Trust Services Practice Statement
Under approval by Supervisory Body
Category: Practice Statement
Document No.: NAMTSP-TSPS-MO-v1.0.docx
Written by: TSP Director
Confidentiality notice: Public Document
Verified by: TSP Director
Version: 1.0
Approved by: CEO
Issue date: 30/06/2016
Namirial S.p.A. Chief Executive Officer (Dr. Davide Ceccucci)
1 Introduction
This document is the Namirial S.p.A. Trust Services Practice Statement (hereafter NAMIRIAL PS) and outlines the principles and practices common to all Namirial’s trust services. This document applies to all entities participating in or using Namirial’s trust services. This document describes the practices used to comply with the Regulation (EU) No 910/2014 (eIDAS).
• parts that are specific to the Time-Stamping service are described within the Time-Stamping Authority Practice Statement.
Pursuant to the IETF RFC 3647 [4] this document is divided into nine parts. To preserve the outline specified by RFC 3647 [4], section headings that do not apply have the statement "Not applicable". Sections that describe actions specific to a single service contain only references to service-specific practice statements. If the subsections are omitted, a single reference applies to all of them. Each first-level chapter includes reference to the corresponding chapter in ETSI EN 319 401 [2].
1.1 Overview
NAMIRIAL operates a Public Key infrastructure in order to provide Trust Services. NAMIRIAL is currently using different root certification authorities, one for each service. NAMIRIAL does not use Subordinate CA-s.
The Namirial S.p.A. Trust Services Practices Statement (NAMIRIAL PS) presents the criteria established by NAMIRIAL to provide electronic Trust Services, which enhance trust and confidence in electronic transactions. NAMIRIAL PS describes Namirial S.p.A. (NAMIRIAL) practices of providing Qualified Trust Services in conformity with the eIDAS regulation [1], legal acts of Italy, ETSI EN 319 401 General Policy Requirements for Trust Service Providers [2], and other related service-based standard requirements. Additionally NAMIRIAL follows CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates [3].
This NAMIRIAL PS describes practices necessary for the achievement of the security level approved by the NAMIRIAL management. NAMIRIAL has achieved ISO/IEC 27001:2013 certification. The statement of applicability includes more detailed description of security measures.
In the event of conflict between the NAMIRIAL PS and the practice statements of specific services, the provisions of the practice statements of specific services shall prevail. In the event of conflict between the original document in English and the translated document in Italian, the original document in English shall prevail.
1.2 Document Name and Identification
This document is called “Namirial S.p.A. Trust Services Practice Statement”.
1.3.3 Subscribers
Subscriber is specified in relevant service-based Policy and/or Practice Statement. Obligations and warranties of Subscriber are described in the clause 9.6.3 of this NAMIRIAL PS.
1.5.4 NAMIRIAL PS Approval Procedures
Amendments which do not change the meaning of the certification practice, such as corrections of misspellings, translation and updating of contact details, are documented in the versions and changes section of the present document and the fraction part of the document version number shall be enlarged.
The NAMIRIAL PS is approved by the NAMIRIAL Chief Executive Officer and the TSP Director. NAMIRIAL ensures that the practices are properly implemented by conducting regular internal audits and conformity assessments.
All amendments will be submitted to the Supervisory Body and the amended version of NAMIRIAL PS is published electronically on NAMIRIAL’s website in “Under approval by Supervisory Body” state. During this phase the Subscriber has the chance to provide reasoned comments. Once the Supervisory Body has approved the amendments the amended version of NAMIRIAL PS is definitively published with the state “Approved by Supervisory Body on <date>” and the document becomes effective from the approval date by the Supervisory Body.
Public Key the key pair that may be publicly disclosed by the holder of corresponding private key and that is used by Relying Party to verify digital signatures created with the holder’s corresponding private key and/or to encrypt messages so that they can be decrypted only with the holder’s corresponding private key.
Root CA the top level Certification Authority whose certificate is distributed by application software suppliers and that issues subordinate NAMIRIAL CA certificates.
Sensitive Information information which allows for simulation or replication of service, or also for the destruction or publication of the service private key. It also includes personal information.
NAMIRIAL CA a Certification Authority of NAMIRIAL whose certificate is signed by the Root CA, or another subordinate CA
Subscriber Certificate public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the Certification Authority, which issued it.
- the creation, verification, and validation of Electronic Signatures, electronic seals or electronic time-stamps, electronically registered delivery services and certificates related to these services or
- the creation, verification and validation of certificates for website authentication or
- the preservation of Electronic Signatures, seals or certificates related to these services.
ETSI European Telecommunications Standards Institute
HSM Hardware Security Modules
RA Registration Authority
NAMIRIAL Namirial S.p.A. Trust Service Provider
NAMIRIAL PS Namirial S.p.A. Trust Service Provider Practice Statement
TSA Time-Stamping Authority
TSP Trust Service Provider
TSU Time-Stamping Unit
UTC Coordinated Universal Time
2 Publication and Repository responsibilities
2.1 Repositories
NAMIRIAL ensures that its repository is available 24 hours a day, 7 days a week with a minimum of 99,44% availability overall per year with a scheduled down-time that does not exceed 0,28% annually.
2.2 Publication of Information
NAMIRIAL publishes in its public website the following information:
- The document “Operative Manual for the Certification Service” (as required by national laws), which represents the service-based policy and practice statement for the Certification Service and contains:
• Certificate Policy (CP),
• Certification Practice Statement (CPS),
• conditions for insurance policy,
• profiles,
• conditions for use of certificates,
• the URLs of Certificate Revocation Lists
- Trust Services Practices Statement;
- The Time-Stamping Authority Practice Statement, which represents the service-based policy and practice statement for the Time-Stamping Service;
2.2.1 Publication and Notification Policies
This NAMIRIAL PS is published in NAMIRIAL's public website. NAMIRIAL PS is published in “under approval” state before it becomes effective.
2.4 Access Controls on Repositories
Information published in NAMIRIAL’s repository is public and not considered confidential information.
NAMIRIAL has implemented security measures in order to prevent unauthorized access to add, delete, or modify entries into its repository. Publishing into NAMIRIAL’s repository is restricted to authorized employees of NAMIRIAL.
5 Facility, Management, and Operational controls
In the field of security management, NAMIRIAL guides itself by the generally recognised standards, e.g. ISO/IEC 27001 [5], and other standards required by regulations and law. The NAMIRIAL's security management policy documents include the security controls and operating procedures for the NAMIRIAL facilities, systems and information assets providing the services. NAMIRIAL carries out and revises risk assessment regularly in order to evaluate business risks and determine the necessary security requirements and operational procedures. The NAMIRIAL management establishes the security policy, which forms a basis for consistency and completeness of information security and management support.
The NAMIRIAL Chief Executive Officer approves policies and practices related to information security for the overall NAMIRIAL services. The NAMIRIAL management communicates information security policies and procedures to employees and relevant external parties who are impacted by it. In addition, the NAMIRIAL management sets out the NAMIRIAL approach to manage information security objectives for Trust Services, including auditable procedures for internal control.
5.1 Physical Controls
The NAMIRIAL services rely on secured premises to host its CA. NAMIRIAL is using physically separated space in server rooms specifically designed for data center operations.
5.1.1 Site Location and Construction
The NAMIRIAL services are conducted within a physically protected environment that deters, prevents, and detects unauthorised use of, access to, or disclosure of Sensitive Information and systems whether covert or overt.
The protection provided is commensurate with the identified risks. The NAMIRIAL ensures that physical access to critical services is controlled and that physical risks to its assets are minimised.
5.1.2 Physical Access
The NAMIRIAL data centers are protected by a minimum of three tiers of physical security, with access to the lower tier required before gaining access to the higher tier. Access to the highest tier requires the participation of two persons in Trusted Roles.
- heating, ventilation, air conditioning systems to control the temperature and relative humidity.
5.1.4 Water Exposures
NAMIRIAL has taken reasonable precautions to minimise the impact of water exposure to the information systems.
5.1.5 Fire Prevention and Protection
NAMIRIAL has taken reasonable precautions to prevent and extinguish fires or other damaging exposure to flame or smoke. The fire prevention and protection measures of the NAMIRIAL have been designed to comply with local fire safety regulations.
5.1.6 Media Storage
Portable media, appliances and software may be removed from the premises of the NAMIRIAL pursuant to the established procedure.
5.1.7 Waste Disposal
Media containing Sensitive Information are securely disposed of when no longer required. Paper documents and materials with Sensitive Information are shredded before disposal. Media used to collect or transmit Sensitive Information are rendered unreadable before disposal. Any media with Sensitive Information removed from use (removable media, hard disks etc.) are sanitised when decommissioned or recycled for other use, to prevent data leaks.
5.1.8 Off-Site Backup
NAMIRIAL performs routine backups of critical system data, audit log data, and other Sensitive Information. The NAMIRIAL has dual data centres to ensure availability requirements. Databases in dual data centres are synchronised in real time. In addition, routine backups are performed. Backups of the most critical information (e.g. keys and configurations) are kept off-site in secure storage.
- System Administrators: they are responsible for the installation, configuration and maintenance of the information systems, including performing the system backup and recovery;
- Security Officers: they are responsible for the administration of and the implementation of the security practices;
- Facility Officers: they are involved in day-to-day operations, particularly in relation to buildings and premises. Likely areas of responsibility include for example: building and grounds maintenance, health and safety, physical security and space management.
- System & Regulatory Auditors: they are responsible for carrying out regular comprehensive review of NAMIRIAL's adherence to all applicable laws, regulations and standards; for that they have access to monitor the document archives and information system audit logs.
- Data Privacy Officer: oversees all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies and procedures. These policies cover the collection, use, disclosure and privacy of personal information in compliance with the Italian Privacy law (Legislative Decree no. 196/2003). This trusted role reports directly to the Board of Directors.
- Information Security & Risk Manager: he/she is responsible for the management of information security and risk through the implementation of information security policies, procedures and guidelines. He/she is also responsible for conducting information security audits and carrying out periodical second-level internal controls. This trusted role reports directly to the Board of Directors.
- RA Administrator: manages and controls the internal RA operators within the Registration Authority of NAMIRIAL and the external RA operators within the LRAs (Local Registration Authorities).
- RA Operator: on behalf of the Registration Authority (RA), they are responsible for carrying out the duties outlined in conformity with the NAMIRIAL policies and procedures specified for the identification and registration of subscribers.
Security operations are managed by NAMIRIAL personnel in Trusted Roles, but may actually be performed by a non-specialist, operational personnel (under supervision).
The roles of RA Administrator and RA Operator are also considered security critical as they are responsible for identification and authentication of subjects of certificates and may be responsible for registration, certificate suspension, termination of suspension and revocation procedures.
5.2.2 Number of Persons Required per Task
The NAMIRIAL has established, maintains and enforces rigorous control procedures to ensure the segregation of duties based on job responsibility and to ensure that multiple Trusted Persons are required to perform sensitive tasks.
The following activities require a minimum of two different types of System Administrators in Trusted Roles:
- generation of certification keys;
- backup of the certification keys;
- restoration of the certification keys;
- management of HSM-s and CA core systems located in Secure Zone;
- physical visit to data centres.
5.2.3 Identification and Authentication for Each Role
All Trusted Roles are performed by persons assigned into this role by NAMIRIAL management and accepted by this person to fulfill this role.
5.2.4 Roles Requiring Separation of Duties
The Trusted Roles of the Security Officer, System & Regulatory Auditor and System Administrators are completely separate and are staffed by different persons. A single person cannot have simultaneously types of System Administrator.
5.3 Personnel Controls
5.3.1 Qualifications, Experience, and Clearance Requirements
The employees of the NAMIRIAL have received adequate training and have all the necessary experience for carrying out the duties specified in the employment contract and job description before they perform any operational or security functions.
All the employees of the NAMIRIAL have signed a non-disclosure agreement (NDA) to maintain the secrecy of confidential information that has come to their knowledge in the course of their performance.
NAMIRIAL management has appropriate expertise, and is familiar with security procedures. Any person in a Trusted Role is informed of his responsibility through its job description and/or procedures related to system security and personnel control.
All personnel in Trusted Roles are free from any interests that may affect their impartiality regarding NAMIRIAL operations.
5.3.2 Background Check Procedures
For all personnel seeking to become personnel in Trusted Roles, the verification of identity is performed through the personal (physical) presence of such personnel before the personnel in Trusted Roles can perform the NAMIRIAL operational or security functions. Furthermore, officially recognised documents of identification e.g., ID card or passports are checked. Suitability is further confirmed through background checking procedures.
Background verification checks are carried out in accordance with relevant laws, regulations and principles of ethics. The checks are proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. These checks are conducted on all candidates for employment and on contracted partners directly performing the Trust Service providing operations with access to production data.
5.3.3 Training Requirements
The employees of NAMIRIAL have received adequate training and have all the necessary experience for carrying out the duties specified in the employment contract and job description before they perform any operational or security functions.
NAMIRIAL ensures that all personnel performing managerial duties with respect to the operation of the NAMIRIAL receive comprehensive awareness training in:
Italian Legislative Decree n. 231 of 8 June 2001 introduced the administrative liability of legal entities and their respective bodies for specific types of criminal offences provided under the Italian Criminal Code (such as the crimes against the Italian public authorities, corporate crimes, market abuse etc.) and committed and prosecutable in Italy by subjects having the functions of representing, administering or directing the legal entity or one of its administrative units having a financial and functional autonomy or by part of their "staff" in the interest or to the benefit of the company.
In introducing these rules on corporate liability, the decree provides, however, for a specific form of exemption from liability if the company proves to have adopted and effectively implemented an appropriate Organizational, Management and Control Model (hereinafter the "Model") in order to prevent such crimes and that the responsibility for supervising the functioning and the observance of the Model and for updating it is being entrusted to a specific body ("Supervisory Committee") of the legal entity provided with autonomous powers of initiative and control.
5.3.8 Documentation Supplied to Personnel
The NAMIRIAL gives its personnel (including persons in Trusted Roles) the requisite training and other documentation needed to perform their job responsibilities competently and satisfactorily.
The NAMIRIAL CA is an off-line CA whose events are stored on an external media after each operation. This media is stored in an environment with a sufficient security level. These journals ensure the auditability and accountability of the actions (timestamp, person name).
5.4.3 Retention period for audit log
The GdC are externalized every day and stored in a storage server inside NAMIRIAL premises. They are kept until the expiration of the last certificate issued by the CA.
5.5.2 Retention Period for Archive
The retention period for archive is described in clause 5.4.3 of this NAMIRIAL PS.
5.5.3 Protection of Archive
Regardless of their storage media, archives are protected in integrity, and are only accessible by authorized personnel. The media holding the archive data and the applications required to process the archive data are maintained to ensure that the archive data can be accessed for the time period required.
5.5.4 Archive Backup Procedures
Not applicable.
5.5.5 Requirements for Time-Stamping of Records
Database entries contain accurate time and date information. The time-stamps are not cryptography-based.
5.5.6 Archive Collection System (Internal or External)
The NAMIRIAL uses an internal archive collection system. LRA-s may use external archive collection system for physical archive records.
5.7.1 Incident and Compromise Handling Procedures
NAMIRIAL has implemented a business continuity plan, which covers procedures of risk assessment, incident handling (includes a response to incidents and disasters), recovery and recovery exercises.
NAMIRIAL carries out an annual risk assessment of NAMIRIAL’s Trust Services to prevent possible danger to the availability of NAMIRIAL’s operations and to minimise the risk of losing control of the Trust Services. The list of situations considered as emergency situations is determined by the risk assessment. The result of the risk assessment includes the requirements for recovery plans and recovery testing scenarios. The recovery plans and testing scenarios include at least the following threats:
- for NAMIRIAL CA and NAMIRIAL TSA, the private key used for the provisioning of the service is compromised or there is a serious suspicion thereof;
- for NAMIRIAL TSA, the loss of synchronisation of a time-stamping service clock.
The procedures for the handling of information security incidents, emergency situations and critical vulnerabilities are documented in the internal NAMIRIAL’s Incident Reporting and Management Procedure. The objective of that regulation is the immediate response and recovery of availability and the continuous protection of NAMIRIAL services.
Recovery plans are tested annually.
In the event of an emergency, NAMIRIAL will inform all the Subscribers and Relying Parties immediately (or at least within 24 hours of the crisis committee’s decision) of the emergency situation and proposed solution through public information communication channels.
NAMIRIAL will inform without undue delay but in any event within 24 hours after having become aware of it, the Supervisory Body and, where applicable, other relevant bodies as national CERT or Italian Data Protection Authority and partners such as Acrobat Adobe (for AATL) of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein.
5.7.2 Computing Resources, Software, and/or Data are Corrupted
The event of the corruption of computer resources, software and data is handled according to the NAMIRIAL internal Security Incident Management Policy.
5.7.4 Business Continuity Capabilities After a Disaster
In order to ensure the business continuity capabilities after a disaster NAMIRIAL organises periodically crisis management trainings. The NAMIRIAL Incident Reporting and Management Procedure defines how crisis management and communication take place in emergency situations.
There is an internal agreement about priorities for systems and services recovery after the emergency situation or/and service interruption. NAMIRIAL maintains necessary back-up copies and archives to be able to restore data after the emergency situation. Backups of the most critical information (e.g. keys and configurations) are kept off-site in secure storage.
NAMIRIAL has dual data centres to ensure the availability of services. NAMIRIAL office and data centres are independent of each other. In case of the emergency in data centres, guidance, source codes and other necessary materials are available from NAMIRIAL Office. In case of the emergency situation in NAMIRIAL office, services in data centres will continue to work.
NAMIRIAL ensures that potential disruptions to Subscribers and Relying Parties are minimised as a result of the cessation of NAMIRIAL's services, and in particular, it ensures the continued maintenance of information required to verify the correctness of Trust Service Tokens.
- NAMIRIAL informs the following of the termination: all Subscribers and other entities with which the NAMIRIAL has agreements or other forms of established relations. In addition, this information will be made available to other Relying Parties;
- NAMIRIAL maintains the documentation related to the supply of the Trust Service and information needed to verify the Trust Service Tokens if NAMIRIAL is not terminated according to the clause 5.4 and 5.5. In case NAMIRIAL will be terminated, NAMIRIAL hands over the aforementioned documentation related to the supply of the service and information needed to verify the Trust Service Tokens to the Supervisory Body pursuant to the established procedure.
In case of compromise the NAMIRIAL will additionally:
- Indicate that Trust Service Tokens and validity information issued using this CA or TSU key may no longer be valid;
- Revoke any CA and TSU certificate that has been issued for NAMIRIAL when NAMIRIAL is informed of the compromise of another CA or TSA.
The requirements are applicable also in case of LRA-s termination. NAMIRIAL takes over the documentation and information related to the supply of the Trust Service and provides evidence of the operation for a time period defined in relevant service-based Policy and/or Practice Statement.
6 Technical security controls
6.1 Key Pair Generation and Installation
NAMIRIAL uses cryptographic keys for its Trust Services and follows industry best practices for key lifecycle management, key length and algorithms.
The Trust Service key pair generation and the private key storage occur in the HSM, which is used for providing keys, that are certified at the level EAL4+ of the Common Criteria and qualified by the ANSSI at the highest level. They meet the following requirements:
• Being able to identify and authenticate its users;
• Limiting access to its services depending on the user and the role he has been assigned;
• Being able to perform a set of tests to verify it is operating properly and enter a safe state if an error is
CA private keys and cannot be forged without the knowledge of the private keys;
• Creating audit logs for every modification regarding security;
• If backup and restore of private keys is provided, ensuring the confidentiality and the integrity of the
NAMIRIAL has documented procedure for conducting NAMIRIAL CA key pair generation for all CA’s. NAMIRIAL produces a report proving that the ceremony was carried out in accordance with the stated procedure and that the integrity and confidentiality of the key pair was ensured. Report is signed by the responsible for the certification service and the internal auditor. The procedures for key ceremony are documented in NAMIRIAL internal procedures.
The Subscriber Private Key generation is specified in relevant service-based Policy and/or Practice Statement.
6.1.4 CA Public Key Delivery to Relying Parties
All NAMIRIAL Trust Services public keys are distributed in the form of X.509 certificates issued by the NAMIRIAL CA. The primary distribution mechanism for the NAMIRIAL Trust Service certificates is via the NAMIRIAL repository at https://docs.namirialtsp.com/certificates/. The NAMIRIAL takes obligation to provide the NAMIRIAL Trust Service certificates to Trusted List of Italy.
Cryptographic module standards and controls for cryptographic devices which carry the Subscriber Private Key are specified in relevant service-based Policy and/or Practice Statement.
6.2.2 Private Key (n out of m) Multi-Person Control
The access to the NAMIRIAL CA keys is divided into six parts (2 out of 6) that are secured by different persons in Trusted Roles. For activation of the signing key of the NAMIRIAL the presence of at least two authorized persons is required in accordance with clause 5.2.2 of this PS.
For activation of the certification key of the NAMIRIAL the presence of at least two authorised persons is required as explained in clause 6.2.2 in this NAMIRIAL PS.
6.2.6 Private Key Transfer Into or From a Cryptographic Module
All NAMIRIAL CA keys are generated by and in a cryptographic module. The NAMIRIAL generates CA key pairs in the HSM in which the keys will be used.
6.2.8 Method of Activating Private Key
The NAMIRIAL CA private keys are activated according to the specifications of the cryptographic module manufacturer. For activation of the certification key of the NAMIRIAL the presence of at least two authorised persons is required as explained in clause 6.2.2 of this NAMIRIAL PS.
6.2.10 Method of Destroying Private Key
The method of destroying NAMIRIAL CA private keys and internal control mechanisms depend on the options available to specific secure cryptographic module. When a key is destroyed, the CA ensures that all corresponding backup copies are also destroyed.
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
The operational period of a certificate ends upon revocation. The operational period for key pairs is the same as the operational period for the certificates, except that they may continue to be used for signature verification.
In addition, the NAMIRIAL stops issuing new certificates at an appropriate date prior to the expiration of the CA's certificate such that no Subscriber certificate expires after the expiration of the CA certificate.
If an algorithm or the appropriate key length offers no sufficient security during the validity period of the certificate, the concerned certificate will be revoked and a new certificate application will be initiated. The applicability of cryptographic algorithms and parameters is constantly supervised by the NAMIRIAL management.
6.4.1 Activation Data Generation and Installation
The NAMIRIAL CA private key activation data generation and installation is performed according to the user manual of HSM.
The Subscriber's Private Key PINs generation and installation is specified in relevant service-based Policy and/or Practice Statement.
6.5.1 Specific Computer Security Technical Requirements
The NAMIRIAL ensures that the certification system components are secure and correctly operated, with an acceptable risk of failure.
The NAMIRIAL certification services system components are managed in accordance with defined change management procedures. These procedures include system testing in an isolated test environment and the requirement that change must be approved by the Security Officer. The approval is documented for further reference.
All critical software components of the NAMIRIAL are installed and updated from trusted sources only. There are also internal procedures to protect the integrity of certification service components against viruses, malicious and unauthorised software.
All media containing production environment software and data, audit, archive, or backup information are stored within the NAMIRIAL with appropriate physical and logical access controls designed to limit access to authorised personnel and protect such media from accidental damage (e.g., water, fire, and electromagnetic). Media containing Sensitive Information are securely disposed of when no longer required. All removable media are used only for the intended period of the user (either by time or by number of uses).
NAMIRIAL has no defined capacity management process. The performance of NAMIRIAL services and IT systems is monitored by Service Managers and changes are done when necessary according to internal change management procedure.
Incident response and vulnerability management procedures are documented in an internal document. Monitoring system detects and alarms of abnormal system activities that indicate potential security violation, including intrusion into the network.
Paper documents and materials with Sensitive Information are shredded before disposal. Media used to collect or transmit Sensitive Information are rendered unreadable before disposal.
NAMIRIAL’s personnel are authenticated before using critical applications related to the services.
User accounts are created for personnel in specific roles that need access to the system in question. All users must log in with their personal account, and administrative commands are only available with explicit permission. File system permissions and other features available in the operating system security model are used to prevent any other use. User accounts are removed as soon as possible when the role change dictates. Access rules are audited annually.
6.6.1 System Development Controls
An analysis of security requirements is carried out at the design and requirements specification stage of any systems development project undertaken by the NAMIRIAL; or an analysis is carried out on behalf of the NAMIRIAL to ensure that security is built into the Information Technology's systems.
The software will be approved by the Service Managers and will originate from a trusted source. New versions of software are tested in a testing environment of the appropriate service and their deployment is conducted according to documented change management procedures.
6.6.2 Security Management Controls
Measures are implemented in the information system of the NAMIRIAL, including all workstations for guaranteeing the integrity of software and configurations, as well as for detecting fraudulent software and restricting its spread. Only the software directly used for performing the tasks is used in the information system.
6.6.3 Life Cycle Security Controls
The NAMIRIAL policies and assets for information security are reviewed at planned intervals, or should significant changes occur, they are reviewed to ensure their continuing suitability, adequacy and effectiveness.
The configurations of the NAMIRIAL systems are regularly checked for changes that violate the NAMIRIAL security policies. A review of configurations of the issuing systems, security support systems, and front-end/internal-support systems occurs at least on a weekly basis. The Security Officer approves changes that have an impact on the level of security provided. The NAMIRIAL has procedures for ensuring that security patches are applied to the certification system within a reasonable time period after they become available, but not later than six months following the availability of the security patch. The reasons for not applying any security patches will be documented.
The NAMIRIAL manages the registration of information assets and classifies all information assets into security classes according to the results of the regular security analysis consistent with the risk assessment. All NAMIRIAL policies and assets related to information security will be reviewed internally at planned intervals, or should significant changes occur, they will be reviewed to ensure their continuing suitability, adequacy and effectiveness.
6.7 Network Security Controls
The NAMIRIAL network is divided into zones by security requirements. Communication between the zones is restricted. Only the protocols needed for the NAMIRIAL services are allowed through the firewalls.
The front-end systems are in a DMZ protected by a firewall and TLS offload servers. Actual security-critical services and corresponding HSMs run in a secure zone that is separated by a dedicated firewall and has no direct Internet access.
The root CA is in a high security zone and is air-gapped from all the other networks. The NAMIRIAL systems are configured with only those accounts, applications, services, protocols, and ports that are used in the Trust Service operations.
The security of the NAMIRIAL internal network and external connections is constantly monitored to prevent all access to protocols and services not required for the operation of the Trust Services.
The NAMIRIAL performs a vulnerability scan twice a year on public and private IP addresses identified by NAMIRIAL.
The NAMIRIAL undergoes a penetration test on the certification systems annually at the set up and after the infrastructure or application upgrades or modifications determined significant by the NAMIRIAL.
The NAMIRIAL records evidence that each vulnerability scan and penetration test was performed by a person or entity with the skills, tools, proficiency, code of ethics, and independence necessary to provide a reliable report.
6.8 Time-Stamping
NAMIRIAL provides a time-stamping service as a qualified Trust Service, which is specified in the Namirial S.p.A. Time-Stamping Authority Practice Statement [6].
The NAMIRIAL does not use time-stamping in relation to the certification service. Database entries contain accurate time and date information. The time information is not cryptographic-based. The maximum allowed time variance in all parts of the certification system is 1 second. This is guaranteed by an internal Reference Clock service, according to which the chronologies of all parts of the certification system are synchronised. The Reference Clock uses GPS (Global Positioning System) as a primary time source which determines preciseness of the time in the NAMIRIAL’s system.
During the qualification process, a first compliance audit has been performed by an accredited organization as requested by the regulatory proceeding.
8.2 Identity/qualifications of assessor
The assessor must act with rigor in order to ensure that policies, statements and services are properly implemented and to detect the non-compliance items which might jeopardize the security of the service.
In case of result “to be confirmed”, the assessment team identifies the non-compliances and prioritizes them. The TSP then schedules the correction of these non-compliances. A validation audit then checks for their effective corrections.
8.6 Communication of results
The audit results are made available to the Executive Management Committee of NAMIRIAL and to the qualification body in charge of the qualification of the TSP.
9.3.1 Scope of Confidential Information
All information that has become known while providing services and that is not intended for publication (e.g. information that had been known to NAMIRIAL because of operating and providing Trust Services) is confidential. The Subscriber has a right to get information from NAMIRIAL about him/herself according to legal acts.
9.3.2 Information Not Within the Scope of Confidential Information
Any information not listed as confidential or intended for internal use is public information. Information considered public in NAMIRIAL is listed in clause 2.2 of this NAMIRIAL PS.
Additionally, non-personalised statistical data about NAMIRIAL’s services is also considered public information. NAMIRIAL may publish non-personalised statistical data about its services.
9.3.3 Responsibility to Protect Confidential Information
NAMIRIAL secures confidential information and information intended for internal use from compromise and refrains from disclosing it to third parties by implementing different security controls.
Disclosure or forwarding of confidential information to a third party is permitted only with the written consent of the legal possessor of the information on the basis of a court order or in other cases provided by law.
9.4.3 Responsibility to Protect Private Information
NAMIRIAL ensures protection of personal information by implementing security controls as described in chapter 5 of this NAMIRIAL PS.
9.4.4 Notice and Consent to Use Private Information
The exact terms under which the subscriber grants NAMIRIAL his/her notice and consent to use his/her personal information are described in https://docs.namirialtsp.com/privacy/.
9.4.5 Disclosure Pursuant to Judicial or Administrative Process
The circumstances under which NAMIRIAL may disclose the subscriber’s personal information to third parties are described in https://docs.namirialtsp.com/privacy/.
9.4.6 Other Information Disclosure Circumstances
The circumstances under which NAMIRIAL may disclose the subscriber’s personal information to third parties are described in https://docs.namirialtsp.com/privacy/.
9.5 Intellectual Property Rights
The products operated to provide the PKI belong to NAMIRIAL. Any use or reproduction, total or partial, of these elements and/or information within, by any means, is strictly prohibited and constitutes a punishable forgery, unless NAMIRIAL has previously given its written agreement.
9.6 Representations and Warranties
9.6.1 Trust Service Provider Representations and Warranties
NAMIRIAL is party to the mutual agreements and obligations between the TSP, Subscribers, and Relying Parties. This NAMIRIAL PS and service-based Practice Statements are integral parts of these agreements.
- where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the Trusted Service has been provided, notify the natural or legal person of the breach of security or loss of integrity without undue delay;
- ensure a conformity assessment according to requirements and present the conclusion of conformity assessment body to the Supervisory Body to ensure continual status of Trust Services in the Trusted List;
- provide its services consistent with the requirements and the procedures defined in the contract between NAMIRIAL and LRA, in this NAMIRIAL PS and service-based Policies and Practice statements;
- provide its employees with necessary training for supply of high-quality service;
- without undue delay after having become aware of it, will notify NAMIRIAL of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein.
- observe the requirements provided by NAMIRIAL in this NAMIRIAL PS and the respective service-based policies and/or practice statements;
- supply true and adequate information in the application for the services, and in the event of a change in the data submitted, he/she shall notify the correct data in accordance with the rules established in the service-based policies and practice statements;
- be aware of the fact that NAMIRIAL may refuse to provide the service if the Subscriber has intentionally presented false, incorrect or incomplete information in the application for the service;
- be solely responsible for the maintenance of his/her private key and Trust Service Tokens. The Subscriber shall use his/her private key and Trust Service Tokens in accordance with this NAMIRIAL PS, service-based practice statements and service terms and conditions.
- study the risks and liabilities related to the acceptance of Trust Service Tokens. The risks and liabilities have been set out in this NAMIRIAL PS, in the appropriate service-based policies and practice statements and in the service terms and conditions.
- verify the validity of Trust Service Tokens on the basis of validation services offered by NAMIRIAL using:
o published information on NAMIRIAL’s website https://docs.namirialtsp.com/ or
- is liable for the performance of all its obligations specified in clause 9.6.1 to the extent prescribed by the legislation of the Republic of Italy;
- has compulsory insurance contracts, which cover all NAMIRIAL Trust Services to ensure compensation for damage which is caused as a result of violation of the obligations of NAMIRIAL.
9.8 Limitations of Liability
The upper limit of the liability for any claim is established in the referred policy available at https://docs.namirialtsp.com/insurance/.
9.9 Indemnities
Indemnities between the Subscriber and NAMIRIAL are regulated in service-based Terms and Conditions.
9.10 Term and Termination
9.10.1 Term
Refer to clause 2.2.1 of this NAMIRIAL PS.
9.10.2 Termination
This NAMIRIAL PS and/or service-based Practice Statements remain in force until they are replaced by a new version or when they are terminated due to Trust Service or NAMIRIAL’s termination.
Upon NAMIRIAL’s termination, NAMIRIAL is obliged to ensure the protection of personal and confidential information.
9.10.3 Effect of Termination and Survival
NAMIRIAL communicates the conditions and effect of this NAMIRIAL PS’s and/or service-based Practice Statements termination via its public repository. The communication specifies which provisions survive termination.
At a minimum, all responsibilities related to protecting personal and confidential information, as well as maintenance of public information of the repository, NAMIRIAL archives for the determined period, and logs, survive termination. All Subscriber agreements remain effective until the certificate is revoked or expired, even if this NAMIRIAL PS and/or service-based Practice Statements terminate.
Termination of this NAMIRIAL PS and/or service-based Practice Statements cannot be done before termination actions described in clause 5.8 of this NAMIRIAL PS.
9.11 Individual Notices and Communications with Participants
In general, NAMIRIAL’s website http://www.namirialtsp.com will be used to make any type of notification and communication. Other means of individual notices and communication are specified in the relevant service-based Policy and/or Practice Statement.
9.13 Dispute Resolution Provisions
All disputes between the parties will be settled by negotiations. If the parties fail to reach an amicable agreement, the dispute will be resolved at the court of the location of NAMIRIAL.
The other parties will be informed of any claim or complaint not later than 30 calendar days after the detection of the basis of the claim, unless otherwise provided by law.
9.15 Compliance with Applicable Law
NAMIRIAL ensures compliance with the legal requirements to meet all applicable statutory requirements for protecting records from loss, destruction and falsification, and the requirements of the following:
- eIDAS - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1];
- Italian Data Protection Code [7];
- related European Standards:
o ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [2];
o ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI); Policy and Security requirements for Trust Service Providers issuing certificates; Part 1: General requirements [9];
o ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates [9];
9.16.1 Entire Agreement
NAMIRIAL contractually obligates each LRA and other participants to comply with this NAMIRIAL PS and applicable industry guidelines. NAMIRIAL also requires each party using its products and services to enter into an agreement that delineates the terms associated with the product or service. If an agreement has provisions that differ from this NAMIRIAL PS, then the agreement with that party prevails, but solely with respect to that party. Third parties may not rely on or bring action to enforce such agreement.
9.16.2 Assignment
Any entities operating under this NAMIRIAL PS may not assign their rights or obligations without the prior written consent of NAMIRIAL. Unless specified otherwise in a contract with a party, NAMIRIAL does not provide notice of assignment.
9.16.3 Severability
If any provision of this NAMIRIAL PS is held invalid or unenforceable by a competent court or tribunal, the remainder of the NAMIRIAL PS remains valid and enforceable. Each provision of this NAMIRIAL PS that provides for a limitation of liability, disclaimer of a warranty, or an exclusion of damages is severable and independent of any other provision.
9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)
NAMIRIAL may claim indemnification and attorneys' fees from a party for damages, losses, and expenses related to that party's conduct. NAMIRIAL’s failure to enforce a provision of this NAMIRIAL PS does not waive NAMIRIAL’s right to enforce the same provision later or right to enforce any other provision of this NAMIRIAL PS. To be effective, waivers must be in writing and signed by NAMIRIAL.
9.16.5 Force Majeure
The subject of Force Majeure and other parties are responsible for any consequences caused by circumstances beyond his reasonable control, including but without limitation to war (whether declared or not), acts of government or the European Union, export or import prohibitions, breakdown or general unavailability of transport, general shortages of energy, fire, explosions, accidents, strikes or other concerted actions of workmen, lockouts, sabotage, civil commotion and riots.
Communication and performance in the case of Force Majeure are regulated between the parties with the agreements.
Non-fulfilment of the obligations arising from the NAMIRIAL PS and/or relevant service-related Policies and/or Practice Statements is not considered a violation if such non-fulfilment is occasioned by Force Majeure. None of the parties shall claim damage or any other compensation from the other parties for delays or non-fulfilment of this NAMIRIAL PS and/or relevant service-related Policies and/or Practice Statements caused by Force Majeure.
[II] ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers;
[III] CA/Browser Forum, Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.3.pdf;
[IV] RFC 3647 – Request For Comments 3647, Internet X.509 Public Key Infrastructure, Certificate Policy and Certification Practices Framework, https://www.ietf.org/rfc/rfc3647.txt;