Land Registry. Version 4.0 10/09/2009. Certificate Policy

Land Registry Version 4.0 10/09/2009 Certificate Policy

Contents 1 Background 5 2 Scope 6 3 References 6 4 Definitions 7 5 General approach policy and contract responsibilities 9 5.1 Background 9 5.2 Certificate Policy and Certification Practice Statement 9 5.2.1 Purpose 9 5.2.2 Level of specificity 10 5.2.3 Approach 10 6 Introduction to the Certificate Policies for Land Registry 10 6.1 Overview 10 6.2 Identification 11 6.3 Policy changes 11 6.4 Conformance 11 6.5 Contact details 11 7 Obligations and liability 12 7.1 Certification Authority obligations 12 7.2 Subscriber obligations 12 7.3 Relying Party obligations 12 7.4 Certification Authority liability 13 8 Annex A Registered Land Registry Certificate Policies 14 9 Annex B Requirements on Certification Authority Practice for Land Registry Local Signing Certificate Policy 15 9.1 Subscriber obligations 15 9.1.1 Key usage 16 9.2 Certification Practice Statement 16 9.3 Key Management Life Cycle 16 9.3.1 Generation of Certification Authority Keys 16 9.3.2 Certification Authority Key storage, backup and recovery 17 9.3.3 Certification Authority Public Key distribution 17 9.3.4 Key Escrow 17 9.3.5 Certification Authority Key usage 17 9.3.6 End of Certification Authority Key life cycle 17 9.3.7 Life cycle management of cryptographic hardware used to sign Certificates 18 9.3.8 CA provided Subject Key management services 18 9.3.9 Hardware Key storage device preparation 18 9.4 Certificate Management life cycle 19 9.4.1 Subject registration 19 9.4.2 Certificate renewal, re-key and update 20 9.4.3 Certificate generation 20 9.4.4 Dissemination of terms and conditions 21 9.4.5 Certificate dissemination 21 9.4.6 Certificate revocation and suspension 22 9.5 Management and operation 23 9.5.1 Security management 23 9.5.2 Asset classification and management 23 9.5.3 Personnel security 23 9.5.4 Physical and environmental security 24 9.5.5 Operations management 25 9.5.6 System access management 26 9.5.7 Trustworthy systems deployment and maintenance 26 9.5.8 Business continuity management and incident handling 26 9.5.9 Certification Authority termination 27 3

4 9.5.10 Compliance with legal requirements and Land Registry s policies and practices 28 9.5.11 Recording of information concerning Certificates 28 9.6 Organisational 29 10 Annex C Requirements on Certification Authority Practice for Land Registry Central Signing Certificate Policy 30 10.1 Deviation from the original policy 30 10.1.1 Key Escrow 30 10.1.2 Certificate Authority Provided Subject Key Management Services 31 11 Annex D Requirements on Certification Authority Practice for Land Registry Individual Authentication Certificate Policy 32 11.1 Deviation from the original policy 32 11.1.1 Subscriber obligations 32 11.1.2 Key usage 33 12 Annex E Requirements on Certification Authority Practice for Land Registry Device Authentication Certificate Policy 34 12.1 Deviation from the original policy 34 12.1.1 Subscriber obligations 34 12.1.2 Key usage 35 12.1.3 CA Provided Subscriber Key Management Services 35 12.1.4 Hardware Key Storage Device Preparation 35 12.1.5 Subject registration 35

1. Background Public Key Infrastructure (PKI) has been widely accepted by the market and governments worldwide as an important electronic business enabler. PKI can ensure, in a cost-effective manner, the confidentiality and integrity of digital data, as well as guarantee the identities of communicating or transacting entities or persons. Confidentiality is achieved through encryption, whereas identification and integrity are achieved through digital signatures. These critical internet trust techniques are supported by Certificates issued by a Certification Authority. Such Certificates bind a person or legal entity to a cryptographic key that is published within a relevant community. This Public Key corresponds in a unique manner to another key, which for PKI to work must be kept strictly confidential (the Private Key). Digital signatures are created by using the Private Key of the sender, while confidentiality is achieved by use of the Public Key of the receiver. For users of PKI to have confidence in the Certificates that identify their counterparts in for example web transactions, they need to have confidence that the Certification Authority has properly established procedures and protective measures in order to minimise the operational and financial threats and risks associated with PKI. This document specifies the policy requirements on the operation and management of Land Registry and their customers to give users this confidence in relation to the Land Registry E-services. 5

2. Scope This document specifies policy requirements relating to Land Registry Certification Authority. It defines policy requirements on the operation and management of its Certification Authority issuing Certificates such that Subjects certified by the Certification Authority and Relying Parties may have confidence in the reliability of the Certificate. Subscribers and Relying Parties should consult the Land Registry Certification Practice Statement to obtain further details of precisely how this Certificate Policy is implemented by Land Registry for a particular class of Certificate. 3. References The following documents contain provisions which, through references in this text indicated by [n], constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etcetera) or non specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. 1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 2. ETSI TS 101 456: Policy requirements for issuing qualified certificates. 3. IETF RFC 3739: Internet X.509 Public Key Infrastructure: Qualified certificate profile. (Also ETSI TS 101 862). 4. IETF RFC 3647 (2003): Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. 5. Data Protection Act 1988. 6. ISO/IEC 9000: 2000 Quality Management Systems. 7. ISO/IEC 17799:2005: Information Technology Security Techniques Code of Practice for Information Security Management. 8. ISO/IEC 15408:2005 (parts 1 3): Information Technology Security Techniques Evaluation Criteria for IT Security. 9. FIPS PUB 140-2 (2001): Security Requirements for Cryptographic Modules. 10. CEN Workshop Agreement 14167-2: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 2: Cryptographic Module for CSP signing operations with backup Protection Profile (CMCSOB-PP). 6

11. CEN Workshop Agreement 14167-3: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 3: Cryptographic Module for CSP key generation services Protection Profile (CMCKG-PP). 12. CEN Workshop Agreement 14167-4: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Part 2: Cryptographic Module for CSP signing operations Protection Profile (CMCSO-PP). 13. IETF RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. 4. Definitions Administrator: A person who controls the service operation of the CA. Central Signing Service: Private Key storage and use under the End User s sole control within a secure service operated by Land Registry. Certificate Policy: A named set of rules that indicates the applicability of a Certificate to a particular community and/or class of application with common security requirements. Certificate: The Public Key of an End User or Device, together with verifiable identity information, rendered unforgeable by encoding with the Private Key of the Certification Authority which issued it. Certification Authority (CA): An entity trusted by one or more users to create and assign Certificates. Certification Practice Statement: A statement of the practices that a Certification Authority uses in issuing Certificates. Conveyancer: Any member, employee, officer or agent of a subscriber authorised under a current full Network Access Agreement. Device: In these policies is used to include an internet server, software or equipment used to initiate a virtual private network and functions in organisations authorised to sign software code. Electronic Signature: Data in electronic form in, affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory s approval of the information contained in the data message. End User: The person or legal entity having its Public Key and name certified by a Certification Authority in a Public Key Certificate. Know Your Customer (KYC): The process of establishing a client s identity using appropriate documentary evidence (eg passport or utility bill) to ensure compliance with the Proceeds of Crime Act 2002 and the Terrorism Act 2000 and the Money Laundering Regulations 2003. Guidance is provided by the FSA and the Law Society. 7

Key Pairs: Encryption keys used for signature purposes comprise a pair of large prime numbers that have a specific mathematical relationship such that if one is used to encrypt data only the other half of the pair can be used to decrypt the data. Network: The electronic communications network provided in accordance with section 92 of the Land Registration Act 2002 and any components of it and the services provided by way of that network from time to time. Private Key: One part of the Key Pair that is kept private to by the Subject. Used for creating the Electronic Signature. Public Key: The other part of the Key Pair made public to any Relying Party in order to validate the Electronic Signature. Registration Authority: The organisational entity responsible for the enrolment of subjects into the Certification Authority. It may be a different organisation to the Certification Authority, but is obliged to comply with the Certificate Policy. Relying Party: The party in a transaction or communication which acts or may act in reliance on a Certificate and/or digital signatures verified using that Certificate. Representative: The individual who accepts the Certificate associated with computer applications and Devices 1 in the control of Subscribers, and is responsible for the correct protection and use of the Private Key. Subject: Entity identified in a Certificate as the rightful holder of the Private Key associated with the Public Key given in the Certificate. The Subject may be an End User or Device. Subscriber: Entity which subscribes with a Certification Authority on behalf of an End User or End Users to have one or more Public Keys and associated entities certified in the same number of Public Key Certificates. A Subscriber may also be the Subject or Representative. Technical Manual: The document, including parts 1 and 2, which details the system and security requirements and other technical aspects of the Network and published from time to time by the Registrar. References to the Technical Manual mean the version as updated from time to time. 1 Eg firewalls, routers, in-line network encryptors, trusted servers, and other infrastructure components. 8

5. General approach policy and contract responsibilities 5.1 Background The authority trusted by the users of the certification services to create and sign Certificates is called the Certification Authority. The Certification Authority has overall responsibility for the provision of these services and is identified in the Certificate as the issuer. When a Certification Authority issues a Certificate it attests that it has established the name of the Subject by using defined processes based on the examination of defined external evidence. This evidence concerns the certified entity s name and its association with other information in the Certificate to achieve a targeted level of reliability and trust, and represents information and facts that the Certification Authority chooses to rely upon to make a correct attestation. The evidence collected and the method of examination may vary between different types of certification services, but all services must in the end rely on information that is outside the scope of the Certification Authority to challenge. The responsibility of the Certification Authority is limited to the correct execution of its defined procedures which will include evidence collection and examination procedures that are defined to be part of its service. If an error is caused by false external evidence (such as a false ID-card) that was correctly collected and processed according to defined procedures, the Certification Authority has fulfilled its obligations and is not responsible for the error. However, the Certification Authority always maintains responsibility for processes defined to be part of its service for ensuring that the policy requirements imposed on the Certification Authority in this document are met; and for liability issues arising out of the issue and management of certificates. The Certification Authority may use other parties to provide services, and the distribution of responsibilities among these parties is contractually agreed between the Certification Authority and its subcontractors. In these cases it is also the responsibility of the Certification Authority to provide adequate instructions to Subscribers and Relying Parties and to provide the details required for the Subscribers or the Relying Parties to meet their obligations. 5.2 Certificate Policy and Certification Practice Statement 5.2.1 Purpose In general, the purpose of the Certificate Policy (these are referenced by a policy identifier in a Certificate) states the rules on how the Certificate is to be issued, used and when it may be relied upon. The Certification Practice Statement is a summary of the processes and procedures the Certification Authority will use in creating and maintaining the Certificate. The relationship between the Certificate Policy and Certification Practice Statement is similar in nature to the relationship of other business policies that state the requirements of the business, while operational units define the practices and procedures of how these policies are to be carried out. If a Certification Authority is issuing Certificates against a number of Certificate Policies, then the Certification Authority s Certification Practice Statement (only one is necessary) will state how the Certification Authority implements the controls. 9

5.2.2 Level of specificity A Certificate Policy is a less specific document than a Certification Practice Statement. A Certification Practice Statement is a more detailed description of business and operational practices of a Certification Authority in issuing and otherwise managing Certificates. The Certification Practice Statement of a Certification Authority enforces the rules established by entities prescribing a specific Certificate Policy. A Certification Practice Statement defines how a specific Certification Authority meets the technical, organisational and procedural requirements identified in a Certificate Policy. 5.2.3 Approach The approach of a Certificate Policy is significantly different from that of a Certification Practice Statement. A Certificate Policy is defined independently of the details of the specific operating environment of a Certification Authority, whereas a Certification Practice Statement is tailored to the organisational structure, operating procedures, facilities, and computing environment of a Certification Authority. A Certificate Policy may be defined by the user of certification services, whereas the Certification Practice Statement is always defined by the provider. The Certification Practice Statement relevant to the Land Registry Certification Authority will be incorporated into the Technical Manual. 6. Introduction to the Certificate Policies for Land Registry 6.1 Overview Certificates issued by the Land Registry Certification Authority (hereafter referred to as the CA) in accordance with the current document include a Certificate Policy identifier that can be used by Relying Parties in determining the Certificate s suitability and trustworthiness for a particular application. Certificates for four types of use are defined by these policies. 1. Where End Users apply Electronic Signatures locally. 2. Where End Users apply Electronic Signatures centrally. 3. Where End Users have authentication needs. 4. Devices with software key storage. The main body of this document describes the general requirements for issuing and managing Certificates. Annex B covers more specific details for issuing and managing Certificates for use where End Users are in possession of their cryptographic token and apply Electronic Signatures locally. Annex C describes the requirements for issuing and managing Certificates for use where End Users apply Electronic Signatures centrally under sole control. Annex D describes the requirements for issuing and managing Certificates for use by End Users with cryptographic tokens for authentication purposes. Annex E describes the requirements for issuing and managing Certificates for use by Devices. Sections 1 to 7 are common to all four policies, whereas the requirements on the CA will differ according to the Certificate issued, as defined in Annexes B to E. 10

6.2 Identification The identifiers for the Certificate Policies specified in the current document are at Annex A. 6.3 Policy changes 6.3.1 Change procedures The following aspects of these Certificate Policies can change without notification and without requiring a new object identifier to be allocated: a. formatting and b. correction of minor typographic errors. The following aspects of this Certificate Policy can change with notification, but without requiring a new object identifier to be allocated: c. any aspect that does not lower, and cannot be perceived to lower, the fundamental trust that can be placed in the Certificate. The following aspects of this Certificate Policy cannot be changed unless a new object identifier is created: d. any aspect that lowers, or could be perceived to lower, the fundamental trust that can be placed in the Certificate. 6.3.2 Publication and notification An electronic copy of this document, duly signed by an authorised representative of the CA, is to be made available: a. at the Land Registry website www.landregistry.gov.uk b. via an email request to certificate.policies@landregistry.gsi.gov.uk 6.4 Conformance The CA shall only use the identifier for the appropriate Certificate Policy as provided in 6.2 if: the CA claims conformance to the identified Certificate Policy and makes available on request the evidence to support the claim of conformance; or the CA has been certified to be conformant to the identified Certificate Policy. 6.5 Contact details These Certificate Policies are published by: Business Development Board HM Land Registry Head Office Lincoln s Inn Fields London WC2A 3PH Contact: certificate.policies@landregistry.gsi.gov.uk 11

7. Obligations and liability 7.1 Certification Authority obligations The CA shall ensure that all requirements, as detailed in the relevant sections applicable to the policy issued, are implemented. The CA has the responsibility for conformance with the procedures prescribed in the policy, regardless of its operational responsibilities in performing its functions. The CA shall also fulfil any additional obligations that are indicated in the Certificates either directly or incorporated by reference. 7.2 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below: a. only use the Key Pairs for the purposes defined in Section 9, 10, 11 or 12 and in accordance with any other limitations that may be notified to the Subscriber b. submit accurate and complete information to the CA during Subject registration in accordance with the requirements of the policy c. exercise reasonable care to avoid unauthorised use of the Subject s Private Key d. notify the CA, without any unreasonable delay, if any of the following occur up to the end of the validity period indicated in the Certificate the Subject s Private Key has been potentially or actually lost, stolen or compromised control over the Subject s Private Key has been lost due to potential or actual compromise of activation data (eg PIN code) or other reasons and/or inaccuracy or changes to the Certificate content, as notified to the Subscriber. e. ensure that if the Subscriber or Subject generates the Subject s Key Pair, only the Subject holds the Private Key f. ensure that Private Keys are generated within the hardware key storage device. 7.3 Relying Party obligations The obligations of the Relying Party if it is to reasonably rely on a Certificate are to: a. verify the validity, suspension or revocation status of the Certificate using current revocation status information as indicated to the Relying Party (see 9.4.6) b. take account of any limitations on the usage of the Certificate indicated to the Relying Party, either in the Certificate, or in the terms and conditions supplied as required in 9.4.4 and 9.4.5 and c. take any other precautions prescribed in the Certification Practice Statement. 12

7.4 Certification Authority liability Certificates issued by the CA will be used primarily for signing electronic dispositionary documents relating to registered land when permitted by law such as transfers or mortgages. Certificates can also be used to sign electronic contracts relating to registered land when permitted by law. Additional Certificates will be issued for End User and Device authentication purposes and for enabling secure communication channels. The liability taken by the CA, however, is limited to the correct application of procedures as declared in the Certification Practice Statement (as incorporated into the Technical Manual); these procedures relate to the issue and management of digital Certificates. Therefore any failure of transaction that utilises the digital Certificate is out of scope. In essence the liability will include the correct identification of Subjects according to the declared practices. If a transaction is found to be in error through the incorrect identification of the Subject through failing to follow the declared practices, then the CA is liable. If however the Subject is incorrectly identified, but the error was within the documents used to support the Subject s claim to an identity, then the CA shall not be liable. The CA shall include any limitation of liability within the Certificate, providing the relevant information within an easily accessible statement both on its website and within the Certification Practice Statement. The information above shall be available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language. 13

8. Annex A Registered Land Registry Certificate Policies The following Certificate Policies are defined within the Land Registry e-security service. Service Policy name Object identifier 2 Description Land Registry Local Signing. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 2} Where End Users apply Electronic Signatures locally. Land Registry Central Signing. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 3} Where End Users apply Electronic Signatures centrally. e-security Land Registry Individual Authentication. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 4} Electronic identity-based Authentication. 2 See ISO/IEC 8824:1988 CCITT X.208 Specification of Abstract Syntax Notation One (ASN.1), Annexes B to D for a definition. Land Registry Device Authentication. {iso(1) memberbody(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificatepolicy(1) 5} Device authentication Certificate Policy. 14

9. Annex B Requirements on Certification Authority Practice for Land Registry Local Signing Certificate Policy This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land such as transfers or mortgages, and who wish to keep their Private Keys in their possession. It includes Land Registry signing acknowledgement of any data presented to the Network and authenticating documents and information issued by Land Registry. The identifier for the Land Registry Local Signing Certificate Policy is: Policy Identifier =1.2.826. 0.1359. 1.1.2 By including this object identifier in a Certificate, the CA claims conformance to the identified Land Registry Local Signing Certificate Policy. The Certificates issued under this policy may be used to support Electronic Signatures which meet the requirements of the Directive [1] and English law, in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The decision to accept the Certificate, however, is at the discretion of the Relying Party. Certificates issued under this policy are primarily focused on the following main classes of security services: identification of originator creation of an Electronic Signature integrity of data. The Certificate Authority shall implement the controls that meet the requirements set out in this annex. This Certificate Policy incorporates Sections 5, 6 and 7 of this document with the amendments and changes defined in this Annex. 9.1 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below: a. only use the Key Pairs for Electronic Signatures and in accordance with any other limitations that may be notified to the Subscriber and b. sub-paragraphs b. to f. contained in 7.2 above. 15

9.1.1 Key usage Certificates issued under this policy shall be used: a. by Conveyancers and their customers who wish to sign dispositionary documents for registration at Land Registry, for example for transfer or mortgage of title between parties, to enable Electronic Signatures b. by Land Registry for signing acknowledgement of data presented to the Network and/or c. by Land Registry to authenticate documents and other such information issued by Land Registry. The constraint is that the policy shall not cover any key usage other than non-repudiation as defined in [13]. 9.2. Certification Practice Statement The CA shall ensure that it has a Certification Practice Statement 3 that identifies the practices and procedures used to address all the requirements identified in this policy, as considered necessary through its risk analysis. a. its Certification Practice Statement identifies the obligations of all external organisations supporting the relevant Land Registry services including the applicable policies and practices b. details are made available of its Certification Practice Statement as necessary to assess conformance to the Certificate Policy c. the terms and conditions regarding use of the Certificate as specified in 9.4.4 are disclosed to all Subscribers and potential Relying Parties d. it has a management body with final authority and responsibility for approving the Certification Practice Statement e. it has a defined review and maintenance process for its Certification Practice Statement f. revisions to the Certification Practice Statement are made available to the auditors and to all appropriate Subscribers and Relying Parties as in b. 9.3 Key Management Life Cycle 9.3.1 Generation of Certification Authority Keys The CA shall ensure that CA keys are generated in accordance with industry standards. 3 This policy makes no requirement as to the structure of the Certification Practice Statement. 4 As defined by the Electronic Signatures Regulations 2002. a. generation of CA keys is undertaken in a physically secure environment (see 9.5.3) under, at least, dual control, and no greater number of personnel shall be authorised to carry out this function than required under the CA s practices b. generation of CA keys is carried out within a hardware key storage device which: meets the requirements identified in FIPS 140-2[9] Level3 or higher or meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC 15408 [8], or equivalent security criteria c. the selected key length and algorithm for CA signing key shall be one which is recognised as being fit for purposes of qualified 4 Certificates as issued by the CA. 16

9.3.2 Certification Authority Key storage, backup and recovery The CA shall ensure that CA Private Keys remain confidential and maintain their integrity. a. its private signing key is held and used within a hardware key storage device which: meets the requirements identified in FIPS 140-2[9] Level3 or higher meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC 15408 [8], or equivalent security criteria b. its private signing key is backed up, stored and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment (see 9.5.4). No more personnel shall be authorised to carry out this function than required under the CA s practices c. backup copies of the CA private signing keys are subject to the same or greater level of security controls as keys currently in use d. where the keys are stored in a dedicated key processing hardware module, access controls are in place to ensure that the keys are not accessible outside the hardware module. 9.3.3 Certification Authority Public Key distribution The CA shall ensure that the integrity of the CA Public Key and any associated parameters is maintained during its distribution to Relying Parties. In particular, the CA shall ensure that its Public Key is made available to Relying Parties in a manner that assures the integrity of the CA Public Key and authenticates its origin. 9.3.4 Key Escrow The CA shall not keep copies of Subject Private Keys. 9.3.5. Certification Authority Key usage The CA shall ensure that CA signing keys are used only for appropriate activities related to the CA operation such as signing Certificates (as defined in 9.4.3) and signing Certificate Revocation Lists (CRL), within physically secure premises. 9.3.6 End of Certification Authority Key life cycle The CA shall ensure that, at the end of their life cycle, all copies of the CA Private Keys are either: a. destroyed such that the Private Keys cannot be retrieved or archived in a manner such that they are protected against being put back into use. 17

9.3.7 Life cycle management of cryptographic hardware used to sign Certificates The CA shall ensure that: a. cryptographic hardware used for Certificate signing is shipped in such a manner that is tamper-evident b. cryptographic hardware used for Certificate signing is stored in such a way that is tamper-evident c. the installation, activation, back-up and recovery of cryptographic hardware used for Certificate signing requires a minimum of two trusted employees d. Certificate signing cryptographic hardware is functioning correctly e. CA Private Keys stored on CA cryptographic hardware are destroyed on device retirement. 9.3.8 CA provided Subject Key management services The CA shall ensure that any Subject keys that it generates are generated securely and the privacy of the Subject s Private Key is assured. If the CA generates the Subject s keys: a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy c. CA-generated Subject keys shall be generated and stored securely before delivery to the Subject d. the Subject s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key. 9.3.9 Hardware Key storage device preparation The CA shall ensure that if it issues to the Subject a hardware key storage device, this is carried out securely. In particular, if the CA issues hardware key storage devices: a. hardware key storage device preparation shall be securely controlled by the CA b. hardware key storage devices shall be securely stored and distributed c. hardware key storage deactivation and reactivation shall be securely controlled d. where the hardware key storage device has associated user activation data (eg PIN code), the activation data shall be securely prepared and distributed separately from the hardware key storage device 5. 5 Separation may be achieved by ensuring distribution and delivery at different times, or via a different route. 18

19 6 An example of evidence checked indirectly against a physical person is documentation presented for registration which was acquired as the result of an application requiring physical presence and shall be certified evidence such as a national ID card or passport. 7 The Certification Authority is liable as regards the accuracy of all information contained in the Certificate. 8 The place should be given in accordance to national conventions for registering births. 9 Copies of documents, appropriately countersigned (including by Electronic Signature), are suitable. The records should be securely stored as close as practicable to the location where the evidence is checked. Hence the use of an attestation in 9.4.1.d. if the location where the evidence is checked differs from the place of registration. 9.4 Certificate Management life cycle 9.4.1 Subject registration The CA shall ensure that evidence of Subjects identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation. a. before entering into a relationship with a Subscriber, the Subscriber is adequately informed through a formal agreement of the precise terms and conditions regarding use of the Certificate as given in 9.4.4 b. if the End User is not the same as the Subscriber, the End User shall be informed of his/her obligations c. the agreement at a above is communicated through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language d. it has collected either by direct evidence or by an attestation from an appropriate and authorised source that the name and, if applicable, any specific attributes of the person to which a Certificate is issued, has been verified by appropriate means in accordance with Know Your Customer procedures, and that evidence of the name has been checked against a physical person either directly or indirectly using means providing assurance equivalent to physical presence, and that evidence may be in the form of either paper or electronic documentation 6,7 e. where the Subject is a person acting on behalf of an organisation, an attestation according to d has been collected from the organisation, which constitutes a declaration that evidence has been provided of the following: full name (including surname and given names) of the person attributes of the Subject which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place 8 of birth or a nationally recognised identity number full name and legal status of the associated legal person or other organisational entity any relevant existing registration information (eg company registration) of the associated legal person or other organisational entity evidence that the Subject is associated with the legal person or other organisational entity a physical address, or other attributes, provided by the Subject, which describe how the Subject may be contacted. f. where the Subject is a person acting on their own behalf, evidence is provided of: full name (including surname and given names) attributes which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place of birth, or a nationally recognised identity number g. all the information used to verify the Subject s name, including any reference number on the documentation used for verification, and any limitations on its validity, is recorded 9

h. the signed agreement with the Subscriber is recorded, including: Subscriber s agreement to the Subscriber s obligations as defined in Section 7.2 10,11,12 consent to the keeping of a record by the CA of information used in registration (see 9.5.11 h and i) and any subsequent revocation (see 9.5.11 j), and passing of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service whether, and under what conditions, the Subscriber requires and consents to the publication of its Certificate that the information held in the Certificate is correct i. the records of evidence identified in d e and f above are retained for the period of time as indicated to the Subscriber within the precise terms and conditions (see a above) and as necessary for the purposes for providing evidence of certification in legal proceedings j. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification k. the requirements of data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process. 10 The End User may agree to different aspects of this agreement during different stages of registration. For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement. 11 Other parties (eg the associated legal person) may be involved in establishing this agreement. 12 This agreement may be in electronic form. 13 The End User may, if the Certification Authority offers this service, request a Certificate renewal for example where relevant attributes presented to the Certification Authority for the Certificate have changed or when the Certificate lifetime is running out. 20 9.4.2 Certificate renewal, re-key and update The CA shall ensure that requests for Certificate renewal, re-key following revocation or prior to expiration, or update due to change to the Subject s attributes are complete, accurate and duly authorised. 13 a. the information used to verify the name and attributes of the Subject is still valid b. if any of the CA terms and conditions have changed, these are communicated to the Subscriber and agreed to in accordance with 9.4.1 a, b and g c. if any certified names or attributes have changed, or the previous Certificate has been revoked, the registration information is verified, recorded and agreed to by the Subscriber in accordance with 9.4.1 d to h d. it only issues a new Certificate using the Subject s previously certified Public Key if its cryptographic security is still sufficient for the new Certificate s intended lifetime and no indications exist that the Subject s Private Key has been compromised. 9.4.3 Certificate generation The CA shall ensure that new, renewed and re-keyed Certificates are issued securely. a. the procedure of issuing the Certificate is securely linked to the associated registration, Certificate renewal or re-key, including the provision of any Subject generated Public Key b. if it generates the Subject s key, the procedure of issuing the Certificate is securely linked to the generation of the key pair by the CA c. over time the uniqueness of the distinguished name assigned to the Subject within the domain of the CA is ensured (ie over the lifetime of the CA a distinguished name which has been used in an issued Certificate shall never be re-assigned to another entity)

d. the confidentiality and integrity of registration data are protected especially when exchanged with the Subject or between distributed CA system components. 9.4.4 Dissemination of terms and conditions The CA shall ensure that the terms and conditions are made available to Subscribers, Subjects and Relying Parties. a. the terms and conditions regarding the use of the Certificate are made available to Subscribers, Subjects and Relying Parties, including: any limitations on Certificate use the Subscriber s obligations as defined in 7.2 information on how to verify the Certificate, including requirements to check the revocation status of the Certificate, such that the Relying Party is considered to reasonably rely on the Certificate (see 7.3) limitations of liability the period of time registration information (see 9.4.1) is retained express consent for the use of personal data if present in the Certificate the period of time CA event logs (see 9.5.11) are retained procedures for complaints and dispute settlement the applicable legal system the information identified in a above is available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language. 9.4.5 Certificate dissemination The CA shall ensure that Certificates are made available as necessary to Subjects and Relying Parties. a. upon generation, the complete and accurate Certificate is available to the Subject for whom the Certificate is being issued b. Certificates are available for retrieval from the CA system in only those cases for which the Subject s consent has been obtained c. the terms and conditions regarding the use of the Certificate are made available to Relying Parties (see 9.4.4) d. the applicable terms and conditions are readily identifiable for a given Certificate e. the information identified in c above is available for a minimum of 21 hours per day, seven days per week, and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than the maximum period of time as denoted in the Certification Practice Statement f. the information identified in c above is publicly and internationally available. 21

14 Support for Certificate suspension is optional. 15 This may be done electronically. 16 Revocation status information may be provided, for example, using on-line Certificate status service or through distribution of CRLs through a repository. 9.4.6 Certificate revocation and suspension The CA shall ensure that Certificates are revoked in a timely manner based on authorised and validated Certificate revocation requests. a. as part of its Certification Practice Statement (see 9.2), the procedures for revocation of Certificates are documented, including: who may submit revocation reports and requests how they may be submitted any requirements for confirmation of revocation reports and requests whether and for what reasons Certificates may be suspended the mechanism used for distributing revocation status information the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all Relying Parties, and this shall be at most one day b. requests and reports relating to revocation (eg due to compromise of Subject s Private Key, death of the Subject, violation of contractual obligations) are processed on receipt c. requests and reports relating to revocation are authenticated and checked to be from an authorised source, if possible, and the method is to be documented in the CA s practices d. a Certificate s revocation status is set to suspended whilst the revocation is being confirmed, and the CA shall ensure that a Certificate is not kept suspended for longer than is necessary to confirm its status 14 e. the Subscriber agrees to inform the Subject (or Representative where the Subject is a Device) of a revoked or suspended Certificate within a reasonable time and to their best effort of the change of status of its Certificate 15 f. once a Certificate is definitively revoked (ie not suspended) it is not reinstated g. where CRLs, including any variants (eg Delta CRLs), are used, these are published at least daily and every CRL shall state a time for next scheduled CRL issue a new CRL may be published before the stated time of the next CRL issue and the CRL shall be signed by the CA h. revocation management services for processing of revocation requests from authorised revocation personnel are available 21 hours per day, seven days per week (hours as published on www.landregistry.gov.uk), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement i. revocation status information is available 21 hours per day, seven days per week (hours as published on www.landregistry. gov.uk), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement 16 j. the integrity and authenticity of the status information are protected k. revocation status information is publicly and internationally available l. revocation status information shall include information on the status of revoked Certificates at least until the Certificate expires. 22

9.5 Management and operation The CA shall ensure that a risk assessment is carried out to evaluate operational risks and determine the necessary security requirements and operational procedures. The risk analysis shall be regularly reviewed and revised if necessary. 9.5.1 Security management The CA shall ensure that administrative and management procedures are applied which are adequate and correspond to recognised standards. a. it retains liability towards Relying Parties for all aspects of the provision of certification services, even if some functions are outsourced, except liability for accuracy of underlying evidence and attestations according to 9.4.1 on which the CA reasonably relies as part of the service provision. Responsibilities of third parties shall be clearly defined by the CA and appropriate arrangements made to ensure that third parties are obliged to implement any controls required by the CA. The CA shall retain responsibility for the disclosure of relevant practices of all parties b. it provides, through its management, direction on information security through Land Registry s IT Security Committee (ITSC) that is responsible for defining the CA s information security policy and for ensuring publication and communication of the policy to all employees of the CA who are affected by the policy c. it maintains a system (or systems) for quality and information security management appropriate for the certification services it is providing d. it maintains at all times the information security infrastructure necessary to manage the security within the CA. Any changes that will affect the level of security provided shall be approved by the ITSC 17 e. it documents, implements and maintains the security controls and operating procedures for CA facilities, systems and information assets providing the certification services 18 f. the security of information is maintained when the responsibility for CA functions has been outsourced to another organisation or entity. 17 See ISO/IEC 17799-1 for guidance on information security management including information security infrastructure, management information security forum and information security policies. 18 This documentation (commonly called a system security policy) should identify all relevant targets, objects and potential threats related to the services provided and the safeguards required to avoid or limit the effects of those threats. It should describe the rules, directives and procedures regarding how the specified services and the associated security assurance are granted in addition to stating policy on incidents and disasters. 9.5.2 Asset classification and management The CA shall ensure that assets and information related to Land Registry E-Security services receive an appropriate level of protection. In particular the CA shall maintain an inventory of all information assets and shall assign a classification of their protection requirements consistent with the risk analysis (9.2). 9.5.3 Personnel security The CA shall ensure that personnel and hiring practices support the trustworthiness of the operation of Land Registry E-security services. a. it only employs or contracts personnel possessing the expert knowledge, experience and qualifications necessary for the offered services and which are appropriate to the job function b. security roles and responsibilities, as specified in the CA s security policy, are documented in job descriptions. Trusted roles, on which the security of the CA s operation is dependent, shall be clearly identified 23

c. its own and relevant subcontractors and customers staff (both temporary and permanent) have job descriptions defined from the view point of separation of duties and least privilege, determining position sensitivity based on the duties and access levels, background screening and employee training and awareness. Where appropriate, these job descriptions shall differentiate between general functions and functions specific to Land Registry E-security services. These job descriptions should include skills and experience requirements d. staff exercise administrative and management procedures and processes that are adequate and that correspond to recognised standards e. managerial staff are employed within CA functions who possess appropriate expertise in the field of CA services and familiarity with proper security procedures for personnel with security responsibilities f. all its staff, and all its relevant subcontractors and customers staff in trusted roles, are free from conflicting interests that might prejudice the trustworthiness of the CA operations g. trusted roles include, but are not limited to, roles that involve the following responsibilities: Security Officers: Overall responsibility for administering the implementation of the security practices. Additionally approve the generation, revocation, suspension and resumption of Land Registry Security Administrator Certificates System Administrators: Authorised to install, configure and maintain the CA trustworthy systems for registration, Certificate generation, Subject Device provision and revocation management System Operators: Responsible for operating the CA trustworthy systems on a day-to-day basis. Authorised to perform system backup and recovery System Auditors: Authorised to view and maintain archives and audit logs of the CA trustworthy systems. h. its staff, and all its relevant subcontractors and customers staff, are formally appointed to trusted roles by an appropriate senior management group such as the ITSC (9.5.1.b) above) i. that no person is appointed to trusted roles who is known to have a conviction for a serious crime or other offence which may affect their suitability for the position 19. Staff shall not have access to the trusted functions until any necessary checks are completed. 19 In some countries it may not be possible to obtain information on past convictions. However, the employer may be able to ask the candidate to provide such information and turn down an application in case of refusal. 9.5.4 Physical and environmental security 20 The CA shall ensure that: physical access to its premises and equipment is limited to properly authorised individuals Certificate issuance facilities are protected from environmental hazards controls are implemented to avoid loss, damage or compromise of assets and interruption to business activities and controls are implemented to avoid compromise or theft of information and information processing facilities. 20 See ISO/IEC 17799 [REF _ Ref159998961 \r \h 7] for guidance on physical and environmental security. 24

25 21 Every member of staff with management responsibilities is responsible for planning and efficiently implementing the Certificate Policy and associated practices as documented in the Certification Practice Statement. 22 The responsibilities of End Users are defined in the terms and conditions as defined in 9.4.4. 23 CA Security Operations responsibilities include: operational procedures and responsibilities secure systems planning and acceptance protection from malicious software housekeeping network management active monitoring of audit journals, event analysis and follow-up media handling and security data and software exchange These responsibilities will be managed by the Certification Authority, but may actually be performed by non-specialist operational staff (under supervision) as defined within the appropriate security policy and roles and responsibility documents. a. facilities concerned with CA key management, Certificate generation and revocation management shall be operated from an environment which physically protects the services from compromise through unauthorised access to systems or data b. physical protection is achieved through the creation of clearly defined security perimeters (ie physical barriers) around the facilities concerned with Certificate generation and revocation management. Any parts of the premises shared with other businesses shall be outside this perimeter c. physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation. The CA s physical and environmental security programmes concerned with CA key management, Certificate generation and revocation management services shall address the physical access control, natural disaster protection, fire safety factors, failure of supporting utilities (eg power, telecommunications), structure collapse, plumbing leaks, protection against theft, breaking, entering, and disaster recovery, etcetera d. controls are implemented to protect against equipment, information and software relating to the Land Registry E-Security services being taken off-site without authorisation. 9.5.5 Operations management The CA shall ensure that: the correct and secure operation of CA systems are ensured the risk of CA systems failure are minimised its systems and information are protected against viruses and malicious software to maintain their integrity damage from security incidents and malfunctions is minimised through the use of incident reporting and response procedures data media are handled securely to protect media from damage, theft and unauthorised access. a. procedures are established and implemented for all trusted and administrative roles that affect the provision of certification services 21 b. all data media are handled securely in accordance with requirements of the information classification scheme (see 9.5.2). Media containing sensitive data shall be securely disposed of when no longer required c. capacity demands are monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available d. parties act in a timely and co-ordinated manner in order to respond quickly to incidents and to limit the impact of breaches of security. All incidents shall be reported as soon as possible after the incident 22 e. CA systems for CA key management, Certificate generation and revocation management are operated under senior management control f. CA security operations are separated from normal operations 23.

9.5.6 System access management The CA shall ensure that CA system access is limited to properly authorised individuals. 24 Firewalls should be configured to prevent protocols and accesses not required for the operation of the Certification Authority. 25 Sensitive data includes registration information. 26 Sensitive data includes registration information. 27 This may use, for example, an intrusion detection system, access control monitoring and alarm facilities. 28 Requirements for the trustworthy systems may be ensured using, for example, systems conforming to a suitable protection profile (or profiles), defined in accordance with ISO/IEC 15408 [8] or equivalent. 29 The risk analysis carried out on the Certification Authority s services (see REF _Ref159999867 \r \h 9.2) should identify its critical services requiring trustworthy systems and the levels of assurance required. 26 a. controls (eg firewalls) are implemented to protect the CA s internal network domains from external network domains accessible by third parties 24 b. sensitive data are protected when exchanged over networks which are not secure 25 c. there is effective administration of user access to maintain system security (this includes operators, Administrators and any users given direct access to the system), including user account management, auditing and timely modification or removal of access d. access to information and application system functions are restricted in accordance with the access control policy and that the CA system provides sufficient computer security controls for the separation of trusted roles identified in CA practices, including the separation of security administrator and operations functions. Particularly, use of system utility programs shall be restricted and tightly controlled e. CA personnel are successfully identified and authenticated before using critical applications related to Certificate management f. users (ie trusted roles) are accountable for their activities, for example by retaining event logs (see 9.5.11) g. sensitive data are protected against being revealed through re-used storage objects (eg deleted files) being accessible to unauthorised users 26 h. local network components (eg routers) are kept in a physically secure environment and their configurations periodically audited i. continuous monitoring and alarm facilities are provided to enable the CA to detect, register and react in a timely manner upon any unauthorised or irregular attempts to access its resources 27 j. the repository enforces access control on attempts to add or delete Certificates and modify other associated information k. the revocation status application enforces access control on attempts to modify revocation status information. 9.5.7 Trustworthy systems deployment and maintenance The CA shall use trustworthy systems and products that are protected against modification 28,29. a. an analysis of security requirements is carried out at the design and requirements specification stage of any systems development project undertaken by the CA or on behalf of the CA to ensure that security is built into IT systems b. change control procedures exist for releases, modifications and emergency software fixes for any operational software. 9.5.8 Business continuity management and incident handling The CA shall ensure that in the event of a disaster, including compromise of the CA s private signing key, operations are restored as soon as possible.

a. its business continuity plan (or disaster recovery plan) addresses the compromise or suspected compromise of its private signing key as a disaster b. as a minimum, it provides the following undertakings in the case of compromise of the CA private signing key: inform all Subscribers, Subjects, Relying Parties and other Certification Authorities with which it has agreements or other form of established relations of the compromise indicate that Certificates and revocation status information issued using this CA key may no longer be valid 30 stop the issuance of new Certificate revocation lists associated with the compromised CA and stop provision of other related Certificate status checking services 31. 9.5.9 Certification Authority termination The CA shall ensure that potential disruptions to Subjects and Relying Parties are minimised as a result of the cessation of its services, and in particular ensure continued maintenance of records required to provide evidence of certification for the purposes of legal proceedings. a. before it terminates its services the following procedures are executed as a minimum: inform all Subscribers, and other entities with which the CA has agreements or other form of established relations 32 terminate all authorisation of subcontractors to act on behalf of the CA in the process of issuing Certificates perform necessary undertakings to transfer obligations for maintaining registration information (see 9.4.1) and event log archives (see 9.5.11) for their respective period of time as indicated to the Subscriber and Relying Party (see 9.4.4) CA Private Keys are destroyed, or withdrawn from use, as defined in 9.3.6. b. it has an arrangement to cover the costs to fulfil these minimum requirements in case the CA becomes bankrupt or for other reasons is unable to cover the costs by itself c. it states in its practices the provisions made for termination of service. This shall include: notification of affected entities transfer of the CA obligations to other parties how the revocation status of unexpired Certificates that have been issued will be handled. 30 When another Certification Authority with which a compromised Certification Authority has an agreement is informed of the compromise, any Certification Authority Certificate that has been issued for the compromised Certification Authority should be revoked. 31 This is a means to force Relying Parties to reject related Certificates due to non-availability of valid Certificate revocation information. 27 32 The Certification Authority is not required to have any prior relationship with the Relying Party.

9.5.10 Compliance with Legal Requirements and Land Registry s policies and practices The CA shall ensure that: it complies with legal requirements it complies with Land Registry s policies and practices the effectiveness of the system audit process is maximised and interference with or from the system audit process is minimised. a. important records are protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory requirements, as well as to support essential business activities b. the requirements of the Data Protection Act [5] are met c. Subjects are assured that the information they contribute to the Subscriber is completely protected from disclosure unless with their agreement or by court order or other legal requirement 33 Records concerning Certificates include registration information (see 9.3.1) and information concerning significant Certification Authority environmental, key management and Certificate management events. 34 This may be used, for example, to support the link between the Certificate and the End User. 35 The Certification Authority should state in its practices the accuracy the clock used in timing of events, and how this accuracy is ensured. 36 The duration of the record retention period is difficult to pinpoint, and requires weighing the need for reference to the records against the burden of keeping them. The records could be needed at least as long as a transaction relying on a valid Certificate can be questioned. For most transactions, statutes of limitation will eventually place a transaction beyond dispute. However, for some transactions such as real property conveyances, legal repose may not be realised until after a lengthy time elapses, if ever. 9.5.11 Recording of information concerning Certificates The CA shall ensure that all relevant information concerning a Certificate is recorded for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings 33. a. the confidentiality and integrity of current and archived records concerning Certificates is maintained b. records concerning Certificates are completely and confidentially archived in accordance with disclosed business practices c. records concerning Certificates are made available if required for the purposes of providing evidence of certification for the purpose of legal proceedings. The Subject shall have access to registration and other information relating to the Subject 34 d. the precise time of significant CA environmental, key management and Certificate management events is recorded 35 e. records concerning Certificates are held for a period of time as appropriate for providing necessary legal evidence in support of Electronic Signatures 36,37 f. the events are logged in a way that they cannot be easily deleted or destroyed within the period of time that they are required to be held 38 g. the specific events and data to be logged are documented, that is, all events relating to registration, including requests for Certificate re-key or renewal, are logged 37 Where differing periods of times are applied to Certificates being used for different purposes, they shall be clearly identified and they should have different specific Certificate Policy identifiers. Where differing periods are applied to different parts of the registration and event log records, this shall be indicated to the Relying Party as specified in 9.3.1 and 9.3.4. 38 This may be achieved, for example, through the use of write-only media, a record of each removable media used, and the use of off-site backup. 28

h. all registration information is recorded including the following: type of document(s) presented by the applicant to support registration record of unique identification data, numbers, identification documents (eg driving licence number) or a combination of these, if applicable storage location of copies of applications and identification documents, including the signed Subscriber agreement (see 9.4.1 h) any specific choices in the Subscriber agreement (eg consent to publication of Certificate) identity of the Subscriber method used to validate identification documents, if any name of receiving CA and/or submitting Registration Authority, if applicable. it maintains privacy of Subject information it logs all requests and reports relating to revocation, as well as the resulting action it logs all events relating to the life cycle of CA keys it logs all events relating to the life cycle of Certificates. 9.6 Organisational The CA shall ensure that its organisation is reliable. a. the policies and procedures under which the CA operates are non-discriminatory b. its services are made accessible to all applicants whose activities fall within its declared field of operation c. it has adequate arrangements to cover liabilities arising from its operations and activities, in particular to bear the risk of liability for damages d. it has the financial stability and resources required to operate in conformity with this policy e. it has policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of CA services or any other related matters f. it has a properly documented agreement and contractual relationship in place where the provisioning of services involves subcontracting, outsourcing or other third party arrangements g. with regard to its CA key management, Certificate generation and revocation management capabilities, it is independent of others for its decisions relating to the establishing, provisioning and maintaining and suspending of services. In particular its senior executives and staff must be free from any commercial, financial or other pressures which might adversely influence trust in the services it provides h. with regard to its CA key management, Certificate generation and revocation management capabilities, it has a documented structure which safeguards impartiality of operations. 29

10. Annex C Requirements on Certification Authority Practice for Land Registry Central Signing Certificate Policy This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land when permitted by law, such as transfers or mortgages, and who wish to store their Private Keys within the Land Registry Central Signing server, but used under their sole control. This section defines a Certificate Policy identical to the main Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management life cycle. The identifier for the Land Registry Central Signing Certificate Policy is: Policy Identifier =1.2.826. 0.1359. 1.1.3 By including this object identifier in a Certificate, the CA claims conformance to the identified Land Registry Central Signing Certificate Policy. The Certificates issued under this policy may be used to support digital signatures which are not denied legal effectiveness and admissibility as evidence in legal proceedings as specified in article 5.2 of the Directive [1], in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The acceptability of the Certificate, however, is at the discretion of the Relying Party. Certificates issued under this policy are primarily focused on the following main classes of security services: identification of originator creation of an Electronic Signature integrity of data. The CA shall implement the controls that meet the following requirements. This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document with the amendments and changes defined in this Annex. 10.1 Deviation from the original policy This policy is identical to the Land Registry Local Signing Certificate Policy except for the following deviations: 10.1.1 Key Escrow The CA shall keep copies of Subject Private Keys for backup purposes. Subject Private Keys may only be stored for Central Signing purposes and, as such, will be backed up in a way that ensures the End User retains sole control. 30

10.1.2 CA Provided Subject Key Management Services The CA shall ensure that any Subject keys, that it generates, are generated securely and the privacy of the Subject s Private Key is assured. If the CA generates the Subject s keys: a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy c. CA-generated Subject keys shall be generated and stored securely before allocation to the Subject d. The Subject s Private Key shall be stored and provided for use by the Subject in a manner such that the privacy of the key is not compromised and on allocation only the Subject has access to its Private Key. 31

11. Annex D Requirements on Certification Authority Practice for Land Registry Individual Authentication Certificate Policy This Certificate Policy applies to all Land Registry and others who wish to be authenticated to Land Registry s Network. This section defines a Certificate Policy identical to the main Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management lifecycle. The identifier for the Land Registry Individual Authentication Certificate Policy is: Policy Identifier =1.2.826. 0.1359. 1.1.4 By including this object identifier in a Certificate the CA claims conformance to the identified Land Registry Individual Authentication Certificate Policy. This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document. The Certificates issued under this policy are typically suitable for verifying the identity of an individual in connection with access to Land Registry e-security systems. The acceptability of the Certificate, however, is at the discretion of the Relying Party. Certificates issued under this policy are primarily focused on the following main classes of security services: identification of originator authentication for access to a server. The CA shall implement the controls that meet the following requirements. 11.1 Deviation from the original policy This policy is identical to the Land Registry Local Signing Certificate Policy except for the following deviations: 11.1.1 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.3.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below: 1. only use the Key Pairs for authentication and in accordance with any other limitations that may be notified to the Subscriber; and 2. Sub paras. b. to f. contained in 7.2 above. 32

11.1.2 Key usage Certificates issued under this policy shall only be used by Land Registry and Conveyancer administrators for authentication to Land Registry e-security systems. Therefore the constraint is that they shall not cover any key usage other than digital signature as defined in [13]. 11.1.3 Key escrow Where the CA stores Subject Private Keys for Central Authentication purposes any copies of Subject Private keys made for back up purposes will be made in such a way that ensures the End User retains sole control. Where the CA does not store Subject Private Keys for Central Authentication purposes, the CA shall not keep copies of Subject Private Keys. 11.1.4 CA provided Subject Key Management Services The CA shall ensure that any Subject keys that it generates, are generated securely and the privacy of the Subject s Private Key is assured. If the CA generates the Subject s keys: 1. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy; 2. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy; 3. CA-generated Subject keys shall be generated and stored securely before allocation or delivery to the Subject; 4. Where the CA stores Subject Private Keys for Central Authentication purposes, the Subject s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key. 5. Where the CA does not store Subject Private Keys for Central Authentication purposes, the Subject s Private Key shall be stored and provided for use by the Subject in a manner such that the privacy of the key is not compromised and on allocation only the Subject has access to its Private Key. 33 39 With reference to [13] non-repudiation is used for signing, whereas digital signature is used for authentication.

12 Annex E Requirements on Certification Authority Practice for Land Registry Device Authentication Certificate Policy This Certificate Policy applies to Devices used within Land Registry s Network. This section defines a Certificate Policy identical to the main Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management lifecycle. The identifier for the Land Registry Device Authentication Certificate Policy is: Policy Identifier =1.2.826. 0.1359. 1.1.5 By including this object identifier in a Certificate the CA claims conformance to the identified Land Registry Device Authentication Certificate Policy. This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document with the amendments and changes defined in this Annex. The Certificates issued under this policy are suitable for verifying the identity of an internet server or communications (Virtual Private Networking [VPN]) Device; for initiating a secure connection between a server and client internet browser or between VPN Devices. The acceptability of the Certificate, however, is at the discretion of the Relying Party. Certificates issued under this policy may be suitable for a wide range of applications primarily focusing on the following main classes of security services: identification of a server identification of a VPN Device message integrity enabling the confidentiality of data. 12.1 Deviation from the original policy This policy is identical to the Land Registry Local Signing Certificate Policy except for the following deviations: 12.1.1 Subscriber obligations The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to ensure, where relevant, that the Representative fulfils the following obligations. The Subscriber shall: a. only use the Key Pairs for authentication and data confidentiality and in accordance with any other limitations that may be notified to the Subscriber and b. sub paragraphs b to f contained in 7.2 above. 40 This is to ensure that the device belongs to the organisation or is being operated on their behalf, and as such the organisation has the right to associate its name with it. 34

35 41 The Representative may agree to different aspects of this agreement during different stages of registration. For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement. 42 Other parties (eg the associated legal person) may be involved in establishing this agreement. 43 This agreement may be in electronic form. 12.1.2 Key usage Certificates issued under this policy shall only be used by Devices used within Land Registry s Network for authentication and communications security. Therefore the constraint is that they shall not cover any key usage other than digital signature and key encipherment as defined in [13]. 12.1.3 CA Provided Subscriber Key Management Services Clause 9.3.8 does not apply to this Certificate Policy. 12.1.4 Hardware Key Storage Device Preparation Clause 9.3.9 does not apply to this Certificate Policy. 12.1.5 Subject Registration This Section replaces Section 9.4.1. All Devices shall have an associated Representative, and the Representative shall be subject to all obligations placed on the Subject by the Subscriber. The CA shall ensure that evidence of Subjects identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation. a. before entering into a contractual relationship with a Subscriber, the CA shall inform the Subscriber of the terms and conditions regarding use of the Certificate as given in 9.4.4 b. the agreement above is communicated through a durable (ie with integrity over time) means of communication, which may be transmitted electronically, and in readily understandable language c. the CA shall verify by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of Subjects to whom a Certificate is issued. Submitted evidence may be in the form of either paper or electronic documentation d. as the Subject is a Device or system, operated by or on behalf of an organisational entity, the organisational entity has the right to the Subject 40 and evidence shall be provided of: the identifier of the Device by which it may be referenced (eg internet domain name) the full name of the organisational entity a nationally recognised identity number, or other attributes which may be used to distinguish, as far as possible, the organisational entity from others with the same name e. the Subscriber shall provide a physical address, or other attributes, which describe how the Subscriber may be contacted f. the CA shall record all the information necessary to verify the Subject s identity, including any reference number on the documentation used for verification, and any limitations on its validity g. the signed agreement with the Subscriber is recorded, including: Subscriber agreement to the Representative s obligations as defined in Section 7.2 41,42,43 consent of the Subscriber to the keeping of a record by the CA of information used in registration (see 9.4.11 h and i) and any subsequent revocation (see 9.4.11 j) and passing

of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service whether, and under what conditions, the End User requires and consents to the publication of its Certificate that the information held in the Certificate is correct. h. the records of evidence identified in e and f above are retained for the period of time as indicated to the Subscriber (see b above) and as necessary for the purposes for providing evidence of certification in legal proceedings i. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification j. the requirements of its national data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process. For alternative formats please contact customer contact centre on 0844 892 1111. 36 Issued by Land Registry Corporate Marketing Services September 2009. Crown copyright 2009 Land Registry.