
PUBLIC

Zagrebačka banka d.d.

Certificate Policy for Qualified Trust Services

Version: 1.4 of 10 September 2019

CONTENTS:

1 INTRODUCTION
1.1. OVERVIEW
1.1.1. Hierarchy in Zaba QPKI
1.1.2. Certificate Policy scope and purpose
1.1.3. Certificate types
1.2. DOCUMENT NAME AND IDENTIFICATION
1.3. PKI PARTICIPANTS
1.3.1. Policy Management Authority
1.3.2. Certification authorities
1.3.3. Registration authorities
1.3.4. Provider of qualified Electronic Time-Stamping services
1.3.5. Subscribers
1.3.6. Relying parties
1.3.7. Other participants
1.4. CERTIFICATE USAGE
1.4.1. Appropriate certificate uses
1.4.2. Prohibited certificate uses
1.5. POLICY ADMINISTRATION
1.6. DEFINITIONS AND ACRONYMS
1.6.1. Definitions
1.6.2. Acronyms

2 PUBLICATION AND REPOSITORY RESPONSIBILITIES

3 IDENTIFICATION AND AUTHENTICATION
3.1. NAMING
3.2. INITIAL IDENTITY VALIDATION
3.3. IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS
3.4. IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST

4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
4.1. CERTIFICATE APPLICATION
4.2. CERTIFICATE APPLICATION PROCESSING
4.3. CERTIFICATE ISSUANCE
4.4. CERTIFICATE ACCEPTANCE
4.5. KEY PAIR AND CERTIFICATE USAGE
4.6. CERTIFICATE RENEWAL
4.7. CERTIFICATE RE-KEY
4.8. CERTIFICATE MODIFICATION
4.9. CERTIFICATE REVOCATION AND SUSPENSION
4.10. CERTIFICATE STATUS SERVICES
4.11. END OF SUBSCRIPTION
4.12. KEY ESCROW AND RECOVERY
4.13. QUALIFIED TIME-STAMP SERVICE

5 FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS
5.1. PHYSICAL CONTROLS
5.2. PROCEDURAL CONTROLS
5.3. PERSONNEL CONTROLS
5.4. AUDIT LOGGING PROCEDURES
5.5. RECORDS ARCHIVAL
5.6. KEY CHANGEOVER
5.7. COMPROMISE AND DISASTER RECOVERY
5.8. CA OR RA TERMINATION

6 TECHNICAL SECURITY CONTROLS
6.1. KEY PAIR GENERATION AND INSTALLATION
6.2. PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS


6.3. OTHER ASPECTS OF KEY PAIR MANAGEMENT
6.4. ACTIVATION DATA
6.5. COMPUTER SECURITY CONTROLS
6.6. LIFE CYCLE TECHNICAL CONTROLS
6.7. NETWORK SECURITY CONTROLS
6.8. TIME-STAMPING

7 CERTIFICATE, CRL, AND OCSP PROFILES
7.1. CERTIFICATES PROFILES
7.2. CRL PROFILE
7.2.1. CRL and CRL entry extensions
7.3. OCSP PROFILE

8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS
8.1. FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT
8.2. IDENTITY/QUALIFICATIONS OF ASSESSORS
8.3. ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY
8.4. TOPICS COVERED BY ASSESSMENT
8.5. ACTIONS TAKEN AS A RESULT OF DEFICIENCY
8.6. COMMUNICATION OF RESULTS

9 OTHER BUSINESS AND LEGAL MATTERS
9.1. FEES
9.2. FINANCIAL RESPONSIBILITY
9.3. CONFIDENTIALITY OF BUSINESS INFORMATION
9.3.1. Scope of confidential information
9.3.2. Information not within the scope of confidential information
9.3.3. Responsibility to protect confidential information
9.4. PRIVACY OF PERSONAL INFORMATION
9.5. INTELLECTUAL PROPERTY RIGHTS
9.6. REPRESENTATIONS AND WARRANTIES
9.6.1. CA representations and warranties
9.6.2. RA representations and warranties
9.6.3. Subscriber representation and warranties
9.6.4. Relying party representations and warranties
9.6.5. Representations and warranties of other participants
9.7. DISCLAIMER OF WARRANTIES
9.8. LIMITATIONS OF LIABILITY
9.9. INDEMNITIES
9.10. TERM AND TERMINATION
9.10.1. Term
9.10.2. Termination
9.10.3. Effect of termination and survival
9.11. INDIVIDUAL NOTICES AND COMMUNICATION WITH PARTICIPANTS
9.12. AMENDMENTS
9.13. DISPUTE RESOLUTION PROVISIONS
9.14. GOVERNING LAW
9.15. COMPLIANCE WITH APPLICABLE LAW
9.16. MISCELLANEOUS PROVISIONS


REFERENCE DOCUMENTS

Core legislation

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

Act Implementing Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Council Directive 1999/93/EC (Croatian Official Gazette (hereinafter: Official Gazette) 62/2017)

Subordinate regulations

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Other legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Standardization documents

ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls

FIPS PUB 140-1 – Federal Information Processing Standards Publication 140-1 – Security requirements for cryptographic modules (minimum level 2)

FIPS PUB 140-2 – Federal Information Processing Standards Publication 140-2 – Security requirements for cryptographic modules (minimum level 2)

CWA 14169:2004 – CEN Workshop Agreement – Secure signature-creation devices "EAL 4+"

IETF RFC 3647 (2003) – Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

IETF RFC 5280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

IETF RFC 3739 – Internet X.509 Public Key Infrastructure – Qualified Certificates Profile

IETF RFC 6960 – X.509 Internet Public Key Infrastructure – Online Certificate Status Protocol (OCSP)

CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates

ETSI EN 319 401 V2.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers

ETSI EN 319 411-1 V1.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

ETSI EN 319 411-2 V2.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU Qualified Certificates

ETSI EN 319 412-1 V1.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures

ETSI EN 319 412-2 V2.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons

ETSI EN 319 412-3 V1.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons

ETSI EN 319 412-5 V2.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 5: QCStatements

ETSI EN 319 421 V1.1.1 (2016-03) – Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps

ETSI EN 319 422 V1.1.1 (2016-03) – Electronic Signatures and Infrastructures (ESI); Time-Stamping protocol and time-stamp token profiles

ETSI TS 119 312 – Electronic Signatures and Infrastructures (ESI); Cryptographic Suites

CEN/TS 419 261:2015 – Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures

HRS CEN/TS 419 241:2014 – Security Requirements for Trustworthy Systems Supporting Server Signing (Croatian adoption of CEN/TS 419241:2014)

Zagrebačka banka's documents

Certificate Policy for Qualified Trust Services

Certification Practice Statement for Qualified Certificates for Electronic Signatures and Seals

Qualified Electronic Time-Stamping Authority Practice Statement


1 INTRODUCTION

Zagrebačka banka d.d. (hereinafter: the Bank) has the business opportunity to offer its individual and corporate clients, through direct channels, products and services for which a handwritten signature is mandatory but notarisation is not. Under Croatian and EU law, a Qualified electronic signature is the legal equivalent of a handwritten signature.

The Bank has implemented a Public Key Infrastructure (PKI), Zaba QPKI, in order to issue Qualified Certificates to its clients and to provide the following Qualified Trust Services:

Qualified Electronic Signature for natural persons,

Qualified Electronic Seal for legal persons and

Qualified Electronic Time-Stamp.

Qualified Certificates for electronic signatures and seals will be used to authorise clients' transactions, which ensures the integrity of the data and the authenticity of its origin. Qualified Electronic Time-Stamps will be used primarily for time-stamping Qualified electronic signatures and seals and for preserving their long-term validity.

Qualified Trust Services are regulated by the Law on Electronic Signature and by eIDAS, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, and this Certificate Policy complies with those regulations.

The scope of this Certificate Policy is the Zaba QPKI system, with focus on the complete certificate management lifecycle and on all Qualified Trust Services provided by the Bank.

This Certificate Policy will be published on the Bank's website.

The Bank will issue the following certificates to natural and legal persons (hereinafter: "Subscribers"):

QCP-n-qscd – EU Qualified Certificates issued to natural persons, with the private key corresponding to the certified public key held in a QSCD; certificates for Qualified electronic signatures only, issued remotely and stored on the Bank's infrastructure,

QCP-l-qscd – EU Qualified Certificates issued to legal persons, with the private key corresponding to the certified public key held in a QSCD; certificates for Qualified electronic seals only, issued remotely and stored on the Bank's infrastructure.

More detailed descriptions of the rules and procedures within the scope of this policy are given in the Certification Practice Statement documents.

1.1. Overview

1.1.1. Hierarchy in Zaba QPKI

The hierarchical structure of Zaba QPKI is based on Zaba Root QCA and a two-tier architecture of production Certification Authorities (hereinafter referred to as: "CA"):

Root Certificate Authority: Zaba Root QCA,

Subordinate Certificate Authority: Zaba QCA.

Zaba Root QCA has issued a self-signed Zaba Root QCA certificate as well as certificates to its subordinate CA, Zaba QCA.

The scope of the Certificate Policy and certification practices is Zaba Root QCA and the complete Zaba QPKI hierarchy based on Zaba Root QCA.

Zaba QCA is the CA (hereinafter referred to as: "Zaba QCA") that issues certificates to Subscribers.

Bank has an established service of remote electronic signing and sealing, through which the generation and management of private keys in the name of the Signatory or the Creator of a seal shall be performed by Bank as a Qualified Trust Service Provider. The remote electronic signing and sealing service shall create Qualified electronic signatures and seals based on EU Qualified Certificates.


Certificate hierarchy in Zaba QPKI

Policy and practices documents hierarchy in Zaba QPKI

1.1.2. Certificate Policy scope and purpose

The purpose of the Certificate Policy for Qualified Trust Services is to define the basic rules and principles of certification services for all PKI participants, on the basis of which Bank, as a Qualified Trust Service Provider, shall provide Qualified Certificate issuing services for electronic signatures and for electronic seals.

The scope of this Certificate Policy is the Qualified Trust Services provided by Bank: full lifecycle management of Qualified Certificates for natural and legal persons issued on secure cryptographic devices (QSCD devices) and issuing of Qualified Electronic Time-Stamps. Furthermore, the scope of this Certificate Policy includes usage of Qualified Certificates in the remote electronic signing and sealing service.

Certificates issued under this Certificate Policy constitute the Register of digital certificates (Zaba QRDC), which is based on the Root CA, Zaba Root QCA, and the subordinate Zaba QCA.

Certificate hierarchy in Zaba QPKI (content of the figure):

Zaba Root QCA – 1.3.6.1.4.1.47380.1.5.3.2

Zaba QCA (subordinate CA) – 1.3.6.1.4.1.47380.2.3.4.2

Zaba QCA certificates for natural persons: Qualified Certificates for electronic signature on QSCD (QCP-n-qscd) – 1.3.6.1.4.1.47380.5.6.2.2

Zaba QCA certificates for legal persons: Qualified Certificates for electronic seal on QSCD (QCP-l-qscd) – 1.3.6.1.4.1.47380.5.4.3.2

Zaba QCA certificates for Bank's IT equipment: Certificate for signing response from OCSP service (NCP+), Zaba QOCSP – 1.3.6.1.4.1.47380.5.2.4.1; Certificate for time-stamping (NCP+), Zaba QTSA – 1.3.6.1.4.1.47380.5.2.5.3

Zaba Root QCA certificate for signing response from OCSP service (NCP+), Zaba Root QOCSP – 1.3.6.1.4.1.47380.2.5.1.2

Policy and practices documents hierarchy in Zaba QPKI (content of the figure):

Certificate Policy for Qualified Trust Services – 1.3.6.1.4.1.47380.1.5.1.1

Certification Practice Statement for Qualified Certificate for electronic signature and seal – 1.3.6.1.4.1.47380.1.5.2.1

Qualified Electronic Time-Stamping Authority Practice Statement – 1.3.6.1.4.1.47380.1.5.3.1


Bank notifies all its clients that use Qualified Trust Services from Bank of the rules and principles defined in this Certificate Policy.

The Certificate Policy is approved by Zaba PMA and will be published on Bank's website http://www.zaba.hr/cps.

More detailed descriptions of the rules and procedures within the scope of this policy are given in the Certification Practice Statement documents.

1.1.3. Certificate types

Zaba Root QCA issues these certificates (certificate name – CP OID):

Zaba Root QCA – 1.3.6.1.4.1.47380.1.5.3.2

Certificate for subordinate Zaba QCA – 1.3.6.1.4.1.47380.2.3.4.2

Certificate for signing response from OCSP service (NCP+) – 1.3.6.1.4.1.47380.2.5.1.2

Bank, as a Qualified Trust Service Provider, issues EU Qualified Certificates for electronic signatures and seals.

This Certificate Policy defines the rules of certification for Qualified Certificates issued by Zaba QCA, which comply with the requirements of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter referred to as: Regulation (EU) No 910/2014).

This Certificate Policy defines the groups and types of certificates and the corresponding security levels. Groups of certificates are determined by the type of the Certification Subject. Each type of certificate shall have a Bank and an ETSI Certificate Policy OID (CP OID). Using the CP OID, Signatories, Creators of a Seal and Relying Parties shall determine the certificate's adequacy for a certain application. Each type of certificate shall have a specified security level that determines the certificate's reliability level.

Bank, as a Qualified Trust Service Provider, issues these groups of certificates within the scope of this Certificate Policy:

Zaba QCA certificates for natural persons;

Zaba QCA certificates for legal persons;

Zaba QCA certificates for Bank's IT equipment.

The following table shows the groups and types of Qualified Certificates within the scope of this Certificate Policy (group of certificates – certificate type – CP OID):

Zaba QCA certificates for natural persons – EU Qualified Certificates for electronic signature on QSCD (QCP-n-qscd) – 1.3.6.1.4.1.47380.5.6.2.2

Zaba QCA certificates for legal persons – EU Qualified Certificates for electronic seal on QSCD (QCP-l-qscd) – 1.3.6.1.4.1.47380.5.4.3.2

Zaba QCA certificates for Bank's IT equipment – Certificate for signing response from OCSP service (NCP+) – 1.3.6.1.4.1.47380.5.2.4.1

Zaba QCA certificates for Bank's IT equipment – Certificate for time-stamping service (NCP+) – 1.3.6.1.4.1.47380.5.2.5.3

1.1.3.1 Zaba QCA certificates for natural persons

Zaba QCA certificates for natural persons are intended for personal clients of Bank's direct channel services.

Within the scope of this Certificate Policy, the certificate for natural persons is:

QCP-n-qscd – EU Qualified Certificates issued to natural persons with the private key related to the certified public key in a QSCD – certificate for Qualified electronic signature only on Bank's direct channel services, remotely issued and stored on Bank's infrastructure.

1.1.3.2 Zaba QCA certificates for legal persons

Zaba QCA certificates for legal persons are intended for corporate clients of Bank's direct channel services.

Within the scope of this Certificate Policy, the certificate for legal persons is:

QCP-l-qscd – EU Qualified Certificates issued to legal persons with the private key related to the certified public key in a QSCD – certificate for Qualified electronic seal only on Bank's direct channel services, remotely issued and stored on Bank's infrastructure.

1.1.3.3 Zaba QCA certificates for Bank's IT equipment

The purpose of Zaba QCA certificates for Bank's IT equipment is to provide secure and reliable operation of the other PKI services.


Within the scope of this Certificate Policy are:

Certificate for signing response from OCSP service (NCP+) – NCP+: Normalized Certificate using a secure cryptographic device (HSM) for signing responses from the OCSP service,

Certificate for Qualified Electronic Time-Stamping service (NCP+) – NCP+: Normalized Certificate using a secure cryptographic device (HSM) for the time-stamp service.

1.2. Document name and identification

IANA (Internet Assigned Numbers Authority) has assigned the OID 1.3.6.1.4.1.47380 to Bank.

Document name: Certificate Policy for Qualified Trust Services

Version: 1.4

Approval date: 10. 9. 2019.

Effective date: 25. 11. 2019.

OID: 1.3.6.1.4.1.47380.1.5.1.1

Document is published on URL: http://www.zaba.hr/cps

1.3. PKI participants

Participants within Zaba QPKI are:

Policy Management Authority, PMA;

Certification Authority, CA;

Registration Authority, RA;

Time-Stamp Authority, TSA;

Subscribers;

Relying Parties;

other participants:

o IT providers for hardware and software for PKI;

o cryptography devices providers (HSM, smart cards);

o other authorities;

1.3.1. Policy Management Authority

The Security department in Bank is responsible for the Certificate Policy (hereinafter referred to as: Zaba PMA). Zaba PMA is responsible for the development, implementation and maintenance of the Certificate Policy, certificate practice statement and other documentation for Zaba QPKI.

1.3.2. Certification authorities

Certification authorities in Zaba QPKI under this Certificate Policy are Zaba Root QCA and Zaba QCA.

Certificates issued by Zaba Root QCA and Zaba QCA are explained in Sections 1.1.1. and 1.1.3.

Representations and warranties of Certificate authorities are described in Section 9.6.1.

1.3.3. Registration authorities

Subscriber registration for Bank's Qualified Certificates shall be performed at Bank's Registration Authorities.

Zaba QPKI Registration authorities (hereinafter referred to as: Zaba RA) are Bank's branches.

In Zaba RA, registration processes are performed by Bank's employees in branches responsible for RA processes (hereinafter referred to as: RA officers).

Zaba RA shall perform registration authority tasks in compliance with this Certificate Policy.

Representations and warranties of Registration authorities are described in Section 9.6.2.

1.3.4. Provider of qualified Electronic Time-Stamping services

Bank uses Zaba QTSA to provide its Qualified Electronic Time-Stamping Service, used for time-stamping and for the long-term validity of Qualified electronic signatures and seals. Bank shall provide the Qualified Electronic Time-Stamping Service for Subscribers of Qualified Certificates for electronic signature and seal. Bank shall not provide the Qualified Electronic Time-Stamping Service separately from Qualified Certificates for electronic signature and seal.


1.3.5. Subscribers

Subscriber is Bank's client - a legal or a natural person that has, by concluding an agreement with Bank as a Qualified Trust Service Provider, taken over the contractual obligations of the Subscriber.

In order to use a certification service, Subscribers shall complete the registration procedure and submit their applications, as well as accept the Subscriber obligations and responsibilities referred to in Section 9.6.3 of this Certificate Policy. Subscribers shall conclude the Subscriber Agreement with Bank as the legal basis for issuing a Qualified Certificate.

Certification Subject is identified as a Subject in the certificate, and is the holder of the private key connected to the public key in the certificate.

Subscribers for Qualified Certificates are Subscribers for Qualified Electronic Time-Stamps, used for time-stamping and long time validity of Qualified electronic signatures and seals.

1.3.6. Relying parties

Relying Parties are natural or legal persons that rely upon a Qualified Trust Service. Relying Parties, based on the certificate, shall conduct validation of the electronic signature or seal, and act based on reasonable reliance on the certificate.

Representations and warranties of Relying Parties are described in Section 9.6.4.

1.3.7. Other participants

Other participants of Zaba QPKI are legal persons that do not use Qualified Trust Services but participate in processes that support Qualified Trust Services. Other participants are: IT providers for PKI hardware and software, cryptographic device providers (HSM, smart cards), conformity assessment bodies and other authorities.

1.4. Certificate usage

The Relying Party shall be responsible for accepting a certificate and for establishing reasonable reliance on it. The Relying Party should apply the following criteria when accepting a certificate:

legal requirements related to the electronic signature or seal;

all information from the certificate, the Certificate Policy, the certificate practice statement and other documents;

the potential impact or loss caused by fraudulent activities in the transaction or communication;

any information on compliance or non-compliance related to the subject, the implemented IT solution, the communication or the transaction.

1.4.1. Appropriate certificate uses

A key pair shall not be used for any purpose other than the one for which it was generated. The certificate indicates the key usage.

Certificates issued by Zaba Root QCA and Zaba QCA are explained in Sections 1.1.1. and 1.1.3.

1.4.1.1 Zaba QCA certificates for natural persons

Zaba QCA certificates for natural persons are intended for personal clients of Bank's direct channel services.

Within the scope of this Certificate Policy, the certificate for natural persons is:

QCP-n-qscd – EU Qualified Certificates issued to natural persons with the private key related to the certified public key in a QSCD – certificate for Qualified electronic signature only on Bank's direct channel services, remotely issued and stored on Bank's infrastructure.

QCP-n-qscd certificates comply with ETSI EN 319 411-2 and shall be used for Qualified electronic signature only.

The keyUsage extension of these certificates is critical and has the value nonRepudiation. These Qualified Certificates are the basis for Qualified electronic signatures, which ensure data integrity and authenticity of origin.

1.4.1.2 Zaba QCA certificates for legal persons

Zaba QCA certificates for legal persons are intended for corporate clients of Bank's direct channel services.

Within the scope of this Certificate Policy, the certificate for legal persons is:

QCP-l-qscd – EU Qualified Certificates issued to legal persons with the private key related to the certified public key in a QSCD – certificate for Qualified electronic seal only on Bank's direct channel services, remotely issued and stored on Bank's infrastructure.


QCP-l-qscd certificates comply with ETSI EN 319 411-2 and shall be used for Qualified electronic seal only.

The keyUsage extension of these certificates is critical and has the value nonRepudiation. These Qualified Certificates are the basis for Qualified electronic seals, which ensure data integrity and authenticity of origin.

1.4.1.3 Certificate for time-stamping service and Qualified Electronic Time-Stamps

The Zaba QCA certificate for the time-stamping service is an NCP+ certificate (Normalized Certificate using a secure cryptographic device (HSM)) for the time-stamp service; it complies with ETSI EN 319 411-3 and may be used for issuing Qualified time-stamps only. This certificate guarantees the electronic identity of the Zaba QTSA service.

The keyUsage extension of this certificate is critical and is set to digitalSignature and nonRepudiation; the certificate also carries an extKeyUsage extension marked critical and set to timeStamping.

Qualified time-stamps issued by Zaba QTSA may be used for any purpose requiring evidence that particular data in electronic form existed at the time specified in the issued time-stamp, and they should provide long-term validity for electronically signed or sealed documents.

1.4.1.4 Certificate for signing response from OCSP service

The Zaba QCA certificate for signing responses from the OCSP service is an NCP+ certificate (Normalized Certificate using a secure cryptographic device (HSM)) for the OCSP service; it complies with ETSI EN 319 411-3 and may be used for signing responses from the OCSP service only. This certificate guarantees the electronic identity of the Zaba QOCSP service.

The keyUsage extension of this certificate is critical and is set to digitalSignature and nonRepudiation; the certificate also carries an extKeyUsage extension marked critical and set to OCSPSigning.

1.4.2. Prohibited certificate uses

Except for the appropriate uses of Qualified Certificates described in Section 1.4.1 hereof, all other uses of Qualified Certificates issued under this Certificate Policy shall be prohibited.

Bank recommends that Relying Parties check the OIDs of certificates referred to in Section 1.1.2 hereof.
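The Relying Party check recommended above, as an added example that is not the Bank's own code or policy: the certificatePolicies OIDs of a presented certificate are decoded from their DER encoding, the Bank CP OID is matched against the profiles stated in Sections 1.1.3 and 1.4.1, and keyUsage and extKeyUsage (with their criticality) are compared with what the policy describes for that certificate type. The ETSI QCP-n-qscd policy OID is taken from ETSI EN 319 411-2; the sample extension sets are constructed test inputs, and the assumption that signature and seal certificates carry no extKeyUsage is this example's, not the policy's.

```python
"""Relying-party profile check for certificates issued under the Zaba QPKI Certificate
Policy.  Added example, not the Bank's code: each certificatePolicies OID is decoded from
DER, the Bank CP OID is looked up, and keyUsage/extKeyUsage are compared with the
profiles given in Sections 1.1.3 and 1.4.1."""
from dataclasses import dataclass
from typing import Dict, List, Set

# CP OID -> (certificate type, required keyUsage bits, required extKeyUsage purpose;
# None = the policy lists no extKeyUsage for that type, assumed absent in this example)
PROFILES: Dict[str, tuple] = {
    "1.3.6.1.4.1.47380.5.6.2.2": ("QCP-n-qscd", {"nonRepudiation"}, None),
    "1.3.6.1.4.1.47380.5.4.3.2": ("QCP-l-qscd", {"nonRepudiation"}, None),
    "1.3.6.1.4.1.47380.5.2.5.3": ("NCP+ time-stamping", {"digitalSignature", "nonRepudiation"}, "timeStamping"),
    "1.3.6.1.4.1.47380.5.2.4.1": ("NCP+ OCSP signing", {"digitalSignature", "nonRepudiation"}, "OCSPSigning"),
}

def _base128(value: int) -> bytes:
    """One OID sub-identifier as big-endian base-128 with continuation bits."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    body = b"".join(_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not supported in this example")
    return bytes([0x06, len(body)]) + body

def decode_oid(der: bytes) -> str:
    """DER OBJECT IDENTIFIER -> dotted string; rejects a bad tag/length or a truncated tail."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short-form OBJECT IDENTIFIER")
    body = der[2:]
    if body[-1] & 0x80:  # last byte still has its continuation bit set
        raise ValueError("truncated sub-identifier")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]  # the first two arcs are packed into one sub-identifier
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

@dataclass(frozen=True)
class Verdict:
    accepted: bool
    profile: str
    reason: str

def check_certificate(policy_oids_der: List[bytes], key_usage: Set[str], key_usage_critical: bool,
                      ext_key_usage: Set[str], ext_key_usage_critical: bool) -> Verdict:
    """Accept only if exactly one Bank CP OID is present and the key usage extensions
    match that certificate type's profile exactly (Sections 1.4.1 and 1.4.2)."""
    try:
        cp_oids = [decode_oid(d) for d in policy_oids_der]
    except ValueError as exc:
        return Verdict(False, "", f"undecodable certificatePolicies OID: {exc}")
    known = [o for o in cp_oids if o in PROFILES]
    if len(known) != 1:
        return Verdict(False, "", f"expected exactly one Bank CP OID, found {known or cp_oids}")
    name, want_ku, want_eku = PROFILES[known[0]]
    if not key_usage_critical:
        return Verdict(False, name, "keyUsage must be marked critical")
    if set(key_usage) != want_ku:
        return Verdict(False, name, f"keyUsage {sorted(key_usage)} != required {sorted(want_ku)}")
    if want_eku is None and ext_key_usage:
        return Verdict(False, name, "no extKeyUsage is defined for this certificate type")
    if want_eku is not None and (not ext_key_usage_critical or set(ext_key_usage) != {want_eku}):
        return Verdict(False, name, f"extKeyUsage must be critical and contain only {want_eku}")
    return Verdict(True, name, "extensions match the policy profile")

BANK = "1.3.6.1.4.1.47380"            # Bank's IANA-assigned arc (Section 1.2)
ETSI_QCP_N_QSCD = "0.4.0.194112.1.2"  # ETSI EN 319 411-2 policy OID for QCP-n-qscd
# Constructed extension sets standing in for parsed certificates (not real certificates).
SAMPLES = {
    "natural person, Bank and ETSI CP OIDs": dict(
        policy_oids_der=[encode_oid(BANK + ".5.6.2.2"), encode_oid(ETSI_QCP_N_QSCD)],
        key_usage={"nonRepudiation"}, key_usage_critical=True, ext_key_usage=set(), ext_key_usage_critical=False),
    "TSA cert with non-critical extKeyUsage": dict(
        policy_oids_der=[encode_oid(BANK + ".5.2.5.3")], key_usage={"digitalSignature", "nonRepudiation"},
        key_usage_critical=True, ext_key_usage={"timeStamping"}, ext_key_usage_critical=False),
    "seal cert with keyUsage not critical": dict(
        policy_oids_der=[encode_oid(BANK + ".5.4.3.2")], key_usage={"nonRepudiation"},
        key_usage_critical=False, ext_key_usage=set(), ext_key_usage_critical=False),
    "ETSI policy OID only": dict(
        policy_oids_der=[encode_oid(ETSI_QCP_N_QSCD)], key_usage={"nonRepudiation"},
        key_usage_critical=True, ext_key_usage=set(), ext_key_usage_critical=False),
}

def run_samples() -> Dict[str, bool]:
    """Map each constructed sample to whether a Relying Party should accept it."""
    return {label: check_certificate(**ext).accepted for label, ext in SAMPLES.items()}
```

Only the first sample is accepted; the other three show the rejections a Relying Party should produce for a missing Bank CP OID or for key usage extensions that do not match the profile.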

1.5. Policy Administration

Contact details for administration and content of this Certificate Policy are given below:

Mailing address:

Zagrebačka banka d.d.

Upravljanje sustavom zaštite

Samoborska 145, 10090 Zagreb, Hrvatska

Telephone: +385-1-6104-225

Telefax: +385-1-6325-425

E-mail: [email protected]

Certificate Policy is published on: http://www.zaba.hr/cps

Zaba PMA is responsible for development, implementation and maintenance of Certificate Policy, Certification Practice Statement for Qualified Certificates for electronic signature and seals, Qualified Electronic Time-Stamping Authority Practice Statement and other documentation for Zaba QPKI.

1.6. Definitions and acronyms

1.6.1. Definitions

Activation data - Confidential data necessary to access or activate the cryptographic module. Activation data may be a PIN, password or electronic key which the person knows or possesses.

Advanced electronic seal - Electronic seal that meets the following requirements:

it is uniquely linked to the Creator of a seal;

it is capable of identifying the Creator of a seal;

it is created using electronic seal creation data that the Creator of a seal can, with a high level of confidence, use under its control for electronic seal creation; and

it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable.

Advanced electronic signature - Electronic signature that meets the following requirements:

it is uniquely linked to the Signatory;

it is capable of identifying the Signatory;

it is created using electronic signature creation data that the Signatory can, with a high level of confidence, use under its exclusive control; and

it is linked to the signed data in such a way that any subsequent change in the data is detectable.

Associated Person - Natural person employed at the legal person or otherwise associated with the legal person, and who is authorized by the same legal person to receive certificates. Such a certificate identifies both the person and the legal person, and indicates that the person is associated with the legal person.

Audit log journal - Set of records that automatically logs events that are relevant for compliance with Regulation (EU) No 910/2014.

Authentication - An electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed.

Authorised Representative - Natural person authorised legally or by proxy to represent the Creator of a seal in the issuance procedure and/or revocation of the Certificate for the Electronic Seal.

CA Certificate - Public-key certificate for one CA issued by another CA or by the same CA.

Certificate for electronic seal - Electronic attestation that connects the electronic seal validation data with the legal person and confirms the name of that person.

Certificate for electronic signature - Electronic attestation that connects the electronic signature validation data with the natural person and confirms at least the name or pseudonym of that person.

Certificate Policy - A named set of rules which indicates the certificate applicability to a certain group and/or class of applications with common security requirements.

Certificate reactivation - An action that makes a suspended certificate valid from the moment of reactivation.

Certificate revocation - An action that makes a certificate irrevocably invalid from the moment of revocation.

Certificate Revocation List - Signed list indicating a set of certificates that are no longer considered valid by the certificate issuer.

Certificate suspension - An action that makes a certificate invalid from the moment of suspension. A suspended certificate may be reactivated and thus made valid again.

Certificate validation - Process of verifying and confirming that a certificate is valid.

Certification Authority - Authority trusted by one or more users to create and assign public-key certificates. A Certification Authority may be:

1. a trust service provider that creates and assigns public key certificates; or

2. a technical certificate generation service that is used by a certification service provider that creates and assigns public key certificates.

Certificate password – Complex password mandatory to access the private key of an EU Qualified Certificate for a natural person; it represents sole control for the Subscriber.

Certification Practice Statement - Statement of the practices which a Certification Authority employs in issuing, managing, revoking, and renewing or re-keying certificates.

Certification services - Services of issuance and lifecycle management of certificates.

Certification system - System of IT products and components organised for providing certification services.


Conformity Assessment Body - A body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a Qualified Trust Service Provider and the Qualified Trust Services it provides.

Coordinated Universal Time (UTC) - Second-based time scale as defined by ITU-R Recommendation TF.460-5. For most practical applications, UTC is equivalent to the mean solar time of the Prime Meridian (0°). More precisely, UTC is a compromise between the very stable atomic time (fr. Temps Atomique International - TAI) and solar time derived from the irregular rotation of the Earth (in relation to the agreed Greenwich mean sidereal time (GMST)).

Creator of a seal - A legal person who creates an electronic seal.

Cryptographic module - Software or device of a certain security level which shall:

generate a key pair and/or

protect cryptographic information, and/or

perform cryptographic functions.

Distinguished Name (DN) - A unique name of the Subject entered in the certificate. The distinguished name uniquely identifies the Subject to whom the certificate is issued and is unique within one CA.

Electronic seal - Data in electronic form which is attached to or logically associated with other data in electronic form to ensure the latter's origin and integrity.

Electronic Seal Creation Data - Unique data which is used by the creator of the electronic seal to create an electronic seal.

Electronic Seal Creation Device - Configured software or hardware used to create an electronic seal.

Electronic signature - Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Electronic Signature Creation Data - Unique data which is used by the signatory to create an electronic signature.

Electronic Signature Creation Device - Configured software or hardware used to create an electronic signature.

Electronic Time-Stamp - Data in electronic form which binds other data in electronic form to a particular time, establishing evidence that the latter data existed at that time.

EU Qualified Certificate - Qualified Certificate as specified in Regulation (EU) No 910/2014.

Key Pair - Two uniquely linked cryptographic keys, one of which is a private key and the other a public key.

Legal person -

1. Legal persons, such as:

companies;

credit and financial institutions;

public and private institutions;

associations with legal personality;

non-profit and non-government organizations with legal personality;

funds with legal personality;

local and regional self-government units (municipalities, towns and counties) etc.

2. Public authorities, such as:

state authorities;

state administration bodies;

state agencies etc.

3. Natural persons with a registered business, such as:

trades people;

attorneys;

notaries public etc.

Legal Representative - A person legally authorised to represent the Subscriber which is a Legal person.

Mobile token – Software token on a mobile device, which Bank assigns to clients as a strong authentication device in compliance with Regulation (EU) No 910/2014, the Act Implementing Regulation (EU) No 910/2014 1502/2015 and Bank's Terms and Conditions for Direct channels for natural and legal persons.

Natural person – citizen - Natural person requesting the certification service for the purpose of using the certificate for and on her/his own behalf, excluding any natural person with a registered business activity, any self-employed natural person and any natural person acting for and on behalf of another natural or legal person (Associated Person).

Policy Management Authority (PMA) - Body with final authority and responsibility for specifying and approving the Certificate Policy.

Private Key - In a public key cryptographic system, that key of an entity's key pair which is known only by that entity.

Public Directory - IT system which is used for online publication of information concerning certificates, including information on certificate revocation.

Public Key - In a public key cryptographic system, that key of an entity's key pair which is known only by that entity.

Public Key Infrastructure (PKI) - Infrastructure able to support the management of public keys and to support authentication, encryption, integrity or non-repudiation services.

QSCD Device - Qualified Electronic Signature/Seal Creation Device (see the terms "Qualified Electronic Signature Creation Device" and "Qualified Electronic Seal Creation Device").

Qualified Auditor - Natural or legal person that meets the requirements stated in the Baseline Requirements document published by the CA/Browser Forum.

Qualified Certificate for the Electronic Seal - A certificate for an electronic seal that is issued by a Qualified Trust Service Provider and meets the requirements laid down in Annex III of Regulation (EU) No 910/2014.

Qualified Certificate for the Electronic Signature - A certificate for electronic signatures that is issued by a Qualified Trust Service Provider and meets the requirements laid down in Annex I of Regulation (EU) No 910/2014.

Qualified Electronic Seal - An advanced electronic seal which is created by a Qualified electronic seal creation device and is based on a Qualified Certificate for electronic seal.

Qualified Electronic Seal Creation Device - An electronic seal creation device that meets mutatis mutandis the requirements laid down in Annex II of Regulation (EU) No 910/2014.

Qualified Electronic Signature - An advanced electronic signature that is created by a Qualified electronic signature creation device and is based on a Qualified Certificate for electronic signatures.

Qualified Electronic Signature Creation Device - An electronic signature creation device that meets the requirements laid down in Annex II of Regulation (EU) No 910/2014.

Qualified Electronic Time-Stamp - Electronic Time-Stamp that meets the following requirements:

it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

it is based on an accurate time source linked to Coordinated Universal Time; and

it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the Qualified Trust Service Provider, or by some equivalent method.

Qualified Trust Service Provider - Trust Service Provider that provides one or more Qualified Trust Services and is granted Qualified status by the supervisory body.


Registration Authority - Authority responsible for identification and authentication of certification subjects, as well as other persons or organisations.

Registration Officer - Person responsible for confirming the data necessary for certificate issuance and for authorising the application for certificate issuance.

Regular Certificate Renewal - Certificate renewal in Zaba QPKI means issuance of a new certificate whose parameters are the same as those of the certificate to which the application relates, but with a new public key, new certificate serial number, new operational period and new signature of the same CA; it is carried out in the defined period before the expiry of certificate validity.

Relying Party - Natural or legal person that relies upon an electronic identification or a trust service.

Remote electronic signing and sealing service - Service that coordinates and manages the process through which the end-user may, by using his/her personal device, remotely sign or seal a document or other information by using a signing key stored in this service, remotely from the user.

Revocation Officer - Person responsible for the change of the certificate's operative status.

Root CA - Certification authority which is at the highest level within the trust service provider's domain and which is used to sign subordinate CA(s).

Root CA Certificate - CA Certificate that the Root CA issued to itself.

Secure Cryptographic Device - Device which holds the Subscriber's private key, protects this key against compromise and performs signing or decryption functions on behalf of the user.

Signatory - A natural person who creates an electronic signature.

Signature verification - Process of checking the cryptographic value of a signature using signature verification data.

Signature verification data - Data, such as codes or public cryptographic keys, used for the purpose of verifying a signature.

State Administration Body - State authority body responsible for performing state administration tasks in the administrative domain of its competence. State administration bodies include ministries, state offices, administrative organizations and county state administration offices or other state administration bodies established by the applicable law in force.

Subject - Entity identified in a certificate as the holder of the private key associated with the public key given in the certificate.

Subscriber - Legal or natural person bound by agreement with a trust service provider to any Subscriber obligations.

Trust Service Provider - A natural or a legal person who provides one or more trust services, either as a Qualified or as a non-Qualified Trust Service Provider.

Trusted list - List that provides information about the status and the status history of the trust services from trust service providers regarding compliance with the applicable requirements and the relevant provisions of the applicable legislation.

Trusted roles - Roles which are responsible for secure operation of the trust service provider. Trusted Roles

and the corresponding responsibilities shall be clearly described by the Trust Service Provider in the

employee's job description.

TSA system - Composition of IT products and components organized to support the provision of time-

stamping services.

Validation - Process of verifying and confirming that an electronic signature or a seal is valid.

Validation data - Data used for electronic signature or electronic seal validation.

Zaba QPKI – PKI implemented in Bank for providing Qualified Trust Services.


Zaba QPKI Private Keys – Private keys for the key Zaba QPKI components: Zaba Root QCA, Zaba QCA, Zaba QTSA and Zaba QOCSP, and Subscriber private keys stored on HSM/QSCD devices in Zaba QPKI protected zones.

Zaba QRDC – Register of digital certificates, which is based on the Root CA (Zaba Root QCA) and the subordinate Zaba QCA.

Zaba RA – Registration authorities for Zaba QPKI are Bank's branches.

1.6.2. Acronyms

CA – Certification Authority

CP – Certificate Policy

CPS – Certification Practice Statement

CRL – Certificate Revocation List

CSP – Certification Service Provider

DN – Distinguished Name

DR – Disaster Recovery

IS – Information system

ISO – International Standards Organization

LDAP – Lightweight Directory Access Protocol

OCSP – Online Certificate Status Protocol

OID – Object Identifier

PKCS – Public Key Cryptography Standards

PKI – Public Key Infrastructure

PMA – Policy Management Authority

QTSA – Qualified Time-Stamping Authority

RA – Registration Authority

SSCD – Secure Signature Creation Device

SSL/TLS – Secure Sockets Layer/Transport Layer Security

TL – Trusted List

TP – Time-Stamp Policy

TSU – Time-Stamping Unit

URL – Uniform Resource Locator

UTC – Coordinated Universal Time


2 PUBLICATION AND REPOSITORY RESPONSIBILITIES

The Zaba QPKI repository shall be managed by the Bank as a Qualified Trust Service Provider. The Bank is responsible for the Zaba QPKI repository and for the documents and information published in it.

The repository consists of two parts: documents on the Bank's web site and public LDAP information.

The following documents are available at Zaba QPKI web pages: http://www.zaba.hr/cps:

this document Certificate Policy and its summary document;

Certification Practice Statement for Qualified Certificates for electronic signature and seal and Qualified Time-Stamp Authority Practice Statement;

the CA certificate for Zaba Root QCA and Zaba QCA;

application form for Subscribers;

manuals and instructions for using the signing software; and

CRL for Zaba Root QCA and CRL for Zaba QCA.

The Bank manages and publishes the list of revoked certificates in order to provide information on the status of certificates. The revocation list is updated following every request and is published at least every 24 hours for Zaba QCA (which issues Subscriber certificates).

The revocation list can be consulted at one of the following links:

OCSP - http://ocsp.zaba.hr

LDAP - ldap://ldap.zaba.hr

Bank ensures high availability of Zaba QPKI repository.


3 IDENTIFICATION AND AUTHENTICATION

Bank, which acts as Zaba RA, identifies natural or legal persons for a certificate and ensures the authenticity of the request as described in the following Sections.

The identification and authentication of the certificate holder take place when the holder applies for the first Bank service. The Bank shall not perform additional identification and authentication for the Qualified Time-Stamp service, because this service is provided only to Subscribers of Qualified Certificates.

3.1. Naming

The Subject's name shall be entered in each certificate for a natural or legal person. The "Subject" field in the certificate complies with IETF RFC 5280 and the X.501 standard and must be meaningful. Details on certificate profiles are given in Section 7.1. hereof.

The uniqueness of the Distinguished Name shall be secured by the Serial Number attribute value in the certificate Subject field.

Anonymity or pseudonymity of Subscribers shall not be supported.

3.2. Initial identity validation

For EU Qualified Certificates for natural persons (QCP-n-qscd): The identity of the natural person and any specific attributes of the person necessary for the certificate shall be verified:

a) by the physical presence of the natural person in the Bank's branch; or

b) using methods which provide equivalent assurance in terms of reliability to physical presence and for which the Bank can prove the equivalence according to the Regulation (EU) No 910/2014.

The Bank uses strong authentication methods (i.e. a mobile token) as equivalent to physical presence. The Bank issues Qualified Certificates to its own clients, and the risk is further reduced by using the same strong authentication methods to secure its other direct channel services, together with anti-fraud tools (i.e. to detect compromised mobile tokens).

For EU Qualified Certificates for legal persons (QCP-l-qscd): The identity of the natural person and any specific attributes of the person necessary for the certificate shall be verified:

a) by the physical presence of an Authorised Representative of the legal person in the Bank's branch; or

b) using methods which provide equivalent assurance in terms of reliability to physical presence and for which the Bank can prove the equivalence according to the Regulation (EU) No 910/2014.

The Bank uses strong authentication methods (i.e. an electronic certificate on an SSCD and a mobile token) as equivalent to physical presence. The Bank issues Qualified Certificates to its own clients, and the risk is further reduced by using the same strong authentication methods to secure its other direct channel services, together with anti-fraud tools (i.e. to detect compromised mobile tokens or certificates).

During physical presence verification natural persons and Authorised Representative of legal person shall prove their identity by means of a valid ID card or a passport. Natural persons and Authorised Representative of legal person, whose ID card or passport has not been issued in the Republic of Croatia, shall prove their identity by a valid identification document they used to enter the Republic of Croatia.

For the purposes of initial natural person identification and authentication, Bank shall collect and verify the following personal data:

name and surname,

date, place and country of birth,

OIB (if OIB is assigned),

data on the identity document,

mailing address,

e-mail address,

telephone number.

Legal persons shall prove their identity according to internal Bank's regulation and other regulation for legal persons (i.e. Anti-Money Laundering Law stipulations).

Identification and identity authentication of legal persons shall be carried out by checking:

Legal person registered name,

Legal person legal existence,


Registration with the competent registry,

Company number from the competent registry,

Legal person OIB, if assigned,

Legal person registered office address.

3.3. Identification and authentication for re-key requests

A routine certificate renewal shall be carried out near the end of certificate life cycle and shall include the procedure of generating a new Subscriber's key pair (see 4.6 and 4.7). Identification and authentication is based on valid Qualified Certificate and strong authentication methods.

An expired or revoked Qualified Certificate cannot be used for identification and authentication for re-key. In that case identification and authentication is based on strong authentication methods.

3.4. Identification and authentication for revocation request

Bank shall identify and authenticate natural or legal persons for certificate revocation by different methods depending on the channel used for sending request:

revocation request in person in the Bank's branch - identification and authentication shall be carried out by a direct identification of the natural person or Authorised Representative of legal person as in Section 3.2.;

revocation request via mail, telefax or a courier service - identification and authentication shall be carried out in the Bank's branch by verifying the copy of the identification document;

revocation request via phone - identification and authentication shall be carried out by a return call from the Bank to the telephone number previously stored in the Bank's database.

Revocation request via email is not supported in Zaba QPKI.

Certificate suspension is not supported in Zaba QPKI.

Reasons for which certificates can be revoked include:

compromise of subject's private key,

death of the subject,

unexpected termination of a Subscriber's or subject's agreement or business functions,

violation of contractual obligations.

The maximum delay between receipt of a revocation request and the decision to change its status information being available to all relying parties shall be at most 24 hours.

The maximum delay between the confirmation of the revocation of a certificate to become effective and the actual change of the status information of this certificate being made available to relying parties shall be at most 60 minutes.

The Bank manages and publishes the list of revoked certificates in order to provide information on the status of certificates. The revocation list is updated following every request and is published at least every 24 hours for Zaba QCA (which issues Subscriber certificates).

The revocation list can be consulted on one of the following links:

OCSP - http://ocsp.zaba.hr

LDAP - ldap://ldap.zaba.hr


4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1. Certificate Application

A certificate application may be submitted by the Bank's clients, natural or legal persons.

Prior to the initial issuance of each certificate the Subscriber shall conclude a certification service agreement with Bank. In the case of a certificate for electronic seal the agreement shall be signed by the Authorised Representative.

The certificate application may be submitted to Registration Authorities within Bank's branches.

The application for the issuance of Qualified Certificate for natural person shall be submitted by natural person.

The application for the issuance of Qualified Certificates for legal person shall be submitted by the Authorised Representative.

The certificate application may also be submitted in electronic form, in which case the application is signed using a mobile token or an electronic certificate on an SSCD.

The Subscribers shall conclude a Certification Service Agreement with Bank, whereby they shall accept this Certificate Policy and Certification Services Terms and Conditions.

The Subscriber shall sign the Agreement in the same manner as signing the certificate application, that is, as described in this Section.

In the certificate application process Applicants shall submit the certificate application completed accurately and entirely as well as duly sealed and signed, and the documentation enclosed or provided shall be accurate and complete, as well as valid at the time the certificate application is submitted.

Process for certificate application is described in Certification practice statement for Qualified Certificates for electronic signature and seals.

The Subscriber's obligations and responsibilities are given in the Section 9.6.3 hereof.

The RA obligations and responsibilities are given in the Section 9.6.2 hereof.

4.2. Certificate application processing

Identification and authentication of the Applicants is performed as described in Chapter 3. hereof.

Zaba RA shall verify the data in the documents enclosed by the Applicant and confirm the accuracy and completeness of the information in the certificate application. The approval or rejection of certificate applications shall be performed by Zaba RA. Zaba RA shall notify a rejected Applicant, explaining the reasons for rejection.

Under normal circumstances, the certificate application processing time shall be up to three business days from the receipt of the application by Zaba RA.

4.3. Certificate issuance

Zaba QCA shall issue the certificate after all data verification processes have been performed and the certificate application approved. Certificate issuance is carried out in secure manner to ensure the authenticity of the certificate. For this reason, Bank has implemented measures to prevent forgery of certificates.

During certificate issuance process Zaba QCA shall:

generate the Subscriber's key pair in line with Section 6.1. hereof,

create the certificate, as applied for, for the Subscriber's public key delivered in line with Section 6.1. hereof,

make the certificate available to the Signatory or the Authorised Representative of the legal person for online retrieval,

make the certificate available on Zaba QPKI repository.

4.4. Certificate acceptance

Before entering into a contractual relationship with a Subscriber, Bank shall inform the Subscriber of the terms and conditions regarding use of the certificate.

Acceptance of the certificate by the Signatory, or Authorised Representative, shall be a prerequisite for using the certificate.

By accepting the certificate, the Signatory, or Authorised Representative, shall accept that all the data entered in the certificate are accurate and true at the moment of its acceptance, and that they are not misleading.


During or immediately upon acceptance of the certificate, the Signatory, or Authorised Representative, shall verify its contents. If any part of the certificate contents is unacceptable, the Signatory, or Authorised Representative, shall immediately notify Bank thereof, stating the reasons for the non-acceptance of the certificate.

The Signatory, or Authorised Representative, shall be considered to have accepted the certificate at the moment of its first use. If the Signatory, or Authorised Representative, has not used the issued certificate at least once within eight (8) days of its receipt, nor has refused to accept the certificate within this period, the certificate shall be considered accepted.

Zaba Root QCA and Zaba QCA certificates shall be published on the web site of the Zaba QPKI repository.

Zaba QCA does not publish certificates in a public directory and does not notify other parties of certificate issuance.

4.5. Key pair and certificate usage

The Subscriber key pair referred to in Section 6.1. hereof shall be managed by Bank, as a Qualified Trust Service Provider, on behalf of the Signatory, or the Creator of a Seal, and with regard to these keys undertakes to ensure:

that the electronic signature private key is used solely under the control of the Signatory (natural person),

that the electronic seal private key is used under the control of the Creator of a Seal (Authorised Representative of legal person),

that digital signatures are only created by a QSCD device,

that Qualified Certificates for natural person shall be used for electronic signatures only,

that Qualified Certificates for legal person shall be used for electronic seals only.

The Subscriber's obligations shall include:

an obligation to provide the Zaba QCA with accurate and complete information in accordance with the requirements of the present document, particularly with regards to registration;

an obligation for the key pair to be only used in accordance with any limitations notified to the Subscriber and the subject if the subject is a natural or legal person;

prohibition of unauthorized use of the subject's private key;

an obligation to notify the Zaba QCA without any reasonable delay, if any of the following occur up to the end of the validity period indicated in the certificate:

o the subject's private key has been lost, stolen, potentially compromised;

o control over the subject's private key has been lost due to compromise of activation data (e.g. PIN code) or other reasons;

o inaccuracy or changes to the certificate content, as notified to the Subscriber or to the subject;

The Relying Party that intends to rely on the certificate issued in accordance with this Certificate Policy, shall:

take care of the appropriate use and of the prohibited use of the certificate,

verify the validity period of all the certificates in the certification chain,

verify the revocation and suspension status of certificate.

4.6. Certificate renewal

Every certificate renewal in Zaba QPKI shall imply certificate issuance with a new key pair to the same Subject. Such certificate renewal procedure is described in Section 4.7 hereof.

4.7. Certificate re-key

Bank shall issue a certificate with the same parameters as the parameters of the certificate to which the application refers, but with a new public key, new certificate serial number, new validity period and a new signature by the Zaba QCA.

Routine certificate renewal shall be performed if the Subscriber certificate is about to expire and the Subscriber intends to continue to use the service. A certificate may be so renewed if the following conditions have been met:

the validity of the certificate has not expired,

the certificate shall expire in a period shorter than 30 days,


the certificate has not been revoked or suspended,

subject data and other attributes contained in the certificate are accurate and complete at the moment of submitting the certificate renewal application,

the Subscriber's agreement with the Bank is valid for longer than the re-keyed certificate.

If the Subscriber's agreement with the Bank would expire before the re-keyed certificate, the agreement shall be renewed before the certificate.

Certificate renewal or certificate issuance after expiry may be requested by the same entities that can request the certificate issuance, according to Section 4.1 hereof.

The certificate renewal process is performed under Zaba QCA control and is described in the Certification practice statement for Qualified Certificates for electronic signature and seals.

Bank shall notify the Signatory, or the Authorised Representative, about the upcoming certificate expiry (30 days before), and invite them to renew the certificate and perform generation of a new key pair.

4.8. Certificate modification

The Signatory, or the Authorised Representative of the legal person, shall notify the Bank of the need to modify data contained in the certificate within two days and request certificate data modification.

The Bank shall carry out certificate data modification only during the validity period of a certificate that has not been revoked or expired.

Modifications in valid certificates shall be performed by revoking existing certificate and issuing new certificate with updated information in certificate and new key pair.

Circumstances for certificate modification for Qualified Certificates for natural or legal persons may be a change of:

Signatory's name or surname,

name of legal person,

name of the place of residence of the natural person or the name of the place of registered office of the legal person,

e-mail address.

Circumstances for certificate modification for certificates for the Bank's IT equipment may be a change of:

server name or application/service name,

name of legal person,

name of the place of registered office of the legal person,

e-mail address,

certificate extensions.

Certificate modification may be requested by the same entities that can request the certificate issuance, according to Section 4.1 hereof.

4.9. Certificate revocation and suspension

Bank shall revoke certificates in a timely manner based on authorized and validated certificate revocation requests.

Bank shall revoke any non-expired certificate:

that is no longer compliant with the CP under which it has been issued; or

for which the Bank is aware of changes which impact the validity of the certificate; or

for which the used cryptography is no longer ensuring the binding between the subject and the public key; or

in the event of loss or permanent unavailability of the private key; or

if the Bank has received official notice of the death of the Signatory or loss of the Signatory's legal capacity; or

in the event of termination of the Certification Service Agreement by the Subscriber; or

in the event of an official notification of the use of the certificate for illegal purposes; or

if the Bank determines that the certificate, with its technical characteristics, profile or content, no longer provides the appropriate level of trust to Relying Parties; or

in cases when this is required by law or other regulations.


Certificate revocation may be requested by the same entities that can request the certificate issuance, according to Section 4.1 hereof.

Immediately upon the occurrence of any reason for revocation listed above in this Section, the written certificate revocation request shall be completed accurately and entirely, as well as signed and submitted as soon as possible in one of the following ways:

by personal delivery to Zaba RA – Bank's branches during office hours, or

by mail or courier at Zaba RA – Bank's branches address.

Certificate shall be revoked in the shortest reasonable time period, and not later than 24 hours from the receipt of the corresponding request.

Certificate revocation procedures are described in more detail in the Certification practice statement for Qualified Certificates for electronic signature and seals.

4.10. Certificate status services

Revocation status information shall be available 24 hours per day, 7 days per week. Upon system failure, service or other factors which are not under the control of Bank, the service shall be available in accordance with the Business Continuity Plan.

Bank provides information about the revocation status of a certificate by way of the OCSP service or by publication of CRL. Certificate revocation status information shall be available during certificate validity period and after the certificate’s expiry.

Relying Parties are recommended to use the Zaba QOCSP service (http://ocsp.zaba.hr) for certificate status verification; status verification through retrieval of a CRL may be used as an alternative verification method in case of OCSP service unavailability or if the Relying Party's application supports verification of certificate status only via CRL.

Address for complete CRL for Zaba QCA certificates on web server:

http://www.zaba.hr/crl/ZabaQCA.crl

Address for complete CRL for Zaba QCA certificates on public directory:

ldap://ldap.zaba.hr/CN=ZabaQCA, O=Zagrebacka banka d.d., C=HR?certificateRevocationList;binary
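The Relying Party checks that Sections 4.5 and 4.10 ask for (validity period of the whole chain, then revocation status from a fresh CRL signed by the issuing CA), as an added Go example that is not part of this Policy or the Bank's software. The issuing CA, the Subscriber certificate and the CRL are constructed fixtures with ECDSA keys, and the CRL is checked offline rather than fetched from the addresses above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a Relying Party check; "unknown" (stale CRL, CRL not
// signed by the issuing CA, broken chain) must never be treated as "good".
type Status string

const StatusGood, StatusRevoked, StatusExpired, StatusUnknown Status = "good", "revoked", "expired", "unknown"

// newCert is a constructed fixture helper (assumption: ECDSA P-256 keys, for speed):
// a self-signed CA certificate with keyCertSign/cRLSign, or a Subscriber certificate.
func newCert(cn string, serial int64, isCA bool, now time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		// Section 3.1: the Subject serialNumber attribute is what keeps the DN unique.
		Subject:   pkix.Name{CommonName: cn, SerialNumber: fmt.Sprintf("EXAMPLE-%d", serial), Country: []string{"HR"}},
		NotBefore: now.Add(-time.Hour),
		NotAfter:  now.Add(2 * 365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageContentCommitment,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCRL signs a CRL listing the given serials, with nextUpdate 24 h ahead (Section 2).
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(now.Unix()),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, ca, caKey)
}

// checkStatus performs the Relying Party checks from Sections 4.5 and 4.10: validity
// period and chaining of every certificate, then a fresh CA-signed CRL, then the lookup.
func checkStatus(ee, ca *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := ee.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			return StatusExpired, err
		}
		return StatusUnknown, err
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return StatusUnknown, fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return StatusUnknown, errors.New("CRL outside its thisUpdate/nextUpdate window: fetch a fresh CRL or use OCSP")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	now := time.Now()
	ca, caKey, _ := newCert("Example QCA", 1, true, now, nil, nil)
	ee, _, _ := newCert("Ivan Horvat", 42, false, now, ca, caKey)
	crl, _ := issueCRL(ca, caKey, []*big.Int{ee.SerialNumber}, now)
	fmt.Println(checkStatus(ee, ca, crl, now.Add(time.Minute))) // revoked <nil>
}
```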

4.11. End of subscription

If a Subscriber terminates the Agreement before the expiry of a certificate, Zaba QCA shall revoke all certificates associated with that Agreement.

4.12. Key escrow and recovery

The security of any duplicated subject's private keys shall be at the same level as for the original subject's private keys. The number of any duplicated subject's private keys shall not exceed the minimum needed to ensure continuity of the service.

4.13. Qualified Time-Stamp Service

Qualified Electronic Time-Stamps shall be signed using the RSA private key of Zaba QTSA having a length of 2048 bits and using the cryptographic algorithms SHA-256 and RSA.

Zaba QTSA shall ensure that Qualified Electronic Time-Stamps are issued in a secure manner and provide an accurate time designation.

For each qualified electronic time-stamp, it shall be ensured that:

it includes the OID of this Policy under which it was issued (QTP OID);

it includes a unique identifier;

the time used in TSU may be matched to the actual time received from a reliable source;

it includes accurate time information provided by TSU at the time of issuing the electronic time-stamp;

it includes a hash representation of the electronic record for which an electronic time-stamp is to be issued;

it is signed using a TSU private key intended solely for the purpose of time-stamp signing;

it includes the identifier of the country where Zaba QTSA is established;

it includes the identifier for Zaba QTSA; and


it includes the identifier of the issuing TSU.

An electronic time-stamp shall be issued as recommended by IETF RFC 3161 and ETSI EN 319 421, with a profile compliant with ETSI EN 319 422.

As a Qualified Electronic Time-Stamping Service Provider, Bank is required to provide accurate information of the time incorporated in an electronic time-stamp. The UTC time incorporated in each electronic time-stamp has a guaranteed accuracy of 1 s.

Bank shall ensure that the Zaba QTSA system’s time is correctly synchronized with the UTC time within the accuracy limits, in particular by:

periodic clock calibrations;

protecting against TSU time tampering;

detecting any drifts or jumps out of synchronization with the UTC time, and

providing for leap second events.

The primary reliable source of UTC time in the Zaba QTSA system is the satellite GPS signal.

As an alternative reliable source of UTC time, the Zaba QTSA system uses UTC data obtained over an Internet connection using the NTP protocol, which enables synchronization with the reliable UTC time source of a reference laboratory.

In case of unavailability of the primary reliable source of UTC time Zaba QTSA system automatically switches to the alternate reliable source of UTC time.
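Building and checking an RFC 3161 TSTInfo with the fields Section 4.13 lists (policy OID, unique serial number, UTC genTime, SHA-256 imprint of the record, stated accuracy of 1 s, signature by the TSU key), as an added Go example that is neither this Policy's text nor Zaba QTSA code. The policy OID is a constructed placeholder (the QTP OID is not given on this page), the TSU key is a freshly generated RSA-2048 key, and the token is simplified to TSTInfo plus a direct PKCS#1 v1.5 signature instead of the CMS SignedData wrapper RFC 3161 specifies.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-sha256 (RFC 5754), and a constructed placeholder for the Zaba QTP OID under the 2.999 example arc.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
var oidQTPPlaceholder = asn1.ObjectIdentifier{2, 999, 1, 1}

// The types mirror RFC 3161 TSTInfo; ordering, nonce, tsa and extensions are omitted.
type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

type Accuracy struct {
	Seconds int `asn1:"optional"`
	Millis  int `asn1:"tag:0,optional"`
	Micros  int `asn1:"tag:1,optional"`
}

type TSTInfo struct {
	Version        int
	Policy         asn1.ObjectIdentifier
	MessageImprint MessageImprint
	SerialNumber   *big.Int
	GenTime        time.Time `asn1:"generalized"`
	Accuracy       Accuracy  `asn1:"optional"`
}

// TimeStampToken is simplified (assumption): DER TSTInfo plus an RSA PKCS#1 v1.5
// SHA-256 signature over it; real tokens wrap TSTInfo in CMS SignedData.
type TimeStampToken struct{ TSTInfoDER, Signature []byte }

// IssueTimeStamp is the TSU side: hash the record, fill the fields Section 4.13
// requires (policy OID, unique serial, UTC genTime, 1 s accuracy) and sign.
func IssueTimeStamp(tsuKey *rsa.PrivateKey, policy asn1.ObjectIdentifier, serial *big.Int, record []byte, genTime time.Time) (*TimeStampToken, error) {
	imprint := sha256.Sum256(record)
	der, err := asn1.Marshal(TSTInfo{
		Version:        1,
		Policy:         policy,
		MessageImprint: MessageImprint{HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, HashedMessage: imprint[:]},
		SerialNumber:   serial,
		GenTime:        genTime.UTC().Truncate(time.Second),
		Accuracy:       Accuracy{Seconds: 1}, // page: guaranteed accuracy of 1 s
	})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(der)
	sig, err := rsa.SignPKCS1v15(rand.Reader, tsuKey, crypto.SHA256, digest[:])
	return &TimeStampToken{TSTInfoDER: der, Signature: sig}, err
}

// VerifyTimeStamp is the Relying Party side: TSU signature first, then the
// mandatory fields, the imprint against the record in hand, and the accuracy.
func VerifyTimeStamp(tok *TimeStampToken, tsuPub *rsa.PublicKey, policy asn1.ObjectIdentifier, record []byte, maxAccuracy time.Duration) (*TSTInfo, error) {
	digest := sha256.Sum256(tok.TSTInfoDER)
	if err := rsa.VerifyPKCS1v15(tsuPub, crypto.SHA256, digest[:], tok.Signature); err != nil {
		return nil, fmt.Errorf("TSU signature invalid: %w", err)
	}
	var info TSTInfo
	if rest, err := asn1.Unmarshal(tok.TSTInfoDER, &info); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed TSTInfo")
	}
	want := sha256.Sum256(record)
	acc := time.Duration(info.Accuracy.Seconds)*time.Second +
		time.Duration(info.Accuracy.Millis)*time.Millisecond +
		time.Duration(info.Accuracy.Micros)*time.Microsecond
	switch {
	case !info.Policy.Equal(policy):
		return nil, fmt.Errorf("unexpected time-stamp policy %v", info.Policy)
	case !info.MessageImprint.HashAlgorithm.Algorithm.Equal(oidSHA256) || !bytes.Equal(info.MessageImprint.HashedMessage, want[:]):
		return nil, fmt.Errorf("message imprint does not match the record")
	case info.SerialNumber == nil || info.SerialNumber.Sign() <= 0:
		return nil, fmt.Errorf("missing serial number")
	case acc > maxAccuracy:
		return nil, fmt.Errorf("stated accuracy %v exceeds the guaranteed %v", acc, maxAccuracy)
	}
	return &info, nil
}

func main() {
	tsuKey, _ := rsa.GenerateKey(rand.Reader, 2048) // page: RSA 2048 bits with SHA-256
	record := []byte("constructed sample record")
	tok, _ := IssueTimeStamp(tsuKey, oidQTPPlaceholder, big.NewInt(1001), record, time.Now())
	_, err := VerifyTimeStamp(tok, &tsuKey.PublicKey, oidQTPPlaceholder, record, time.Second)
	fmt.Println("verified:", err == nil) // verified: true
}
```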


5 FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS

5.1. Physical Controls

Bank shall implement physical controls to ensure:

adequate site location and construction,

secure physical access,

adequate power and air conditioning,

protection from water exposures,

secure media storage,

secure waste disposal and

adequate off-site backup.

Physical controls are described in more detail in Certification practice statement for Qualified Certificates for electronic signature and seals.

5.2. Procedural controls

Information and communication system management tasks, certificate life cycle management tasks, administering and implementation of security procedures, and Zaba QPKI operation supervision tasks shall be carried out within separate Bank organizational units.

Tasks, obligations and responsibilities of employees shall be divided according to appropriate trusted roles. Trusted roles shall comprise the basis of trust in Zaba QPKI and shall be assigned to authorised employees from competent Bank organizational units. Each trusted role shall be documented with a clearly defined description of tasks and responsibilities.

Trusted roles shall include the roles of Security Officer, System Administrator, System Operator, Registration Officer, Revocation Officer and System Auditor.

Zaba QPKI tasks shall be performed exclusively by authorised persons and with sufficient number of full-time employees with knowledge, experience and qualifications.

The most critical functions are carried out with procedures based on "four eyes" control and a strong authentication process. Procedural controls are described in more detail in the Certification practice statement for Qualified Certificates for electronic signature and seals.

5.3. Personnel controls

Based on job descriptions for Zaba QPKI, candidates must possess the appropriate expert knowledge, experience, qualifications and education for work with cryptographic technologies, protection of computer systems, IT security and protection of personal data.

Employees working at Zaba QPKI shall not be employed nor have any business relationship with other Qualified Trust Service Providers.

Prior to starting work at jobs in Zaba QPKI, Bank shall carry out adequate candidate checks in order to assess their expertise, ability and reliability in accordance with the needs of Zaba QPKI tasks.

Employees carrying out tasks within Zaba QPKI shall be provided with education and training in accordance with their trusted roles.

Renewal of knowledge of Zaba RA employees, given the jobs they perform, shall be conducted regularly, at least once every two years.

In case of unauthorized actions or other violations of the Bank's policies and procedures, appropriate disciplinary measures shall be decided, commensurate with the frequency and severity of the actions.

For external contractors who carry out some of the services within the scope of Qualified Certificate issuance services for Bank, the same requirements as those that apply to internal employees shall apply when working in Zaba QPKI.

The documentation required for the implementation of their work tasks according to the roles assigned and pertaining authorisations shall be supplied to each employee.


5.4. Audit logging procedures

The audit logging procedures on Zaba QPKI components are carried out using the audit log journal, which automatically logs events relevant for security. The audit log journal is hosted on servers in protected zones. In particular, the audit log journal records:

management of life cycles of CA keys of Zaba QPKI,

registration data of a natural and legal person,

preparation and issuing of secure cryptographic or QSCD devices on which Qualified Certificates shall also be issued,

cryptographic key life cycles and key management,

life cycles of Subscribers' certificates issued by Zaba QCA,

requests for revocation of certificates and correspondingly conducted activities,

management of lifecycles of TSU keys and certificates within Zaba QTSA,

synchronization of the TSU clock with UTC and detection of any UTC time synchronization failure,

physical security access to and alarms from dedicated Zaba QPKI protected zones.

Audit logs are available for 12 months and will be stored in order to provide proof of the certification in judicial proceedings even in the event of CA termination.

Audit logs in Zaba QPKI shall be inspected regularly, on a daily basis. A more detailed description of audit logging is given in the Certification practice statement for Qualified Certificates for electronic signature and seals.

5.5. Records archival

Zaba QPKI shall archive the below specified data which, depending on the type, may come in electronic and/or paper form:

data and pertaining documentation collected during the process of registration of natural and legal persons,

certificates and data related to the life cycle of Subscribers' certificates,

agreements connected to the provision of certification services,

data and documentation related to secure cryptographic or QSCD devices,

records of revoked certificates, data about revocation of certificates and pertaining documentation,

Certificate Policies, Practice Statements, Services Terms and Conditions,

relevant audit logs,

other Zaba QPKI documents.

Each archived record shall contain data indicating the time referring to it.

All archived data and documentation shall be kept for at least 10 years.

A more detailed description of records archival is given in the Certification practice statement for Qualified Certificates for electronic signature and seals.

5.6. Key changeover

Bank shall ensure that Zaba QCA continually provides Qualified Trust Services with its valid key pair and corresponding CA certificate.

Bank shall notify the participants of Zaba QPKI about changes to its public key and new CA certificate in a timely manner. The new corresponding public key shall be accessible to Zaba QPKI participants in the same way as the previous Zaba QCA public key.

5.7. Compromise and disaster recovery

The Business Continuity Plan for Zaba QPKI shall regulate the procedures in the event of the occurrence of incidents or system compromise and shall be revised once a year.

In reference to the Zaba QPKI, the following are considered critical incidents:

compromise of CA private keys and HSM devices that contain private keys,

malfunctions or damage to equipment and network resources of Zaba QPKI,

compromise of used cryptographic algorithms,

Zaba QTSA private key compromise or UTC synchronization failure,


failure to publish certificate status (CRL and OCSP),

natural disasters (fire, earthquake, flood, …) and other disasters (epidemic, terrorism, …).

In case of Zaba QCA private key compromise, Bank shall immediately stop the use of the compromised private key and Zaba Root QCA shall revoke the Zaba QCA certificate. Bank shall revoke the Subscribers' certificates issued by the compromised CA. Bank shall indicate that certificates and revocation status information issued using this CA key may no longer be valid.

Bank shall notify the following participants of Zaba QPKI about the revocation of Zaba QCA certificates:

Subscribers,

Relying parties.

After determining and eliminating the cause responsible for the CA key compromise, Bank shall, if appropriate, undertake measures to prevent the recurrence of such an event. Zaba Root QCA shall issue a new CA certificate for Zaba QCA with a new public CA key.

Zaba QCA shall, using the new private CA key, issue certificates to existing registered Subscribers, and all subsequent information about revocation of certificates shall be signed using the new key. The new CA certificate shall be accessible to Zaba QPKI participants in the same way as the previous Zaba QCA certificate.

If the cryptographic algorithms or parameters in use become insufficient for their remaining intended usage and can no longer provide the required security and protection, Bank shall revoke the affected certificates.

Bank shall notify in due time:

Subscribers,

Relying parties.

Bank shall then issue new certificates using other appropriate secure cryptographic algorithms.

5.8. CA or RA termination

In case of planned termination of the provision of any Qualified Trust Service, Bank shall:

notify all Subscribers, Relying parties and national authority at least three months before the planned termination of providing Qualified Trust Services,

invest efforts to continue providing Qualified Trust Services by another Qualified Trust Service Provider and shall forward to this service provider all documentation collected in the Subscriber registration procedure, as well as all documentation about issued certificates.

If Bank cannot arrange continuation of the service with another Qualified Trust Service Provider, Bank shall:

revoke all issued Qualified Certificates and destroy Subscriber’s private keys in cases where Bank keeps and manages the Subscriber’s keys,

revoke the CA certificates and destroy their related private keys.

In the event of termination to provide Qualified Certificate issuance services, Bank shall archive, protect and keep records according to this Certificate Policy, so that the records shall be accessible for providing evidence to court, administrative and other proceedings in accordance with the valid provisions of legislation, or Bank shall contract such archiving, protection and keeping of records by another legal person.


6 TECHNICAL SECURITY CONTROLS

This Chapter shall describe protection measures undertaken with the aim of achieving the required level of security for cryptographic key, activation data, critical security parameters, key management and other technical security measures for Zaba QPKI and for issuing Subscriber certificates.

6.1. Key pair generation and installation

Bank shall carry out key pair generation using key generation algorithms in compliance with the standardization document ETSI TS 119 312.

The procedure for generation of Zaba Root QCA and Zaba QCA key pairs shall be carried out through a formal key pair generation ceremony.

The formal key pair generation ceremony shall be carried out according to key generation protocol documenting the steps performed during a ceremony. The protocol for key generation shall be in accordance with technical security measures according to the standard HRN ETSI EN 319 411-1 and with the requirements of CA/Browser Forum.

Key pairs for Zaba Root QCA and Zaba QCA shall be generated, under at least dual control of authorised persons with trusted roles in Zaba QPKI, in HSM that meet the requirements for QSCD.

Zaba Root QCA and Zaba QCA shall be located in Zaba QPKI protected zones during and after the key pair generation ceremony, and access to them shall be allowed only to Zaba QPKI authorised persons with trusted roles exercising at least dual control.

The Zaba Root QCA and Zaba QCA key pair generation ceremony procedure shall be videotaped or the conducted procedure shall be witnessed by a Qualified auditor.

Public keys of Zaba Root QCA or Zaba QCA shall be accessible to Relying parties on Zaba QPKI web repository.

Key pairs for Zaba QTSA and Zaba QOCSP shall be generated in protected zone in HSM, under at least dual control of authorised persons with trusted roles in Zaba QPKI.

Key pairs for the following types of Qualified Certificates issued by Zaba QCA shall be generated on QSCD devices in Bank's protected zone:

Qualified Certificate for natural person for electronic signature (QCP-n-qscd),

Qualified Certificate for legal person for electronic seal (QCP-l-qscd).

The aforementioned QSCDs guarantee:

the generation of asymmetric key pairs with the same generation probability of all the possible key pairs,

the electronic identification of the person who starts the generation procedure,

protection of the private key from unauthorized access,

the cryptographic (cipher) processing operations,

the conformance of the key pair to the requirements of the generation and verification algorithms used,

that during Qualified signing operations and other operations connected to the use of certificates the signature module never communicates the private keys of the certificate-holder externally.

Bank, as the Qualified Trust Service Provider shall manage the Subscriber private key, generated by Zaba QCA, which shall be used in the remote electronic signing and sealing service, on behalf of the Signatory or Authorised Representative of legal person. Bank shall keep this private key in a secure way, protected from disclosure, copying, changes, damage and use by unauthorised persons. The private key shall never be delivered to Signatory or Authorised Representative of legal person. In the remote electronic signing and sealing service, Bank shall ensure that the Signatory has his/her corresponding private key under his/her sole control and that the Authorised Representative of legal person has a corresponding private key under his/her control.

Public key delivery to the certificate issuer Zaba QCA shall be done in a secure manner, protecting integrity and authenticity, using the PKCS#10 standard. Delivery is in electronic form after identification and authentication of the Signatory or Authorised Representative.

Key lengths and algorithms

Key lengths and algorithms used in Zaba QPKI are:

Zaba Root QCA – key length = 4096 bit, algorithm=sha256WithRSA;

Zaba QCA – key length = 4096 bit, algorithm=sha256WithRSA;

Zaba QTSA – key length = 2048 bit, algorithm=sha256WithRSA;

Zaba OCSP – key length = 2048 bit, RSA keys;

Zaba RA – key length = 2048 bit, RSA keys;

Subscribers – key length = 2048 bit, RSA keys.

Key usage purposes (as per X.509 v3 key usage field) are defined in Section 1.4.1. hereof.

6.2. Private Key Protection and Cryptographic Module Engineering Controls

Private keys for Zaba Root QCA and subordinated Zaba QCA shall be generated and protected by HSMs that comply with the requirements of the standard FIPS 140-2 level 3.

For the Qualified Certificates QCP-n-qscd and QCP-l-qscd, the protection of private keys shall be carried out with QSCD devices. The Qualified electronic signature creation devices used to generate and protect Subscribers' private keys are certified to Common Criteria EAL4+ (Protection Profile CWA 14169) and FIPS 140-2 level 3 and meet the requirements of Annex II of the eIDAS Regulation (Requirements for Qualified electronic signature creation devices). Bank shall monitor the certification status of these QSCD devices.

For the NCP+ certificates (Zaba QTSA and Zaba QOCSP), the protection of private keys shall be carried out with secure cryptographic devices that comply with the requirements of standard FIPS 140-2 level 3.

The Zaba Root QCA, Zaba QCA, Zaba QTSP, Zaba QOCSP private keys and Subscriber private keys (hereinafter referred as: Zaba QPKI private keys) of remote electronic signing and sealing service shall be managed by physical access to a HSM, with authorisation by two authorised persons with Zaba QPKI trusted roles.

Security copies of Zaba Root QCA, Zaba QCA, Zaba QTSP, Zaba QOCSP private keys shall be made in premises with the highest level of security within Zaba QPKI protected zones with dual control by authorised persons with Zaba QPKI trusted roles.

Only authorised persons with Zaba QPKI trusted roles with dual control shall have physical access to copies of these private keys.

Subscriber private keys associated with Qualified Certificates used in the remote electronic signing and sealing service shall be retrieved from HSMs solely in encrypted form and shall be stored in Zaba QPKI protected zones. Backup of these encrypted private keys shall be carried out in Zaba QPKI protected zones and shall be initiated by an authorised person, under dual control. Backups of these encrypted private keys shall be stored in Zaba QPKI protected zones at separate locations. The number of backup copies of Qualified Certificate private keys shall not exceed the number essential for securing the continuity of services.

A more detailed description of private key protection is given in the Certification practice statement for Qualified Certificates for electronic signature and seals.

6.3. Other aspects of key pair management

Public Zaba Root QCA, Zaba QCA, Zaba QTSA and Zaba QOCSP keys shall comprise a constituent part of the associated CA certificates, which are archived and shall be kept in the archive for the period referred to in Section 5.5 of this Certificate Policy.

The period of validity of certificates according to type shall be as defined in the following table:

Certificate | Validity
Zaba Root QCA | 20 years
Zaba QCA | 10 years
Zaba QTSA service | 10 years
Signing response from OCSP service | 1 year
QCP-l-qscd Qualified Certificate for legal person | 2 years
QCP-n-qscd Qualified Certificate for natural person | 1 year

The validity period of other Zaba QPKI certificates shall not be outside the validity period of Zaba Root QCA certificate.

The validity period of a private key shall be equal to the validity period of the pertaining certificate. Certificates and pertaining keys shall not be used after the expiry of the validity period of the certificate or after certificate revocation.


6.4. Activation data

Activation data for the Zaba Root QCA, Zaba QCA, Zaba QTSP and Zaba QOCSP private keys shall be generated and installed during private key pair generation.

Activation data for Subscribers' private keys shall be generated during the registration process.

Activation data connected with the Zaba QPKI private keys shall be kept in a secure manner.

Activation data for the Zaba Root QCA, Zaba QCA, Zaba QTSP and Zaba QOCSP private keys shall be protected using a smartcard and PIN.

Activation data for Subscribers' private keys shall be protected using a mobile token and, for natural persons, a certificate password verified on the HSM.

6.5. Computer security controls

The PKI is logically separated from the other IT infrastructure of the Bank and has its own network equipment (switches, firewalls), physical servers, virtual machines and management console.

Bank's IT infrastructure and Zaba QPKI are in compliance with standards:

ISO/IEC 27001,

ISO/IEC 27002,

HRN ETSI/EN 319 411-1,

HRN ETSI/EN 319 411-2,

CA/Browser Forum Baseline Requirements and

HRN ETSI/EN 319 421.

6.6. Life cycle technical controls

The security controls of the Bank guarantee, through the following support processes, the protection of computing resources in terms of confidentiality, integrity and availability along the entire life cycle of the software and hardware infrastructure:

IT risk management, aimed at identifying and assessing the risks connected with the use of IT and at selecting controls and security countermeasures suitable for ensuring the required security levels;

Security incident management, the set of activities put in place to minimize the impact of security incidents and to ensure the reactivation of services; the process is based on a formal procedure defined in advance and periodically tested and updated;

Business continuity management of business processes and information systems, to respond to crises and disaster events, minimize their impact and ensure recovery;

Vulnerability and patch management, with the aim of identifying and mitigating new vulnerabilities and threats;

Change management: any change to operational systems is subject to a formal process, in order to maintain the security levels of the affected systems;

Security event and information monitoring, to detect unauthorized access to the Bank's information system.

6.7. Network security controls

The Zaba QPKI infrastructure uses a layered defence approach, placing servers and appliances on different network levels separated by firewalls that allow only authorized communication flows.

The procedures for configuring network components ensure:

the management of configuration changes,

restriction of access to components according to the least privilege principle,

prevention of improper or unauthorized access or changes.

The certification service uses network-based security infrastructure (firewalling mechanisms) and TLS (Transport Layer Security) in order to establish a secure channel between all communicating parties. All network flows (protocols, source, destination) moving between different security domains are identified, classified and authorized. The system is also supported by specific security products (network intrusion detection, network intrusion protection, malware protection) and by all the relevant management procedures.

Penetration testing of the infrastructure is carried out periodically and after every significant change.

6.8. Time-Stamping

The time in the Zaba QPKI system shall be synchronised with UTC (external time source with satellite GPS synchronization). Zaba QPKI audit logs shall contain accurate data about the date and time at which they originated, with a deviation from UTC of less than +/- 1 second.
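As an added example (not from the Certificate Policy and not Zaba's own tooling), the following Go program shows what an automated first pass of the daily audit-log inspection required in Section 5.4 can look like. It applies three of the policy's rules to journal records: the "four eyes" control for CA key life-cycle operations (Section 5.2), follow-up of alarms from protected zones (Section 5.4), and the +/- 1 second UTC tolerance for TSU clock synchronisation (Section 6.8). The journal format, the event names and the sample records are constructed for this example; the real Zaba QPKI journal layout is not published in this document.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample journal (assumption: the real Zaba QPKI journal format is
// not published; this key=value layout and these event names are made up here).
const sampleJournal = `2019-09-10T06:00:01Z zone=QPKI-ZONE-A component=QTSA event=TSU_CLOCK_SYNC result=OK offset_ms=120
2019-09-10T06:15:00Z zone=QPKI-ZONE-A component=QCA event=CERT_ISSUED subject_serial=TINHR-00000000001 operator=ro1
2019-09-10T07:00:02Z zone=QPKI-ZONE-A component=QTSA event=TSU_CLOCK_SYNC result=FAIL offset_ms=1450
2019-09-10T07:30:44Z zone=QPKI-ZONE-B component=PHYS event=DOOR_ALARM door=HSM-ROOM operator=-
2019-09-10T08:00:00Z zone=QPKI-ZONE-A component=QCA event=CA_KEY_BACKUP operator=sa1 witness=so1
2019-09-10T08:05:00Z zone=QPKI-ZONE-A component=QCA event=CA_KEY_BACKUP operator=sa1 witness=-
2019-09-10T09:00:00Z zone=QPKI-ZONE-A component=QCA event=CERT_REVOKED subject_serial=TINHR-00000000001 operator=rv1`

// maxClockOffset is the Section 6.8 tolerance: journal time within +/- 1 s of UTC.
const maxClockOffset = time.Second

// dualControlEvents are CA key life-cycle operations that Section 5.2 places under
// "four eyes" control, so the record must name a second person (hypothetical names).
var dualControlEvents = map[string]bool{
	"CA_KEY_GENERATION": true, "CA_KEY_BACKUP": true, "CA_KEY_RESTORE": true, "CA_KEY_DESTRUCTION": true,
}

// Finding is one item for the daily review required by Section 5.4.
type Finding struct {
	Line   int
	Event  string
	Reason string
}

// parseRecord splits "<RFC3339 UTC time> key=value ..." into its parts; every
// record must carry a time (Section 5.5), so a missing or bad one is an error.
func parseRecord(line string) (time.Time, map[string]string, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return time.Time{}, nil, fmt.Errorf("empty record")
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, nil, fmt.Errorf("record has no valid timestamp: %w", err)
	}
	kv := make(map[string]string, len(fields))
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return time.Time{}, nil, fmt.Errorf("malformed field %q", f)
		}
		kv[k] = v
	}
	return ts, kv, nil
}

// ReviewJournal applies the review rules to every record and returns what the
// Security Officer or System Auditor must follow up on.
func ReviewJournal(journal string) []Finding {
	var out []Finding
	for i, line := range strings.Split(strings.TrimSpace(journal), "\n") {
		n := i + 1
		_, kv, err := parseRecord(line)
		if err != nil {
			out = append(out, Finding{n, "", err.Error()})
			continue
		}
		ev := kv["event"]
		switch {
		case ev == "TSU_CLOCK_SYNC":
			off, _ := strconv.Atoi(kv["offset_ms"])
			if off < 0 {
				off = -off // the tolerance is symmetric: +/- 1 s
			}
			if kv["result"] != "OK" || time.Duration(off)*time.Millisecond > maxClockOffset {
				out = append(out, Finding{n, ev, "TSU clock sync failed or outside the +/- 1 s UTC tolerance"})
			}
		case strings.HasSuffix(ev, "_ALARM"):
			out = append(out, Finding{n, ev, "alarm from protected zone " + kv["zone"] + " needs follow-up"})
		case dualControlEvents[ev]:
			if w := kv["witness"]; w == "" || w == "-" || w == kv["operator"] {
				out = append(out, Finding{n, ev, "four-eyes control not evidenced"})
			}
		}
	}
	return out
}

func main() {
	for _, f := range ReviewJournal(sampleJournal) {
		fmt.Printf("line %d %s: %s\n", f.Line, f.Event, f.Reason)
	}
}
```

On the constructed journal the review flags three records: the failed clock synchronisation with a 1450 ms offset, the door alarm in the HSM room, and the CA key backup recorded without a second person. Records that cannot be parsed are themselves findings, because a journal entry without a usable timestamp cannot serve as evidence under Sections 5.5 and 6.8.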


7 CERTIFICATE, CRL, AND OCSP PROFILES

This Chapter contains the profiles of certificates, CRLs and OCSP service responses that Bank, as Qualified Trust Service Provider, provides to clients in compliance with this Certificate Policy.

EU Qualified Certificate (QCP-n-qscd and QCP-l-qscd) profiles are aligned with standard HRN ETSI/EN 319 412-5.

Normalized certificate (NCP+) profiles are aligned with standards HRN ETSI/EN 319 411-3 and recommendation IETF RFC 5280.

CRL profiles issued by Zaba Root QCA and subordinated Zaba QCA are aligned with recommendation IETF RFC 5280.

The OCSP response profile of the Zaba QOCSP service is aligned with recommendation IETF RFC 6960.

7.1. Certificates profiles

Depending on its purpose, security level and rules of issuance, every certificate type has a unique policy OID (CP OID).

Basic fields of the Zaba Root QCA certificate:

Field | Attribute | Value
Version | Version | X.509 V3
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba Root QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
Validity | notBefore | Certificate issuance time
 | notAfter | Certificate issuance time + 20 years
Subject | commonName | Zaba Root QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
 | subjectPublicKey | Public key CA: 4096 bits

Extensions of the Zaba Root QCA certificate:

Extension | Critical | Attribute | Value
KeyUsage | YES | | digitalSignature, nonRepudiation, keyCertSign, cRLSign
BasicConstraints | YES | | cA=true
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))

Basic fields of the subordinate Zaba QCA certificate:

Field | Attribute | Value
Version | Version | X.509 V3
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba Root QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
Validity | notBefore | Certificate issuance time
 | notAfter | Certificate issuance time + 10 years
Subject | commonName | Zaba QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
 | subjectPublicKey | Public key CA: 4096 bits

Extensions of the subordinate Zaba QCA certificate:

Extension | Critical | Attribute | Value
KeyUsage | YES | | digitalSignature, nonRepudiation, keyCertSign, cRLSign
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.2.3.4.2
 | | cPSuri | http://www.zaba.hr/cps
 | | policyQualifiers | CPS
BasicConstraints | YES | | cA=true, pathLen=0
CRLDistributionPoints | NO | DistributionPoint | URI: http://www.zaba.hr/crl/ZabaRootQCA.crl
AuthorityInformationAccess | NO | id-ad-ocsp | Access Method=Online Certificate Status Protocol (1.3.6.1.5.5.7.48.1), Alternative Name: URL=http://ocsp.zaba.hr/zabarootqca
 | | id-ad-caIssuers | Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name: URL=http://www.zaba.hr/cert/ZabaRootQCA.cer
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
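As an added worked example (not part of the Certificate Policy and not Zaba's own code), the following Go program builds a throw-away two-level hierarchy shaped like the Zaba Root QCA and Zaba QCA profiles above: RSA keys with sha256WithRSA as in Section 6.1, the validity periods of Section 6.3, the key usage, basicConstraints with pathLen=0, CRL and AIA URLs and the method (1) key identifiers from the tables. It then runs the kind of profile-conformance check a Relying party or auditor can apply to a published CA certificate. All keys and certificates are generated locally and discarded; the function names (BuildHierarchy, CheckCAProfile, keyID) and the finding texts are the example's own, and the serial is simply sized to 12 octets rather than reproducing the document's entropy statement.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile values come from the policy tables; keys/certs are generated locally (assumption: no real Zaba certificate is used).
const orgName, country = "Zagrebacka banka d.d.", "HR"

// digitalSignature, nonRepudiation (contentCommitment in Go), keyCertSign, cRLSign.
var caKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
	x509.KeyUsageCertSign | x509.KeyUsageCRLSign

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyID is RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING (the DER RSAPublicKey for RSA).
func keyID(pub *rsa.PublicKey) []byte {
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	return sum[:]
}

// caTemplate fills the fields shared by the Root QCA and QCA profiles.
func caTemplate(cn string, years int, pub *rsa.PublicKey) *x509.Certificate {
	now := time.Now().UTC()
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 95)))
	return &x509.Certificate{
		SerialNumber:          serial.SetBit(serial, 95, 1), // bit 95 set: exactly 12 octets
		Subject:               pkix.Name{CommonName: cn, Organization: []string{orgName}, Country: []string{country}},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		KeyUsage:              caKeyUsage,
		BasicConstraintsValid: true,
		IsCA:                  true,
		SubjectKeyId:          keyID(pub),
	}
}

func issue(tpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer))))
}

// BuildHierarchy: self-signed root (20 y) and pathLen=0 subordinate CA (10 y). The policy requires 4096-bit keys; 2048 is faster.
func BuildHierarchy(bits int) (root, sub *x509.Certificate) {
	rootKey, subKey := must(rsa.GenerateKey(rand.Reader, bits)), must(rsa.GenerateKey(rand.Reader, bits))
	rootTpl := caTemplate("Zaba Root QCA", 20, &rootKey.PublicKey)
	rootTpl.AuthorityKeyId = rootTpl.SubjectKeyId // self-signed: AKI equals own SKI
	root = issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	subTpl := caTemplate("Zaba QCA", 10, &subKey.PublicKey)
	subTpl.MaxPathLenZero = true // pathLen=0: Zaba QCA may not certify further CAs
	subTpl.CRLDistributionPoints = []string{"http://www.zaba.hr/crl/ZabaRootQCA.crl"}
	subTpl.OCSPServer = []string{"http://ocsp.zaba.hr/zabarootqca"}
	subTpl.IssuingCertificateURL = []string{"http://www.zaba.hr/cert/ZabaRootQCA.cer"}
	return root, issue(subTpl, root, &subKey.PublicKey, rootKey)
}

// CheckCAProfile returns one finding per deviation from the profile; issuer signed c (for the root, pass c itself).
func CheckCAProfile(c, issuer *x509.Certificate, wantCN string, wantBits, wantYears int, wantPathLenZero bool) []string {
	var f []string
	check := func(bad bool, msg string) {
		if bad {
			f = append(f, msg)
		}
	}
	pub, _ := c.PublicKey.(*rsa.PublicKey)
	check(c.CheckSignatureFrom(issuer) != nil, "signature does not verify under the issuer's public key")
	check(c.SignatureAlgorithm != x509.SHA256WithRSA, "signatureAlgorithm is not sha256WithRSAEncryption")
	check(pub == nil || pub.N.BitLen() != wantBits, fmt.Sprintf("public key is not RSA %d bits", wantBits))
	check(c.Subject.CommonName != wantCN || len(c.Subject.Organization) != 1 || c.Subject.Organization[0] != orgName, "subject does not match profile")
	check(c.KeyUsage != caKeyUsage, "keyUsage is not digitalSignature,nonRepudiation,keyCertSign,cRLSign")
	check(!c.BasicConstraintsValid || !c.IsCA || (wantPathLenZero && !c.MaxPathLenZero), "basicConstraints does not match profile")
	check(len(c.SerialNumber.Bytes()) < 12 || len(c.SerialNumber.Bytes()) > 13, "serialNumber is not 12 or 13 octets long")
	check(c.NotAfter.After(c.NotBefore.AddDate(wantYears, 0, 0)), fmt.Sprintf("validity exceeds %d years", wantYears))
	check(c.NotAfter.After(issuer.NotAfter), "validity ends after the issuing CA certificate's (Section 6.3)")
	check(len(c.SubjectKeyId) != 20 || len(c.AuthorityKeyId) != 20, "SKI/AKI are not 160-bit key identifiers")
	return f
}

func main() {
	root, sub := BuildHierarchy(4096) // two 4096-bit keys: expect a few seconds
	fmt.Println(CheckCAProfile(root, root, "Zaba Root QCA", 4096, 20, false), CheckCAProfile(sub, root, "Zaba QCA", 4096, 10, true))
}
```

The check returns a list of findings rather than a single pass/fail so that one run reports every deviation at once, which is what an audit needs. Go derives the subordinate certificate's authorityKeyIdentifier from the parent's subjectKeyIdentifier during issuance, so keyID only has to be applied explicitly to the self-signed root, where the profile expects AKI and SKI to be the same value.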

Basic fields of the certificate for signing responses of the Zaba Root QOCSP service:

Field | Attribute | Value
Version | Version | X.509 V3
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba Root QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
Validity | notBefore | Certificate issuance time
 | notAfter | Certificate issuance time + 1 year
Subject | commonName | Zaba Root QOCSP
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
 | subjectPublicKey | Public key CA: 2048 bits

Extensions of the certificate for signing responses of the Zaba Root QOCSP service:

Extension | Critical | Attribute | Value
KeyUsage | YES | digitalSignature | digitalSignature bit set
 | | nonRepudiation | nonRepudiation bit set
extKeyUsage | NO | OCSPSigning | OID: 1.3.6.1.5.5.7.3.9
ocsp-nocheck | NO | | OID: 1.3.6.1.5.5.7.48.1.5, value NULL
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.2.5.1.2
 | | cPSuri | http://www.zaba.hr/cps
 | | policyQualifiers | CPS
BasicConstraints | NO | | cA=FALSE, pathLenConstraint=None
CRLDistributionPoints | NO | DistributionPoint | URI: http://www.zaba.hr/crl/ZabaRootQCA.crl, http://www.zaba.hr/crl1/ZabaQCA.crl
AuthorityInformationAccess | NO | id-ad-ocsp | http://ocsp.zaba.hr/zabarootqca
 | | id-ad-caIssuers | http://www.zaba.hr/crl/ZabaRootQCA.crl
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))

Basic fields of the certificate for signing responses of the Zaba QOCSP service:

Field | Attribute | Value
Version | Version | X.509 V3
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
Validity | notBefore | Certificate issuance time
 | notAfter | Certificate issuance time + 1 year
Subject | commonName | Zaba QOCSP
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
 | subjectPublicKey | Public key CA: 2048 bits

Extensions of the certificate for signing responses of the Zaba QOCSP service:

Extension | Critical | Attribute | Value
KeyUsage | YES | digitalSignature | digitalSignature bit set
 | | nonRepudiation | nonRepudiation bit set
extKeyUsage | NO | OCSPSigning | OID: 1.3.6.1.5.5.7.3.9
ocsp-nocheck | NO | | OID: 1.3.6.1.5.5.7.48.1.5, value NULL
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.2.5.1.2
 | | cPSuri | http://www.zaba.hr/cps
 | | policyQualifiers | CPS
BasicConstraints | NO | | cA=FALSE, pathLenConstraint=None
CRLDistributionPoints | NO | DistributionPoint | URI: http://www.zaba.hr/crl/ZabaRootQCA.crl, http://www.zaba.hr/crl1/ZabaQCA.crl
AuthorityInformationAccess | NO | id-ad-ocsp | http://ocsp.zaba.hr/zabarootqca
 | | id-ad-caIssuers | http://www.zaba.hr/crl/ZabaRootQCA.crl
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))

Basic fields of the Zaba QTSA certificate issued by Zaba QCA:

Field | Attribute | Value
Version | Version | X.509 V3
serialNumber | CertificateSerialNumber | 16 or 17 octets, with 64 bits of entropy
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba QCA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
Validity | notBefore | Certificate issuance time
 | notAfter | Certificate issuance time + 10 years
Subject | commonName | Zaba QTSA
 | organizationName | Zagrebacka banka d.d.
 | countryName | HR
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
 | subjectPublicKey | Subject's public key: 2048 bits

Extensions of the Zaba QTSA certificate issued by Zaba QCA:

Extension | Critical | Attribute | Value
KeyUsage | YES | digitalSignature | digitalSignature bit set
 | | nonRepudiation | nonRepudiation bit set
SubjectDirectoryAttributes | NO | 1.2.840.113533.7.68.29 | 18
privateKeyUsagePeriod | NO | notBefore | Certificate issuance time
 | | notAfter | Certificate issuance time + 10 years
extKeyUsage | YES | timeStamping | OID: 1.3.6.1.5.5.7.3.8
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.2.5.1.2
 | | cPSuri | http://www.zaba.hr/cps
 | | policyQualifiers | CPS
qCStatements | NO | esi4-qcStatement-1 | OID: 0.4.0.1862.1.1
 | | esi4-qcStatement-5 | OID: 0.4.0.1862.1.5, https://www.zaba.hr/cps/ZABA_QTSA_PS1-3-hr.pdf, https://www.zaba.hr/cps/ZABA_QTSA_PS1-3-en.pdf
 | | esi4-qcStatement-6 | OID: 0.4.0.1862.1.6.2
CRLDistributionPoints | NO | DistributionPoint | URI: http://www.zaba.hr/crl/ZabaRootQCA.crl, http://www.zaba.hr/crl1/ZabaQCA.crl
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2 method (1))
BasicConstraints | NO | | cA=FALSE, pathLenConstraint=None
AuthorityInformationAccess | NO | id-ad-ocsp | http://ocsp.zaba.hr/zabarootqca
 | | id-ad-caIssuers | http://www.zaba.hr/crl/ZabaRootQCA.crl

Basic fields EU Qualified Certificate for natural person (QCP-n-qscd):

Field | Attribute | Value
Version | Version | 2 (X.509 V3)
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba QCA
Issuer | organizationName | Zagrebacka banka d.d.
Issuer | countryName | HR


Validity | notBefore | Certificate issuance time
Validity | notAfter | Certificate issuance time + 1 year
Subject | countryName | HR
Subject | givenName | Signatory's name as specified in their identity document
Subject | surname | Signatory's surname(s) as specified in their identity document
Subject | commonName | Signatory's name and surname as specified in their identity document
Subject | organizationName | OSOBNI
Subject | serialNumber | TINHR-OIB (ISO code of the Signatory's country of residence, followed by the OIB, the natural person's unique 11-digit identifier)
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
subjectPublicKeyInfo | subjectPublicKey | Signer's public key: RSA 2048 bits

Extensions EU Qualified Certificate for natural person (QCP-n-qscd):

Extension | Critical | Attribute | Value
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2, method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2, method (1))
KeyUsage | YES | nonRepudiation | nonRepudiation bit set
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.5.7.2.2
certificatePolicies | NO | policyQualifiers | policyQualifierID: id-qt-cps { id-qt 1 }; cPSuri: https://www.zaba.hr/cps/ZABA_QCA_CPS1-3-hr.pdf; cPSuri: https://www.zaba.hr/cps/ZABA_QCA_CPS1-3-en.pdf
certificatePolicies | NO | policyIdentifier | qcp-natural-qscd (2), OID: 0.4.0.194112.1.2
subjectAltName | NO | rfc822Name | Optional. Contains the Signatory's e-mail address.
BasicConstraints | NO | | cA=FALSE; pathLenConstraint=None
CRLDistributionPoints | NO | DistributionPoint | URI: https://www.zaba.hr/crl/ZabaQCA.crl; https://www.zaba.hr/crl1/ZabaQCA.crl; URI: ldap://ldap.zaba.hr/CN=Zaba QCA, O=Zagrebacka banka d.d., C=HR?certificateRevocationList;binary; [2] DirName: /C=HR/O=Zagrebacka banka d.d./CN=Zaba QCA/CN=CRLx
Authority Information Access | NO | id-ad-ocsp | Access Method=Online Certificate Status Protocol (1.3.6.1.5.5.7.48.1), Alternative Name: URL=https://ocsp.zaba.hr/zabaqca
Authority Information Access | NO | id-ad-caIssuers | [2] Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name: URL=https://www.zaba.hr/cert/ZabaQCA.cer
qCStatements | NO | esi4-qcStatement-1 | id-etsi-qcs-QcCompliance (id-etsi-qcs 1), OID: 0.4.0.1862.1.1
qCStatements | NO | esi4-qcStatement-4 | id-etsi-qcs-QcSSCD, OID: 0.4.0.1862.1.4
qCStatements | NO | esi4-qcStatement-5 | id-etsi-qcs-QcPDS, OID: 0.4.0.1862.1.5; https://www.zaba.hr/cps/PDS-en.pdf (en); https://www.zaba.hr/cps/PDS-hr.pdf (hr)
qCStatements | NO | esi4-qcStatement-6 | id-etsi-qct-esign, OID: 0.4.0.1862.1.6.1

Basic fields EU Qualified Certificate for legal person (QCP-l-qscd):


Field | Attribute | Value
Version | Version | 2 (X.509 V3)
serialNumber | CertificateSerialNumber | 32 bits of entropy, 12 or 13 octets long serial number (24-26 hex characters)
signatureAlgorithm | AlgorithmIdentifier | sha256WithRSAEncryption, OID: 1.2.840.113549.1.1.11
signatureValue | | Certificate issuer's signature
Issuer | commonName | Zaba QCA
Issuer | organizationName | Zagrebacka banka d.d.
Issuer | countryName | HR
Validity | notBefore | Certificate issuance time
Validity | notAfter | Certificate issuance time + 2 years
Subject | countryName | HR
Subject | organizationName | Full registered Short Name of the state administration body, or its Name if a Short Name is not registered.
Subject | organizationIdentifier | VATHR-OIB (OIB, the personal identification number of the legal person in the Republic of Croatia)
Subject | commonName | Name commonly used by the subject to represent itself.
subjectPublicKeyInfo | AlgorithmIdentifier | rsaEncryption, OID: 1.2.840.113549.1.1.1
subjectPublicKeyInfo | subjectPublicKey | Subject's public key: RSA 2048 bits

Extensions EU Qualified Certificate for legal person (QCP-l-qscd):

Extension | Critical | Attribute | Value
AuthorityKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2, method (1))
SubjectKeyIdentifier | NO | keyIdentifier | 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (defined according to RFC 5280, Section 4.2.1.2, method (1))
KeyUsage | YES | digitalSignature | digitalSignature bit set
certificatePolicies | NO | policyIdentifier | OID: 1.3.6.1.4.1.47380.5.8.2.2
certificatePolicies | NO | policyQualifiers | policyQualifierID: id-qt-cps { id-qt 1 }; cPSuri: https://www.zaba.hr/cps/ZABA_QCA_CPS1-3-hr.pdf; cPSuri: https://www.zaba.hr/cps/ZABA_QCA_CPS1-3-en.pdf
certificatePolicies | NO | policyIdentifier | qcp-legal-qscd (3), OID: 0.4.0.194112.1.3
subjectAltName | NO | rfc822Name | Optional. Contains the Creator of a seal's e-mail address.
BasicConstraints | NO | | cA=FALSE; pathLenConstraint=None
CRLDistributionPoints | NO | DistributionPoint | URI: https://www.zaba.hr/crl/ZabaQCA.crl; https://www.zaba.hr/crl1/ZabaQCA.crl; URI: ldap://ldap.zaba.hr/CN=Zaba QCA, O=Zagrebacka banka d.d., C=HR?certificateRevocationList;binary; [2] DirName: /C=HR/O=Zagrebacka banka d.d./CN=Zaba QCA/CN=CRLx
Authority Information Access | NO | id-ad-ocsp | Access Method=Online Certificate Status Protocol (1.3.6.1.5.5.7.48.1), Alternative Name: URL=https://ocsp.zaba.hr/zabaqca
Authority Information Access | NO | id-ad-caIssuers | [2] Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name: URL=https://www.zaba.hr/cert/ZabaQCA.cer
qCStatements | NO | esi4-qcStatement-1 | id-etsi-qcs-QcCompliance (id-etsi-qcs 1), OID: 0.4.0.1862.1.1
qCStatements | NO | esi4-qcStatement-4 | id-etsi-qcs-QcSSCD, OID: 0.4.0.1862.1.4


qCStatements | NO | esi4-qcStatement-5 | id-etsi-qcs-QcPDS, OID: 0.4.0.1862.1.5; https://www.zaba.hr/cps/PDS-en.pdf (en); https://www.zaba.hr/cps/PDS-hr.pdf (hr)
qCStatements | NO | esi4-qcStatement-6 | id-etsi-qct-eseal, OID: 0.4.0.1862.1.6.2
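The profile tables above can be turned into a relying-party conformance check. The Go program below is an added example, not code from Zagrebačka banka or from this Certificate Policy: it builds a constructed, self-signed test certificate shaped like the QCP-n-qscd profile (the subject values "Ana Primjer" and the all-zero OIB are invented placeholders, and the certificate is signed with a throwaway key rather than by Zaba QCA) and checks it against the profile's serial-number length (12 or 13 octets), one-year validity, nonRepudiation-only keyUsage, the qcp-natural-qscd policy identifier and the QcCompliance, QcSSCD and QcType=esign statements. The OIDs are the ones printed in the tables; the checker covers only these fields, not the complete profile, and writes the certificatePolicies and qCStatements extensions by hand so that it does not depend on how a given Go release maps the template's policy fields.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs as printed in the QCP-n-qscd profile above; the two extension OIDs are from RFC 5280 / RFC 3739.
var (
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}    // esi4-qcStatement-1
	oidQcSSCD       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}    // esi4-qcStatement-4
	oidQcType       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}    // esi4-qcStatement-6
	oidQctEsign     = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} // id-etsi-qct-esign
	oidQcpNatural   = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 2}  // qcp-natural-qscd
	qcTypeEsign, _  = asn1.Marshal([]asn1.ObjectIdentifier{oidQctEsign}) // QcType statementInfo
)

// idInfo mirrors both QCStatement and PolicyInformation: SEQUENCE { id OID, info ANY OPTIONAL }.
type idInfo struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}

// BuildSampleCertificate: self-signed test certificate shaped like the profile; subject values are constructed samples.
func BuildSampleCertificate(validity time.Duration, ku x509.KeyUsage) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// 95-bit random serial with bit 94 forced on: exactly 12 DER octets, no leading 0x00 needed.
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 95))
	serial.SetBit(serial, 94, 1)
	qcs, _ := asn1.Marshal([]idInfo{{ID: oidQcCompliance}, {ID: oidQcSSCD},
		{ID: oidQcType, Info: asn1.RawValue{FullBytes: qcTypeEsign}}})
	policies, _ := asn1.Marshal([]idInfo{{ID: oidQcpNatural}})
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{Country: []string{"HR"}, Organization: []string{"OSOBNI"},
			CommonName: "Ana Primjer", SerialNumber: "TINHR-00000000000"},
		NotBefore: now, NotAfter: now.Add(validity), KeyUsage: ku,
		ExtraExtensions: []pkix.Extension{
			{Id: oidCertPolicies, Value: policies}, {Id: oidQcStatements, Value: qcs}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// CheckNaturalPersonProfile returns every deviation from the QCP-n-qscd profile that it tests for;
// an empty slice means the DER-encoded certificate passed.
func CheckNaturalPersonProfile(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var out []string
	if n := (cert.SerialNumber.BitLen() + 8) / 8; n < 12 || n > 13 { // DER octets of a positive INTEGER
		out = append(out, fmt.Sprintf("serialNumber is %d octets, profile requires 12 or 13", n))
	}
	if d := cert.NotAfter.Sub(cert.NotBefore); d > 366*24*time.Hour {
		out = append(out, fmt.Sprintf("validity %v exceeds 1 year", d))
	}
	if cert.KeyUsage != x509.KeyUsageContentCommitment { // Go's name for the nonRepudiation bit
		out = append(out, fmt.Sprintf("keyUsage must be exactly nonRepudiation, got %#x", cert.KeyUsage))
	}
	seen := map[string]bool{}
	for _, p := range cert.PolicyIdentifiers {
		seen[p.String()] = true
	}
	var stmts []idInfo
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidQcStatements) {
			asn1.Unmarshal(ext.Value, &stmts) // a malformed extension simply leaves nothing seen
		}
	}
	for _, s := range stmts {
		seen[s.ID.String()] = true
		if s.ID.Equal(oidQcType) && string(s.Info.FullBytes) == string(qcTypeEsign) {
			seen["QcType esign"] = true
		}
	}
	for _, want := range []string{oidQcpNatural.String(), oidQcCompliance.String(), oidQcSSCD.String(), "QcType esign"} {
		if !seen[want] {
			out = append(out, "missing "+want)
		}
	}
	return out, nil
}

func main() {
	der, _ := BuildSampleCertificate(365*24*time.Hour, x509.KeyUsageContentCommitment)
	fmt.Println(CheckNaturalPersonProfile(der))
}
```

Run against a certificate shaped like the legal-person profile instead (two-year validity, digitalSignature key usage), the checker reports exactly those two deviations; this is the confusion between a signature certificate and a seal certificate that a relying party wants to catch before accepting a qualified signature.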

7.2. CRL profile

The profile of CRLs issued by Zaba Root QCA and the subordinate Zaba QCA is aligned with IETF RFC 5280.

CRLs are version 2 as defined in the X.509 specification.

7.2.1. CRL and CRL entry extensions

CRL and CRL entry extensions used in CRLs published by Zaba Root QCA and Zaba QCA:

Extension | Value
crlExtensions: cRLNumber | Monotonically increasing sequence number for the CRL, in the form of a 20-octet number.
crlExtensions: AuthorityKeyIdentifier | 160-bit SHA-1 hash
crlEntryExtensions: reasonCode | ReasonCode values: keyCompromise, affiliationChanged, superseded, cessationOfOperation, unspecified, certificateHold.
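As an added example (not the Bank's code), the Go program below is a check a relying party could run on each CRL it fetches from the distribution points listed in the certificate profiles: it requires the two CRL extensions in the table (cRLNumber and AuthorityKeyIdentifier), rejects a cRLNumber that does not increase over the previously seen value (a stale or replayed CRL), and accepts only the reasonCode values the table lists, reporting certificateHold entries separately because a hold is reversible. The sample CRL is constructed locally and signed with a throwaway key under a "Zaba QCA" subject name; the serial numbers and reason codes in it are invented, and nothing is fetched from the network. It uses the RevokedCertificateEntries API of crypto/x509, so it needs Go 1.21 or later.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// reasonCode values listed in Section 7.2.1, keyed by the RFC 5280 CRLReason enumeration.
var allowedReasons = map[int]string{
	0: "unspecified", 1: "keyCompromise", 3: "affiliationChanged",
	4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
}

// CRLFindings is what a relying party gets back for a freshly fetched CRL.
type CRLFindings struct {
	Number   *big.Int // cRLNumber; store it as the new "last seen" value when Problems is empty
	OnHold   []string // serials whose entry is a certificateHold (reversible, so re-check later)
	Problems []string
}

// CheckCRL applies the Section 7.2.1 profile to a DER-encoded CRL: both CRL extensions must be
// present, cRLNumber must exceed lastNumber (nil when none was seen before), and every entry's
// reasonCode must be one of the listed values.
func CheckCRL(der []byte, lastNumber *big.Int) (CRLFindings, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return CRLFindings{}, err
	}
	f := CRLFindings{Number: crl.Number}
	if crl.Number == nil {
		f.Problems = append(f.Problems, "cRLNumber extension missing")
	} else if lastNumber != nil && crl.Number.Cmp(lastNumber) <= 0 {
		f.Problems = append(f.Problems, fmt.Sprintf("cRLNumber %v is not greater than last seen %v", crl.Number, lastNumber))
	}
	if len(crl.AuthorityKeyId) == 0 {
		f.Problems = append(f.Problems, "authorityKeyIdentifier extension missing")
	}
	for _, e := range crl.RevokedCertificateEntries {
		switch name, ok := allowedReasons[e.ReasonCode]; {
		case !ok:
			f.Problems = append(f.Problems, fmt.Sprintf("serial %v: reasonCode %d is not in the profile", e.SerialNumber, e.ReasonCode))
		case name == "certificateHold":
			f.OnHold = append(f.OnHold, e.SerialNumber.String())
		}
	}
	return f, nil
}

// BuildSampleCRL signs a constructed CRL with a throwaway CA key under a "Zaba QCA" subject name.
// Entry i revokes serial 1000+i with reasons[i] as its reasonCode (0 means no reasonCode extension).
func BuildSampleCRL(number int64, reasons []int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Zaba QCA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	issuer, err := x509.ParseCertificate(caDER) // the parsed form carries the generated SubjectKeyId
	if err != nil {
		return nil, err
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for i, r := range reasons {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{
			SerialNumber: big.NewInt(int64(1000 + i)), RevocationTime: now, ReasonCode: r,
		})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

func main() {
	der, err := BuildSampleCRL(7, []int{1, 6, 4})
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckCRL(der, big.NewInt(6)))
}
```

An entry without a reasonCode extension parses as 0 and is accepted as unspecified, which the table allows; a value such as cACompromise (2), which RFC 5280 defines but the table does not list, is reported as a profile deviation rather than silently accepted.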

7.3. OCSP profile

The OCSP response profile of the Zaba QOCSP service is aligned with IETF RFC 6960.

OCSP responses are version 1 (0x0).

OCSP extensions included in responses from the Zaba OCSP service:

1. Nonce

2. Extended Revoked Definition.


8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS

Supervision over the work of Bank as a Qualified Trust Service Provider shall be regulated by Regulation (EU) No 910/2014 and the Act Implementing Regulation (EU) No. 910/2014, and shall be carried out by the national supervisory authority.

Supervision over the work of Qualified Trust Service Providers in the field of the collection, use and protection of Signatories' personal data may also be carried out by government and other bodies determined by law and by other rules and regulations governing personal data protection.

Compliance audits shall be carried out with the aim of confirming that Bank as a Qualified Trust Service Provider, and the Qualified Certificate issuance services provided by Bank, meet the requirements stipulated in Regulation (EU) No. 910/2014, the Act Implementing Regulation (EU) No. 910/2014 and the standard HRN ETSI/EN 319 411-2.

8.1. Frequency or circumstances of assessment

External compliance audits shall be carried out at least every 24 months in accordance with the requirements of Regulation (EU) No. 910/2014 and the standard ETSI EN 319 403.

Internal compliance audits shall be carried out prior to the commencement of providing new Qualified Trust Services, periodically at least every 12 months, and after significant changes to Zaba QPKI operations.

8.2. Identity/qualifications of assessors

External compliance audits shall be conducted by a conformity assessment body. The competence of the conformity assessment body and the qualification of the associated assessors shall be ensured by the accreditation of the conformity assessment body according to the standard ETSI EN 319 403.

Internal compliance audits shall be conducted by internal compliance assessors who together have knowledge and understanding:

of the provisions of the standard HRN ETSI/EN 319 411-2,

of PKI areas and information security area,

of legislation in the area of providing Trust Services.

8.3. Assessor's relationship to assessed entity

The conformity assessment body and associated assessors shall be independent of Bank and of Bank's assessment system. Internal compliance assessors shall be in a different organizational unit from Zaba QPKI.

8.4. Topics covered by assessment

The topics of compliance assessment shall include the following areas of providing Trust Services:

integrity and accuracy of documentation,

implementation of requirements for Qualified Trust Services,

organisational processes and procedures,

technical processes and procedures,

implementing information security measures,

trustworthy systems,

physical security at subject locations.

The description of the topics of compliance assessment shall be defined in the compliance assessment plan.

8.5. Actions taken as a result of deficiency

If non-compliance in the provision of Trust Services has been detected, Bank shall undertake the necessary steps to eliminate the detected non-compliance, where applicable within the period set by the supervisory body.

During stoppages in Qualified Certificate issuance due to identified significant non-compliance, Bank may issue only those certificates that are indicated as certificates for internal and testing purposes and it shall ensure that those certificates shall not be available to any other Subscriber.


8.6. Communication of results

The results of internal compliance audits shall be of a confidential nature and Bank shall not make these public.

In the case of external compliance audits, Bank shall forward the report of the external assessor on compliance audit to the national supervisory body within three working days from receipt.


9 OTHER BUSINESS AND LEGAL MATTERS

9.1. Fees

No fees are charged.

9.2. Financial responsibility

Bank as a Trust Services Provider shall possess financial stability and shall have at its disposal sufficient financial resources to ensure unhindered provisions of certification services in accordance with this Certificate Policy.

Bank, as a certification services provider, shall insure itself against damage liability risks occurring while carrying out Qualified Trust Services.

Bank shall additionally insure its property by means of an insurance policy that covers the risks of fire, severe weather, floods, explosions, vehicle impact, aircraft fall or impact and demonstrations, as well as insurance of equipment, machinery, electronic and communication devices, installations, etc.

Bank insures against liability to employees and third parties.

9.3. Confidentiality of business information

9.3.1. Scope of confidential information

Confidential business information shall include all data in any form that PKI participants exchange in any way in relation to establishing and providing Qualified Trust Service, and which PKI participants label as confidential, or as being of a specific type or having a specific level of secrecy, or which shall be confidential by their nature as their unauthorised disclosure may cause damage to the participant.

All information about Subscribers that is not publicly available through the certificate or through the online revocation list is treated as confidential. In particular:

Subscribers’ data and issue requests,

Subscribers’ private keys and information needed to recover such private keys,

transactional data (full records or trace audits log on operations),

emergency plans and disaster recovery plans,

security measures of the hardware and software operations relating to the Qualified Trust Services.

9.3.2. Information not within the scope of confidential information

Data integrated in the content of the certificate, data about certificate status, and data and documents published in the Zaba QPKI repository shall not be considered as confidential business information.

All data in any form that PKI participants exchange in any way in relation to establishing and providing Qualified Trust Services, and which PKI participants do not label as classified (publication of this data cannot cause damage to any PKI participant), shall likewise not be considered confidential.

9.3.3. Responsibility to protect confidential information

Each participant shall protect the confidential business information referred to in Section 9.3.1 of this Certificate Policy that it has become aware of in any manner, in accordance with the laws regulating information protection and considering the information type and the type and level of secrecy. Otherwise, it shall be held liable for the damage caused.

9.4. Privacy of personal information

Bank adopts privacy measures for the protection of personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).

Bank shall be responsible for the protection of personal data collected for the purpose of providing Qualified Trust Services.

During and after the Subscriber registration procedure, Bank shall be authorised to collect personal data required for valid Subscriber identification and other data required for Qualified Trust Service provision.


Personal data collected by Bank that shall not be integrated in certificate contents, shall be considered confidential personal data duly protected by Bank.

Personal data collected by Bank during, or even after, the Subscriber registration procedure and which shall be integrated in the certificate contents shall not be considered confidential personal data due to their availability to all interested PKI participants.

Aside from the needs of fulfilling legal obligations or contractual obligations according to certification agreements, Bank may use or publish personal data on the basis of written consent from the Subscriber.

Bank shall be entitled to disclose confidential/private information in response to judicial and administrative processes.

9.5. Intellectual property rights

Bank is the exclusive owner of all rights related to the electronic certificates issued by Zaba Root QCA and Zaba QCA; the certificate revocation list; the content of the Certification Practice Statements and the Certificate Policies. Furthermore, Bank is the holder of the rights related to any other kind of document, protocol, computer program and hardware, file, directory, database and consultation service that may be generated or used in the area of the Zaba QPKI activities.

The object identifiers numbers (OIDs) used are the property of Bank and have been registered at the national competent body. No OID assigned to Bank may be used, partially or fully, except for the specific uses included in the certificate.

Bank shall not have intellectual property rights over the software used in Zaba QPKI which is owned by third parties.

9.6. Representations and warranties

9.6.1. CA representations and warranties

Bank shall be responsible for the compliance of this Certificate Policy with legislation specifically with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), and for implementing the provisions stipulated in this Certificate Policy, Certification services terms and conditions and in accordance with obligations in Subscriber agreements concluded with the Subscriber.

On the website of the Zaba QPKI repository, Bank shall publish the Certification services terms and conditions, this Certificate Policy, Certificate Practice Statements and other publicly available documents related to Zaba QPKI. Bank as the Qualified Trust Service Provider shall be responsible for:

proper authentication of natural and legal persons with the aim of certificate issuance,

issuing certificates in a secure manner in order to preserve their authenticity and accuracy,

compliance with its obligations.

In accordance with representations and warranties, Bank:

upon providing Qualified Trust Services, shall apply the provisions of valid regulations referred to in Section 9.14 of this Certificate Policy,

shall give applicants complete and clear information on the certification procedure, the requisite technical features for accessing it, the characteristics of the signatures issued on the basis of the certification service and the restrictions on the use thereof,

shall issue a certificate in a secure manner in order to preserve its authenticity and accuracy, basing it on the reliably established identity of a natural and/or legal person,

shall issue a certificate with a profile in accordance with Section 7.1 of this Certificate Policy, and according to the certificate type stated in the certificate issuance application,

shall ensure that Subscriber key pairs generated on QSCD devices in Zaba QPKI protected zones, shall be generated in a secure manner ensuring private key confidentiality, in accordance with this Certificate Policy,

shall for private Subscriber keys used in remote electronic signing and sealing service, manage these on behalf of the Signatory or Creator of a seal so that the Signatory has its private key under its sole control, or that the Creator of a seal has the corresponding private key under its control,

shall, pursuant to an authenticated and authorised application, after the conducted stipulated procedure, revoke a certificate and publish it on the list of revoked certificates,

shall provide information about the revocation status of a certificate,


shall carry out the required security measures for protection of premises and equipment of the certification system,

shall apply organisational and technical measures for protection of the keys and certificates in accordance with this Certificate Policy,

shall use reliable systems for the management of the Zaba QPKI, with procedures ensuring that only authorised persons can make additions and changes and that the authenticity of the data can be verified,

shall, in accordance with the Business Continuity Plan for Zaba QPKI, ensure the continuous service and maximum availability of certification services,

shall monitor the availability of capacities, shall plan maintenance and further development of certification systems in accordance with future needs, standard requirements and development of technology,

shall, in accordance with Sections 9.3 and 9.4 of this Certificate Policy, protect personal data and data considered confidential and shall use this data solely for the needs of certification services within the scope of this Certificate Policy,

shall ensure that internal and external compliance audits of Bank, as a Qualified Trust Service Provider shall be carried out in accordance with Section 8.1 of this Certificate Policy.

In addition to these warranties Bank as Qualified Electronic Time-Stamping Authority shall provide its time-stamping services in accordance with Regulation (EU) No. 910/2014, Act Implementing Regulation (EU) no. 910/2014, the relevant standardization documents and recommendations, this Certificate Policy, Qualified Electronic Time-Stamping Authority practice statement and other relevant internal documentation.

In the event of a disruption in operations, Bank shall act in accordance with Section 5.8 of this Certificate Policy.

Limitations to Bank's responsibilities as a Qualified Trust Services provider shall be described in Section 9.8 of this Certificate Policy.

9.6.2. RA representations and warranties

The obligations and responsibilities of Zaba RA shall be as follows:

carrying out registration and identification procedures for natural and legal persons in the manner stipulated by this Certificate Policy,

forwarding integral, accurate and verified data about Applicants to Zaba QCA for further processing,

retention, archiving and protection of data for at least 10 years from the date of expiry of the certificate to which it refers,

protecting the archived Subscriber data against loss or breach of confidentiality, integrity and accessibility, as laid down in this Certificate Policy,

notification of the Applicant for certificate issuance about the published and accessible terms and conditions of providing Qualified Trust Services and this Certificate Policy.

9.6.3. Subscriber representation and warranties

The Subscriber shall:

in the registration process present itself in the manner stipulated in Chapter 3 and in Section 4.1 of this Certificate Policy,

carefully use and store electronic signature or electronic seal creation device, private keys and activation data in accordance with this Certificate Policy,

undertake appropriate measures for protecting electronic signature or electronic seal private keys and activation data against unauthorised access and use in accordance with Chapter 6 of this Certificate Policy,

request, as soon as possible, revocation of its certificate in the event of private key compromise, the loss or damage to the electronic signature or electronic seal creation device, private key and activation data in accordance with Section 4.9 of this Certificate Policy,

submit to the Zaba RA all necessary data and information about changes that impact or may impact the accuracy of an electronic signature or electronic seal within two days,

use the certificate and corresponding private key in accordance with the laws and other regulations of the Republic of Croatia, and in accordance with this Certificate Policy,

validate the Zaba QTSA electronic signature on the Qualified time-stamp received and verify the validity of the Zaba QTSA Certificate.


The Subscriber shall be responsible for irregularities and damage resulting from non-fulfilment of obligations determined in the above provisions referred to in this Section.

A Subscriber who does not act in accordance with the undertaken obligations may have their certificate revoked and shall lose all rights ensuing from the Subscriber agreement.

9.6.4. Relying party representations and warranties

A Relying Party shall make an autonomous and conscious decision on reasonable certificate reliance.

Reasonable reliance shall be considered a decision by the Relying Party to rely on a certificate if at the time of reliance it has:

undertaken the necessary precautionary measures and used the certificate for the purposes stipulated in the Certificate Policy, that is, under circumstances in which reliance shall be reasonable and in good faith, and under circumstances known or that should have been known to the Relying Party prior to relying on a certificate,

checked the certificate revocation status and validity period, which the Relying party shall confirm by carrying out verification of the certificate status via the OCSP service or on the basis of the last issued CRL, as stipulated in this Certificate Policy,

checked if the electronic signature or electronic seal, created by a private key corresponding to the public key in the certificate is within the certificate validity period,

validated the electronic time-stamp signature and the validity and revocation status of the Zaba QTSA certificate,

used the application solution and IT environment on which it may rely.

The use of the public key and certificate by a Relying party has been described in Section 4.5.2, while the requirements for checking the revocation status of the certificate shall be set out in Section 4.9.6 of this Certificate Policy.

A Relying Party who has not abided by the regulations and this Certificate Policy, and has not acted in accordance with the obligations and responsibilities referred to in this Section, shall alone carry the risks of reliance on such a certificate.

A Relying Party shall bear all the certificate reliance risks if it is aware of or has a reason to believe that facts exist that may cause personal or business damage due to the certificate use.

9.6.5. Representations and warranties of other participants

No stipulations.

9.7. Disclaimer of warranties

Except for the representations and warranties explicitly written in Section 9.6, Bank as a Qualified Trust Services provider shall not be liable for damage, including indirect damage or any loss of profit, loss of data or other indirect damage related to Qualified Trust Services; in particular, Bank is not liable for any damage caused by other PKI participants' non-compliance with the representations and warranties in Section 9.6.

Bank shall not be liable for damage, including indirect damage or any loss of profit, loss of data or other indirect damage related to Qualified Trust Services, caused by using certificates from other providers, or using Bank's certificates not in compliance with certificate usage from this Certificate Policy.

Bank shall not be liable for damage, including indirect damage or any loss of profit, loss of data or other indirect damage related to Qualified Trust Services:

suffered in the period from certificate revocation to the issuance of a new CRL,

damage due to unauthorised use of Subscriber keys and certificates,

damage occurring as a result of using a certificate not permitted by this Certificate Policy,

damage caused by fraudulent or negligent use of a certificate, CRL or OCSP service,

damage occurring as a result of a malfunction or error in the Subscriber's and a Relying Party's software and hardware.

Bank shall not be liable for damage, including indirect damage or any loss of profit, loss of data or other indirect damage related to Qualified Trust Services, occurring as a result of providing false data and fraudulent presentation of a Subscriber during the process of identification and authentication carried out by a Zaba RA in accordance with the requirement of this Certificate Policy.


9.8. Limitations of liability

No stipulations.

9.9. Indemnities

Each PKI participant shall be liable to the damaged party for damages caused by failing to comply with the provisions of this Certificate Policy and relevant regulations in force.

The Signatory, the legal or natural person on whose behalf the Signatory acts and whom it represents, and the Authorised Representative of a legal person shall be liable to the damaged party or any other participant if it obtains and uses a certificate issued by Bank based on fraudulent data provided during the certificate application.

The Relying Party shall be liable to the damaged party or any other participant if it relies on the issued certificate without having checked its validity as described in Section 9.6.4 of this Certificate Policy, or uses it contrary to the purposes set out in this Policy. Bank shall be responsible to the Relying Party only if that responsibility is based on a mutual agreement, this Certificate Policy or a legal regulation.

9.10. Term and termination

9.10.1. Term

This Certificate Policy document shall be valid until a new Certificate Policy document comes into force or until its termination is published. A new document version or published termination of the current version shall be published on the website of the repository referred to in Section 2.2 of this Certificate Policy, with an indication of the effective date. The new document shall be assigned a new OID and it shall contain an indication of the modifications made thereto.

9.10.2. Termination

By entering into force of the new version of Certificate Policy document for all certificates issued according to this document, provisions of this document that cannot be meaningfully replaced by the provisions of the new version of the Certificate Policy document, shall remain in force.

This document termination shall not be bound by nor shall it affect the validity of certificates issued under this document.

9.10.3. Effect of termination and survival

When a new version of the Certificate Policy comes into force, its provisions shall apply to all certificates issued from that day on.

Certificates issued under previous Certificate Policies shall remain valid until their termination, but they may be renewed in accordance with the new Certificate Policy document.

9.11. Individual notices and communication with participants

Individual and other official communication with participants shall be conducted primarily in writing, on paper or electronically. Contact details for such communication are:

Postal address:

Zagrebačka banka d.d.

Upravljanje sustavom zaštite

Samoborska 145, 10090 Zagreb, Hrvatska

Telephone: +385-1-6104-225

Telefax: +385-1-6325-425

E-mail: [email protected]

When electronic mail is used, the message shall be signed with an advanced electronic signature.

9.12. Amendments

This Certificate Policy shall be revised as required.

Zaba PMA may correct spelling mistakes, change contact data and make other minor corrections that do not materially affect the participants, without notice to the participants.


Any PKI participant may send a letter to the Zaba PMA contact address listed in Section 1.5 of this Certificate Policy containing a proposal for corrections or amendments to this document. The letter shall include the contact details of the person submitting the proposal. After consideration, Zaba PMA may accept, adjust or reject the proposed modifications.

Updates to this document are made either by re-issuing the entire document or by addendum, and are notified to the national supervisory authority and the conformity assessment body.

Major amendments to the Certificate Policy document that may materially affect the participants shall require a change of the Certificate Policy document OID. Zaba PMA shall determine the new OID for the new document version.

All amendments to this Certificate Policy document, including new versions with a changed Certificate Policy document OID, shall be published in electronic form on the website of the repository referred to in Section 2.2 of this Certificate Policy.

The effective date of amendments or newly-published Certificate Policy document shall be indicated on its cover page as well as on the website where it shall be published.

9.13. Dispute resolution provisions

In the event of a dispute or disagreement between Zaba and other participants arising from actions and/or procedures regarding the provision of certification services regulated by this Certificate Policy, the participants shall attempt to reach an amicable solution. Otherwise, the matter shall be resolved by the competent court in Zagreb under Croatian law.

Participants may file a complaint with the Bank if they believe there is a discrepancy between the content of the services and the published terms and conditions of service provision. The Bank shall reply to every complaint. A written complaint shall be submitted in paper or electronic form to the addresses specified in Section 9.11 of this Certificate Policy.

9.14. Governing law

The Bank shall provide Qualified Trust Services within the scope of this Certificate Policy in accordance with Regulation (EU) No 910/2014, the implementing documents adopted pursuant to Regulation (EU) No 910/2014, the Act Implementing Regulation (EU) No 910/2014, and the standardisation documents ETSI EN 319 401, ETSI EN 319 411-1, ETSI EN 319 411-2 and ETSI EN 319 421.

9.15. Compliance with applicable law

This Certificate Policy and the provision of the certification services covered herein shall comply with the regulations referred to in Section 9.14 of this Certificate Policy.

9.16. Miscellaneous provisions

No stipulations.