SPECIFIC CERTIFICATION PRACTICES AND POLICY FOR
NATURAL PERSON CERTIFICATES
FROM THE “AC FNMT USUARIOS”
NAME
DATE
Prepared by: FNMT-RCM / v1.3 17/11/2017
Revised by: FNMT-RCM / v1.3 11/12/2017
Approved by: FNMT-RCM / v1.3 22/12/2017
DOCUMENT LOG
Version   Date         Description
1.0       25/03/2014   Document creation
1.1       24/06/2016   Modifications in accordance with ETSI 101 456 audit
1.2       03/01/2017   Modifications in accordance with ETSI EN 319 412-2
1.3       22/12/2017   Annual revision of the document.
Reference: DPC/CPUS0103/SGPSC/2017
Document classified as: Public
Specific Certification Policies and Practices.
Natural person certificates from the AC FNMT Usuarios
Version 1.3
TABLE OF CONTENTS
1. Introduction
2. Document organization
3. Order of prevalence
4. Definitions
5. Pseudonyms
6. Certificate profile
  6.1. Naming restrictions
  6.2. Use of the policy constraints extension
  6.3. Syntax and semantics of policy qualifiers
  6.4. Semantic processing of the “certificate policy” extension
7. Acknowledgment and authentication of registered trademarks
8. Management of the life cycle of the keys of the Trust Services provider
  8.1. Management of key life cycles
    8.1.1. Generation of Trust Services Provider Keys
    8.1.2. Storage, safeguards, and recovery of Trust Services Provider Keys
    8.1.3. Distribution of the Signature verification data of the Trust Services Provider
    8.1.4. Storage, safeguards, and recovery of Keys of the Private Keys of the Holders
    8.1.5. Use of the Signature Creation Data of the Trust Services Provider
    8.1.6. End of the life cycle of Trust Services Provider Keys
    8.1.7. Life cycle of cryptographic hardware used to sign Certificates
9. Operation and management of public key infrastructure
10. Publication of the terms and conditions
11. Certification policy for natural person certificates
  11.1. Identification
  11.2. Type description of the natural person certificate
  11.3. Community and scope of application
  11.4. Liability and obligations of the parties
    11.4.1. Rights and obligations of the Administrations
    11.4.2. Obligations and responsibility of Registry Offices
    11.4.3. Obligations and responsibility of the Trust Services Provider
      11.4.3.1. Prior to issuing the Certificate
      11.4.3.2. Identification of the Holder
      11.4.3.3. Generation of Signature creation data and additional information
      11.4.3.4. Conservation of information by the FNMT-RCM
      11.4.3.5. Protection of Personal Information
      11.4.3.6. Termination of the activity of the FNMT-RCM as Trust Services Provider
      11.4.3.7. Responsibilities of the Trust Services Provider
    11.4.4. Obligations and responsibility of the Applicant and the Holder
      11.4.4.1. Responsibility of the Applicant
      11.4.4.2. Responsibility of the Holder
    11.4.5. Obligations and responsibility of the User entity and third parties who trust the Certificates
  11.5. Limits of use of natural person certificates
12. Specific certification practices for natural person certificates
  12.1. Key management services
  12.2. Management of certificate life cycles
    12.2.1. Application procedure for Natural Person Certificates
    12.2.2. Confirmation of personal identity
      12.2.2.1. Verification of identity by physical visit
      12.2.2.2. Use of electronic certificates as a means of identification
    12.2.3. Issuing of the Natural Person Certificate
    12.2.4. Acceptance, downloading and installation of the Natural Person Certificate
    12.2.5. Validity of the Natural Person Certificate
      12.2.5.1. Expiration
      12.2.5.2. Invalidation of the Certificate
    12.2.6. Revocation of the Natural Person Certificate
      12.2.6.1. Causes for revocation
      12.2.6.2. Effects of revocation
      12.2.6.3. Revocation procedure
    12.2.7. Suspension of the Natural Person Certificate
      12.2.7.1. Causes for suspension of the Certificate
      12.2.7.2. Effects of suspension
      12.2.7.3. Procedure for the suspension of Certificates
    12.2.8. Renewal of the Natural Person Certificate
  12.3. Verification of the status of the natural person certificate
Annex I: Identification of the certification authority certificate AC FNMT Usuarios
1. INTRODUCTION
1. This document is an integral part of the Trust Services Practices and Electronic Certification
Statement (TSPS) of the FNMT-RCM, and its aim is to inform the public about the conditions
and characteristics of the certification services and services for the issuing of electronic
Certificates by the FNMT-RCM as a Trust Services Provider, containing the obligations and
procedures with which it agrees to comply in regard to the issuing of the Natural Person
Certificate issued by the “AC FNMT Usuarios”.
2. Specifically, for the purposes of the interpretation of these Specific Certification Practices
and Policies, the “Definitions” section of the TSPS.
3. The Natural Person Certificates issued by the FNMT-RCM, whose Specific Certification
Practices and Certification Policy are defined in this document, are technically considered to
be Qualified Certificates, in compliance with the Regulation (EU) No 910/2014 of the
European Parliament and of the Council of 23 July 2014 on electronic identification and trust
services for electronic transactions in the internal market and repealing Directive 1999/93/EC,
and in accordance with the Electronic Signature Act 59/2003.
2. DOCUMENT ORGANIZATION
4. The Certification Practices Statement of the FNMT-RCM, as a Trust Services Provider, is
structured, on one hand, based on the common part of the TSPS of the FNMT-RCM, since
there are similar levels of action for all of the Entity’s services, and on the other, based on the
Specific Certification Practices and Certification Policies that apply to each type of certificate
issued by the Entity in question.
5. In accordance with the above, the structure of the FNMT-RCM Certification Practices
Statement is as follows:
1) On one hand, the TSPS, which should be considered to be the main body of the
Certification Practices Statement, which describes, in addition to the provisions in
article 19 of the Electronic Signature Act 59/2003, of 19 December, the liability regime
that applies to the parties involved in the trust services, the security controls applied to
the procedures and installations of the FNMT-RCM, in regard to what may be published
without detriment to their effectiveness, secrecy and confidentiality standards, as well
as questions related to the ownership of their property and assets, the protection of
personal information, and other general information questions that must be made
available to the public.
2) And, on the other hand, the specific Certification Policy which describes the obligations
and the responsibilities of the parties, the limits of the use of the Certificates, and
Specific Certification Practices that develop the terms defined in the corresponding
policy and grant additional or specific functions in addition to the general functions
defined in the TSPS.
These Certification Policies and Specific Certification Practices specify what is
articulated in the main body of the TSPS, and therefore are an integral part of it, both
making up the Certification Practices Statement of the FNMT-RCM.
6. This document therefore describes the Specific Certification Practices and Policies for
Certificates issued by the “AC FNMT Usuarios” to natural persons.
3. ORDER OF PREVALENCE
7. These Certification Policies and Specific Certification Practices of Natural Person
Certificates form part of the General Certification Practices Statement, and shall take
precedence over the provisions in the main body of the TSPS.
Therefore, in the case of contradictions between this document and the provisions in the TSPS,
the information indicated here shall take precedence.
4. DEFINITIONS
8. For the purposes of the provisions contained in this document, more precisely defining the
TSPS and only when the terms begin with an upper case letter and are in cursive, the following
will be understood to mean:
- Natural Person Certificate: Qualified certificate issued by the “AC FNMT
Usuarios” to a natural person who acts as the Signer. This is a specific type of
certificate issued by the FNMT-RCM, and therefore shall be subject to the
conditions established in its specific policy and certification practices.
- Subscriber: The individual who signs the terms and conditions of use of a
Certificate. In the case of the Natural Person Certificates issued under the terms
of this Policy, this is the same person as the Holder.
- Trust Service: An electronic service that consists of one of the following
activities: the creation, verification, validation, management, and conservation
of Electronic Signatures, electronic stamps, Timestamps, electronic documents,
electronic delivery services, website authentication, and Electronic Certificates,
including Electronic Signature and electronic stamp certificates.
5. PSEUDONYMS
9. In terms of the identification of Holders through the use of Certificates issued under the terms
of this Certification Policy, the FNMT-RCM does not allow the use of pseudonyms.
6. CERTIFICATE PROFILE
10. All of the Certificates issued under the terms of this policy conform to version 3 of the X.509
standard. The description of Certificate profiles can be found in the document published at
the address http://www.cert.fnmt.es/dpcs.
6.1. NAMING RESTRICTIONS
11. The coding of Certificates follows the recommendation RFC 5280 “Internet X.509 Public
Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”. All fields
defined in the Certificate profile of these Certification Policies, with the exception of the
fields for which it is stated otherwise, use UTF8String encoding.
6.2. USE OF THE POLICY CONSTRAINTS EXTENSION
12. The Policy Constraints extension of the root certificate of the CA is not used.
6.3. SYNTAX AND SEMANTICS OF POLICY QUALIFIERS
13. The Certificate Policies extension includes two Policy Qualifier fields:
- CPS Pointer: contains the URL where the TSPS and the Specific Certification Policies
  and Certification Practices that apply to the Certificates are published.
- User notice: contains a text that could be displayed on the screen by the user of the
  Certificate during certificate verification.
6.4. SEMANTIC PROCESSING OF THE “CERTIFICATE POLICY” EXTENSION
14. The Certificate Policy extension includes the OID policy field, which identifies the policy
associated to the Certificate by the FNMT-RCM, as well as the two fields described in the
previous paragraph.
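A relying party can confirm that a certificate was issued under this policy by decoding the Certificate Policies extension and looking for the policy OID given in section 11.1, together with the CPS Pointer and User notice qualifiers. The Python code below is an added example, not part of the FNMT-RCM document; its function names and the sample bytes (including the user notice text) are constructed for illustration, and it assumes the caller has already extracted the extension's DER value from the certificate.

```python
# Added example: standard-library DER reader for the certificatePolicies
# extension value (RFC 5280, section 4.2.1.4).
EXPECTED_POLICY_OID = "1.3.6.1.4.1.5734.3.10.1"  # policy OID from section 11.1
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # RFC 5280 id-qt-cps (CPS Pointer)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # RFC 5280 id-qt-unotice (User notice)
SEQUENCE, OID = 0x30, 0x06
# String tags allowed for CPSuri / DisplayText: UTF8, IA5, Visible, BMP
TEXT_CODECS = {0x0C: "utf-8", 0x16: "ascii", 0x1A: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content octets of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(n)
            n = 0
    first = min(subs[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))


def decode_text(tag, val):
    if tag not in TEXT_CODECS:
        raise ValueError(f"unexpected string tag 0x{tag:02x}")
    return val.decode(TEXT_CODECS[tag])


def parse_certificate_policies(ext_value):
    """Return [{'oid', 'cps_uris', 'user_notices'}] from the extension's DER value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    policies = []
    for ptag, pinfo in children(seq):
        fields = children(pinfo)
        if ptag != SEQUENCE or not fields or fields[0][0] != OID:
            raise ValueError("malformed PolicyInformation")
        entry = {"oid": decode_oid(fields[0][1]), "cps_uris": [], "user_notices": []}
        qualifiers = children(fields[1][1]) if len(fields) > 1 else []
        for _, qinfo in qualifiers:
            (id_tag, qid), (vtag, qval) = children(qinfo)[:2]
            if id_tag != OID:
                raise ValueError("malformed PolicyQualifierInfo")
            qid = decode_oid(qid)
            if qid == ID_QT_CPS:
                entry["cps_uris"].append(decode_text(vtag, qval))
            elif qid == ID_QT_UNOTICE:
                # UserNotice ::= SEQUENCE { noticeRef OPTIONAL, explicitText OPTIONAL }
                for ntag, nval in children(qval):
                    if ntag != SEQUENCE:  # skip noticeRef, keep explicitText
                        entry["user_notices"].append(decode_text(ntag, nval))
        policies.append(entry)
    return policies


def find_policy(ext_value, expected_oid=EXPECTED_POLICY_OID):
    """Return the PolicyInformation entry asserting expected_oid, or None."""
    policies = parse_certificate_policies(ext_value)
    return next((p for p in policies if p["oid"] == expected_oid), None)


# Constructed sample (not taken from a real certificate): one PolicyInformation
# carrying the policy OID, a CPS Pointer and a User notice.
SAMPLE = (
    bytes.fromhex("30 64 30 62 06 0a 2b 06 01 04 01 ac 66 03 0a 01 30 54")
    + bytes.fromhex("30 29 06 08 2b 06 01 05 05 07 02 01 16 1d") + b"http://www.cert.fnmt.es/dpcs/"
    + bytes.fromhex("30 27 06 08 2b 06 01 05 05 07 02 02 30 1b 0c 19") + b"Constructed sample notice"
)
```

`find_policy(SAMPLE)` returns the matching entry with its CPS URL and notice text; a malformed or truncated extension raises `ValueError` rather than yielding a partial result.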
7. ACKNOWLEDGMENT AND AUTHENTICATION OF REGISTERED TRADEMARKS
15. The FNMT-RCM assumes no commitment of any type regarding the use of commercial
trademarks in the issuing of Certificates issued under the terms of this Certification Policy.
The use of symbols whose usage rights are not the property of the Holder is not allowed, and
the FNMT-RCM is therefore not required to previously verify the possession of registered
trademarks and other symbols prior to the issuing of certificates, even if they are included in
public registries.
8. MANAGEMENT OF THE LIFE CYCLE OF THE KEYS OF THE TRUST SERVICES
PROVIDER
16. The FNMT-RCM, in its activities as a Trust Services Provider, in regard to the cryptographic
keys used for the issuing of Natural Person Certificates, declares that it will carry out the
management processes described in the following section.
8.1. MANAGEMENT OF KEY LIFE CYCLES
8.1.1. Generation of Trust Services Provider Keys
17. The Keys of the FNMT-RCM, as a Trust Services Provider, are generated in completely
controlled circumstances, in a physically secure environment, and by at least two people
authorized to do this, using hardware and software systems that comply with the regulations
in effect in the area of cryptographic protection, as described in the TSPS.
8.1.2. Storage, safeguards, and recovery of Trust Services Provider Keys
18. The FNMT-RCM uses the necessary mechanisms to maintain the confidentiality of its Private
key and to maintain its integrity, in the way that is shown in the TSPS.
8.1.3. Distribution of the Signature verification data of the Trust Services Provider
19. The FNMT-RCM uses the necessary mechanisms to maintain the integrity and authenticity
of its Public Key, as well as its distribution in the way that is shown in the TSPS.
20. Natural Person Certificates are issued by a subordinate Certification Authority to the root
Certification Authority of the FNMT-RCM. The identification of this Certification Authority
is described in annex I of this document.
21. Therefore, the Certificates issued under the terms of the Certification Policy described in this
document will be signed electronically with the Signature Creation Data of the Trust Services
Provider.
8.1.4. Storage, safeguards, and recovery of Keys of the Private Keys of the Holders
22. Under no circumstances does the FNMT-RCM generate or store the Private Keys of the
Holders of the Certificates, which are generated under the exclusive control of the Applicant,
and the custody of which is the responsibility of the Holder of the certificate associated with
the Private Keys in question.
8.1.5. Use of the Signature Creation Data of the Trust Services Provider
23. The Signature / Seal Creation Data of the FNMT-RCM, in its activity as a Trust Services
Provider, will be used solely and exclusively for the following purposes:
1) Signing of Certificates.
2) Signing of Revocation Lists.
3) Other uses included in this Statement and/or other applicable legislation.
8.1.6. End of the life cycle of Trust Services Provider Keys
24. The FNMT-RCM shall have the necessary means to ensure that, once the validity period of
the Keys of the Trust Services Provider has expired, they are not used again, either by
destroying them or storing them appropriately for this purpose.
8.1.7. Life cycle of cryptographic hardware used to sign Certificates
25. FNMT-RCM will have the necessary means to ensure that the cryptographic hardware used
to protect its Keys as Trust Services Provider is not manipulated, based on the current state
of the art, throughout its life cycle, with the component in question being located in a
physically secure environment from the time it is received until it is destroyed, at such time.
9. OPERATION AND MANAGEMENT OF PUBLIC KEY INFRASTRUCTURE
26. The operations and procedures carried out to put the Certification Policies described in this
document into practice are carried out applying the controls required by recognized standards
for this purpose. These actions are described in the sections “Physical security, procedure,
and personnel controls” and “Technical security controls” of the TSPS of the FNMT-RCM.
27. In addition, it is important to note that the FNMT-RCM has an Information Security
Management System (hereinafter, ISMS) for its CERES Department, with the ultimate
objective of maintaining and guaranteeing the security of the information of the members of
the Electronic Community, as well as its own security, so that the FNMT-RCM-CERES
services are provided with a reasonable degree of security, in accordance with the current
state of the art. The ISMS of the FNMT-RCM-CERES applies to the information assets
defined in the Risk Assessment carried out for all of the areas that form part of the department,
including the services provided to members of the Electronic Community as assets.
28. The TSPS document provides concrete responses to all aspects regarding the following
sections of the European standard ETSI EN 319 411:
- Physical security controls
- Procedural controls
- Personnel controls
- Auditing processes
- Records archival (registry of events)
- Key changeover
- Compromise and disaster recovery
- Certification Authority or Registration Authority termination
10. PUBLICATION OF THE TERMS AND CONDITIONS
29. The FNMT-RCM provides this document, as well as the TSPS document to the Electronic
Community and other interested parties, specifying the following:
1) The terms and conditions that regulate the use of the Certificates issued by the
FNMT-RCM.
2) The Certification Policy that applies to Certificates issued by the FNMT-RCM.
3) The limits of usage for the Certificates issued under the terms of this Certification
Policy.
4) The obligations, guarantees and responsibilities of the parties involved in the issuing
and use of the Certificates.
5) The periods of conservation of the information gathered in the registration process and
the events occurring in the systems of the Trust Services Provider in relation to the
management of the life cycle of the Certificates issued under the terms of this
Certification Policy.
11. CERTIFICATION POLICY FOR NATURAL PERSON CERTIFICATES
11.1. IDENTIFICATION
30. The identification of this Certification Policy of the FNMT-RCM for the issuing of Natural
Person Certificates is as follows:
Name: Certification Policy for Natural Person Certificates
Reference / OID (see note 1): 1.3.6.1.4.1.5734.3.10.1
Version: 1.3
Date of issue: December 22, 2017
Location: http://www.cert.fnmt.es/dpcs/
Related CPS: Trust Services Practices and Electronic Certification Statement of the FNMT-RCM
Location: http://www.cert.fnmt.es/dpcs/
11.2. TYPE DESCRIPTION OF THE NATURAL PERSON CERTIFICATE
31. The Natural Person Certificate is the electronic certificate issued by the FNMT-RCM that
links a Signer to a series of Signature verification data and confirms his/her identity.
11.3. COMMUNITY AND SCOPE OF APPLICATION
32. This Certification Policy applies to the issuing of electronic Certificates with the following
characteristics.
33. They are issued as Qualified Certificates, in accordance with the Regulation (EU) No
910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic
identification and trust services for electronic transactions in the internal market and repealing
Directive 1999/93/EC (eIDAS Regulation) and in compliance with the European standards
ETSI EN 319 411-2 “Requirements for trust service providers issuing EU qualified
certificates” and ETSI EN 319 412-2 “Certificate profile for certificates issued to natural
persons”.
1 Note: The OID or policy identifier is a reference that is included in the Certificate in order to determine
a set of rules that indicate the applicability of a particular type of Certificate to the Electronic Community
and/or application class with common security requirements.
34. The Certificates issued under the terms of this Certification Policy will be considered to be
valid as electronic signature and identification systems, in accordance with the Law 39/2015,
of October 1st, on the Common Administrative procedures of public administrations based on
Qualified electronic certificates that are admitted by virtue of their inclusion in the Trust
Service lists (TSL) in accordance with the technical specifications specified in the Annex of
Commission Decision 2009/767/EC, of 16 October (modified by Commission Decision
2010/425/EU, of 28 July 2010), which adopts measures that facilitate the use of electronic
procedures through single-service windows, in accordance with Directive 2006/123/EC, of
12 December 2006, of the European Parliament and Council, regarding services of the internal
market. These Trust Service lists contain information regarding Certification Service
Providers that issue Qualified electronic certificates to the public, supervised in each
member State, including the FNMT-RCM.
11.4. LIABILITY AND OBLIGATIONS OF THE PARTIES
35. The obligations and liability expressed in this section are understood without detriment to the
corresponding obligations and liability deriving from the applicable legislation and
regulations, specifically those that apply to the FNMT-RCM as a Trust Services Provider, and
that for this condition, the article in the Electronic Signature Act 59/2003, of 19 December,
its regulation and development, and the eIDAS Regulation.
36. The following subjects shall be the parties for the purposes of this section:
- The Administration, organizations, public and private entities that accept Natural
  Person Certificates as a means of identification and/or electronic signature.
- Registry Offices which, through the personnel designated by the competent
  Administration, must follow the procedures established by the FNMT-RCM in this
  Certification Practices Statement and in the Certification Policies, in performing their
  functions for the management, issuing, renewal, and revocation of Certificates, and not
  deviate from this framework of actions.
- The Holders of the Certificate.
- FNMT-RCM, as the Trust Services Provider.
- In such case, the rest of the Electronic Community and third parties.
11.4.1. Rights and obligations of the Administrations
37. The rights and obligations of the Administrations, organizations, public entities, and the
FNMT-RCM will be governed by the corresponding agreement or delegation regulating the
trust services and the applicable legislation.
11.4.2. Obligations and responsibility of Registry Offices
38. In addition to the obligations and responsibilities of the parties listed in this document and in
the TSPS, the Registry Offices have the obligation to:
i) Certifiably verify the identity and any personal circumstances of the Applicants of the
relevant Certificates for the purposes of the Certificates, using any of the means
permitted by Law, and in accordance with the provisions in the TSPS, and specifically
in this Specific Certification Practices Statement.
ii) Conserve all of the information and documentation related to the Natural Person
Certificates, whose application, renewal, suspension, or revocation it manages, for the
period of time established in the legislation in effect.
iii) Allow the FNMT-RCM access to the files and to audit its procedures in relation to the
data obtained in its role as a Registry Office.
iv) Inform the FNMT-RCM of any aspect that affects the Certificates issued by this Entity
(e.g.: requests for issuing, renewal, etc.).
v) Notify the FNMT-RCM promptly of the applications for the issuing of Certificates.
vi) In regard to the expiration of the validity of the Certificates:
1. Duly verify the causes for the revocation and suspension that could affect the
validity of the Certificates.
2. Notify the FNMT-RCM promptly of the applications for the revocation and
suspension of the Certificates.
vii) In regard to the Protection of personal information, the provisions in the corresponding
section of the TSPS shall apply.
viii) The Registry Offices, through the personnel assigned to the service by virtue of labour
or civil service relationships, must exercise public functions in accordance with the
specific legislation that applies to the FNMT-RCM.
39. In any case, the FNMT-RCM may bring suit against the Registry Office that carried out the
identification procedure, initiating the corresponding actions, if the cause of the damages
originated through the culpable or negligent actions of the Registry Office.
11.4.3. Obligations and responsibility of the Trust Services Provider
40. The obligations and responsibilities of the FNMT-RCM, as a Trust Services Provider, with
the Holder of the Natural Person Certificate and the rest of the members of the Electronic
Community shall be determined mainly by the document related to the conditions of use or
the contract for the issuing of the Certificate, and, subsidiarily, by these Specific Certification
Policies and Practices and by the TSPS.
41. The FNMT-RCM meets the requirements of the European standards ETSI EN 319 412 for
issuing Qualified certificates and undertakes to continue to comply with that standard or those
that replace it.
11.4.3.1. Prior to issuing the Certificate
42. a) Verify the identity and personal circumstances of the Certificate Holders, in accordance
with these Specific Certification Practices and Policies (in this regard, the corresponding
registration procedure established in this document may be consulted). Certificates will not be
issued for minors unless they are emancipated and can accredit that condition.
b) Verify that all of the information contained in the Certificate application corresponds to the
information provided by the Applicant.
c) Verify that the party interested in requesting the issuing of a Certificate is in possession of
the Private Key, which, once the Certificate has been issued, will constitute the Signature
creation data corresponding to the Signature verification data that will be included in the
Certificate, and verify that they match.
11.4.3.2. Identification of the Holder
43. a) Identify the individual who requests a Certificate, in general, requiring the appearance in
person and possession of a National Identity Document or Foreign Resident Identification
Number. The identification process will be carried out in accordance with the registration
procedure.
b) In the verification processes of the aforementioned methods, the FNMT-RCM may carry
out these verifications through the intervention of the authorized Registry Offices or third
parties who hold notarial powers.
11.4.3.3. Generation of Signature creation data and additional information
44. a) Guarantee that the procedures followed ensure that the Private Keys constituted by the
Signature creation data are generated without the creation of copies or the storage of the
Private Keys by the FNMT-RCM.
b) Provide the Applicant (http://www.ceres.fnmt.es) with the following information:
i. Instructions for the Holder, especially:
- The way in which the Signature creation data should be stored.
- The general mechanisms that guarantee the reliability of the Electronic Signature
of a document.
- The procedure for reporting the loss or unauthorized use of this Data.
- The exact conditions of use of the Certificate, its limits of usage, and the way in
which its state liability is guaranteed.
ii. A description of the method used by the FNMT-RCM to verify the identity of the
Holder and the other information that is included in the Certificate.
iii. The certifications that have been obtained by the FNMT-RCM.
iv. The applicable conflict resolution procedure.
v. A copy of these Specific Certification Policies and Practices of the Natural Person
Certificates, available at the Electronic Office of the FNMT-RCM.
11.4.3.4. Conservation of information by the FNMT-RCM
45. a) Conserve all of the information and documentation related to each Certificate, with the
necessary security conditions, for fifteen (15) years from the time of issue, so that the
signatures generated with it can be verified.
b) Maintain a secure and updated repository of Certificates, which identifies the issued
Certificates, as well as their validity, including, in the form of Revocation Lists, the
identification of the Certificates that have been revoked or suspended. The integrity of this
Directory will be protected by the use of systems that conform to the specific regulatory
provisions in this regard dictated in Spain, and in such case, in the EU.
c) Maintain an Information and consultation service on the state of validity of the certificates.
This service is described in the section “Verification of the status of the Natural Person
Certificate” in this document.
d) Establish a dating mechanism that makes it possible to precisely determine the date and
time when a Certificate was issued, or when its validity expired or was suspended.
e) Conserve the CPSs for 15 years from the time of modification or substitution by the
publication of a new CPS, with the proper security conditions.
11.4.3.5. Protection of Personal Information
46. The FNMT-RCM agrees to understand and comply with the legislation in effect in the area
of Protection of Personal Information, fundamentally the Personal Information Protection
Act 15/1999 of 13 December. To this end, it agrees to comply with the obligations established
in the regulations, among others, in the area of the information provided to affected parties,
declaration of files with the Spanish Information Protection Agency, conservation and access
to the information, as well as the security measures and other obligations established in Royal
Decree 1720/2007. It also guarantees that the use of the personal information that is gathered
will be limited to those purposes for which the information was collected.
47. For information on the information protection policy followed by the FNMT-RCM, and
regarding the use that is made of the information, consult the section “Personal Information”
in the TSPS.
11.4.3.6. Termination of the activity of the FNMT-RCM as Trust Services Provider
48. In this regard, see the section “Termination of activity of the Trust Services Provider” of the
TSPS.
11.4.3.7. Responsibilities of the Trust Services Provider
49. The FNMT-RCM is responsible only for the personal identification of the Applicant and
future Holder, and for incorporating that information in a Certificate. For the application of
guarantees, obligations and responsibilities, it is necessary for the event to have taken place
within the scope of the Electronic Community, as this concept is defined in the TSPS.
50. The FNMT-RCM shall only be liable for deficiencies in the procedures that correspond to its
activity as a Trust Services Provider, and pursuant to the terms of these Certification Policies
or the Law. In no other case will it be liable for the actions or losses incurred by Holders,
Subscribers, User Entities, or third parties involved, that are not due to errors that can be
attributed to the FNMT-RCM in the aforementioned issuing procedures and/or management
of the Certificates.
51. The FNMT-RCM shall not be liable in the case of force majeure, terrorist attacks, illegal
strikes, as well as in the cases that involve actions that constitute a crime or omission that
affect its supplier infrastructure, except in the case of gross negligence by the entity. In any
case, in the corresponding contracts and/or agreements, the FNMT-RCM may establish
clauses for the limitation of liability. In any case, the quantity that the FNMT-RCM must pay
for the concept of damages as ordered by the court to the harmed third parties and/or members
of the Electronic Community, in the absence of specific regulation in the contracts or
agreements, is limited to a maximum of SIX THOUSAND EUROS (6,000€).
52. The FNMT-RCM shall not be liable to persons whose behaviour in the use of the Certificates
has been negligent. For these purposes, negligence shall in any case be considered to be the
failure to observe the provisions set forth in the TSPS, in these Specific Certification Practices
and Policy, and especially in the stipulations in the sections referring to the obligations and
liability of the parties.
53. The FNMT-RCM shall not be liable for any software that it has not provided directly.
Nevertheless, the FNMT-RCM will implement the adequate measures to protect its systems
against Malware, and will keep them duly updated to collaborate with users to avoid the
damages that may be caused by this type of software.
54. The FNMT-RCM does not guarantee the cryptographic algorithms, nor shall it be liable for
damages caused by successful outside attacks on the cryptographic algorithms used, if it
applied the necessary diligence in accordance with the state of the art, and proceeded in
accordance with terms of this Certification Practices Statement and the Law.
11.4.4. Obligations and responsibility of the Applicant and the Holder
11.4.4.1. Responsibility of the Applicant
55. The Applicant shall be responsible for guaranteeing that the information submitted during the
application for the Certificate is true and the Certificate application and download are realized
with a high level of confidence, under his sole control.
56. The Applicant shall hold the FNMT-RCM harmless and defend at his/her own expense against
any action that may be undertaken against the Entity as a result of false information provided
during the aforementioned Certificate issuing procedure, or against any damages suffered by
the FNMT-RCM as a result of an action or omission of the Applicant.
11.4.4.2. Responsibility of the Holder
57. In addition to the obligations and responsibilities of the parties listed in the TSPS, the
Holder of the Natural Person Certificate, as the signer of the Certificate and the Keys, has the
following obligations:
- Adequately store the Certificate and the Signature Creation Data, and in such case,
the Certificate support or card, providing the means necessary to prevent their use
by persons other than the Holder or the legitimate possessor of the Certificate.
- Not use the Certificate when any of the information included in the Certificate is
incorrect or inaccurate, or there are security reasons that advise against the use of
the Certificate.
- Notify the FNMT-RCM of the loss, theft, or suspected theft of the Certificate, the
Signature Creation Data, the Certificate support or card of the Holder, in order to
initiate, in such case, the process to revoke or suspend the Certificate.
58. The Holder shall be responsible for notifying the FNMT-RCM regarding any variation in the
status or information in regard to the information reflected in the Certificate, to revoke and
reissue the Certificate.
59. Likewise, the Holder shall be responsible in relation to the members of the Electronic
Community and other User Entities, or in such case, to third parties, for improper use of the
Certificate, or false information in it, or actions or omissions that cause damages to the
FNMT-RCM or third parties.
60. The Holder shall therefore be responsible and obliged not to use the Certificate if the Trust
Services Provider has terminated its activity as a Certificate issuing Entity and the substitution
stipulated by Law has not taken place. In any case, the Holder shall not use the Certificate in
the cases in which the Signature / Seal Creation Data of the Provider may be threatened
and/or compromised, and the Provider has communicated this, or in such case, if the Holder
has become aware of these circumstances.
11.4.5. Obligations and responsibility of the User entity and third parties who trust the
Certificates
61. The rest of the Electronic Community, User Entities, and third parties will regulate their
relations with the FNMT-RCM through the TSPS and in such case, through these specific
Certification Policies and Practices; all without detriment to the provisions in the regulations
on electronic signatures and the other regulations that may apply.
62. Without detriment to the information contained in the previous paragraph, the members of the
Electronic Community, User entities, and third parties that trust the Certificates and Electronic
signatures generated with them must comply with the following obligations, waiving all
liability of the Trust Services Provider in the case of failure to comply with them:
- Verify before trusting the Certificates, the Advanced Electronic Signature / Seal of
the Trust Services Provider that issued the Certificate.
- Verify that the received Certificate of the Holder is still valid.
- Verify the status of the Certificates in the certification chain, by consulting the
Information and consultation service on the state of validity of the certificates of the
FNMT-RCM.
- Confirm the usage limitations contained in the Certificate that is verified.
- Understand the conditions of use of the Certificate in accordance with these Specific
Certification Policies and Practices.
- Notify the FNMT-RCM or any Registry Office of any anomaly or information related
to the Certificate and that could be considered cause for the revocation of the
Certificate, providing all available proof.
63. The User entity and third parties who trust the Certificates issued by the FNMT-RCM will be
responsible, unless this obligation is contracted with the Entity, for the verification of the
Electronic signatures of the documents, as well as the Certificates, and under no
circumstances will the authenticity of the documents or Certificates be presumed without this
verification.
64. The User entity may not be deemed to have acted with the minimum degree of diligence if it
trusts an electronic signature based on a Certificate issued by the FNMT-RCM without
observing the provisions contained in the TSPS and in this document and without verifying
that the electronic signature in question can be verified by reference to a valid Chain of
certification.
65. If the circumstances indicate the need for additional guarantees, the User entity will be
required to obtain additional guarantees for the trust to be reasonable.
66. The User entity shall also be responsible for observing the provisions included in the TSPS
and its possible future modifications, with special emphasis on the usage limits established
for Certificates in these Certification Policies.
11.5. LIMITS OF USE OF NATURAL PERSON CERTIFICATES
67. In any case, if a User entity or a third party wishes to trust the electronic signature generated
using one of these Certificates, without accessing the Information and consultation service
on the state of validity of the certificates issued under the terms of this Certification Policy,
these Specific Certification Policies and Practices shall not apply and there shall be no
legitimacy to claim or undertake legal action against the FNMT-RCM for damages or
conflicts arising from the use or trust of a Certificate.
68. This type of Certificate may not be used to:
- Sign / Seal another Certificate, except in the cases expressly authorized previously.
- Sign / Seal software or components.
- Generate Electronic Time stamps for Electronic dating procedures.
- Provide services free of charge or for payment, except in cases expressly authorized
previously, including, but not limited to:
o Providing OCSP services.
o Generation of Revocation Lists.
o Providing notification services.
12. SPECIFIC CERTIFICATION PRACTICES FOR NATURAL PERSON CERTIFICATES
69. This document defines the set of Certification Practices adopted by the FNMT-RCM as a
Trust Services Provider for the management of the life cycle of the Natural Person
Certificates issued under the terms of this Certification Policy identified with OID
1.3.6.1.4.1.5734.3.10.1.
12.1. KEY MANAGEMENT SERVICES
70. The FNMT-RCM does not generate or store the Private Keys of the Holders, which are
generated under their exclusive control.
12.2. MANAGEMENT OF CERTIFICATE LIFE CYCLES
71. This section defines the aspects which, although already covered in the TSPS of which this
document forms part, includes certain special characteristics that require a greater level of
detail.
The following section describes the application procedure used by the Registry Office to
collect the personal information from an Applicant, confirm his/her identity, and formalize
the conditions of use for the later issuing of the Natural Person Certificate between the
aforementioned Applicant and the FNMT-RCM.
12.2.1. Application procedure for Natural Person Certificates
72. The interested party visits the website of the Trust Services Provider of the FNMT-RCM at
the URL http://www.cert.fnmt.es, where the instructions for the entire process for obtaining
the Natural Person Certificate will be displayed. The Applicant must enter their National
Identity Document number or Tax Identification Number, first surname, and email address in
the information collection form provided for this. The Applicant will also indicate his/her
desire to obtain a Natural Person Certificate and give consent for the FNMT-RCM to consult
the Identity Data Verification System.
73. The Public and Private Keys are then generated (on a cryptographic device - Token or
cryptographic card - if the Applicant has one, or in the browser if they do not have one of
these devices), which will be linked to the Certificate that will be generated in a later phase,
and the FNMT-RCM assigns the application a unique code.
74. The Applicant must previously consult the General and Specific Certification Practice
Statements at the URL http://www.ceres.fnmt.es/dpcs/ with the conditions of use and
obligations of the parties.
75. When this application is made, the Public Key that is generated is sent to the FNMT-RCM,
along with the corresponding proof of possession of the Private Key, for the later issuing of
the Certificate. The sending of the Public Key to the CA for the generation of the Certificate
is done using a standard format, PKCS#10 or SPKAC, and using a secure channel.
76. After the FNMT-RCM receives this information, it will use the applicant’s Public Key to
verify the validity of the information in the application, verifying only the possession and
correspondence of the pair of Cryptographic keys by the applicant.
77. This information shall not result in the generation of a Certificate by the FNMT-RCM until it
receives confirmation from the Registry Office of the identification of the applicant. This
notwithstanding, the possibility of electronic identification of the applicant for the Natural
Person Certificate will be taken into account, generating, in such case, the Certificate without
the Applicant being required to physically visit a Registry Office to accredit his/her identity.
78. The Natural Person Certificate application procedure is completed with the transmission by
the FNMT-RCM of an email to the address provided by the Applicant, specifying the unique
application code assigned and informing the Applicant of the upcoming phases in the process
to obtain the Certificate.
12.2.2. Confirmation of personal identity
79. The FNMT-RCM, as a Trust Services Provider, before it issues the Natural Person
Certificate, will identify the Applicant of the Certificate, either by physically visiting a
Registry Office with which the FNMT-RCM has signed an agreement, or by means of a valid
electronic certificate that confirms the identity of the natural person making the application.
For this purpose, the FNMT-RCM will accept electronic natural person Certificates issued by
it and the electronic Certificates that are incorporated into the DNIe.
12.2.2.1. Verification of identity by physical visit
80. Applicants for Natural Person Certificates must physically visit an authorized Registry
Office to formalize the procedure for the confirmation of personal identity, with the
following identification media:
- Spanish citizens: National Identity Document, Passport or other means allowed by law
for the purposes of identification (which indicate the National Identity Document Number).
- EU citizens: Foreign Identification Card or Citizen Registration Certificate of Union
(where Tax ID number is included), and Passport or identity document of country of origin,
or Official document of grant of the Tax ID number and Passport or identity document of
country of origin.
- Foreign citizens: Foreign Identification Card (where Tax ID number is included) or
Official document of grant of the Tax ID number and Passport.
The person responsible for accreditation in the Registry Office will verify that
the documents provided comply with all of the requirements to confirm the identity of the
Applicant.
81. The appearance by the Applicant will not be required if the signature on the application for
the issuing of a Certificate has been legitimated in the presence of a notary, if an electronic
certificate is used as a means of identification as specified in the following section, or if the
Certificate is requested, in accordance with the conditions in the section “Renewal of Natural
Person Certificates” of this document.
82. Once the identity of the Applicant has been confirmed by the Registry Office, the Registry
Office will validate the information and send it to the FNMT-RCM, along with the application
code sent to the Applicant by email. This information will be sent via secure communications
established for such purpose between the Registry Office and the FNMT-RCM. The personal
information and their processing, in such case, shall be subject to the specific legislation.
12.2.2.2. Use of electronic certificates as a means of identification
83. The FNMT-RCM will issue the Natural Person Certificate without the need for the applicant
to visit a Registry Office in accordance with the process described in the previous section, if,
during the application process for the Certificate in question, the Applicant is identified with
a valid electronic Certificate that belongs to one of the following types:
- A Natural Person Certificate issued under the terms of this Policy.
- A Natural Person Identity Certificate issued under the terms of the Certification Policy
of Qualified Certificates of the FNMT-RCM identified with OID 1.3.6.1.4.1.5734.3.5.
- One of the electronic Certificates incorporated into the DNIe.
84. However, telematic applications for Natural Person Certificates through the use of the
electronic certificates listed in the previous section shall only be allowed if at the time of the
application, a maximum of 5 years has not elapsed since the physical visit and identification
of the Holder, as established in article 13.4 of the Electronic Signature Act 59/2003, of 19
December.
12.2.3. Issuing of the Natural Person Certificate
85. Once the FNMT-RCM has received the personal information from the Applicant, along with
the application code and confirmed its identity in accordance with the previous paragraph, it
will issue the Natural Person Certificate.
86. The issuance of Natural Person Certificates involves the generation of electronic documents
that confirm the identity of the Holder, as well as the correspondence of that information with
the associated Public Key. Natural Person Certificates of the FNMT-RCM may only be
issued by the FNMT-RCM, in its role as a Trust Services Provider, and no other entity or
organization has the capacity to issue them.
87. The FNMT-RCM, by means of its electronic signature / seal, authenticates the Natural Person
Certificates and confirms the identity of the Holder. On the other hand, in order to prevent
the manipulation of the information contained in the Certificates, the FNMT-RCM shall use
the cryptographic mechanisms that protect the authenticity and integrity of the Certificate.
88. Under no circumstances shall the FNMT-RCM include any information other than the
information shown here, nor specific attributes or circumstances of the signers or limits in the
certificates, other than those that are specified in this Certification Practices Statement.
89. In all cases, the FNMT-RCM shall act effectively to:
- Verify that the Applicant for the Natural Person Certificate uses the Private Key that
corresponds to the Public Key linked to the identity of the Holder of the Natural Person
Certificate. To do this, the FNMT-RCM will verify the correspondence between the
Private key and the Public key.
- Ensure that the information included in the Natural Person Certificate is based on the
information provided by the Applicant.
- Not ignore widely-publicized incidents that could affect the reliability of the Natural
Person Certificate.
- Ensure that the DN (distinguished name) assigned to the Certificate is unique
throughout the Public Key Infrastructure of the FNMT-RCM.
90. The following steps will be followed to issue the Certificate:
1. Composition of the identification information located in the Common Name field of the
Subject of the Natural Person Certificate, based on the personal information of the
Applicant gathered during the application process for the Natural Person Certificate,
with the following structure:
- Last Names and First Name of the holder of the Natural Person Certificate:
in UPPER CASE, separated only by a blank space, as indicated on the National
Identity Document/Foreign Resident Identification Number of the Holder. If
there is no second surname, the space that corresponds to this will be left blank
(with no character).
- Blank space.
- Dash, or other symbol or character: separates the surnames and the first name
from the tax identification number.
- Blank space.
- Tax Identification Number: tax identification number of the Holder, NIF, as
indicated on the National Identity Document or Foreign Resident Identification
Number.
Example:
ESPAÑOL ESPAÑOL JUAN – 00000000T
The use of pseudonyms as a form of identification is not considered.
2. Composition of the alternative identity of the Natural Person Certificate.
The alternative identity of the Natural Person Certificate contains the same information
as the CN, adding, at the request of the Applicant, his/her email address, distributed in
a series of attributes, so that it is easier to obtain the personal information of the Holder
of the Natural Person Certificate. The subjectAltName extension defined in X.509
version 3 is used to offer this information.
In this extension, the directoryName subfield will be used to include a set of attributes
defined by the FNMT-RCM, which incorporate information on the Holder of the
Natural Person Certificate in question.
3. Generation of the Certificate according to the Natural Person Certificate Profile.
The format of the Natural Person Certificate issued by the FNMT-RCM under the terms
of this Certification Policy, in accordance with the standard ITU X.509 version 3, and
in accordance with the regulations that are legally applicable in the area of Qualified
Certificates, as well as the Certification Authority Certificate that issues them (always
subordinated to the root Certification Authority of the FNMT-RCM), may be consulted
in the site http://www.cert.fnmt.es/dpcs/.
The FNMT-RCM will send an email notification to the address provided by the
Applicant in the Certificate application, informing the Applicant that the Natural Person
Certificate is available for download.
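The Common Name layout described in step 1, as an added example that is not part of the FNMT-RCM document: a relying-party check that splits a CN into names and tax identification number and rejects values that deviate from the described structure. The function names and the mod-23 check-letter test for the NIF/NIE are assumptions of this example; the policy text does not describe the check-letter algorithm.

```python
import re
import unicodedata

# Assumption (not from the policy text): the standard mod-23 check-letter
# table used for Spanish DNI/NIE numbers.
CHECK_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
NIE_PREFIX = {"X": "0", "Y": "1", "Z": "2"}

# Layout from step 1: names, blank, one separator symbol, blank, tax id.
# The policy allows a "dash, or other symbol or character", so any single
# character that is neither alphanumeric nor whitespace is accepted.
CN_LAYOUT = re.compile(
    r"(?P<names>\S.*?) (?P<sep>[^\w\s]) (?P<tax_id>[0-9XYZ][0-9]{7}[A-Z])"
)


def check_letter_ok(tax_id: str) -> bool:
    """Return True if the last character is the mod-23 check letter."""
    number = NIE_PREFIX.get(tax_id[0], tax_id[0]) + tax_id[1:8]
    return CHECK_LETTERS[int(number) % 23] == tax_id[8]


def parse_holder_cn(cn: str) -> dict:
    """Split a Natural Person Certificate CN into its described components.

    Raises ValueError when the value does not follow the described layout.
    """
    # Compose accented letters so that "N" + combining tilde equals "Ñ".
    cn = unicodedata.normalize("NFC", cn)
    match = CN_LAYOUT.fullmatch(cn)
    if match is None:
        raise ValueError("CN does not follow '<names> <separator> <tax id>'")

    names = match.group("names")
    tax_id = match.group("tax_id")
    if names != names.upper():
        raise ValueError("names must be in upper case")
    if any(ch.isdigit() for ch in names):
        raise ValueError("names must not contain digits")
    if not check_letter_ok(tax_id):
        raise ValueError("tax identification number has a wrong check letter")

    return {
        "names": names,
        # Surnames and first name cannot be told apart from the CN alone
        # (compound names exist), so only the tokens are returned.
        "name_tokens": names.split(),
        "separator": match.group("sep"),
        "tax_id": tax_id,
    }


if __name__ == "__main__":
    # First value is the example from the policy; the others are constructed.
    samples = [
        "ESPAÑOL ESPAÑOL JUAN – 00000000T",
        "GARCIA LOPEZ ANA - 12345678Z",
        "Garcia Lopez Ana - 12345678Z",
        "GARCIA LOPEZ ANA - 12345678A",
    ]
    for value in samples:
        try:
            print(value, "->", parse_holder_cn(value))
        except ValueError as err:
            print(value, "-> rejected:", err)
```

The parsed tax identification number can then be compared with the identity a relying application expects, instead of matching on the free-text name.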
12.2.4. Acceptance, downloading and installation of the Natural Person Certificate
91. In less than one (1) hour after the confirmation of the personal identity of the Holder, the
FNMT-RCM will make available exclusively to the Holder for retrieval the Natural Person
Certificate, at the website http://www.cert.fnmt.es.
92. In this guided process, the Applicant will be asked to enter the National Identity Document
(DNI) or Foreign Resident Identification Number (NIE), first surname, and the corresponding
application code obtained in this process. This application code will be used as the accepted
key for the generation by the Holder of an electronic signature of the conditions of use of the
Certificate, as a mandatory requirement to download the certificate and accept the conditions
of use, sending these signed conditions to the FNMT-RCM. If the Natural Person Certificate
has not been generated yet for any reason, the process will inform the applicant of this.
93. When the Natural Person Certificate is downloaded, it will be installed on the support on
which the Keys were generated during the application process (cryptographic token or, if
not, the browser from which the application was made). The aforementioned website of the
FNMT-RCM indicates the supported Browsers and the certificate installation requirements.
12.2.5. Validity of the Natural Person Certificate
12.2.5.1. Expiration
94. The Natural Person Certificates issued by the FNMT-RCM shall be valid for a period of four
(4) years from the moment the Certificate is issued, provided that its validity is not
extinguished. After this period, if the Certificate is still active, it will expire and a new one
will need to be issued if the Holder wishes to continue to use the services of the Trust Services
Provider.
12.2.5.2. Invalidation of the Certificate
95. The Natural Person Certificates issued by the FNMT-RCM shall be invalidated in the
following cases:
a) Termination of the Certificate’s period of validity.
b) Termination of the activity as a Trust Services Provider by the FNMT-RCM, unless the
Certificates issued by the FNMT-RCM have been transferred to another Trust Services
Provider, with prior express consent by the Signatory.
In these two cases [a) and b)], the effectiveness of the Certificates shall cease from the
moment these circumstances occur.
c) Suspension or revocation of the Certificate for any of the causes included in this
document.
96. For the aforementioned purposes, the issuing of a Natural Person Certificate, when there is
another for the same Holder in force (whether this is a Certificate issued under the terms of
this policy or is an FNMT Class 2CA Certificate, issued under the policy with
OID 1.3.6.1.4.1.5734.3.5) shall immediately result in the revocation of the previous
Certificate. The only exception to this occurs when the issuing of a Natural Person Certificate
is as a result of a renewal process for the certificate within a period of sixty (60) days prior to
the expiration date, in which the Certificate that is close to expiring shall remain valid until
its validity period has expired. During this time, if the Certificate in question is revoked in
accordance with the following section, the validity of both Certificates shall be extinguished.
12.2.6. Revocation of the Natural Person Certificate
12.2.6.1. Causes for revocation
97. The following causes shall be allowed for the revocation of a Natural Person Certificate:
a) The request by the Holder for revocation. This should be requested in all of the
following cases:
- Loss of the Certificate support.
- Use by third parties of the Signature Creation Data corresponding to the
Signature Verification Data contained in the Certificate and linked to the
personal identity of the Holder.
- The violation or endangerment of the secrecy of the Signature Creation Data.
- Failure to accept new conditions that may be included in the issuing of new
Certification Practice Statements, within one month of publication.
b) Judicial or administrative resolutions that order this.
c) Decease or full or supervening incapacity of the Holder.
d) Inaccuracies in the information provided by the Applicant to obtain the Certificate, or
the alteration of the information provided to obtain the Certificate, or the modification
of the verified circumstances for the issuing of the Certificate, in such a way that it is
no longer consistent with reality.
e) Contravening of a significant obligation of this Certification Practices Statement by the
Certificate Holder or Applicant, if, in the latter case, this may have affected the
procedure for the issuing of the Certificate.
f) The violation or endangerment of the secrecy of the Signature Creation Data.
g) Contravening of a significant obligation in this Certification Practices Statement by a
Registry Office, if this may have affected the procedure for the issuing of the Certificate.
h) Termination of the contract signed between the Holder and the FNMT-RCM.
98. Under no circumstances does the FNMT-RCM assume any obligation to verify the
circumstances mentioned in letters c) to f) of this section; the FNMT-RCM must be notified
by certified communication by delivery of the documents and information required to verify
this.
99. The FNMT-RCM shall be liable for the consequences resulting from failure to revoke a
Certificate in the following cases only:
- The revocation should have been carried out by certified request by the Holder, or
by means of the systems provided by the FNMT-RCM for this purpose.
- The FNMT-RCM has been notified of the revocation request or the cause behind
the request by a judicial or administrative resolution.
- That causes c) to f) of this section have been reported by certified communication,
with prior identification of the Holder and/or Applicant of the revocation (or the
person with sufficient powers of representation, in the case of supervening
incapacity of the Holder).
100. Actions constituting a crime or omission that are carried out on the information and/or
the Certificate without the knowledge of the FNMT-RCM, and inaccuracies or lack of diligence
in notifying the FNMT-RCM, shall release the FNMT-RCM from liability.
12.2.6.2. Effects of revocation
101. The revocation or suspension of the Natural Person Certificate, in other words, the
extinguishing of its effectiveness, shall take effect on the date on which the FNMT-RCM has
certain knowledge of any of the determining circumstances, and from the moment that this is
indicated in its Certificate status information and consultation service.
102. The revocation of the Natural Person Certificate, in addition to the extinguishing of its
effects, also supposes the termination of the relationship and usage regime for the Certificate
in question with the FNMT-RCM.
12.2.6.3. Revocation procedure
103. The request for the revocation of Natural Person Certificates may be made during the validity
period indicated in the Certificate.
104. The revocation of a Natural Person Certificate may only be requested by the Holder or person
with sufficient powers of representation, in the case of supervening incapacity of the Holder,
under the terms specified in these Specific Certification Practices and Policies.
105. Nevertheless, the FNMT-RCM may revoke the Natural Person Certificates itself in the cases
included in this Certification Practices Statement.
106. The Holder may request the revocation of his/her Natural Person Certificate in accordance
with the following procedures:
A) If the Holder is in possession of a Natural Person Certificate and its associated
Signature creation data, it is possible to authenticate the Holder’s identity based on
this certificate, so the revocation of the Certificate may be requested via Internet, or
any other equivalent method that allows the connection to the URL
http://www.ceres.fnmt.es, following the directions indicated on the website. This
service will be available twenty-four (24) hours a day, 365 days a year, except in
circumstances beyond the control of FNMT-RCM or during maintenance operations.
The FNMT-RCM will announce maintenance operations at the URL
http://www.ceres.fnmt.es, if possible, with at least forty-eight (48) hours’ notice, and
will try to resolve the situation within a period of no more than twenty-four (24)
hours.
B) If the Holder does not possess the Natural Person Certificate and its associated
Signature creation data, revocation of the Certificate may be requested using any one
of the following methods:
1) Visiting one of the Registry Offices implemented by the User entities with
which the FNMT-RCM has signed the corresponding agreement, where the
Holder will accredit his/her identity.
2) By calling the FNMT-RCM at 902 200 616, where the Holder will be asked the
pertinent questions in order to verify the identity of the person making the
request. This service shall be available twenty-four (24) hours a day, 365 days
a year.
107. As soon as the revocation has been resolved, the Signer will receive the notification of the
revocation of the Certificate sent to the email address specified in the request.
108. In all of the aforementioned cases of these specific Certification Practices which require
identification and electronic identification is possible, the functions planned for the DNIe in
accordance with the specific legislation shall be taken into account by the FNMT-RCM.
109. Once the FNMT-RCM has revoked the Certificate, it will publish the corresponding
Certificate Revocation List in the secure Directory, containing the serial number of the
revoked Certificate, the date and time of revocation, and the cause for the revocation.
12.2.7. Suspension of the Natural Person Certificate
110. Suspension of a Certificate leaves the Certificate in question without effect for a period of
time and under certain conditions.
111. The suspension of Certificates shall be considered to be a temporary revocation of their
effectiveness, so that procedures and entities provided to request and process the revocation
of the Certificate are also applicable in the case of suspension.
12.2.7.1. Causes for suspension of the Certificate
112. The FNMT-RCM may suspend the effectiveness of the Natural Person Certificates at the
request of the legitimate interested party or of the Judicial Authorities, or in the case of
justified doubt regarding the concurrence of the causes for the invalidation of the Certificates
included in the section “Causes for revocation” of this document.
113. Likewise, the suspension request may be due to the existence of a judicial or administrative
proceeding or investigation that is underway, the conclusion of which may determine that the
Certificate is effectively affected by a cause for revocation. In these cases, the FNMT-RCM,
at the request of the legitimate interested party, shall suspend the validity of the Certificate
for the required time, and once this time has elapsed, shall revoke the Certificate unless the
legitimate interested party requests the reactivation of the Certificate by the FNMT-RCM by
means of certified communication.
12.2.7.2. Effects of suspension
114. The suspension of Certificates leaves a Certificate without effect (extinguishes its validity)
for a period of time and in a series of specific conditions.
12.2.7.3. Procedure for the suspension of Certificates
115. The request for the suspension of the Natural Person Certificates may only be made through
the Registry Offices implemented by the User entities with which the FNMT-RCM has signed
the corresponding agreements.
116. The FNMT-RCM shall suspend the Certificate for a period of thirty (30) days, after which
time it will extinguish the Certificate through its direct revocation by the Trust Services
Provider of the FNMT-RCM, unless the suspension has been lifted by a request for the
cancellation of the suspension by the Holder or an authorised third party. This
notwithstanding, the time limit of the suspension of the Certificate may be altered based on
judicial or administrative procedures that may affect it.
117. If the Certificate expires or its revocation is requested during the suspension period, the
consequences shall be the same as for unsuspended Certificates that are affected by expiration
or revocation.
12.2.8. Renewal of the Natural Person Certificate
118. Natural Person Certificates may only be renewed a single time. Holders who have already
renewed their Certificates and would like to continue using a Natural Person Certificate under
the terms of these Specific Certification Practices and Policies, must request a new Certificate
and confirm their identity in accordance with the procedure described in the section
“Verification of identity by physical visit” in this document.
119. The renewal of the Natural Person Certificates issued by the FNMT-RCM to the Holders of
the Certificates may be requested provided that at the time of the request they have a
Certificate in force and the associated Signature creation data, and that this request is made
during the sixty (60) days prior to the Expiration of the Certificate.
120. The renewal of a Natural Person Certificate shall consist of the generation of new Signature
verification data and Signature creation data, as well as the issuing of a new Natural Person
Certificate. The renewal request will be made through the URL http://www.ceres.fnmt.es.
121. The Certificate that is close to expiration shall remain valid until its period of effectiveness
expires. If the revocation of the Natural Person Certificate is requested during the periods of
time that the Holder has two active Certificates, the FNMT-RCM shall revoke both
Certificates.
122. The procedure established for the renewal of a Natural Person Certificate does not require
a physical visit by the person making the request, because the person will be identified
telematically by using his/her Signature creation data. Both the application process and the
process for obtaining the Certificate will be carried out telematically, requiring in any case the
generation of an Advanced electronic signature of the renewal application document by the
person making the request, using a Qualified Certificate. However, telematic renewal of
the Natural Person Certificate shall only be allowed if less than 5 years have elapsed since
the physical visit and identification of the Holder established in article 13.4 of the Electronic
Signature Act 59/2003, of 19 December.
123. The functions of the DNIe shall be taken into account for the purposes of identification, in
accordance with its specific legislation.
124. The use of renewed Natural Person Certificates is subject to the same general and specific
conditions that are in effect at any given time and that are established for this type of
Certificate in the corresponding Certification Practices Statement.
12.3. VERIFICATION OF THE STATUS OF THE NATURAL PERSON CERTIFICATE
125. The status of the Natural Person Certificate may be verified through the Information and
consultation service on the state of validity of the certificates through the OCSP protocol.
126. This service will be available twenty-four (24) hours a day, 365 days a year, except in
circumstances beyond the control of FNMT-RCM or during maintenance operations. The
FNMT-RCM will announce maintenance operations at the URL http://www.ceres.fnmt.es, if
possible, with at least forty-eight (48) hours’ notice, and will try to resolve the situation within
a period of no more than twenty-four (24) hours.
127. This service functions as follows: the OCSP server receives the OCSP request made by an
OCSP Client registered in the system and verifies the status of the Certificates included in the
request. If the request is valid, an OCSP response will be generated with the information on
the current status of the Certificates included in the request. This OCSP response is signed
with the Signature creation data associated with the specific OCSP server for “AC FNMT
Usuarios”, protecting the integrity and authenticity of the information provided about the
revocation status of the Certificates.
128. The User entity shall be responsible for obtaining an OCSP Client to operate with the OCSP
server provided by the FNMT-RCM.
ANNEX I: IDENTIFICATION OF THE CERTIFICATION AUTHORITY CERTIFICATE AC FNMT USUARIOS
The Certification Authority AC FNMT Usuarios uses the following certificate for the signing / sealing
of Certificates and CRLs:
“CA FNMT Users” Certification Authority Certificate
- Name: CN = CA FNMT Usuarios, OU = Ceres, O = FNMT-RCM, C = ES
- Serial number: 45 5f 3a e1 5c 21 cd ba 54 4f 82 aa 47 51 eb db
- Valid from: Tuesday, 28 October 2014 12:48:58
- Valid until: Sunday, 28 October 2029 12:48:58
- Digital fingerprint (sha1): 80 8B 72 E4 3B 57 4C F5 87 7C B8 41 A8 DF 88 39 6D 38 AB 94
- Digital fingerprint (sha256): 60 12 93 CA 20 B0 9A 03 29 5D 19 62 56 C6 95 3F F9 EB A8 11 DB 8E 3C E1 40 41 3C 1B FF E9 A8 69
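A relying party can confirm that its copy of the CA certificate matches the fingerprints published in this Annex before relying on Certificates, CRLs or OCSP responses issued under it. The following Python check is an added example, not FNMT-RCM code; the function names and the sample bytes are assumptions made for illustration, and the fingerprint values are those listed above.

```python
import base64
import hashlib
import hmac
import re

# Fingerprints as published in Annex I for the CA certificate.
ANNEX_I = {
    "sha1": "80 8B 72 E4 3B 57 4C F5 87 7C B8 41 A8 DF 88 39 6D 38 AB 94",
    "sha256": ("60 12 93 CA 20 B0 9A 03 29 5D 19 62 56 C6 95 3F "
               "F9 EB A8 11 DB 8E 3C E1 40 41 3C 1B FF E9 A8 69"),
}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes; fingerprints cover the DER encoding, not the PEM text."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour found: treat the input as DER already
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def parse_fingerprint(text: str, algo: str) -> bytes:
    """Normalise 'AA BB', 'aa:bb' or 'AABB' and enforce the digest length."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))
    if len(raw) != hashlib.new(algo).digest_size:
        raise ValueError(f"{algo} fingerprint has wrong length: {len(raw)} bytes")
    return raw

def check_anchor(cert: bytes, published: dict = ANNEX_I) -> dict:
    """Compare a certificate file against every published fingerprint."""
    der = to_der(cert)
    return {
        algo: hmac.compare_digest(hashlib.new(algo, der).digest(),
                                  parse_fingerprint(fp, algo))
        for algo, fp in published.items()
    }

def is_trusted(cert: bytes, published: dict = ANNEX_I) -> bool:
    # Every listed digest must match; a SHA-1 match alone is not accepted.
    return all(check_anchor(cert, published).values())

# Constructed stand-in bytes (not a real certificate) so the code runs offline.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample" * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Pass the bytes of the downloaded certificate file to `is_trusted`; hashing the PEM text instead of the decoded DER is the usual reason a genuine certificate appears not to match.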