certification practice statement digisign certification ... public document 1st edition, 2.3rd...

Download Certification Practice Statement DigiSign Certification ... Public Document 1st Edition, 2.3rd Version

Post on 16-Jul-2020

0 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Copyright © DigiSign. All rights reserved. This document shall not be duplicated, used, or disclosed in whole or in part for any purposes other than those approved by DigiSign.

    Certification Practice Statement

    DigiSign Certification Authority

    Qualified Electronic Certificates

    compliant with eIDAS Regulation and national legislation

    Category: Public Document Language: English

    Written by: Policies and Procedures Management Body

    Verified by: Internal Auditor Edition: 2

    Approved by: General Manager Version: 1

    OID: 1.3.6.1.4.1.34285.1.1.1.2.3.1.0

    DIGISIGN S.A.

    2 – 6 Virgil Madgearu street, 1st District

    014135, Bucharest, Romania

    +4 031 620 20 00

    +4 031 620 20 80

    office@digisign.ro

    www.digisign.ro

  • Public Document 2nd Edition, 1st Version Page 1 of 62

    Document history

    Edition Version Description Date Author

    1 0

    First release: Certification Practice Statement for DigiSign Certification Authority, compliant with eIDAS Regulation and national legislation

    May 15, 2017

    Policies and Procedures

    Management Body

    1 1 Updates as per the recommendations resulted after the audit

    June 15, 2017

    Policies and Procedures

    Management Body

    1 2 Updating features for end user certificates November 17,

    2017

    Policies and Procedures

    Management Body

    1 3 Updating with new identity validation method and added new authorities

    November 22, 2018

    Policies and Procedures

    Management Body

    2 0 Updating with new identity validation method October 15,

    2019

    Policies and Procedures

    Management Body

    2 1 Minor updates July 28, 2020

    Policies and Procedures

    Management Body

  • Public Document 2nd Edition, 1st Version Page 2 of 62

    Table of Contents

    1. Introduction ..................................................................................................... 4

    1.1. Information regarding this document ............................................................. 4

    1.2. Certification process overview ....................................................................... 5

    1.2.1. DigiSign PKI Hierarchy ........................................................................... 6

    1.2.2. DigiSign PKI Participants ........................................................................ 7

    1.3. Aria de aplicabilitate a certificatelor ............................................................. 10

    1.4. CPS Management ...................................................................................... 13

    2. Publication and repository responsabilties ........................................................... 13

    3. Identification and authentication ....................................................................... 14

    3.1. Naming .................................................................................................... 14

    3.2. Initial identity validation ............................................................................. 15

    3.3. Identification and authentication for rekey and renewal requests ..................... 18

    3.4. Identification and authentication for revocation or suspension requests ............ 19

    4. Certificate life cycle operational requirements ..................................................... 19

    4.1. Registration form ...................................................................................... 20

    4.2. Certification application .............................................................................. 20

    4.3. Enrollment process .................................................................................... 21

    4.4. Certificate issuance ................................................................................... 22

    4.5. Certificate acceptance and publication .......................................................... 23

    4.6. Certificate applicability and key usage .......................................................... 23

    4.7. Certificate rekey ........................................................................................ 23

    4.8. Certificate revocation ................................................................................. 25

    4.9. Certificate suspension ................................................................................ 27

    4.10. Certificate status and verification ............................................................... 28

    4.10.1. CRL verification ................................................................................. 28

    4.10.2. OCSP verification ............................................................................... 29

    4.10.3. Public Electronic Register .................................................................... 29

    5. Facility, management and operational controls .................................................... 29

    5.1. Physical security controls ............................................................................ 30

    5.2. Procedural controls .................................................................................... 32

    5.3. Personnel controls ..................................................................................... 33

    5.4. Audit logging procedures ............................................................................ 35

    5.5. Records archival ........................................................................................ 36

    5.6. Compromise and Disaster Recovery ............................................................. 37

    5.7. CA or RA termination ................................................................................. 38

  • Public Document 2nd Edition, 1st Version Page 3 of 62

    6. Technical security controls ............................................................................... 39

    6.1. Key pair generation and installation ............................................................. 39

    6.2. Private key protection and cryptographic module engineering controls .............. 42

    6.4. Activation data .......................................................................................... 45

    6.5. Computer security controls ......................................................................... 45

    6.6. Life cycle technical controls ........................................................................ 46

    6.7. Network security controls ........................................................................... 46

    7. Certificate, CRL and OCSP profiles ..................................................................... 47

    7.1. Certificate profiles ..................................................................................... 47

    7.2. CRL profiles .............................................................................................. 52

    7.3. OCSP profiles ............................................................................................ 53

    8. Compliance audit and other assessments ........................................................... 54

    8.1. Frequency and circumstances of assessment ................................................. 54

    8.2. Identity and qualifications of assessor .......................................................... 54

    8.3. Assessor’s relationship to the assessed entity ................................................ 54

    8.4. Topics covered by assessment .................................................................... 55

    8.5. Actions taken as a result of a deficiancy ....................................................... 55

    8.6. Communication of audit’s results ................................................................. 55

    9. Other business and legal matters ...................................................................... 55

    9.1. Fees ........................................................................................................ 55

    9.2. Financial responsability .............................................................................. 56

    9.3. Confidentiality of business information ......................................................... 56

    9.4. Protection of personal information ............................................................... 58

    9.5. Intellectual property rights ......................................................................... 58

    9.6. Responsabilities and warranties ................................................................... 58

    9.7. Limitations of liability ................................................................................. 60

    9.8. Indemnities .............................................................................................. 60

    9.9. Term and termination ................................................................................ 60

    9.10. Individual notices and communications with participants ............................... 60

    9.9. Dispute resolution procedures ..................................................................... 60

    9.10. Governing law ...................

Recommended

View more >