Certification Practice Statement CPS_PCS_01
Version 3.1
“Postecert Certificati Server” Certification Service
(Certification Practice Statement)
Date 07/07/09
Postecom S.p.A.
PosteItalianeGroup
Source: postecert.poste.it/postashqiptare/docs/CPS_PCS_01_3.1.pdf
Version no. | Page no. | Reason for revision | Date
1.0 | | Approval | 21/05/2002
1.1 | 10, 23 | Redefinition of organizational aspects | 01/07/2002
1.2 | 23, 24 | Update of Attachment 2 | 03/10/2002
2.0 | All | Complete redefinition of the CPS after a review of the process of dispensing the service. | 25/11/2002
3.0 | 1, 5, 6, 8, 9, 11, 21, 22 | Update relative to the use of the new CA certificate | 22/02/2005
3.1 | 23, 24 | Inserted Certificate Revocation List Distribution Point; Modified URL of CPS | 07/07/2009

Version no. | Drafted | Verification | Approval | Date
3.1 | Giuseppe La Rosa | Assunta Alfano | Roberto Ugolini | 07/07/2009
CONTEXT
IDENTIFICATION OF THE DOCUMENT
TABLE OF ACRONYMS AND ABBREVIATIONS
COMMUNITY AND APPLICABILITY
    Certification Authority (CA)
    Registration Authority (RA)
    Requester
    User
    Types of Certificates
FOR ADDITIONAL INFORMATION
    Telephone Support
    Internet Service
GENERAL SERVICE CONDITIONS
OBLIGATIONS
    The CA's Obligations
    Requester's Obligations
THE CA'S LIABILITY
    To the Requester
PUBLICATION AND DIRECTORY
    Information about the CA
    Certificates and CRLs
APPLICABLE LAW AND COMPETENT JURISDICTION
GENERATION OF THE CERTIFICATION REQUEST
REGISTRATION OF THE REQUESTER
PAYMENT METHODS
VERIFICATION OF THE INFORMATION
GENERATION OF THE CERTIFICATE
PUBLICATION OF THE CERTIFICATE
ACCEPTANCE OF THE CERTIFICATE
INSTALLATION OF THE CERTIFICATE
CHANGES IN REGISTRATION INFORMATION
REVOCATION OF THE CERTIFICATE
    Circumstances for Revocation
    Revocation Requests from the Requester
    Revocation Requests from the CA
RENEWAL OF CERTIFICATES
MANAGEMENT OF THE ARCHIVES
SERVICE LEVELS
DAMAGE AND DISASTER RECOVERY
PHYSICAL PROTECTION OF THE PREMISES
CERTIFICATION SYSTEM SECURITY
SECURITY OF THE CRYPTOGRAPHIC MODULE
SECURITY OF THE PROCESSORS
NETWORK SECURITY
PROFILE OF THE CERTIFICATES
To use the service, the Requester must pay the fee required for the certificate and relative
accessory services requested. For payment methods and conditions, please refer to the
general service conditions updated from time to time on the site, postecert.poste.it.
Verification of the Information
Upon receipt of the information, Postecom will:
• Check the file with the certification request and verify its coherence with the information in
the Registration Form, Contract and attached paper documentation;
• Verify the uniqueness of the X.500 Distinguished Name (DN) in the context of its issued
certificates;
• Check the attribution of the Internet domain for the web server to the company requesting
the certification;
• Make a telephone check using a third-party database.
If all the checks are positive, the RA will send the file with the certification request to the CA,
authorizing the generation of the certificate.
The Certification Authority will then proceed to verification of the documentation, sending it only
after receipt of proof of payment thereof.
Postecom shall not issue the certificate if the information communicated is incorrect or
incomplete, based on the checks made.
Generation of the Certificate
Once the RA's approval is received, the CA will verify that the request's PKCS#10 format is
correct. If the required verification is positive, the CA will generate the certificate conforming to
the profile described in paragraph “Profile of the Certificates”. The DN will appear as the value
of the Certificate's subject field.
Should the checks not be positive, Postecom shall notify the Requester through the RA,
requesting the generation of a new certification request.
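The format check described above, combined with the web-server key-length limit stated under “Security of the Cryptographic Module”, can be sketched as follows. This is an added example, not Postecom's code or part of the CPS: it checks only the structure of a DER-encoded PKCS#10 request and does not verify its signature. The function names, the subject www.example.it and the placeholder key are assumptions.

```python
# Added example (not Postecom's code): structural check of a DER PKCS#10 request.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def expect(elems, tags, what):
    if [t for t, _ in elems] != tags:
        raise ValueError("malformed " + what)
    return [v for _, v in elems]

def check_csr(der, max_rsa_bits=1024):
    """Validate the PKCS#10 layout; return (subject Name DER, RSA modulus bits)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    info, _sig_alg, _sig = expect(children(body), [0x30, 0x30, 0x03], "CertificationRequest")
    version, subject, spki, _attrs = expect(children(info), [2, 0x30, 0x30, 0xA0], "request info")
    if version != b"\x00":
        raise ValueError("version must be 0 (v1)")
    alg, key_bits = expect(children(spki), [0x30, 0x03], "SubjectPublicKeyInfo")
    if children(alg)[:1] != [(0x06, RSA_OID)] or key_bits[:1] != b"\x00":
        raise ValueError("public key is not an RSA key")
    (rsa_key,) = expect(children(key_bits[1:]), [0x30], "RSAPublicKey")
    modulus, _exp = expect(children(rsa_key), [0x02, 0x02], "RSAPublicKey")
    size = int.from_bytes(modulus, "big").bit_length()
    if size > max_rsa_bits:  # 1024 is the web-server key limit stated in this CPS
        raise ValueError("RSA modulus of %d bits exceeds the limit" % size)
    return subject, size

def enc(tag, value):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + value

def sample_csr(bits):
    """Constructed request: placeholder modulus and all-zero signature, no real key."""
    n = (1 << (bits - 1)) | 1
    rsa = enc(0x30, enc(0x02, n.to_bytes(bits // 8 + 1, "big")) + enc(0x02, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, enc(0x06, RSA_OID) + enc(0x05, b"")) + enc(0x03, b"\x00" + rsa))
    cn = enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x13, b"www.example.it")))
    info = enc(0x30, enc(0x02, b"\x00") + enc(0x30, cn) + spki + enc(0xA0, b""))
    sig_alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010105")) + enc(0x05, b""))
    return enc(0x30, info + sig_alg + enc(0x03, b"\x00" + bytes(bits // 8)))
```

The returned subject bytes are the encoded Name, which is the value a DN-uniqueness check against previously issued certificates would compare.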
Publication of the Certificate
The certificate will be published in the X.500 Directory Server and sent by the RA to the e-mail
address of the Server's authorized Responsible.
Acceptance of the Certificate
Once the certificate is generated, it is sent to the e-mail address of the Server's Responsible
that appears in the Registration Form in Attachment 1 of the CPS. Should the Requester
discover any errors or defects in the certificate, he/she must inform Postecom immediately at
the e-mail address [email protected]. Otherwise, the Requester shall be considered to
have accepted the certificate.
By accepting the certificate, the Requester declares his acceptance of the terms and conditions
of the present CPS and the Contract referred to in paragraph Registration of the Requester.
Installation of the Certificate
The Requester may install the certificate on the web server upon receipt by following the
instructions for the specific product used.
Changes in Registration Information
The Requester must notify Postecom, in a timely manner, of any changes to the information
discussed in paragraph Registration of the Requester. If the changes pertain to information in
the certificate, the Requester must also request its revocation.
Postecom reserves the right to revoke the Requester's certificate whenever the change of
registration information requires such.
Revocation of the Certificate
The revocation of a certificate is complete with its publication in the revocation list (CRL) signed
by the Certification Authority. The revoked certificate is no longer valid and the Requester must
immediately remove the relative certificate from the associated web server.
Circumstances for Revocation
Postecom will revoke the certificate upon the Requester's request, conforming to the methods
and terms prescribed in the present CPS.
The Certification Authority may revoke the certificate on its own initiative under precise
conditions such as discovering use that does not comply with the present CPS.
Revocation Requests from the Requester
The Requester must request the revocation of the certificate in the following circumstances:
• in the case where he/she wishes to terminate the contractual relationship with Postecom;
• if the information in the certificate issued is no longer valid;
• if he/she believes that the security of the web server on which the certificate was installed
has been compromised.
This latter circumstance must be promptly detected and communicated; in any case, Postecom
assumes no liability for the improper use of the private key associated with the certified public
key.
To request revocation, the Requester must send a fax on letterhead, and suitably signed, to the
number +39 06 59585049 or +39 06 59585028, explicitly requesting the revocation of the web
server certificate with at least the Requester's company name and the name of the web server
(the value in the field Name of the Web Server to be certified in Attachment 1) to be revoked.
Following the receipt of the fax, Postecom's Registration Area shall perform a telephone
verification in which the Requester will be asked to provide several required pieces of
information contained in the Registration Form, in paragraph “Registration of the Requester,” in
order to authenticate its revocation request.
The RA shall verify the revocation request and, if positive, will forward the request to the CA.
The revoked Certificate will be placed on the CRL (see Certificates and CRLs on page 12).
The revocation request service is available from Monday to Friday, from 08:30 to 18:00, Italian
holidays excluded.
Revocation Requests from the CA
Postecom may only revoke a Requester's certificate under the following circumstances:
• certainty that information in the certificate has changed;
• certainty of the certificate's improper use.
In either case, Postecom will inform the Requester after the revocation.
Renewal of Certificates
If the renewal request is made during the certificate's period of validity, the Requester may
send a declaration with which the Requester, under its own responsibility, confirms to the
Certification Authority that it continues to meet the requirements for the first issue of the
certificate. In addition, it must send a new renewal request (CSR) for the certificate in question
using the methods provided by the Certification Authority.
Beyond the expiration date (or after revocation, if necessary) it will not be possible to
renew. Rather, a new certificate must be generated in the manner required for first issue, as
provided for in paragraph “Generation of the Certification Request.”
Management of the Archives
Postecom keeps track of computer records relative to:
• Requests for the generation of certificates,
• Issuing of certificates,
• Revocation of certificates.
Postecom keeps the above-listed records for a maximum of two years from the expiration date
of the certificate.
A complete daily backup is made of all archives containing the above-listed records.
Postecom likewise preserves all paper documentation for a maximum of two years from the
expiration date of the certificate, except for the different periods required for fiscal
documentation.
Service Levels
The certificate is generated within 3 (three) working days from the receipt of the file with the
certification request and the information required in paragraph “Registration of the Requester.”
The certificate will be revoked within 4 (four) hours from receipt of the request, during the
period the service is available (from Monday to Friday, 08:30 a.m. to 6:00 p.m., Italian holidays
excluded).
Access to the Directory Server and CRLs is available 7 days a week, 24 hours a day, except for
scheduled maintenance.
Damage and Disaster Recovery
All processors used to provide the certification service are covered by a maintenance contract
that guarantees service within 8 (eight) hours.
In the event of damage to programs or data, they will be restored from periodic backups.
Security Features
Physical Protection of the Premises
The technological systems involved are located in a protected area with access allowed only to
Postecom employees and controlled through digital fingerprint recognition devices, Smart Card
readers and closed-circuit television. The area is located inside the Poste Italiane buildings in
Rome, Viale Europa, 175. Poste Italiane's buildings are protected and under surveillance 24
hours a day, 7 days a week, and include the permanent presence of Postal and
Communications Police.
Certification System Security
The certification activities management platform, which consists of various modules of the
Baltimore Technologies UniCERT software suite, offers the following security functions:
Identification and Authentication
Access to the platform's application modules is provided through user
identification. The authentication mechanism is also required for starting and
stopping the service linked to the application module.
Access Control
Access to the platform's application modules is provided through strong
authentication mechanisms. Access is only allowed to the modules after
verification of the correct entry of the passphrase.
Tracking
All the applications running inside the Certifier's certification system keep track of
the operations made in a database.
Text logs are kept that record information about start-up, stopping or alarms
relative to services linked to the application modules, as well as tracking
information for any configuration changes made to the services. Each record in the
logs is digitally signed.
Integrity and Non-Repudiation
Digital signature of the messages: all messages sent by the individual modules are digitally
signed.
Verification of the messages: the modules verify all messages they receive to
ensure their integrity and authenticity.
Archiving the data: all data and audit logs are recorded in the database for each
module. These records are digitally signed by the proprietary modules of the DB.
Each record has a unique identification number.
Communications
The modules communicate with each other using the PKIX protocol.
Security of the Cryptographic Module
Postecom uses the RSA (Rivest-Shamir-Adleman) algorithm for the generation of digital signatures.
All certificates issued by Postecom, from the certificates relative to certification keys through to the certificates relative to web server public keys, are signed using the RSA algorithm. The user must use the same RSA algorithm to generate its own pair of keys. The web server's public keys have a maximum length of 1024 bits; the certification keys are 2048 bits long.
At present, there is as yet no cryptanalysis system capable of breaking keys of that length. Since the probability of breaking 1024 or 2048-bit keys may increase in the future, Postecom reserves the right to adjust the length of keys to future technology.
As regards the hash function, the function defined by the ISO/IEC 10118-3:1998 standard for
the generation of fingerprints will be used: Dedicated Hash-Function 3, corresponding to the
SHA-1 function.
Security of the Processors
The operating system of the computers used in certification activities, generating certificates
and managing the certificate registry, conforms, at least, to the specifications required for the
ITSEC F-C2/E2 class or the C2 class of the TCSEC standards.
The systems are configured in such a way as to reduce the risk of altering the configurations to
a minimum. Normal use of the systems therefore requires profiles whose access rights are not
similar to the administrative ones.
Network Security
The network infrastructure requires a first line consisting of a firewall system, in a
high-reliability configuration, which filters traffic from the Internet to the DMZ network, where
the servers that must be accessible from the Internet (such as the Directory Server and the web
server that publishes the CRLs) are located, and a second line that filters the traffic between
the DMZ network and the Secure LAN where the certification systems are installed.
The use of this technology makes it possible to use NAT (Network Address Translation) to
“mask” internal IPs from the Internet, to intercept attempts to create service interruptions
with DoS SYN flood attacks, to set Anti-Spoofing rules and to limit accesses to a span of time
definable in a granular manner. An Intrusion Detection System, based on a constantly updated
vulnerability database, is used to analyze the packets traveling over the network in real time
and, where suspicious activity is encountered, to activate the due precautions (blocking IP
addresses, interrupting connections, sending traps) and alarms.
The services in the DMZ are provided with coverage 24 hours a day, 7 days a week, 365 days
a year, with a manned presence from Monday through Friday from 08:00 a.m. to 8:00 p.m. and
coverage in unmanned hours and holidays by a 2-level, on-call structure. A centralized
monitoring system signals alarms by sending SMSs and making telephone calls.
Profile of the Certificates “Postecert Certificati Server”