Specifikationsdokument for OCES II



Similar documents
Specification document for LDAP API

Specification document for the RID-CPR service

Specification document for the PID-CPR service

Terms and Concepts in NemID

Displaying SSL Certificate and Key Pair Information

Displaying SSL Certificate and Key Pair Information

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

TeliaSonera Public Root CA. Certification Practice Statement. Revision Date: Version: Rev A. Published by: TeliaSonera Sverige AB

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Certificate Policy for OCES company certificates (Public Certificates for Electronic Services)

Windows Server 2008 PKI and Certificate Security

Certificate Policy for OCES Employee Certificates (Public Certificates for Electronic Services) Version 5

Introduction to NemID and the NemID Service Provider Package

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

The IVE also supports using the following additional features with CA certificates:

Key Management and Distribution

Certificate Policy for OCES personal certificates (Public Certificates for Electronic Services)

Prepared By: P Lichen. P Xulu

Certificate Policy for. SSL Client & S/MIME Certificates

NemID JS Developer Support site. Guidelines

Apple Certificate Library Functional Specification

OIOIDWS for Healthcare Token Profile for Authentication Tokens

Programme of Requirements part 3h: Certificate Policy Server certificates Private Services Domain (G3)

public key version 0.2

ETSI TS V1.1.1 ( )

Guide. - How to setup secure communication for REST services in Automatisk kortbetaling. Revision 1.3. Nets A/S. Lautrupbjerg 10.

Certificate Path Validation

Configuring SSL Termination

APNIC Trial of Certification of IP Addresses and ASes

MTAT Applied Cryptography

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

TechNote 0006: Digital Signatures in PDF/A-1

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

Certificate Policy. SWIFT Qualified Certificates SWIFT

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Configuring Digital Certificates

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

Terms and conditions of business for a NemID administrator of commercial NemID

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

Interoperability Guidelines for Digital Signature Certificates issued under Information Technology Act

Token specification for Energinet.dk DataHub

Neutralus Certification Practices Statement

Implementation Problems on PKI

PEXA Public Key Infrastructure (PKI) Certification Authority Certificate Policy

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

TeliaSonera Server Certificate Policy and Certification Practice Statement

Gandi CA Certification Practice Statement

An LDAP/X.500 based distributed PGP Keyserver

A PKI case study: Implementing the Server-based Certificate Validation Protocol

Entrust Managed Services Non-Federal Public Key Infrastructure X.509 Certificate Policy

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

CA Certificate Policy. SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT

Security Digital Certificate Manager

Certification Practice Statement

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Security Digital Certificate Manager

Den Gode Webservice - Security Analysis

Public Key Infrastructure (PKI)

PostSignum CA Certification Policy applicable to qualified personal certificates

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

ETSI TS V1.1.1 ( ) Technical Specification

Integrated SSL Scanning

Certificate Policy for the United States Patent and Trademark Office November 26, 2013 Version 2.5

Bugzilla ID: Bugzilla Summary:

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012

Polycom RealPresence Access Director System Administrator s Guide

Integrated SSL Scanning

TR-GRID CERTIFICATION AUTHORITY

X.509 Certificate Generator User Manual

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States

- X.509 PKI SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1

Certification services for electronic security certificates

PKI NBP Certification Policy for ESCB Signature Certificates. OID: version 1.5

Certificate technology on Pulse Secure Access

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise

PKI NBP Certification Policy for ESCB Encryption Certificates. OID: version 1.2

SEZ SEZ Online Manual- DSC Signing with Java Applet. V Version 1.0 ersion 1.0

Certificate technology on Junos Pulse Secure Access

CPS - Certification Practice Statement

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

EuropeanSSL Secure Certification Practice Statement

Certification Service Provider of the Ministry of Employment and Social Security. Profile for Public Employee certificates

Actalis Object Identifiers (OIDs)

Asymmetric cryptosystems fundamental problem: authentication of public keys

IBM i Version 7.3. Security Digital Certificate Manager IBM

NISTIR 7676 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

- X.509 PKI COMMERZBANK PERSONS PKI. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.0

Transcription:

Nets DanID A/S Lautrupbjerg 10 DK 2750 Ballerup T +45 87 42 45 00 F +45 70 20 66 29 info@danid.dk www.nets-danid.dk CVR-nr. 30808460 Specifikationsdokument for OCES II Side 1-17

Versionsfortegnelse 3. juni 2014 Version 1.5 PHJER Side 2-17

Indholdsfortegnelse 1 Formål og målgruppe... 4 2 Preface... 5 3 Components of a certificate... 6 4 Formalia... 7 5 Issuer Distinguished Name... 8 6 Subject Distinguished Name... 9 6.1 Personal certificates... 9 6.2 Employee certificates... 10 6.3 Company certificates... 10 6.4 Functional certificates... 11 7 Public Key... 13 8 Extensions... 14 9 Signature... 17 Side 3-17

1 Formål og målgruppe Dette dokument er en del af NemID tjenesteudbyderpakken. Dokument beskriver OCES II, som benyttes i NemID-systemet. Dokumentet er relevant for tjenesteudbyderen, hvis Nets DanIDs Sikkerhedspakke ikke indeholder den ønskede funktionalitet på dette område. Dokumentet henvender sig til de personer hos tjenesteudbydere, der er ansvarlige for implementeringen af NemID. Bemærk at dokumentet fra Afsnit 2 og frem er på engelsk. Side 4-17

2 Preface This document details the contents of OCES II certificates issued by Nets DanID. This includes content specifics for the different types of certificates namely Personal, Employee, Company and Functional certificates defined in the OCES certificate policy. Some of the content is regulated by the X.509v3 standard or the respective certificate policy, and the reader should consult these documents for further details. It is assumed that the reader has adequate knowledge of the X.509 technology. Side 5-17

3 Components of a certificate The contents of a certificate can be divided into the following components: Formalia Issuer 509 version, Certificate Serial Number, Validity period DN of issuer Subject DN of subject Public Key The subjects public Key Extensions Subject Alternative Name, Key Usage, Certificate Policy, CRL Distribution Point, Basic Constraints, Authority Information Access, Private Key Usage Period, Issuer Key Identifier, Subject Key Identifier Signature The CA s signature confirming the correspondence between the identity of the subscriber and the key pair Formalia, Issuer DN, Subject DN and the extensions will be described in detail. Note that in the following, the ASN1 encoding types are given in parenthesis where applicable. Side 6-17

4 Formalia Formalia are characterized by the following details: X.509 Version 3 (Integer) Note that the actual integer value is 2 according to the X.509 standard Serial Number Serial number of the issued certificate (Integer) Note that this number should not be mistaken for the Subject serialnumber. Validity Period The notbefore and notafter fields specifying the validity of the certificate (UTCTime) Side 7-17

5 Issuer Distinguished Name Nets DanID has several CA issuing OCES II certificates. Note that Nets DanID is using the officially registered alternative name Trust2408 in the certificates. The content of the Issuer DN are characterized by the following details: Country Organisation Common Name DK (PrintableString) TRUST2408 (UTF8String) TRUST2408 OCES CA n (UTF8String) Where n is a number (represented by roman numerals) to distinguish between the different issuing CA. E.g. the fourth OCES issuing CA will be named: CN=TRUST2408 OCES CA IV, O=TRUST2408, C=DK Side 8-17

6 Subject Distinguished Name 6.1 Personal certificates The contents of the Subject field are characterized by the following details: Country Organisation Common Name Subject SerialNumber DK (PrintableString) Ingen organisatorisk tilknytning (UTF8String) Common Name of user, i.e. Registered Name or Pseudonym (UTF8String) The PID of the subscriber, e.g. PID:9208-2002-2-123456789012 (PrintableString). The last component is the serial number, while the start is CA specific stuff. The serial number is at present time 12 digits. The total PID string can be considered unique. The total Subject serialnumber however is restricted to 64 chars. For young persons, who are between 15 and 18 years of age the subject DN also includes an OU field which is characterized by the following details: Organisational Unit Ung mellem 15 og 18 - Kan som udgangspunkt ikke lave juridisk bindende aftaler (UTF8String) Side 9-17

6.2 Employee certificates The contents of the Subject field are characterized by the following details: Country Organisation Organisation Unit Common Name Subject SerialNumber DK (PrintableString) Organisation name and CVR number (UTF8String) in the form OrgName // CVR:xxxxxxxx where the OrgName is the registered name of the organization and xxxxxxxx is the CVR number e.g. NETS DANID A/S // CVR: 30808460. Note that long organisation names may be truncated Optional Organisation Unit Name fields. Note that more than one field can be present. (UTF8String) e.g. Marketing Name of certificate holder which may include the title e.g. CEO John Doe (UTF8String) The CVR number of the organization followed by the RID of the employee (PrintableString) e.g. CVR:14773908- RID:1234. The total string can be considered unique. The total Subject serial number is restricted to 64 chars. Note that the RID may include other characters than digits. 6.3 Company certificates The contents of the Subject field are characterized by the following details: Country Organisation DK (PrintableString) Organisation name and CVR number (UTF8String) in the form OrgName // CVR:xxxxxxxx where the OrgName is the registered name of the organization Side 10-17

and xxxxxxxx is the CVR number e.g. NETS DANID A/S // CVR: 30808460. Note that long organisation names may be truncated Organisation Unit Common Name Subject SerialNumber Optional Organisation Unit Name fields. Note that more than one field can be present. (UTF8String) e.g. Marketing Common Name consists of organisation, name organisation unit names and optional function description (UTF8String), e.g. Nets DanID A/S - Marketing - Reciept Broker The CVR number of the organization and followed by the UID of the certificate holder (PrintableString) e.g. CVR:14773908-UID:1234. The total string can be considered unique. The total Subject serial number is restricted to 64 chars. Note that the UID may include other characters than digits. 6.4 Functional certificates The contents of the Subject field are characterized by the following details: Country Organisation Organisation Unit Common Name DK (PrintableString) Organisation name and CVR number (UTF8String) in the form OrgName // CVR:xxxxxxxx where the OrgName is the registered name of the organization and xxxxxxxx is the CVR number e.g. NETS DANID A/S // CVR: 30808460. Note that long organisation names may be truncated Optional Organisation Unit Name fields. Note that more than one field can be present (UTF8String), e.g. Marketing Common Name consists of organisation, name organisation unit names and optional function description Side 11-17

(UTF8String), e.g. Nets DanID A/S - Marketing - Reciept Broker Subject SerialNumber The CVR number of the organization and followed by the FID of the certificate holder (PrintableString) e.g. CVR:14773908-FID:1234. The total string can be considered unique. The total Subject serial number is restricted to 64 chars. Note that the FID may include other characters than digits. Side 12-17

7 Public Key The content of the Public Key field is characterized by the following details: Public Key The subscribers public key (BitString) Side 13-17

8 Extensions The contents of the Extension fields are characterized by the following details. Note that extension can be marked as critical. If this is the case, this will be specified under the particular extension. Critical Key Usage Certificate Policies CRL Distributio n Points The intended key usage for the given certificate. Different for encryption, verification and combined certificates according to the OCES CP. (OctetString). The Certificate Policy extension holds the following parts: 1. OCES CP OID 2. Reference to www.certifikat.dk/repository where terms can be found 3. A short cook up (200 chars) of the terms The CRL Distribution Points extension holds different locations for status information of the given certificate. Two different ways are supported: 1. A full CRL over http 2. A partitioned CRL over LDAP Since most client applications support CRL download over http the full CRL is located at the http link. Example: http://crl.oces.certifikat.dk/ocesii.crl The LDAP reference to the partitioned CRL is not full, i.e. the hostname is not included. This prevents clients who are expecting a full CRL to trust a partitioned CRL as full. If a partner wants to implement partitioned CRL support they have to be aware of the following details: 1. A new partitioned CRL is issued for every 750 certificates 2. The most secure way to decide which partitioned CRL to use is to look at the Yes No No Side 14-17

Access Informatio n Authority (AIA) CRL Distribution Point in the certificate. 3. The hostname of the external LDAP is ldap://dir.certifikat.dk Note further that since the partitioned CRL mechanism is far more complicated it is the responsibility of the partner to ensure that the implementation is correct. Example: DirName:/C=DK/O=DanID/CN=DanID OCES CA n/cn=crl3 Note further that the full CRL can be obtained over LDAP from the node /C=DK/O=DanID/CN=DanID OCES CA n in the attribute certificaterevocationlist Note that the CRL files obey the following rule of thumb: A general CRL grows with 38 bytes for each revoked certificate (offset 527 bytes) Hence partitioned CRLs have size 0-30000 bytes The location of the CRL servers is dictated by the DNS names crl.oces.certifikat.dk and dir.certifikat.dk Note that may corresponds to the several IPaddresses since shift between the IP-addresses is done dynamically and without warning however respecting TTL in the DNS system. This means that an implementation of CRL retrieval should comply with the following: 1. The service should not cache DNS/IP information but perform DNS lookups respecting TTL. 2. If the service is behind a firewall make sure that the firewall does not block any of the destination IP-addresses in the list. The OCES certificate holds one AIA extension with two references: A reference (Online Certificate Status Protocol) to the OCSP responder. The OCSP responder can be used as an alternative to CRLs to verify certificates. The responder is compliant with No Side 15-17

Authority Key Identifier Subject Key Identifier RFC2560 and is described in further details elsewhere. A HTTP reference (CA Issuers) to a DERencoded file containing the CA certificate used to sign the certificate. This can be used for building a trusted certificate path. This is useful for relying parties, which only has the end user certificate (or a fraction of a certificate chain). The Authority Key ID holds a fingerprint of the Issuing key. For chain building purposes (OctetString). The Subject Key ID holds a fingerprint of the Subject key. For chain building and internal client administrative purposes (OctetString) No No Basic Constraint s Subject Alternative Name Basic Constraints hold information about whether or not the certificate is an end user or a CA certificate. For OCES End User Certificates this is done by the value CA:FALSE (OctetString) Certificate holders email address, if subscriber decides to include this in the certificate, e.g.: email:me@mail.dk (OctetString) Note that this extension is optional. No No Side 16-17

9 Signature The content of the Signature field is characterized by the following details: Signature The CA s signature on the certificate (BitString) Side 17-17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information