CERTIFICATE POLICY CONCERNING PERSONAL DIGITAL CERTIFICATES OF BANK OF FINLAND AND FINANCIAL SUPERVISORY AUTHORITY EMPLOYEES


Certificate Policy 1 (18)

1 INTRODUCTION
  1.1 Overview
  1.2 Document name and identification
  1.3 PKI participants
  1.4 Certificate usage
  1.5 Policy administration
  1.6 Definitions and acronyms
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES
  2.1 Repositories
  2.2 Publication of certification information
  2.3 Time or frequency of publication
  2.4 Access controls on repositories
3 IDENTIFICATION AND AUTHENTICATION
  3.1 Naming
  3.2 Initial identity validation
  3.3 Identification and authentication for re-key requests
  3.4 Identification and authentication for revocation request
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
  4.1 Certificate Application
  4.2 Certificate application processing
  4.3 Certificate issuance
  4.4 Certificate acceptance
  4.5 Key pair and certificate usage
  4.6 Certificate renewal
  4.7 Certificate re-key
  4.8 Certificate modification
  4.9 Certificate revocation and suspension
  4.10 Certificate status services
  4.11 End of subscription
  4.12 Key escrow and recovery
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
  5.1 Physical controls
  5.2 Procedural controls
  5.3 Personnel controls
  5.4 Audit logging procedures
  5.5 Records archival
  5.6 Key changeover
  5.7 Compromise and disaster recovery
  5.8 CA or RA termination
6 TECHNICAL SECURITY CONTROLS
  6.1 Key pair generation and installation
  6.2 Private Key Protection and Cryptographic Module Engineering Controls
  6.3 Other aspects of key pair management
  6.4 Activation data
  6.5 Computer security controls
  6.6 Life cycle technical controls
  6.7 Network security controls
  6.8 Time-stamping
7 CERTIFICATE, CRL, AND OCSP PROFILES
  7.1 Certificate profile
  7.2 CRL profile
  7.3 OCSP profile
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS
  8.1 Frequency or circumstances of assessment
  8.2 Identity/qualifications of assessor
  8.3 Assessor's relationship to assessed entity
  8.4 Topics covered by assessment
  8.5 Actions taken as a result of deficiency
  8.6 Communication of results
9 OTHER BUSINESS AND LEGAL MATTERS
  9.1 Fees
  9.2 Financial responsibility
  9.3 Confidentiality of business information
  9.4 Privacy of personal information
  9.5 Intellectual property rights
  9.6 Representations and warranties
  9.7 Disclaimers of warranties
  9.8 Limitations of liability
  9.9 Indemnities
  9.10 Term and termination
  9.11 Individual notices and communications with participants
  9.12 Amendments
  9.13 Dispute resolution provisions
  9.14 Governing law
  9.15 Compliance with applicable law
  9.16 Miscellaneous provisions
  9.17 Other provisions

1 INTRODUCTION

This document defines the Certificate Policy (CP) of the Certification Authority (CA) of Bank of Finland (BOF). The Certification Authority of Bank of Finland issues personal digital certificates for the employees of the Bank of Finland and Financial Supervisory Authority (FIN-FSA).

This Certificate Policy document is not a legal contract or legal document; rather, it is a description of factors affecting the reliability of certificates issued by Bank of Finland's Certificate Authority.

The security procedures and technical specifications presented in this document regarding digital certificate production are implemented in accordance with the European System of Central Banks (ESCB) Certificate Acceptance Framework (CAF) and best practices of Bank of Finland.

The practices observed within Bank of Finland's Certificate Authority in the process of producing digital certificates are described in a separate Certification Practice Statement (CPS) document.

1.1 Overview

The overview of CA infrastructure in Bank of Finland is presented in picture 1.

[Picture 1: CA infrastructure of Bank of Finland. Labels: Level 0, Level 1, Level 2; Root CA, BOF CA, Certificate Holder]

The CA infrastructure of Bank of Finland consists of two hierarchically deployed CA servers: Root CA and BOF CA.

Root CA is the absolute base of the hierarchy. It only issues digital certificates to subordinate CAs.

BOF CA is a subordinate CA server which is used to issue personal digital certificates for Bank of Finland and FIN-FSA personnel.

Management of the CA infrastructure is handled by the Information Technology department of Bank of Finland.

1.2 Document name and identification
1.3 PKI participants

The complete name of this document is Certificate policy concerning personal digital certificates of Bank of Finland and Financial supervisory authority employees. The object identifier for this Certificate policy is 1.2.246.542.2.1.

The certification entities and operations covered by this certificate policy are presented in the following table:

PKI participant: Certification authority
Role: Certification authority produces the certificate services under the terms referred to in this certificate policy provided by Bank of Finland. Certification authority has the following tasks:
- Fulfilling its responsibility for providing certificate and directory services as well as revocation services.
- Monitoring to ensure that this CP as well as the CPS of Bank of Finland is followed when granting certificates.
- Maintaining the CP and CPS documents.
- Ensuring such human resources for the certification that the process has every chance of succeeding.
- Ensuring that only reliable IT systems are used for the certification.
- Monitoring to ensure that the IT systems used for certification are used appropriately and preventing other use.

PKI participant: Registration authority
Role: Certificates as referred to in this CP are registered by the BoF security unit. Registration authority has the following tasks:
- Ensuring the identity of the applicant as provided in this CP before the certificate is granted.
- Ensuring the handling, retaining and progress of the application to certificate production in a way that leaves no room for failure.

PKI participant: Certificate holder
Role: On application, Bank of Finland and FIN-FSA employees obtain a personal smart card containing personal digital certificates.

PKI participant: Revocation service
Role: The revocation of digital certificates is handled by the security unit in Bank of Finland.

1.4 Certificate usage

Certificates as referred to in this CP are to be used with the personal smart cards granted to BOF and FIN-FSA employees. Each certificate holder has two digital certificates corresponding to individual key pairs of private and public keys generated for each certificate. The following uses are available for the certificates:

Certificate for authentication, email encryption and signature

The certificate holder can use the keys of the certificate for authentication in BOF computer systems as well as other systems which recognize this certificate issued by BOF CA.

The public key of this certificate can be used to encrypt email messages. The certificate holder can use the corresponding private key to decrypt email messages encrypted with the public key.

The certificate holder can use the private key of the certificate for digital signature of data. The public key can be used to verify the digital signature made with a private key.

Certificate for undisputed signature

The certificate holder can use the private key for undisputed signature of data. The key pair of this certificate is generated so that the private key will at no stage be disclosed or become available outside of the smart card.

1.5 Policy administration

Bank of Finland maintains and is responsible for this Certificate Policy. The validity of this document is periodically verified by Bank of Finland.

The CA reserves the right to change this CP through a notification provided 2 weeks in advance of the entry into force of the changes. If there is only a slight change that does not affect any CA reliability factors, the change may be carried out without notification.

Contact information concerning this CP:

Email: pki@bof.fi
Postal address:
Suomen Pankki
Snellmaninaukio
PO Box 160
00101 Helsinki, Finland

1.6 Definitions and acronyms

BOF CA: Bank of Finland Certificate Authority
CAF: Certificate Acceptance Framework
CP: Certificate Policy
CPS: Certification Practice Statement
CRL: Certificate Revocation List
ESCB: European System of Central Banks
FIN-FSA: Finnish Financial Supervisory Authority
RA: Registration Authority

2 PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories
2.2 Publication of certification information
2.3 Time or frequency of publication
2.4 Access controls on repositories

The certificate authority publishes the publicly available data on its website at URL http://www.bof.fi/cps. These data include this certificate policy, public key data of the CA servers (Root CA and BOF CA) and other information that the certification authority deems necessary.

The BOF CA server certificate revocation list is also publicly available at the certificates' CRL distribution point at URL http://www.bof.fi/cps.

The Certification Practice Statement and the documents not listed above are considered non-public information and are available only to a limited audience.

All publicly available information may be freely used for reading purposes.

The certificate authority of Bank of Finland is responsible for informing its digital certificate holders and relying parties about changes in the certificate policy or Certification Practice Statement that might affect the credibility of the certificate. The CA reserves the right to change the certificate policy or Certification Practice Statement with a notification period of two weeks.

Publishing of the certificate revocation list is carried out as stated in section 7.2 of this certificate policy.

All publicly available data are published on the CA website. Data with a restricted audience are kept within the BOF intranet and are available only to the appropriate personnel.

3 IDENTIFICATION AND AUTHENTICATION

3.1 Naming
3.2 Initial identity validation

Before a certificate is granted, the identity of the applicant is validated. Before the BOF smart card containing the certificates is given to its holder, the identity is verified.

A certificate as referred to in this CP complies with the X.509 standard. Naming defines the identification data of the certificate holder and the CA used in the certificate. The issuing CA is named in the Issuer field of the certificate and the holder is named in the Subject field of the certificate.

BOF smart cards containing the issued certificates are only given to employees of Bank of Finland or FIN-FSA and third party personnel currently working for either organization. The initial identity validation for each certificate holder is done as stated in the CPS.

3.3 Identification and authentication for re-key requests
3.4 Identification and authentication for revocation request

The holder of a BOF smart card containing certificates is obligated to personally inform the revocation service about any disappeared, broken or compromised smart card so that the certificates on it can be revoked.

4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1 Certificate Application
4.2 Certificate application processing
4.3 Certificate issuance
4.4 Certificate acceptance
4.5 Key pair and certificate usage
4.6 Certificate renewal
4.7 Certificate re-key
4.8 Certificate modification

The certification authority of Bank of Finland only issues digital certificates based on written requests received by the registration authority of Bank of Finland.

The certificate application is processed by the registration authority of Bank of Finland. The related process is described in the CPS.

The certificate is issued by the CA server if the registration authority of Bank of Finland approves the processed certificate application. The related process is described in the CPS.

The applicant becomes a digital certificate holder once he/she receives the BOF smart card containing the certificates. The related process is described in the CPS.

Digital certificate holders may use the key pair and certificate only for purposes described in section 1.4 of this certificate policy.

4.9 Certificate revocation and suspension
4.10 Certificate status services
4.11 End of subscription
4.12 Key escrow and recovery

Upon receiving a BOF smart card, the digital certificate holder agrees to be obligated to personally inform the registration authority of Bank of Finland about disappeared, broken or compromised smart cards so that the certificates on them can be revoked.

The revocation of a certificate is the process of terminating the usage of a certificate prior to its expiration date. Information concerning revoked certificates issued by the CA at Bank of Finland is published in a certificate revocation list (CRL). The related process is described in the CPS.

The CRL is published and is accessible as stated in section 7.2. The CRL distribution point is specified in each digital certificate issued by the CA.

Usage of digital certificates is terminated in two separate cases:

1. Normal expiration of a certificate. The CA does not support the re-key option at the moment, so a new certificate is required once the previous one expires.
2. Revocation of a certificate. Revocation is handled by the revocation service as stated in section 1.3 of CPS.

Private keys are stored only in BOF smart cards. Therefore the key archive or recovery options are not available for these keys.

5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.1 Physical controls

All premises used by the certificate service are secure, well protected, efficiently monitored and alarmed. The physical security at the BoF is at a good central bank level.

5.2 Procedural controls
5.3 Personnel controls
5.4 Audit logging procedures
5.5 Records archival
5.6 Key changeover

No stipulation (basically all critical operations are logged, the log is protected by encryption and signing etc.)

5.7 Compromise and disaster recovery
5.8 CA or RA termination

The operations of the certification authority according to this CP may have to be terminated as a result of a CA decision, disclosure of a private key provided by the CA or questions raised about the technical basis of the system. The CA informs the certificate holders and agreed certificate users about such discontinuation. When the certification operations have been discontinued, the certificates shall no longer be trusted.

6 TECHNICAL SECURITY CONTROLS

6.1 Key pair generation and installation

The key pair used for undisputed signature is generated as an internal personal smart card operation so that the private key will at no stage be disclosed or become available outside of the card.

The key used for encryption and identification is generated in the certification system. A back-up copy of the encryption key is retained in the certification system in case the card should break or disappear. The related process is described in the CPS.

6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.3 Other aspects of key pair management
6.4 Activation data
6.5 Computer security controls

Security controls are implemented to protect the module and to prevent anyone from managing the module single-handedly.

Computer security controls are implemented to increase the information security of the CA system and to ensure continuation of the certification process. The controls are focused on the following topics:
- Data backups
- Access control (system, databases and applications)
- Access rights (system, databases and applications)
- Archive and log files
- Authentication

6.6 Life cycle technical controls
6.7 Network security controls
6.8 Time-stamping

No Stipulation.

7 CERTIFICATE, CRL, AND OCSP PROFILES

7.1 Certificate profile
7.2 CRL profile
7.3 OCSP profile

A certificate as referred to in this certificate policy document complies with standard X.509. As a rule, the certificates are valid for three years. All personal digital certificates issued by the CA include the following information:
- Version
- Serial number
- Algorithm info
- Issuer + OID
- Validity
- Subject
- Scope of usage
- Public key

A certificate revocation list (CRL) as referred to in this certificate policy document complies with standard X.509. BOF CA publishes its certificate revocation list every hour, and the list is valid for 72 hours. The list is available at the CRL distribution point at URL http://crl.bof.fi/bof.crl.

Certificate revocation lists published by BOF CA include the following information:
- Version
- Issuer
- Effective date
- Next update
- Algorithm info
- List of revoked certificates

8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS

8.1 Frequency or circumstances of assessment
8.2 Identity/qualifications of assessor
8.3 Assessor's relationship to assessed entity
8.4 Topics covered by assessment
8.5 Actions taken as a result of deficiency
8.6 Communication of results

9 OTHER BUSINESS AND LEGAL MATTERS

9.1 Fees
9.2 Financial responsibility
9.3 Confidentiality of business information

As the personal digital certificates issued by BOF CA are intended only for internal use in the Bank of Finland and the Financial Supervisory Authority, the CA is not responsible for possible damages caused to other parties that have relied on the certificates.

9.4 Privacy of personal information
9.5 Intellectual property rights
9.6 Representations and warranties
9.7 Disclaimers of warranties
9.8 Limitations of liability
9.9 Indemnities
9.10 Term and termination

No stipulation

Bank of Finland maintains and is responsible for this CP. The CA reserves the right to change this CP with a notification period of two weeks. Validity of the older version of the CP is terminated as soon as the new one enters into force. This CP and the corresponding CPS will remain valid until further notice.

9.11 Individual notices and communications with participants
9.12 Amendments
9.13 Dispute resolution provisions
9.14 Governing law
9.15 Compliance with applicable law
9.16 Miscellaneous provisions
9.17 Other provisions

The CA is responsible for the information published in the relevant directory to the extent specified in the national legislation.