SPECIFIC CERTIFICATION PRACTICES AND POLICY FOR NATURAL PERSON CERTIFICATES FROM THE “AC FNMT USUARIOS”

              NAME              DATE
Prepared by:  FNMT-RCM / v1.3   17/11/2017
Revised by:   FNMT-RCM / v1.3   11/12/2017
Approved by:  FNMT-RCM / v1.3   22/12/2017

DOCUMENT LOG

Version  Date        Description
1.0      25/03/2014  Document creation
1.1      24/06/2016  Modifications in accordance with ETSI 101 456 audit
1.2      03/01/2017  Modifications in accordance with ETSI EN 319 412-2
1.3      22/12/2017  Annual revision of the document.

Reference: DPC/CPUS0103/SGPSC/2017

Document classified as: Public

Specific Certification Policies and Practices.

Natural person certificates from the AC FNMT Usuarios

Version 1.3

TABLE OF CONTENTS

1. Introduction
2. Document organization
3. Order of prevalence
4. Definitions
5. Pseudonyms
6. Certificate profile
  6.1. Naming restrictions
  6.2. Use of the policy constraints extension
  6.3. Syntax and semantics of policy qualifiers
  6.4. Semantic processing of the “certificate policy” extension
7. Acknowledgment and authentication of registered trademarks
8. Management of the life cycle of the keys of the Trust Services provider
  8.1. Management of key life cycles
    8.1.1. Generation of Trust Services Provider Keys
    8.1.2. Storage, safeguards, and recovery of Trust Services Provider Keys
    8.1.3. Distribution of the Signature verification data of the Trust Services Provider
    8.1.4. Storage, safeguards, and recovery of Keys of the Private Keys of the Holders
    8.1.5. Use of the Signature Creation Data of the Trust Services Provider
    8.1.6. End of the life cycle of Trust Services Provider Keys
    8.1.7. Life cycle of cryptographic hardware used to sign Certificates
9. Operation and management of public key infrastructure
10. Publication of the terms and conditions
11. Certification policy for natural person certificates
  11.1. Identification
  11.2. Type description of the natural person certificate
  11.3. Community and scope of application
  11.4. Liability and obligations of the parties
    11.4.1. Rights and obligations of the Administrations
    11.4.2. Obligations and responsibility of Registry Offices
    11.4.3. Obligations and responsibility of the Trust Services Provider
      11.4.3.1. Prior to issuing the Certificate
      11.4.3.2. Identification of the Holder
      11.4.3.3. Generation of Signature creation data and additional information
      11.4.3.4. Conservation of information by the FNMT-RCM
      11.4.3.5. Protection of Personal Information
      11.4.3.6. Termination of the activity of the FNMT-RCM as Trust Services Provider
      11.4.3.7. Responsibilities of the Trust Services Provider
    11.4.4. Obligations and responsibility of the Applicant and the Holder
      11.4.4.1. Responsibility of the Applicant
      11.4.4.2. Responsibility of the Holder
    11.4.5. Obligations and responsibility of the User entity and third parties who trust the Certificates
  11.5. Limits of use of natural person certificates
12. Specific certification practices for natural person certificates
  12.1. Key management services
  12.2. Management of certificate life cycles
    12.2.1. Application procedure for Natural Person Certificates
    12.2.2. Confirmation of personal identity
      12.2.2.1. Verification of identity by physical visit
      12.2.2.2. Use of electronic certificates as a means of identification
    12.2.3. Issuing of the Natural Person Certificate
    12.2.4. Acceptance, downloading and installation of the Natural Person Certificate
    12.2.5. Validity of the Natural Person Certificate
      12.2.5.1. Expiration
      12.2.5.2. Invalidation of the Certificate
    12.2.6. Revocation of the Natural Person Certificate
      12.2.6.1. Causes for revocation
      12.2.6.2. Effects of revocation
      12.2.6.3. Revocation procedure
    12.2.7. Suspension of the Natural Person Certificate
      12.2.7.1. Causes for suspension of the Certificate
      12.2.7.2. Effects of suspension
      12.2.7.3. Procedure for the suspension of Certificates
    12.2.8. Renewal of the Natural Person Certificate
  12.3. Verification of the status of the natural person certificate
Annex I: Identification of the certification authority certificate AC FNMT Usuarios

1. INTRODUCTION

1. This document is an integral part of the Trust Services Practices and Electronic Certification Statement (TSPS) of the FNMT-RCM, and its aim is to inform the public about the conditions and characteristics of the certification services and services for the issuing of electronic Certificates by the FNMT-RCM as a Trust Services Provider, containing the obligations and procedures with which it agrees to comply in regard to the issuing of the Natural Person Certificate issued by the “AC FNMT Usuarios”.

2. Specifically, for the purposes of the interpretation of these Specific Certification Practices and Policies, the “Definitions” section of the TSPS.

3. The Natural Person Certificates issued by the FNMT-RCM, whose Specific Certification Practices and Certification Policy are defined in this document, are technically considered to be Qualified Certificates, in compliance with the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, and in accordance with the Electronic Signature Act 59/2003.

2. DOCUMENT ORGANIZATION

4. The Certification Practices Statement of the FNMT-RCM, as a Trust Services Provider, is structured, on one hand, based on the common part of the TSPS of the FNMT-RCM, since there are similar levels of action for all of the Entity’s services, and on the other, based on the Specific Certification Practices and Certification Policies that apply to each type of certificate issued by the Entity in question.

5. In accordance with the above, the structure of the FNMT-RCM Certification Practices Statement is as follows:

1) On one hand, the TSPS, which should be considered to be the main body of the Certification Practices Statement, which describes, in addition to the provisions in article 19 of the Electronic Signature Act 59/2003, of 19 December, the liability regime that applies to the parties involved in the trust services, the security controls applied to the procedures and installations of the FNMT-RCM, in regard to what may be published without detriment to their effectiveness, secrecy and confidentiality standards, as well as questions related to the ownership of their property and assets, the protection of personal information, and other general information questions that must be made available to the public.

2) And, on the other hand, the specific Certification Policy which describes the obligations and the responsibilities of the parties, the limits of the use of the Certificates, and Specific Certification Practices that develop the terms defined in the corresponding policy and grant additional or specific functions in addition to the general functions defined in the TSPS.

These Certification Policies and Specific Certification Practices specify what is articulated in the main body of the TSPS, and therefore are an integral part of it, both making up the Certification Practices Statement of the FNMT-RCM.

6. This document therefore describes the Specific Certification Practices and Policies for Certificates issued by the “AC FNMT Usuarios” to natural persons.

3. ORDER OF PREVALENCE

7. These Certification Policies and Specific Certification Practices of Natural Person Certificates form part of the General Certification Practices Statement, and shall take precedence over the provisions in the main body of the TSPS.

Therefore, in the case of contradictions between this document and the provisions in the TSPS, the information indicated here shall take precedence.

4. DEFINITIONS

8. For the purposes of the provisions contained in this document, more precisely defining the TSPS and only when the terms begin with an upper case letter and are in italics, the following will be understood to mean:

- Natural Person Certificate: Qualified certificate issued by the “AC FNMT Usuarios” to a natural person who acts as the Signer. This is a specific type of certificate issued by the FNMT-RCM, and therefore shall be subject to the conditions established in its specific policy and certification practices.

- Subscriber: The individual who signs the terms and conditions of use of a Certificate. In the case of the Natural Person Certificates issued under the terms of this Policy, this is the same person as the Holder.

- Trust Service: An electronic service that consists of one of the following activities: the creation, verification, validation, management, and conservation of Electronic Signatures, electronic stamps, Timestamps, electronic documents, electronic delivery services, website authentication, and Electronic Certificates, including Electronic Signature and electronic stamp certificates.

5. PSEUDONYMS

9. In terms of the identification of Holders through the use of Certificates issued under the terms of this Certification Policy, the FNMT-RCM does not allow the use of pseudonyms.

6. CERTIFICATE PROFILE

10. All of the Certificates issued under the terms of this policy conform to version 3 of the X.509 standard. The description of Certificate profiles can be found in the document published at the address http://www.cert.fnmt.es/dpcs.

6.1. NAMING RESTRICTIONS

11. The coding of Certificates follows the recommendation RFC 5280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”. All fields defined in the Certificate profile of these Certification Policies, with the exception of the fields for which it is stated otherwise, use UTF8String encoding.

6.2. USE OF THE POLICY CONSTRAINTS EXTENSION

12. The Policy Constraints extension of the root certificate of the CA is not used.

6.3. SYNTAX AND SEMANTICS OF POLICY QUALIFIERS

13. The Certificate Policies extension includes two Policy Qualifier fields:

- CPS Pointer: contains the URL where the TSPS and the Specific Certification Policies and Certification Practices that apply to the Certificates are published.

- User notice: contains a text that may be displayed on screen to the user of the Certificate during certificate verification.

6.4. SEMANTIC PROCESSING OF THE “CERTIFICATE POLICY” EXTENSION

14. The Certificate Policy extension includes the OID policy field, which identifies the policy associated with the Certificate by the FNMT-RCM, as well as the two fields described in the previous paragraph.
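
A relying party reads the fields described in sections 6.3 and 6.4 by decoding the Certificate Policies extension. The following added example (not part of the original document and not FNMT-RCM code) decodes a DER-encoded extension value as defined in RFC 5280 using only the Python standard library. The sample extension is constructed: it uses the policy OID and location URL given in section 11.1 and a made-up notice text, and the function names are hypothetical.

```python
# Added example (not FNMT-RCM code): decode a Certificate Policies extension value.
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # CPS Pointer qualifier id (RFC 5280)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # User Notice qualifier id (RFC 5280)
FNMT_NATURAL_PERSON_POLICY = "1.3.6.1.4.1.5734.3.10.1"  # OID from section 11.1
SEQUENCE, OID, UTF8, IA5, VISIBLE, BMP = 0x30, 0x06, 0x0C, 0x16, 0x1A, 0x1E
TEXT_CODECS = {UTF8: "utf-8", IA5: "ascii", VISIBLE: "ascii", BMP: "utf-16-be"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode OID content octets into dotted-decimal notation."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_certificate_policies(der):
    """Return one dict per PolicyInformation: policy OID, CPS URIs, notices."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    policies = []
    for ptag, pinfo in children(body):
        fields = children(pinfo)
        if ptag != SEQUENCE or not fields or fields[0][0] != OID:
            raise ValueError("PolicyInformation must be a SEQUENCE led by an OID")
        entry = {"policy": decode_oid(fields[0][1]), "cps": [], "notices": []}
        qualifiers = children(fields[1][1]) if len(fields) > 1 else []
        for _, qinfo in qualifiers:
            parts = children(qinfo)
            if len(parts) != 2 or parts[0][0] != OID:
                raise ValueError("malformed PolicyQualifierInfo")
            qid, (vtag, qval) = decode_oid(parts[0][1]), parts[1]
            if qid == ID_QT_CPS and vtag == IA5:
                entry["cps"].append(qval.decode("ascii"))
            elif qid == ID_QT_UNOTICE and vtag == SEQUENCE:
                # explicitText is a string type; noticeRef (a SEQUENCE) is skipped
                entry["notices"] += [text.decode(TEXT_CODECS[t])
                                     for t, text in children(qval) if t in TEXT_CODECS]
        policies.append(entry)
    return policies


def policy_asserted(der, wanted_oid):
    """True if the extension lists wanted_oid among its policy identifiers."""
    return any(p["policy"] == wanted_oid for p in parse_certificate_policies(der))


def tlv(tag, value):
    """DER-encode one element; the constructed sample needs only short lengths."""
    if len(value) > 0x7F:
        raise ValueError("sample encoder supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def build_sample_extension():
    """Constructed sample: one policy with a CPS Pointer and a User Notice."""
    cps_id, notice_id, policy_id = (tlv(OID, bytes.fromhex(h)) for h in (
        "2b06010505070201", "2b06010505070202", "2b06010401ac66030a01"))
    cps = tlv(SEQUENCE, cps_id + tlv(IA5, b"http://www.cert.fnmt.es/dpcs/"))
    notice = tlv(SEQUENCE, notice_id
                 + tlv(SEQUENCE, tlv(UTF8, b"Constructed notice text")))
    policy = tlv(SEQUENCE, policy_id + tlv(SEQUENCE, cps + notice))
    return tlv(SEQUENCE, policy)


if __name__ == "__main__":
    print(parse_certificate_policies(build_sample_extension()))
```

The decoder rejects truncated input and indefinite lengths with a ValueError, so a malformed extension is never reported as asserting the policy.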

7. ACKNOWLEDGMENT AND AUTHENTICATION OF REGISTERED TRADEMARKS

15. The FNMT-RCM assumes no commitment of any type regarding the use of commercial trademarks in the issuing of Certificates issued under the terms of this Certification Policy. The use of symbols whose usage rights are not the property of the Holder is not allowed, and the FNMT-RCM is therefore not required to verify the possession of registered trademarks and other symbols prior to the issuing of certificates, even if they are included in public registries.

8. MANAGEMENT OF THE LIFE CYCLE OF THE KEYS OF THE TRUST SERVICES PROVIDER

16. The FNMT-RCM, in its activities as a Trust Services Provider, in regard to the cryptographic keys used for the issuing of Natural Person Certificates, declares that it will carry out the management processes described in the following section.

8.1. MANAGEMENT OF KEY LIFE CYCLES

8.1.1. Generation of Trust Services Provider Keys

17. The Keys of the FNMT-RCM, as a Trust Services Provider, are generated in completely controlled circumstances, in a physically secure environment, and by at least two people authorized to do this, using hardware and software systems that comply with the regulations in effect in the area of cryptographic protection, as described in the TSPS.

8.1.2. Storage, safeguards, and recovery of Trust Services Provider Keys

18. The FNMT-RCM uses the necessary mechanisms to maintain the confidentiality of its Private key and to maintain its integrity, in the way that is shown in the TSPS.

8.1.3. Distribution of the Signature verification data of the Trust Services Provider

19. The FNMT-RCM uses the necessary mechanisms to maintain the integrity and authenticity of its Public Key, as well as its distribution in the way that is shown in the TSPS.

20. Natural Person Certificates are issued by a subordinate Certification Authority to the root Certification Authority of the FNMT-RCM. The identification of this Certification Authority is described in annex I of this document.

21. Therefore, the Certificates issued under the terms of the Certification Policy described in this document will be signed electronically with the Signature Creation Data of the Trust Services Provider.

8.1.4. Storage, safeguards, and recovery of Keys of the Private Keys of the Holders

22. Under no circumstances does the FNMT-RCM generate or store the Private Keys of the Holders of the Certificates, which are generated under the exclusive control of the Applicant, and the custody of which is the responsibility of the Holder of the certificate associated with the Private Keys in question.

8.1.5. Use of the Signature Creation Data of the Trust Services Provider

23. The Signature / Seal Creation Data of the FNMT-RCM, in its activity as a Trust Services Provider, will be used solely and exclusively for the following purposes:

1) Signing of Certificates.

2) Signing of Revocation Lists.

3) Other uses included in this Statement and/or other applicable legislation.

8.1.6. End of the life cycle of Trust Services Provider Keys

24. The FNMT-RCM shall have the necessary means to ensure that, once the validity period of the Keys of the Trust Services Provider has expired, they are not used again, either by destroying them or storing them appropriately for this purpose.

8.1.7. Life cycle of cryptographic hardware used to sign Certificates

25. FNMT-RCM will have the necessary means to ensure that the cryptographic hardware used to protect its Keys as Trust Services Provider is not manipulated, based on the current state of the art, throughout its life cycle, with the component in question being located in a physically secure environment from the time it is received until such time as it is destroyed.

9. OPERATION AND MANAGEMENT OF PUBLIC KEY INFRASTRUCTURE

26. The operations and procedures carried out to put the Certification Policies described in this document into practice are carried out applying the controls required by recognized standards for this purpose. These actions are described in the sections “Physical security, procedure, and personnel controls” and “Technical security controls” of the TSPS of the FNMT-RCM.

27. In addition, it is important to note that the FNMT-RCM has an Information Security Management System (hereinafter, ISMS) for its CERES Department, with the ultimate objective of maintaining and guaranteeing the security of the information of the members of the Electronic Community, as well as its own security, so that the FNMT-RCM-CERES services are provided with a reasonable degree of security, in accordance with the current state of the art. The ISMS of the FNMT-RCM-CERES applies to the information assets defined in the Risk Assessment carried out for all of the areas that form part of the department, including the services provided to members of the Electronic Community as assets.

28. The TSPS document provides concrete responses to all aspects regarding the following sections of the European standard ETSI EN 319 411:

- Physical security controls
- Procedural controls
- Personnel controls
- Auditing processes
- Records archival (registry of events)
- Key changeover
- Compromise and disaster recovery
- Certification Authority or Registration Authority termination

10. PUBLICATION OF THE TERMS AND CONDITIONS

29. The FNMT-RCM provides this document, as well as the TSPS document to the Electronic Community and other interested parties, specifying the following:

1) The terms and conditions that regulate the use of the Certificates issued by the FNMT-RCM.

2) The Certification Policy that applies to Certificates issued by the FNMT-RCM.

3) The limits of usage for the Certificates issued under the terms of this Certification Policy.

4) The obligations, guarantees and responsibilities of the parties involved in the issuing and use of the Certificates.

5) The periods of conservation of the information gathered in the registration process and the events occurring in the systems of the Trust Services Provider in relation to the management of the life cycle of the Certificates issued under the terms of this Certification Policy.

11. CERTIFICATION POLICY FOR NATURAL PERSON CERTIFICATES

11.1. IDENTIFICATION

30. The identification of this Certification Policy of the FNMT-RCM for the issuing of Natural Person Certificates is as follows:

Name: Certification Policy for Natural Person Certificates
Reference / OID [1]: 1.3.6.1.4.1.5734.3.10.1
Version: 1.3
Date of issue: December 22, 2017
Location: http://www.cert.fnmt.es/dpcs/
Related CPS: Trust Services Practices and Electronic Certification Statement of the FNMT-RCM
Location: http://www.cert.fnmt.es/dpcs/

[1] Note: The OID or policy identifier is a reference that is included in the Certificate in order to determine a set of rules that indicate the applicability of a particular type of Certificate to the Electronic Community and/or application class with common security requirements.

11.2. TYPE DESCRIPTION OF THE NATURAL PERSON CERTIFICATE

31. The Natural Person Certificate is the electronic certificate issued by the FNMT-RCM that links a Signer to a series of Signature verification data and confirms his/her identity.

11.3. COMMUNITY AND SCOPE OF APPLICATION

32. This Certification Policy applies to the issuing of electronic Certificates with the following characteristics.

33. They are issued as Qualified Certificates, in accordance with the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation) and in compliance with the European standards ETSI EN 319 411-2 “Requirements for trust service providers issuing EU qualified certificates” and ETSI EN 319 412-2 “Certificate profile for certificates issued to natural persons”.

34. The Certificates issued under the terms of this Certification Policy will be considered to be valid as electronic signature and identification systems, in accordance with the Law 39/2015, of October 1st, on the Common Administrative procedures of public administrations based on Qualified electronic certificates that are admitted by virtue of their inclusion in the Trust Service lists (TSL) in accordance with the technical specifications specified in the Annex of Commission Decision 2009/767/EC, of 16 October (modified by Commission Decision 2010/425/EU, of 28 July 2010), which adopts measures that facilitate the use of electronic procedures through single-service windows, in accordance with Directive 2006/123/EC, of 12 December 2006, of the European Parliament and Council, regarding services of the internal market. These Trust Service lists contain information regarding Certification Service Providers that issue Qualified electronic certificates to the public, supervised in each member State, including the FNMT-RCM.

11.4. LIABILITY AND OBLIGATIONS OF THE PARTIES

35. The obligations and liability expressed in this section are understood without detriment to the corresponding obligations and liability deriving from the applicable legislation and regulations, specifically those that apply to the FNMT-RCM as a Trust Services Provider, and that for this condition, the article in the Electronic Signature Act 59/2003, of 19 December, its regulation and development, and the eIDAS Regulation.

36. The following subjects shall be the parties for the purposes of this section:

- The Administration, organizations, public and private entities that accept Natural Person Certificates as a means of identification and/or electronic signature.

- Registry Offices which, through the personnel designated by the competent Administration, must follow the procedures established by the FNMT-RCM in this Certification Practices Statement and in the Certification Policies, in performing their functions for the management, issuing, renewal, and revocation of Certificates, and not deviate from this framework of actions.

- The Holders of the Certificate.

- FNMT-RCM, as the Trust Services Provider.

- In such case, the rest of the Electronic Community and third parties.

11.4.1. Rights and obligations of the Administrations

37. The rights and obligations of the Administrations, organizations, public entities, and the FNMT-RCM will be governed by the corresponding agreement or delegation regulating the trust services and the applicable legislation.

11.4.2. Obligations and responsibility of Registry Offices

38. In addition to the obligations and responsibilities of the parties listed in this document and in the TSPS, the Registry Offices have the obligation to:

i) Certifiably verify the identity and any personal circumstances of the Applicants of the relevant Certificates for the purposes of the Certificates, using any of the means permitted by Law, and in accordance with the provisions in the TSPS, and specifically in this Specific Certification Practices Statement.

ii) Conserve all of the information and documentation related to the Natural Person Certificates, whose application, renewal, suspension, or revocation it manages, for the period of time established in the legislation in effect.

iii) Allow the FNMT-RCM access to the files and to audit its procedures in relation to the data obtained in its role as a Registry Office.

iv) Inform the FNMT-RCM of any aspect that affects the Certificates issued by this Entity (e.g.: requests for issuing, renewal, etc.).

v) Notify the FNMT-RCM promptly of the applications for the issuing of Certificates.

vi) In regard to the expiration of the validity of the Certificates:

  1. Duly verify the causes for the revocation and suspension that could affect the validity of the Certificates.

  2. Notify the FNMT-RCM promptly of the applications for the revocation and suspension of the Certificates.

vii) In regard to the Protection of personal information, the provisions in the corresponding section of the TSPS shall apply.

viii) The Registry Offices, through the personnel assigned to the service by virtue of labour or civil service relationships, must exercise public functions in accordance with the specific legislation that applies to the FNMT-RCM.

39. In any case, the FNMT-RCM may bring suit against the Registry Office that carried out the identification procedure, initiating the corresponding actions, if the cause of the damages originated through the culpable or negligent actions of the Registry Office.

11.4.3. Obligations and responsibility of the Trust Services Provider

40. The obligations and responsibilities of the FNMT-RCM, as a Trust Services Provider, with

the Holder of the Natural Person Certificate and the rest of the members of the Electronic

Community shall be determined mainly by the document related to the conditions of use or

the contract for the issuing of the Certificate, and, subsidiarily, by these Specific Certification

Policies and Practices and by the TSPS.

41. The FNMT-RCM meets the requirements of the European standards ETSI EN 319 412 for

issuing Qualified certificates and undertakes to continue to comply with that standard or those

that replace it.

11.4.3.1. Prior to issuing the Certificate

42. a) Verify the identity and personal circumstances of the Certificate Holders, in accordance

with these Specific Certification Practices and Policies (in this regard, the corresponding

registration procedure established in this document may be consulted). Certificates will not be

issued for minors unless they are emancipated and can accredit that condition.

b) Verify that all of the information contained in the Certificate application corresponds to the

information provided by the Applicant.

c) Verify that the party interested in requesting the issuing of a Certificate is in possession of

the Private Key, which, once the Certificate has been issued, will constitute the Signature

creation data corresponding to the Signature verification data that will be included in the

Certificate, and verify that they match.

11.4.3.2. Identification of the Holder

43. a) Identify the individual who requests a Certificate, in general, requiring the appearance in

person and possession of a National Identity Document or Foreign Resident Identification

Number. The identification process will be carried out in accordance with the registration

procedure.

b) In the verification processes of the aforementioned methods, the FNMT-RCM may carry

out these verifications through the intervention of the authorized Registry Offices or third

parties who hold notarial powers.

11.4.3.3. Generation of Signature creation data and additional information

44. a) Guarantee that the procedures followed ensure that the Private Keys constituted by the

Signature creation data are generated without the creation of copies or the storage of the

Private Keys by the FNMT-RCM.

b) Provide the Applicant (http://www.ceres.fnmt.es) with the following information:

i. Instructions for the Holder, especially:

The way in which the Signature creation data should be stored.

The general mechanisms that guarantee the reliability of the Electronic Signature

of a document.

The procedure for reporting the loss or unauthorized use of this Data.

The exact conditions of use of the Certificate, its limits of usage, and the way in

which its state liability is guaranteed.

ii. A description of the method used by the FNMT-RCM to verify the identity of the

Holder and the other information that is included in the Certificate.

iii. The certifications that have been obtained by the FNMT-RCM.

iv. The applicable conflict resolution procedure.

v. A copy of these Specific Certification Policies and Practices of the Natural Person

Certificates, available at the Electronic Office of the FNMT-RCM.

11.4.3.4. Conservation of information by the FNMT-RCM

45. a) Conserve all of the information and documentation related to each Certificate, with the

necessary security conditions, for fifteen (15) years from the time of issue, so that the

signatures generated with it can be verified.

b) Maintain a secure and updated repository of Certificates, which identifies the issued

Certificates, as well as their validity, including, in the form of Revocation Lists, the

identification of the Certificates that have been revoked or suspended. The integrity of this

Directory will be protected by the use of systems that conform to the specific regulatory

provisions in this regard dictated in Spain, and in such case, in the EU.

c) Maintain an Information and consultation service on the state of validity of the certificates.

This service is described in the section “Verification of the status of the Natural Person

Certificate” in this document.

d) Establish a dating mechanism that makes it possible to precisely determine the date and

time when a Certificate was issued, or when its validity expired or was suspended.

e) Conserve the CPSs for 15 years from the time of modification or substitution by the

publication of a new CPS, with the proper security conditions.

11.4.3.5. Protection of Personal Information

46. The FNMT-RCM agrees to understand and comply with the legislation in effect in the area

of Protection of Personal Information, fundamentally the Personal Information Protection

Act 15/1999 of 13 December. To this end, it agrees to comply with the obligations established

in the regulations, among others, in the area of the information provided to affected parties,

declaration of files with the Spanish Information Protection Agency, conservation and access

to the information, as well as the security measures and other obligations established in Royal

Decree 1720/2007. It also guarantees that the use of the personal information that is gathered

will be limited to those purposes for which the information was collected.

47. For information on the information protection policy followed by the FNMT-RCM, and

regarding the use that is made of the information, consult the section “Personal Information”

in the TSPS.

11.4.3.6. Termination of the activity of the FNMT-RCM as Trust Services Provider

48. In this regard, the provisions of the section “Termination of activity of the Trust Services Provider” of the TSPS shall apply.

11.4.3.7. Responsibilities of the Trust Services Provider

49. The FNMT-RCM is responsible only for the personal identification of the Applicant and

future Holder, and for incorporating that information in a Certificate. For the application of

guarantees, obligations and responsibilities, it is necessary for the event to have taken place

within the scope of the Electronic Community, as this concept is defined in the TSPS.

50. The FNMT-RCM shall only be liable for deficiencies in the procedures that correspond to its

activity as a Trust Services Provider, and pursuant to the terms of these Certification Policies

or the Law. In no other case will it be liable for the actions or losses incurred by Holders,

Subscribers, User Entities, or third parties involved that are not due to errors that can be

attributed to the FNMT-RCM in the aforementioned issuing procedures and/or management

of the Certificates.

51. The FNMT-RCM shall not be liable in the case of force majeure, terrorist attacks, illegal

strikes, as well as in the cases that involve actions that constitute a crime or omission that

affect its supplier infrastructure, except in the case of gross negligence by the entity. In any

case, in the corresponding contracts and/or agreements, the FNMT-RCM may establish

clauses for the limitation of liability. In any case, the quantity that the FNMT-RCM must pay

for the concept of damages as ordered by the court to the harmed third parties and/or members

of the Electronic Community, in the absence of specific regulation in the contracts or

agreements, is limited to a maximum of SIX THOUSAND EUROS (6,000€).

52. The FNMT-RCM shall not be liable to persons whose behaviour in the use of the Certificates has been negligent. For these purposes, negligence shall in any case be considered to be the failure to observe the provisions set forth in the TSPS, in these Specific Certification Practices and Policy, and especially in the stipulations in the sections referring to the obligations and liability of the parties.

53. The FNMT-RCM shall not be liable for any software that it has not provided directly.

Nevertheless, the FNMT-RCM will implement the adequate measures to protect its systems

against Malware, and will keep them duly updated to collaborate with users to avoid the

damages that may be caused by this type of software.

54. The FNMT-RCM does not guarantee the cryptographic algorithms, nor shall it be liable for

damages caused by successful outside attacks on the cryptographic algorithms used, if it

applied the necessary diligence in accordance with the state of the art, and proceeded in

accordance with terms of this Certification Practices Statement and the Law.

11.4.4. Obligations and responsibility of the Applicant and the Holder

11.4.4.1. Responsibility of the Applicant

55. The Applicant shall be responsible for guaranteeing that the information submitted during the application for the Certificate is true and that the Certificate application and download are carried out with a high level of confidence, under his/her sole control.

56. The Applicant shall hold the FNMT-RCM harmless and defend at his/her own expense against

any action that may be undertaken against the Entity as a result of false information provided

during the aforementioned Certificate issuing procedure, or against any damages suffered by

the FNMT-RCM as a result of an action or omission of the Applicant.

11.4.4.2. Responsibility of the Holder

57. In addition to the obligations and responsibilities of the parties listed in the TSPS, the

Holder of the Natural Person Certificate, as the signer of the Certificate and the Keys, has the

following obligations:

Adequately store the Certificate and the Signature Creation Data, and in such case,

the Certificate support or card, providing the means necessary to prevent their use

by persons other than the Holder or the legitimate possessor of the Certificate.

Not use the Certificate when any of the information included in the Certificate is

incorrect or inaccurate, or there are security reasons that advise against the use of

the Certificate.

Notify the FNMT-RCM of the loss, theft, or suspected theft of the Certificate, the

Signature Creation Data, the Certificate support or card of the Holder, in order to

initiate, in such case, the process to revoke or suspend the Certificate.

58. The Holder shall be responsible for notifying the FNMT-RCM of any variation in the status or information reflected in the Certificate, so that the Certificate can be revoked and reissued.

59. Likewise, the Holder shall be responsible in relation to the members of the Electronic

Community and other User Entities, or in such case, to third parties, for improper use of the

Certificate, or false information in it, or actions or omissions that cause damages to the

FNMT-RCM or third parties.

60. The Holder shall therefore be responsible and obliged not to use the Certificate if the Trust

Services Provider has terminated its activity as a Certificate issuing Entity and the substitution

stipulated by Law has not taken place. In any case, the Holder shall not use the Certificate in

the cases in which the Signature / Seal Creation Data of the Provider may be threatened

and/or compromised, and the Provider has communicated this, or in such case, if the Holder

has become aware of these circumstances.

11.4.5. Obligations and responsibility of the User entity and third parties who trust the

Certificates

61. The rest of the Electronic Community, User Entities, and third parties will regulate their

relations with the FNMT-RCM through the TSPS and in such case, through these specific

Certification Policies and Practices; all without detriment to the provisions in the regulations

on electronic signatures and the other regulations that may apply.

62. Without detriment to the information contained in the previous paragraph, the members of the

Electronic Community, User entities, and third parties that trust the Certificates and Electronic

signatures generated with them must comply with the following obligations, waiving all

liability of the Trust Services Provider in the case of failure to comply with them:

Verify before trusting the Certificates, the Advanced Electronic Signature / Seal of

the Trust Services Provider that issued the Certificate.

Verify that the received Certificate of the Holder is still valid.

Verify the status of the Certificates in the certification chain, by consulting the

Information and consultation service on the state of validity of the certificates of the

FNMT-RCM.

Confirm the usage limitations contained in the Certificate that is verified.

Understand the conditions of use of the Certificate in accordance with these Specific

Certification Policies and Practices.

Notify the FNMT-RCM or any Registry Office of any anomaly or information related

to the Certificate and that could be considered cause for the revocation of the

Certificate, providing all available proof.

63. The User entity and third parties who trust the Certificates issued by the FNMT-RCM will be

responsible, unless this obligation is contracted with the Entity, for the verification of the

Electronic signatures of the documents, as well as the Certificates, and under no

circumstances will the authenticity of the documents or Certificates be presumed without this

verification.

64. The User entity may not be deemed to have acted with the minimum degree of diligence if it

trusts an electronic signature based on a Certificate issued by the FNMT-RCM without

observing the provisions contained in the TSPS and in this document and without verifying

that the electronic signature in question can be verified by reference to a valid Chain of

certification.

65. If the circumstances indicate the need for additional guarantees, the User entity will be

required to obtain additional guarantees for the trust to be reasonable.

66. The User entity shall also be responsible for observing the provisions included in the TSPS

and its possible future modifications, with special emphasis on the usage limits established

for Certificates in these Certification Policies.

11.5. LIMITS OF USE OF NATURAL PERSON CERTIFICATES

67. In any case, if a User entity or a third party wishes to trust the electronic signature generated

using one of these Certificates, without accessing the Information and consultation service

on the state of validity of the certificates issued under the terms of this Certification Policy,

these Specific Certification Policies and Practices shall not apply and there shall be no

legitimacy to claim or undertake legal action against the FNMT-RCM for damages or

conflicts arising from the use or trust of a Certificate.

68. This type of Certificate may not be used to:

Sign / Seal another Certificate, except in the cases expressly authorized previously.

Sign / Seal software or components.

Generate Electronic Time stamps for Electronic dating procedures.

Provide services free of charge or for payment, except in cases expressly authorized

previously, including, but not limited to:

o Providing OCSP services.

o Generation of Revocation Lists.

o Providing notification services.

12. SPECIFIC CERTIFICATION PRACTICES FOR NATURAL PERSON CERTIFICATES

69. This document defines the set of Certification Practices adopted by the FNMT-RCM as a

Trust Services Provider for the management of the life cycle of the Natural Person

Certificates issued under the terms of this Certification Policy identified with OID

1.3.6.1.4.1.5734.3.10.1.

12.1. KEY MANAGEMENT SERVICES

70. The FNMT-RCM does not generate or store the Private Keys of the Holders, which are

generated under their exclusive control.

12.2. MANAGEMENT OF CERTIFICATE LIFE CYCLES

71. This section defines the aspects which, although already covered in the TSPS of which this

document forms part, include certain special characteristics that require a greater level of

detail.

The following section describes the application procedure used by the Registry Office to

collect the personal information from an Applicant, confirm his/her identity, and formalize

the conditions of use for the later issuing of the Natural Person Certificate between the

aforementioned Applicant and the FNMT-RCM.

12.2.1. Application procedure for Natural Person Certificates

72. The interested party visits the website of the Trust Services Provider of the FNMT-RCM at

the URL http://www.cert.fnmt.es, where the instructions for the entire process for obtaining

the Natural Person Certificate will be displayed. The Applicant must enter their National

Identity Document number or Tax Identification Number, first surname, and email address in

the information collection form provided for this. The Applicant will also indicate his/her

desire to obtain a Natural Person Certificate and give consent for the FNMT-RCM to consult

the Identity Data Verification System.

73. The Public and Private Keys are then generated (on a cryptographic device - Token or

cryptographic card - if the Applicant has one, or in the browser if they do not have one of

these devices), which will be linked to the Certificate that will be generated in a later phase,

and the FNMT-RCM assigns the application a unique code.

74. The Applicant must previously consult the General and Specific Certification Practice

Statements at the URL http://www.ceres.fnmt.es/dpcs/ with the conditions of use and

obligations of the parties.

75. When this application is made, the Public Key that is generated is sent to the FNMT-RCM,

along with the corresponding proof of possession of the Private Key, for the later issuing of

the Certificate. The sending of the Public Key to the CA for the generation of the Certificate

is done using a standard format, PKCS#10 or SPKAC, and using a secure channel.

76. After the FNMT-RCM receives this information, it will use the applicant’s Public Key to

verify the validity of the information in the application, verifying only the possession and

correspondence of the pair of Cryptographic keys by the applicant.

77. This information shall not result in the generation of a Certificate by the FNMT-RCM until it

receives confirmation from the Registry Office of the identification of the applicant. This

notwithstanding, the possibility of electronic identification of the applicant for the Natural

Person Certificate will be taken into account, generating, in such case, the Certificate without

the Applicant being required to physically visit a Registry Office to accredit his/her identity.

78. The Natural Person Certificate application procedure is completed with the transmission by

the FNMT-RCM of an email to the address provided by the Applicant, specifying the unique

application code assigned and informing the Applicant of the upcoming phases in the process

to obtain the Certificate.

12.2.2. Confirmation of personal identity

79. The FNMT-RCM, as a Trust Services Provider, before it issues the Natural Person Certificate, will identify the Applicant of the Certificate, either through the Applicant physically visiting a Registry Office with which the FNMT-RCM has signed an agreement, or by means of a valid electronic certificate that confirms the identity of the natural person making the application.

For this purpose, the FNMT-RCM will accept electronic natural person Certificates issued by

it and the electronic Certificates that are incorporated into the DNIe.

12.2.2.1. Verification of identity by physical visit

80. Applicants for Natural Person Certificates must physically visit an authorized Registry Office to formalize the procedure for the confirmation of personal identity, bringing the following identification media:

Spanish citizens: National Identity Document, Passport, or other means allowed by law for the purposes of identification (which indicate the National Identity Document Number).

EU citizens: Foreign Identification Card or Citizen Registration Certificate of the Union (where the Tax ID number is included), and Passport or identity document of the country of origin, or Official document of grant of the Tax ID number and Passport or identity document of the country of origin.

Foreign citizens: Foreign Identification Card (where the Tax ID number is included) or Official document of grant of the Tax ID number and Passport.

The person responsible for accreditation in the Registry Office will verify that the documents provided comply with all of the requirements to confirm the identity of the Applicant.

81. The appearance by the Applicant will not be required if the signature on the application for

the issuing of a Certificate has been legitimated in the presence of a notary, if an electronic

certificate is used as a means of identification as specified in the following section, or if the

Certificate is requested, in accordance with the conditions in the section “Renewal of Natural

Person Certificates” of this document.

82. Once the identity of the Applicant has been confirmed by the Registry Office, the Registry

Office will validate the information and send it to the FNMT-RCM, along with the application

code sent to the Applicant by email. This information will be sent via secure communications

established for such purpose between the Registry Office and the FNMT-RCM. The personal

information and their processing, in such case, shall be subject to the specific legislation.

12.2.2.2. Use of electronic certificates as a means of identification

83. The FNMT-RCM will issue the Natural Person Certificate without the need for the applicant

to visit a Registry Office in accordance with the process described in the previous section, if,

during the application process for the Certificate in question, the Applicant is identified with

a valid electronic Certificate that belongs to one of the following types:

A Natural Person Certificate issued under the terms of this Policy.

A Natural Person Identity Certificate issued under the terms of the Certification Policy

of Qualified Certificates of the FNMT-RCM identified with OID 1.3.6.1.4.1.5734.3.5.

One of the electronic Certificates incorporated into the DNIe.

84. However, telematic applications for Natural Person Certificates through the use of the electronic certificates listed in the previous section shall only be allowed if, at the time of the application, no more than 5 years have elapsed since the physical visit and identification of the Holder, as established in article 13.4 of the Electronic Signature Act 59/2003, of 19 December.

12.2.3. Issuing of the Natural Person Certificate

85. Once the FNMT-RCM has received the personal information from the Applicant, along with

the application code, and has confirmed the Applicant's identity in accordance with the previous paragraph, it

will issue the Natural Person Certificate.

86. The issuance of Natural Person Certificates involves the generation of electronic documents

that confirm the identity of the Holder, as well as the correspondence of that information with

the associated Public Key. Natural Person Certificates of the FNMT-RCM may only be

issued by the FNMT-RCM, in its role as a Trust Services Provider, and no other entity or

organization has the capacity to issue them.

87. The FNMT-RCM, by means of its electronic signature / seal, authenticates the Natural Person

Certificates and confirms the identity of the Holder. On the other hand, in order to prevent

the manipulation of the information contained in the Certificates, the FNMT-RCM shall use

the cryptographic mechanisms that protect the authenticity and integrity of the Certificate.

88. Under no circumstances shall the FNMT-RCM include any information other than the

information shown here, nor specific attributes or circumstances of the signers or limits in the

certificates, other than those that are specified in this Certification Practices Statement.

89. In all cases, the FNMT-RCM shall act effectively to:

Verify that the Applicant for the Natural Person Certificate uses the Private Key that

corresponds to the Public Key linked to the identity of the Holder of the Natural Person

Certificate. To do this, the FNMT-RCM will verify the correspondence between the

Private key and the Public key.

Ensure that the information included in the Natural Person Certificate is based on the

information provided by the Applicant.

Not ignore widely-publicized incidents that could affect the reliability of the Natural

Person Certificate.

Ensure that the DN (distinguished name) assigned to the Certificate is unique

throughout the Public Key Infrastructure of the FNMT-RCM.

90. The following steps will be followed to issue the Certificate:

1. Composition of the identification information located in the Common Name field of the

Subject of the Natural Person Certificate, based on the personal information of the

Applicant gathered during the application process for the Natural Person Certificate,

with the following structure:

Last Names and First Name of the holder of the Natural Person Certificate: in UPPER CASE, separated only by a blank space, as indicated on the National Identity Document/Foreign Resident Identification Number of the Holder. If there is no second surname, the space that corresponds to this will be left blank (with no character).

Blank space.

Dash, or other symbol or character: separates the surnames and the first name from the tax identification number.

Blank space.

Tax Identification Number: tax identification number of the Holder, NIF, as indicated on the National Identity Document or Foreign Resident Identification Number.

Example:

ESPAÑOL ESPAÑOL JUAN – 00000000T

The use of pseudonyms as a form of identification is not considered.

2. Composition of the alternative identity of the Natural Person Certificate.

The alternative identity of the Natural Person Certificate contains the same information

as the CN, adding, at the request of the Applicant, his/her email address, distributed in

a series of attributes, so that it is easier to obtain the personal information of the Holder

of the Natural Person Certificate. The subjectAltName extension defined in X.509

version 3 is used to offer this information.

In this extension, the directoryName subfield will be used to include a set of attributes

defined by the FNMT-RCM, which incorporate information on the Holder of the

Natural Person Certificate in question.

3. Generation of the Certificate according to the Natural Person Certificate Profile.

The format of the Natural Person Certificate issued by the FNMT-RCM under the terms

of this Certification Policy, in accordance with the standard ITU X.509 version 3, and

in accordance with the regulations that are legally applicable in the area of Qualified

Certificates, as well as the Certification Authority Certificate that issues them (always

subordinated to the root Certification Authority of the FNMT-RCM), may be consulted

in the site http://www.cert.fnmt.es/dpcs/.

The FNMT-RCM will send an email notification to the address provided by the

Applicant in the Certificate application, informing the Applicant that the Natural Person

Certificate is available for download.
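The Common Name structure from step 1 of paragraph 90, as an added example (not FNMT-RCM code): a relying-party parser that anchors on the trailing tax identifier, so hyphenated surnames are not mis-split when the NIF is extracted. The control-letter check (number mod 23), the accepted separator set, the reading of a missing second surname as simply one token fewer, and all function names are assumptions that this document does not state.

```python
import re
import unicodedata
from dataclasses import dataclass

# Control-letter table for DNI/NIE numbers: index = number mod 23 (assumption,
# not part of this policy text).
NIF_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
# The policy allows "dash, or other symbol or character" as separator; this
# sketch accepts only hyphen, en dash and em dash (assumption).
SEPARATORS = "-\u2013\u2014"
# Anchor on the END of the CN: "<names> <separator> <tax id>", single spaces.
CN_RE = re.compile(
    r"(?P<names>.+) [" + re.escape(SEPARATORS) + r"] (?P<tax_id>[0-9XYZ][0-9]{7}[A-Z])"
)


class CNFormatError(ValueError):
    """Raised when a CN does not follow the structure in paragraph 90, step 1."""


@dataclass(frozen=True)
class SubjectCN:
    names: tuple   # surname(s) then first name(s), in CN order
    tax_id: str    # DNI or NIE, including its control letter


def expected_letter(tax_id: str) -> str:
    """Control letter implied by the numeric part of a DNI or NIE."""
    body = tax_id[:-1]
    if body[0] in "XYZ":                      # NIE: X, Y, Z count as 0, 1, 2
        body = str("XYZ".index(body[0])) + body[1:]
    return NIF_LETTERS[int(body) % 23]


def parse_cn(cn: str) -> SubjectCN:
    """Parse and validate a Natural Person Certificate CN, or raise CNFormatError."""
    cn = unicodedata.normalize("NFC", cn)     # compose N + combining tilde into Ñ
    match = CN_RE.fullmatch(cn)
    if match is None:
        raise CNFormatError("expected '<NAMES> <dash> <tax id>' with single spaces")
    names, tax_id = match.group("names"), match.group("tax_id")
    if names != names.upper():
        raise CNFormatError("names must be in upper case")
    tokens = names.split(" ")
    # At least one surname and one first name; no empty token (double space).
    if len(tokens) < 2 or any(t == "" for t in tokens):
        raise CNFormatError("names must be separated by exactly one blank space")
    for token in tokens:
        # Letters only, allowing hyphens and apostrophes inside a name (assumption).
        if not token.replace("-", "").replace("'", "").isalpha():
            raise CNFormatError("unexpected character in name: %r" % token)
    if tax_id[-1] != expected_letter(tax_id):
        raise CNFormatError("tax identifier control letter does not match")
    return SubjectCN(tuple(tokens), tax_id)


def is_valid(cn: str) -> bool:
    """Convenience wrapper: True when parse_cn accepts the CN."""
    try:
        parse_cn(cn)
        return True
    except CNFormatError:
        return False


if __name__ == "__main__":
    # Constructed samples; the first is the example given in this document.
    for sample in [
        "ESPAÑOL ESPAÑOL JUAN \u2013 00000000T",
        "GARCIA-LOPEZ ANA - X1234567L",
        "Español Español Juan - 00000000T",
        "ESPAÑOL JUAN - 00000000R",
    ]:
        print(sample, "->", is_valid(sample))
```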

12.2.4. Acceptance, downloading and installation of the Natural Person Certificate

91. In less than one (1) hour after the confirmation of the personal identity of the Holder, the FNMT-RCM will make the Natural Person Certificate available for retrieval, exclusively to the Holder, at the website http://www.cert.fnmt.es.

92. In this guided process, the Applicant will be asked to enter the National Identity Document

(DNI) or Foreign Resident Identification Number (NIE), first surname, and the corresponding

application code obtained in this process. This application code will be used as the accepted

key for the generation by the Holder of an electronic signature of the conditions of use of the

Certificate, as a mandatory requirement to download the certificate and accept the conditions

of use, sending these signed conditions to the FNMT-RCM. If the Natural Person Certificate

has not been generated yet for any reason, the process will inform the applicant of this.

93. When the Natural Person Certificate is downloaded, it will be installed on the support on

which the Keys were generated during the application process (cryptographic token or, if

not, the Browser from which the application was made). The aforementioned website of the

FNMT-RCM indicates the supported Browsers and the certificate installation requirements.

12.2.5. Validity of the Natural Person Certificate

12.2.5.1. Expiration

94. The Natural Person Certificates issued by the FNMT-RCM shall be valid for a period of four

(4) years from the moment the Certificate is issued, provided that its validity is not

extinguished. After this period, if the Certificate is still active, it will expire and a new one

will need to be issued if the Holder wishes to continue to use the services of the Trust Services

Provider.

12.2.5.2. Invalidation of the Certificate

95. The Natural Person Certificates issued by the FNMT-RCM shall be invalidated in the

following cases:

a) Termination of the Certificate’s period of validity.

b) Termination of the activity as a Trust Services Provider by the FNMT-RCM, unless the

Certificates issued by the FNMT-RCM have been transferred to another Trust Services

Provider, with prior express consent by the Signatory.

In these two cases [a) and b)], the effectiveness of the Certificates shall cease from the

moment these circumstances occur.

c) Suspension or revocation of the Certificate for any of the causes included in this

document.

96. For the aforementioned purposes, the issuing of a Natural Person Certificate, when there is

another for the same Holder in force (whether this is a Certificate issued under the terms of

this policy or is an FNMT Class 2CA Certificate, issued under the policy with

OID 1.3.6.1.4.1.5734.3.5) shall immediately result in the revocation of the previous

Certificate. The only exception to this occurs when the issuing of a Natural Person Certificate

is as a result of a renewal process for the certificate within a period of sixty (60) days prior to

the expiration date, in which the Certificate that is close to expiring shall remain valid until

its validity period has expired. During this time, if the Certificate in question is revoked in

accordance with the following section, the validity of both Certificates shall be extinguished.

12.2.6. Revocation of the Natural Person Certificate

12.2.6.1. Causes for revocation

97. The following causes shall be allowed for the revocation of a Natural Person Certificate:

a) The request by the Holder for revocation. This should be requested in all of the

following cases:

- Loss of the Certificate support.

- Use by third parties of the Signature Creation Data corresponding to the

Signature Verification Data contained in the Certificate and linked to the

personal identity of the Holder.

- The violation or endangerment of the secrecy of the Signature Creation Data.

- Failure to accept new conditions that may be included in the issuing of new

Certification Practice Statements, within one month of publication.

b) Judicial or administrative resolutions that order this.

c) Decease or full or supervening incapacity of the Holder.

d) Inaccuracies in the information provided by the Applicant to obtain the Certificate, or

the alteration of the information provided to obtain the Certificate, or the modification

of the verified circumstances for the issuing of the Certificate, in such a way that it is

no longer consistent with reality.

e) Contravening of a significant obligation of this Certification Practices Statement by the

Certificate Holder or Applicant, if, in the latter case, this may have affected the

procedure for the issuing of the Certificate.

f) The violation or endangerment of the secrecy of the Signature Creation Data.

g) Contravening of a significant obligation in this Certification Practices Statement by a

Registry Office, if this may have affected the procedure for the issuing of the Certificate.

h) Termination of the contract signed between the Holder and the FNMT-RCM.

98. Under no circumstances does the FNMT-RCM assume any obligation to verify the

circumstances mentioned in letters c) to f) of this section; the FNMT-RCM must be notified

by certified communication by delivery of the documents and information required to verify

this.

99. The FNMT-RCM shall be liable for the consequences resulting from failure to revoke a

Certificate in the following cases only:

- The revocation should have been carried out by certified request by the Holder, or

by means of the systems provided by the FNMT-RCM for this purpose.

- The FNMT-RCM has been notified of the revocation request or the cause behind

the request by a judicial or administrative resolution.

- That causes c) to f) of this section have been reported by certified communication,

with prior identification of the Holder and/or Applicant of the revocation (or the

person with sufficient powers of representation, in the case of supervening

incapacity of the Holder).

100. Actions that constitute crime or omission of which the FNMT-RCM does not have knowledge

that are carried out on the information and/or Certificate and inaccuracies or lack of diligence

in notification of the FNMT-RCM shall release the FNMT-RCM of liability.

12.2.6.2. Effects of revocation

101. The revocation or suspension of the Natural Person Certificate, in other words, the

extinguishing of its effectiveness, shall take effect on the date on which the FNMT-RCM has

certain knowledge of any of the determining circumstances, and from the moment that this is

indicated in its Certificate status information and consultation service.

102. The revocation of the Natural Person Certificate, in addition to the extinguishing of its

effects, also supposes the termination of the relationship and usage regime for the Certificate

in question with the FNMT-RCM.

12.2.6.3. Revocation procedure

103. The request for the revocation of Natural Person Certificates may be made during the validity

period indicated in the Certificate.

104. The revocation of a Natural Person Certificate may only be requested by the Holder or person

with sufficient powers of representation, in the case of supervening incapacity of the Holder,

under the terms specified in these Specific Certification Practices and Policies.

105. Nevertheless, the FNMT-RCM may revoke the Natural Person Certificates itself in the cases

included in this Certification Practices Statement.

106. The Holder may request the revocation of his/her Natural Person Certificate in accordance

with the following procedures:

A) If the Holder is in possession of a Natural Person Certificate and its associated

Signature creation data, it is possible to authenticate the Holder’s identity based on

this certificate, so the revocation of the Certificate may be requested via Internet, or

any other equivalent method that allows the connection to the URL

http://www.ceres.fnmt.es, following the directions indicated on the website. This

service will be available twenty-four (24) hours a day, 365 days a year, except in

circumstances beyond the control of FNMT-RCM or during maintenance operations.

The FNMT-RCM will announce maintenance operations at the URL

http://www.ceres.fnmt.es, if possible, with at least forty-eight (48) hours’ notice, and

will try to resolve the situation within a period of no more than twenty-four (24)

hours.

B) If the Holder does not possess the Natural Person Certificate and its associated

Signature creation data, revocation of the Certificate may be requested using any one

of the following methods:

1) Visiting one of the Registry Offices implemented by the User entities with

which the FNMT-RCM has signed the corresponding agreement, where the

Holder will accredit his/her identity.

2) By phone at 902 200 616 of FNMT-RCM, where the Holder will be asked the

pertinent questions in order to verify the identity of the person making the

request. This service shall be available twenty-four (24) hours a day, 365 days

a year.

107. As soon as the revocation has been resolved, the Signer will receive the notification of the

revocation of the Certificate sent to the email address specified in the request.

108. In all of the aforementioned cases of these specific Certification Practices which require

identification and electronic identification is possible, the functions planned for the DNIe in

accordance with the specific legislation shall be taken into account by the FNMT-RCM.

109. Once the FNMT-RCM has revoked the Certificate, it will publish the corresponding

Certificate Revocation List in the secure Directory, containing the serial number of the

revoked Certificate, the date and time of revocation, and the cause for the revocation.

12.2.7. Suspension of the Natural Person Certificate

110. Suspension of a Certificate leaves the Certificate in question without effect for a period of

time and under certain conditions.

111. The suspension of Certificates shall be considered to be a temporary revocation of their

effectiveness, so that procedures and entities provided to request and process the revocation

of the Certificate are also applicable in the case of suspension.

12.2.7.1. Causes for suspension of the Certificate

112. The FNMT-RCM may suspend the effectiveness of the Natural Person Certificates at the

request of the legitimate interested party or of the Judicial Authorities, or in the case of

justified doubt in regard to the concurrence of the causes for the invalidation of the Certificates

included in the section “Causes for revocation” of this document.

113. Likewise, the suspension request may be due to the existence of a judicial or administrative

proceeding or investigation that is underway, the conclusion of which may determine that the

Certificate is effectively affected by a cause for revocation. In these cases, the FNMT-RCM,

at the request of the legitimate interested party, shall suspend the validity of the Certificate

for the required time, and once this time has elapsed, shall revoke the Certificate unless the

legitimate interested party requests the reactivation of the Certificate by the FNMT-RCM by

means of certified communication.

12.2.7.2. Effects of suspension

114. The suspension of Certificates leaves a Certificate without effect (extinguishes its validity)

for a period of time and in a series of specific conditions.

12.2.7.3. Procedure for the suspension of Certificates

115. The request for the suspension of the Natural Person Certificates may only be done through

the Registry Offices implemented by the User entities with which the FNMT-RCM has signed

the corresponding agreements.

116. The FNMT-RCM shall suspend the Certificate for a period of thirty (30) days, after which

time it will extinguish the Certificate through its direct revocation by the Trust Services

Provider of the FNMT-RCM, unless the suspension has been lifted by a request for the

cancellation of the suspension by the Holder or an authorised third party. This

notwithstanding, the time limit of the suspension of the Certificate may be altered based on

judicial or administrative procedures that may affect it.

117. If the Certificate expires or its revocation is requested during the suspension period, the

consequences shall be the same as for unsuspended Certificates that are affected by expiration

or revocation.

12.2.8. Renewal of the Natural Person Certificate

118. Natural Person Certificates may only be renewed a single time. Holders who have already

renewed their Certificates and would like to continue using a Natural Person Certificate under

the terms of these Specific Certification Practices and Policies, must request a new Certificate

and confirm their identity in accordance with the procedure described in the section

“Verification of identity by physical visit” in this document.

119. The renewal of the Natural Person Certificates issued by the FNMT-RCM to the Holders of

the Certificates may be requested provided that at the time of the request they have a

Certificate in force and the associated Signature creation data, and that this request is made

during the sixty (60) days prior to the Expiration of the Certificate.

120. The renewal of a Natural Person Certificate shall consist of the generation of new Signature

verification data and Signature creation data, as well as the issuing of a new Natural Person

Certificate. The renewal request will be made through the URL http://www.ceres.fnmt.es.

121. The Certificate that is close to expiration shall remain valid until its period of effectiveness

expires. If the revocation of the Natural Person Certificate is requested during the periods of

time that the Holder has two active Certificates, the FNMT-RCM shall revoke both

Certificates.

122. The procedure established for the renewal of a Natural Person Certificate does not require

the physical visit by the person making the request, because the person will be identified

telematically by using his/her Signature creation data. Both the application process and the

process for obtaining the Certificate will be done telematically, requiring in any case the

generation of an Advanced electronic signature by the person making the request, using a

Qualified Certificate, of the renewal application document. However, telematic renewal of

the Natural Person Certificate shall only be allowed if less than 5 years have elapsed since

the physical visit and identification of the Holder established in article 13.4 of the Electronic

Signature Act 59/2003, of 19 December.

123. The functions of the DNIe shall be taken into account for the purposes of identification, in

accordance with its specific legislation.

124. The use of renewed Natural Person Certificates is subject to the same general and specific

conditions that are in effect at any given time and that are established for this type of

Certificates in their corresponding Certification Practices Statement.

12.3. VERIFICATION OF THE STATUS OF THE NATURAL PERSON CERTIFICATE

125. The status of the Natural Person Certificate may be verified through the Information and

consultation service on the state of validity of the certificates through the OCSP protocol.

126. This service will be available twenty-four (24) hours a day, 365 days a year, except in

circumstances beyond the control of FNMT-RCM or during maintenance operations. The

FNMT-RCM will announce maintenance operations at the URL http://www.ceres.fnmt.es, if

possible, with at least forty-eight (48) hours’ notice, and will try to resolve the situation within

a period of no more than twenty-four (24) hours.

127. This service functions as follows: the OCSP server receives the OCSP request made by an

OCSP Client registered in the system and verifies the status of the Certificates included in the

request. If the request is valid, an OCSP response will be generated with the information of

the current status of the Certificates included in the request. Such OCSP response is signed

with the Signature creation data associated with the specific OCSP server for “AC FNMT

Usuarios”, protecting the integrity and authenticity of the information provided about the

revocation status of the Certificates.

128. The User entity shall be responsible for obtaining an OCSP Client to operate with the OCSP

server provided by the FNMT-RCM.

ANNEX I: IDENTIFICATION OF THE CERTIFICATION AUTHORITY CERTIFICATE AC FNMT

USUARIOS

The Certification Authority AC FNMT Usuarios uses the following certificate for the signing / sealing

of Certificates and CRLs:

“CA FNMT Users” Certification Authority Certificate

- Name: CN = CA FNMT Usuarios, OU = Ceres, O = FNMT-RCM, C = ES

- Serial number: 45 5f 3a e1 5c 21 cd ba 54 4f 82 aa 47 51 eb db

- Valid from: Tuesday, 28 October 2014 12:48:58

- Valid until: Sunday, 28 October 2029 12:48:58

- Digital fingerprint (sha1): 80 8B 72 E4 3B 57 4C F5 87 7C B8 41 A8 DF 88 39 6D 38 AB 94

- Digital fingerprint (sha256): 60 12 93 CA 20 B0 9A 03 29 5D 19 62 56 C6 95 3F F9 EB A8 11 DB 8E 3C E1 40 41 3C 1B FF E9 A8 69