra CERTIFICATION PRACTICE STATEMENT VERSION 2.1 (emcsl/e-mudhra/doc/cps/2.1) Date of Publication: 11 February 2013

e-mudhra CPS e-mudhra CERTIFICATION PRACTICE STATEMENT VERSION 2.1 (emcsl/e-mudhra/doc/cps/2.1) Date of Publication: 11 February 2013 e-mudhra CPS e-mudhra CERTIFICATION PRACTICE STATEMENT VERSION 2.1 (emcsl/e-mudhra/doc/cps/2.1) Date of Publication: 11 February 2013 e-mudhra emudhra Consumer Services Ltd., 3rd Floor, Sai Arcade, Outer

More information

User Manual Internet Access. for the public key. certification service

User Manual Internet Access. for the public key. certification service User Manual Internet Access for the public key certification service Version 1.2 / October 2014 1 Content TABLE OF CONTENTS 1 GENERAL INFORMATION... 3 1.1 INTRODUCTION... 3 2 IDENTIFICATION DATA... 3 2.1

More information

TERMS OF USE FOR NOTARIAL PERSONAL REPRESENTATION CERTIFICATES FOR AUTHENTICATION

TERMS OF USE FOR NOTARIAL PERSONAL REPRESENTATION CERTIFICATES FOR AUTHENTICATION TERMS OF USE FOR NOTARIAL PERSONAL REPRESENTATION CERTIFICATES FOR AUTHENTICATION Prior to the verification of the electronic certificate, or to access or use the certificate status information and other

More information

Vodafone Group CA Web Server Certificate Policy

Vodafone Group CA Web Server Certificate Policy Vodafone Group CA Web Server Certificate Policy Publication Date: 06/09/10 Copyright 2010 Vodafone Group Table of Contents Acknowledgments... 1 1. INTRODUCTION... 2 1.1 Overview... 3 1.2 Document Name

More information

Trustis FPS PKI Glossary of Terms

Trustis FPS PKI Glossary of Terms Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate

More information

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document

More information

e-tuğra CERTIFICATE POLICY E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. Version: 3.1 Validity Date: September, 2013 Update Date: 30/08/2013

e-tuğra CERTIFICATE POLICY E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. Version: 3.1 Validity Date: September, 2013 Update Date: 30/08/2013 e-tuğra CERTIFICATE POLICY E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. Version: 3.1 Validity Date: September, 2013 Update Date: 30/08/2013 Ceyhun Atıf Kansu Cad. 130/58 Balgat / ANKARA TURKEY

More information

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016 National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION

More information

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION I. DEFINITIONS For the purpose of this Service Description, capitalized terms have the meaning defined herein. All other capitalized

More information

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0 TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT Version 2.0 Effective Date: 14 April 2015 TABLE OF CONTENTS 1. INTRODUCTION 1.1 Overview 1.2 Document name and identification 1.3 PKI participants 1.3.1

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

Regulations on Real Time Gross Settlement System (RTGS)

Regulations on Real Time Gross Settlement System (RTGS) Regulations on Real Time Gross Settlement System (RTGS) Approved by the Order of the President of National Bank No. 135 of June 12, 2003 Article1. General Provision 1. Purpose of this document is to regulate

More information

ETSI TS 101 456 V1.4.3 (2007-05)

ETSI TS 101 456 V1.4.3 (2007-05) TS 101 456 V1.4.3 (2007-05) Technical Specification Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates 2 TS 101 456 V1.4.3

More information

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG) Internet Security Research Group (ISRG) Certificate Policy Version 1.0 Updated May 5, 2015 Approved by ISRG Policy Management Authority ISRG Web Site: https://letsencrypt.org Page 1 of 83 Copyright Notice

More information

Tata Consultancy Services Limited Certifying Authority. Certification Practice Statement

Tata Consultancy Services Limited Certifying Authority. Certification Practice Statement Tata Consultancy Services Limited Certifying Authority Certification Practice Statement IN SUPPORT OF PUBLIC KEY INFRASTRUCTURE SERVICES TCS-CA TRUST NETWORK DATE OF PUBLICATION: DECEMBER 2007 PROPOSED

More information