qtsp qualified certification services certificate … cps firma...5.4.8 vulnerability assessment 44...
TRANSCRIPT
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 1 di 74
QTSP
QUALIFIED CERTIFICATION SERVICES
CERTIFICATE POLICY
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 2 di 74
INDEX
INDEX 2
1 SCOPE 10
1.1 OVERALL 10
1.2 DOCUMENT NAME AND IDENTIFICATION 10 1.2.1 Certificate Policy 10
1.2.2 Entry into force 11
1.2.3 Security levels 11
1.2.4 Qualified Certification Services Policy 11
1.3 PKI PARTICIPANTS 13 1.3.1 Certification Authorities 13
1.3.2 Registration Authorities 13
1.3.3 Subscribers 13
1.3.4 Relying Parties 14
1.3.5 Other Partecipants 14
1.4 USE OF THE CERTIFICATE 14 1.4.1 Permitted use of the certificate 15
1.4.2 Unauthorized use of the certificate 15
1.5 POLICY ADMINISTRATION 16 1.5.1 Administration of the document 16
1.5.2 Contact info 16
1.5.3 Responsibility of the suitability 16
1.5.4 CP approval procedures 16
1.6 DEFINITIONS AND ACRONYMS 17 1.6.1 Definitions 17
1.6.2 Acronyms 19
2 PUBLICATION 21
2.1 REPOSITORY 21
2.2 PUBLICATION OF CERTIFICATION INFORMATION 21
2.3 PUBLICATION FREQUENCY 21 2.3.1 Frequency of Terms and Conditions 21
2.3.2 Certificate publication frequency 21
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 3 di 74
2.3.3 Revocation status publication frequency 21
2.4 CHECK OF ACCESS ON REPOSITORY 21
3 IDENTIFICATION AND AUTHENTICATION 22
3.1 DENOMINATION 22 3.1.1 Types of Name 22
3.1.2 Identification requirements 23
3.1.3 Anonymous subscribers and pseudonyms 23
3.1.4 Rules fo interpretation of name 23
3.1.5 Uniqueness of names 23
3.2 VALIDATION OF THE IDENTITY 23 3.2.1 Methods to prove ownership of the private key 23
3.2.2 Authentication of an organizational entity 24
3.2.3 Authentication of an individual entity 24
3.3 IDENTIFICATION AND AUTHENTICATION FOR REISSUE 24 3.3.1 Identification and authentication for normal reissue 24
3.3.2 Identification and authentication for reissue after revocation 24
3.4 IDENTIFICATION AND AUTHENTICATION FOR RENEWAL REQUESTS 24 3.4.1 Identification and authenticationin tge case if a valid certificate 25
3.4.2 Identification and authentication in case of invalid certificate 25
3.5 IDENTIFICATION AND AUTHENTICATION IN CASE OF CERTIFICATE
MODIFICATION REQUIREMENTS 25 3.5.1 Identification and authentication in the case of a valid certificate 25
3.5.2 Identification adn authentication in case of invalid certificate 25
3.6 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUESTS 25
4 CERTIFICATE LIFE CYCLE REQUIREMENTS 26
4.1 REQUEST OF A CERTIFICATE 26 4.1.1 Submission of the certificate request 26
4.1.2 Enroll Process and responsibility 26
4.2 PROCEDURES FO MANAGING THE CERTIFICATE REQUEST 26 4.2.1 Performing identification and authentication fuctions 26
4.2.2 Approval or rejection 27
4.2.3 Request exection time 27
4.3 ISSUE OF CERTIFICATE 27 4.3.1 CA actions during the issuance of the certificate 27
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 4 di 74
4.3.2 Notification to the holder about the issue of the certificate 27
4.4 ACCEPTANCE OF THE CERTIFICATE 27 4.4.1 Conduct on acceptance of the cetificate 27
4.4.2 Publication of the certificate by the CA 27
4.5 KEY PAIR AND CERTIFICATE USAGE 28 4.5.1 Subscriber private key and certificate usage 28
4.5.2 Interested parties – Public key and use of the certificate 28
4.6 RENEWAL 29 4.6.1 Requirements for renewal of the certificate 29
4.6.2 Submission request for renewal 29
4.6.3 Renewal request process 29
4.6.4 Notification of certificate issue 30
4.6.5 Conduct on the acceptance of the renewal of the certificate 30
4.6.6 Publication of the renewed certificate by the CA 30
4.7 REISSUE 30 4.7.1 Requirements fo reissuing 30
4.7.2 Submission request for reissuing 30
4.7.3 Reissue request process 30
4.7.4 Notification of the issuance of the certificate 30
4.7.5 Conduct on the acceptance on the reissuing of the certificate 31
4.7.6 Issued certificate publication 31
4.7.7 Notification to other entities of the certificate reissue 31
4.8 MODIFICATIONS TO THE CERTIFICATE 31
4.9 REVOCATION AND SUSPENSION OF THE CERTIFICATE 31 4.9.1 Circumstances fo revocation. 31
4.9.2 Submission of revocation request 32
4.9.3 Processes for revocation management 32
4.9.4 Grace Period richiesta di request for revocation 33
4.9.5 Time eithin which the CA must process the request for revocation 33
4.9.6 Requirements on the control of revocation by interested parties 33
4.9.7 Frequency Issuing CRL 33
4.9.8 Maximum latency on CRL 33
4.9.9 Availability of OCSP service 33
4.9.10 OCPS service requirements 33
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 5 di 74
4.9.11 Particular requirements on key compromise 34
4.10 CERTIFICATE STATUS VERIFICATION SERVICES 34 4.10.1 Operational features 34
4.10.2 Service availability 34
4.11 END OF SUBSCRIPTION 34
4.12 KEY ESCROW E RECOVERY 35 4.12.1 Policy and practices Key Escrow and Recovery 35
4.12.2 Encapsulation key symmetrical encryption policies recovery 35
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS 36
5.1 PHYSICAL CONTROLS 36 5.1.1 Location site and features 36
5.1.2 Physical access 36
5.1.3 Power supply and air conditioning 37
5.1.4 Exposure to water 38
5.1.5 Prevention and fire potection 38
5.1.6 Media Storage 39
5.1.7 Provisions on the disposal of apparatus 39
5.1.8 Off-Site Backup 39
5.2 PROCEDURAL CONTROLS 39 5.2.1 Roles 40
5.2.2 Number of peaple required for task 40
5.2.3 Identification and authentication fo roles 40
5.2.4 Roles requiring segregation 40
5.3 PERSONNEL CONTROL 41 5.3.1 Qualifications, experience and clarity of requirements 41
5.3.2 Background verification procedures 41
5.3.3 Training requirements 42
5.3.4 Refresh rate 42
5.3.5 Sanctions on unauthorised shares 42
5.3.6 Requirements on consultants 42
5.3.7 Documentation provided to staff 43
5.4 AUDIT PROCEDURES 43 5.4.1 Types of events stored 43
5.4.2 Frequency of audit processes 43
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 6 di 74
5.4.3 Audit log retention period 44
5.4.4 Audit log protection 44
5.4.5 Audit log backup procedures 44
5.4.6 Audit event collection system 44
5.4.7 Verbosity error notification 44
5.4.8 Vulnerability Assessment 44
5.5 STORING RECORDS 45
5.6 CA KEY CHANGEOVER 45
5.7 COMPROMOSE AND DISASTER RECOVERY 45 5.7.1 Indente and compromise management procedures 46
5.7.2 Computing Resources, Software, and/or corrupted data 46
5.7.3 Private key compromise procedures 46
5.7.4 Capacity of business continuity in case of disaster 47
5.8 CESSATION OF ACTIVITY 47
6 TECHNICAL SECURITY CONTROLS 48
6.1 GENERATING AND INSTALLING KEY PAIR 48 6.1.1 Generating key pair 48
6.1.2 Private key realease to subscribers 48
6.1.3 Issuing the public key to the certificate 48
6.1.4 Issuing the CA public key to interested parties 49
6.1.5 Key length 49
6.1.6 Key generation parameters and quality control 49
6.1.7 Key usage purposes (see key usage field X. 509 v3) 49
6.2 PRIVATE KEY PROTECTION AND CONTROLS ON CRYPTOGRAPHIC
COMPONENT 49 6.2.1 Standard and cryptographic module controls 50
6.2.2 Private key segregation control (MofN) 50
6.2.3 Key Escrow private key 50
6.2.4 Backup private key 50
6.2.5 Key storage 50
6.2.6 Trasfer of the private key to/from the cryptographic module 50
6.2.7 Storing the private key on the cryptographic module 51
6.2.8 Private key activation method 51
6.2.9 Method of deactivating private key 51
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 7 di 74
6.2.10 Method of destruction of the private key 52
6.2.11 Cryptographic module evaluation 52
6.3 OTHER ASPECTS OF KEY MANAGEMENT 52 6.3.1 Public key storage 52
6.3.2 Validity of the certificate and keys 52
6.4 ACTIVATION DATA 53 6.4.1 Activation data generation and installation 53
6.4.2 Activation data protection 53
6.5 COMPUTER SECURITY CONTROLS 53 6.5.1 Specific technical security requirements on IT system 53
6.5.2 Assessment of IT system security 54
6.6 LIFE CYCLE OF ROADWORTHINESS TEST 54 6.6.1 Control of development system 54
6.6.2 Security management controls 54
6.6.3 Life cycle of security controls 55
6.7 NETWORK SECURITY CHECKS 55
6.8 TIME-STAMPING 56
7 CERTIFICATE, CRL, AND OCSP PROFILES 57
7.1 CERTIFICATE PROFILE 57 7.1.1 Specification X509 57
7.1.2 Certificate extensions 57
7.1.3 Object Identifier algorithms 58
7.1.4 Composition of the name 58
7.1.5 Constraints on name 58
7.1.6 Certficiate Object Identifier policy 58
7.1.7 Usage of policy constraints extension 58
7.1.8 Syntax and semantics of policy qualifiers 58
7.1.9 Semantics management fo critical policy extensions 58
7.2 CRL PROFILE 59 7.2.1 Version 59
7.2.2 Specifyng CRL extensions 59
7.3 OCSP PROFILE 60 7.3.1 Version 60
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 8 di 74
7.3.2 OCSP extensions 60
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS 61
8.1 FREQUENCIES OR ASSESSMENT REQUIREMENTS 61
8.2 IDENTITY/QUALIFICATION OF ASSESSOR 61
8.3 INDIPENDENCE OF THE ASSESSOR 61
8.4 TOPICS COVERED BY THE ASSESSMENT 61
8.5 ACTIONS TAKEN IN THE EVENT OF NON-COMPLIANCE 62
8.6 COMMUNICATING THE RESULT 62
9 LEGAL ECONOMIC ASPECTS 63
9.1 RATES 63
9.2 FINANCIAL LIABILITIES 63 9.2.1 Insurance coverage 63
9.3 CONFIDENTIALITY OF BUSINESS INFORMATION 63
9.4 PRIVACY OF PERSONAL INFORMATION 63 9.4.1 Data protection mode 64
9.5 INTELLECTUAL PROPERTY RIGHTS 68
9.6 DECLARATIONS AND WARRANTIES 68 9.6.1 Statements and warranties of the CA 68
9.6.2 Declarations and guarantees of RA 69
9.6.3 Declatations and warranties of the subscriber 69
9.7 WARRANTY STATEMENTS 69
9.8 LIABILITY LIMIT 69
9.9 ALLOWANCES 70
9.10 SERVICE LIFE AND TERMINATION 70 9.10.1 Duration 70
9.10.2 Resolution 70
9.10.3 Effects of cessation 71
9.11 NOTIFICATIONS AND COMMUNICATIONS WITH USERS 71
9.12 CHANGES TO THE CP 71 9.12.1 Procedures for the dissemination of CP 71
9.12.2 Notification and timing mechanism 72
9.12.3 Circumstancs under which it is necessary to change OID 72
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 9 di 74
9.13 DISPUTE RESOLUTION 72
9.14 GOVERNMENT LAWS 72
9.15 COMPLIANCE WITH LAWS IN FORCE 72
10 REFERENCES 73
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 10 di 74
1 SCOPE
This document contains the policies for issuing qualified certificates (Certificate Policy - hereinafter
CPS) defined for the Lottomatica S.p.A. qualified trust service provider and concerning the
subscription service.
This CP is compatible with the requirements set out in European Regulation 910/2014 - eIDAS, and
the activity described is compatible with the provisions for services provided by Qualified Trust
Service (hereinafter QTSP) Providers.
The QTSP (Lottomatica S.p.A.) reserves the right to make changes to this document for technical
requirements or for changes to the procedures that have occurred either because of legal
regulations or regulations or for optimization of the working cycle.
Each new version of the manual annuls and replaces the previous versions, which remain applicable
to certificates issued during their validity and until their expiration date.
1.1 OVERALL
The qualified signature CP contains the definition of rules that specify the usability of a certification
for a community and / or class of applications with common security requirements. The information in this document is structured to be compatible with what is contained in the RFC
3647 public specification. This CP consists of 9 chapters that contain the security requirements, processes, and practices
defined by the QTSP to be followed during the service delivery.
Certificates issued in accordance with this CP have the identification criteria (OIDs) to which the certificates must conform.
This CP defines basic requirements for certificates with particular reference to the QTSP certificate. The way these requirements are met and the detailed descriptions of the methods in this document
are included in the Certificate Practice Statement document (CPS) issued by QTSP.
1.2 DOCUMENT NAME AND IDENTIFICATION
1.2.1 Certificate Policy
Below are the main identification data of this CP:
Entity Lottomatica S.p.A.
Name of the document Qualified Certification Services
- Certificate Policies
Version 1.0
Date 27/04/2017
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 11 di 74
1.2.2 Entry into force
This document is in force since 27/04/2017.
This CP and the related CPSs based on this document are reviewed annually as well as the related
applicability criteria. This CP includes specific requirements for services provided to Italian customers, operating with
Italian law in Italian. Certificates issued to customers are issued with the usage restrictions specified in chap. 1.4.
1.2.3 Security levels
The Lottomatica S.p.A. qualified trust service provider defines security levels, bearing in mind that
the Certified Certificate Issue is intended to issue Qualified Signature Certificates on HSM equipment
in accordance with this CP.
1.2.4 Qualified Certification Services Policy
All Certificates issued by QTSP refer to specific policies for which they are issued.
The following OID is a unique identifier issued to Lottomatica S.p.A.
Table 1 - policy Lottomatica
(1) International Organization for Standardization (ISO)
(3) Organization identification schemes registered according to ISO/IEC
6523-2
(76) UNINFO
(49) Lottomatica SPA
In the following table, the OID of the specification of this document:
Table 2 – document policy
(1.3.76.49) Lottomatica S.p.A.
(1) Lottomatica S.p.A. Certification Authority
(1) documents
(1) public documents
(10) Lottomatica Certification Services – Certificate Policy
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 12 di 74
(1) Main version
(0) Sub version
For the purpose of QTSP, Lottomatica S.p.A. Defines the following OID afferent to as many types of
certificate:
Table 3 – Certificate Policy
OID Description Abbrevation
(1.3.76.49) Lottomatica S.p.A.
(1) Lottomatica S.p.A. Certification
Authority
(2) Certificates
(1) public
(20) Qualified signature certificate
issued per person Natural on
HSM device
IGTCP01
(21) Qualified signature certificate
issued per person Natural on a
HSM device with reduced
temporal validity
IGTCP02
(22) Qualified Individual Nature
Certificate issued on a HSM
device for internal use
IGTCP03
(23) Qualified signature certificate
issued to Legal entity on HSM
device for Automatic Signature
IGTCP04
(1) Main version
(0) Sub version
The certificate policy referred to in Table 1 refers to certificates issued to natural persons.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 13 di 74
In the case the certificate policy is related to the release on HSM, the Qualified Trust Services
Provider:
Ensures that the private key associated with the Certificate is stored exclusively on a
security device compliant with the certification specifications in 6.2.1;
The Qualified Trust Services Provider provides identification processes in accordance with the
privacy law requirements and described in the relevant CPS.
About this CP:
Each policy certificate conforms to the policy [QCPS-n-QSCD] defined in the standard [3].
1.3 PKI PARTICIPANTS
1.3.1 Certification Authorities
Qualified Trust Service Provider issues certificates as part of a trusted service. For example, it
identifies the applicant person, manages records, accepts variations related to certificates, and
publishes policies related to the Certificate, Public Keys, and information about the current status of
the certificate (especially about its revocation). This activity is also defined as certification services.
1.3.2 Registration Authorities
The Registration Authority is a component of the QTSP. The operation of the Registration Authority
must comply with the requirements described in this CP, CPS and other documents. The QTSP is in all cases fully responsible for the proper functioning of the Registration Authority.
1.3.3 Subscribers
For the purposes of the limitations set out in Chapter 1.4, four types of subscribers are defined:
1. Registration Authority Officer - RAO; These are natural persons delegated by Lottomatica S.p.A.
To operate the identification and registration of subscribers belonging to the business channel; Such
registrations are subscribed by RAO through the qualified electronic signature of the declarations
related to the registration operation;
2. Users of the business channel (hereinafter B2B); These are legal persons who have qualified
electronic signatures for the signing of contract documents related to activities related to
Lottomatica S.p.A., its parent companies and / or subject to joint control.
3. Consumer channel customers (hereinafter B2C user); These are physical clients of CartaLIS Imel
S.p.A.
A subsidiary of Lottomatica Holding S.p.A., also a subsidiary of Lottomatica S.p.A., holding a
payment card in the "base" version issued by the latter, using the qualified electronic signature for
the contractual documents required to evolve it paper. The qualified electronic signing certificate for
the B2C user is of a 2one-shot type, meaning that it can be used for one subscription only.
4. Certificate Holders for Automatic Signature (hereinafter Automatic Signature).
5. Employees or employees of Lottomatica S.p.A. (Hereinafter referred to as internal user), its
parent companies and / or jointly controlled.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 14 di 74
The relationship between QTSP and subscribers is governed by specific documents governing the
terms and conditions, signed by holders of the service release as specified in Chapter 9.6.3.
1.3.4 Relying Parties
The QTSP can be used by external entities for the activities of identification and registration of the
holders, in particular:
For B2B users, identification and registration is performed by RAO.
For the B2C service, identification and registration is carried out by the CartaLIS
Collaborators network, such as legal entities represented by point of sale (PdV), which may
be exercised by PdVs of delegated operators nominally by the same legal representatives.
The relationship between CartaLIS and the Employees is governed by a service contract
covering, inter alia, the Monetary Services on which the Collaborators offer is enabled on
behalf of CartaLIS IMEL S.p.A. In order to be able to deliver Monetary Services on behalf of
CartaLIS IMEL S.p.A., the Employees are previously identified and subject to appropriate
verification in accordance with the provisions of the current anti-money laundering
legislation. They must also follow and pass an initial training course with which they are
Provided for anti-money laundering obligations, including those relating to identification
activities and appropriate B2C verification. CartaLIS IMEL S.p.A. Also provides for the
upgrading of the same training courses and information disclosure to the entire sales
network that is allowed in conjunction with changes in the reference regulations or
variations in the commercial proposal regarding the method of distribution and distribution
of the electronic money through that sales network.
CartaLIS IMEL S.p.A. Is a company subject to joint control by Lottomatica S.p.A.
For other types of users (RAO, internal, automated signature holders), the identification
activity performed by internal staff at the QTSP.
1.3.5 Other Partecipants
Not defined.
1.4 USE OF THE CERTIFICATE
The certified usability area is determined by what is contained in the extensions of the certificate
itself. Limitations of use can also be specified within this CP and its CPS.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 15 di 74
1.4.1 Permitted use of the certificate
The certificates are issued with the use restrictions listed in two languages as stated below.
Certificate of the user Rao, B2B (IGTCP01) and B2C (IGTCP02)
Usage limited to the relationships established by the owner with any subject, only for
activities attributable to Lottomatica S.p.A. and its controlling companies and/or
companies under common control;
L'uso è limitato a rapporti instaurati dal Titolare con qualsiasi soggetto, purché connessi
con attività riconducibili a Lottomatica S.p.A., società sue controllanti e/o sottoposte a
comune controllo.
Certificate of Internal user (IGTCP03) Usage limited to the relationships established with any subject, only for activities
attributable to Lottomatica S.p.A. and its controlling companies and/or companies under
common control;
L'uso è limitato a rapporti instaurati con qualsiasi soggetto, purché connessi con attività
riconducibili a Lottomatica S.p.A., società sue controllanti e/o sottoposte a comune
controllo.
Automatic Signature user Certificate (IGTCP04) The certificate to which IGTCPS04 is issued with the limitations of use in double language as
specified below:
The certificate may only be used for unattended/automatic digital signature;
Il presente certificato è valido solo per firme apposte con procedura automatica.
1.4.2 Unauthorized use of the certificate
QTSP Certificate
The Lottomatica S.p.A. root certificate and its private key can not be used before the actual
publication.
Subscriber Certificate
It is not permitted to use the certificate issued to the holder in accordance with this CP, and its
private keys, for purposes other than those specified in 1.4.1.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 16 di 74
1.5 POLICY ADMINISTRATION
1.5.1 Administration of the document
The staff data that administers this Certificate Policy are as follows:
Organization name Lottomatica S.p.A.
Address Viale del Campo Boario 56/d, 00154 Rome
Phone (+39) 06 518991
Email [email protected]
1.5.2 Contact info
For issues related to this CP, you can contact the contacts as follows
Contact Carmine Tufano
Organization name Lottomatica S.p.A.
Address Viale del Campo Boario 56/d, 00154 Rome
Phone (+39) 06 518991
Fax -
Email [email protected]
1.5.3 Responsibility of the suitability
The certifier is responsible for the compliance of the CPS with this document, and for the provision
of the services in accordance with the laws contained therein.
CPS and its provision of services are subject to the vigilance of the AgID, (Agency for Digital Italy).
The trust list (TSL) of the Trust service providers is published on the website of the Agid.
1.5.4 CP approval procedures
The Qualified Trust Service Provider describes the approval procedures of the CPS, which includes
compliance with this CP.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 17 di 74
In particular, this document is subject to a review process, at least annually, revised by the Digital
Signature Organizational Structure Manager and the modifications made are submitted to the CTO's
final approval.
1.6 DEFINITIONS AND ACRONYMS
1.6.1 Definitions
From the European Regulation 910-2014 eIDAS, Art 3:
(1) ‘electronic identification’ means the process of using person identification data in electronic form
uniquely representing either a natural or legal person, or a natural person representing a legal
person;
(2) ‘electronic identification means’ means a material and/or immaterial unit containing person
identification data and which is used for authentication for an online service;
(3) ‘person identification data’ means a set of data enabling the identity of a natural or legal person,
or a natural person representing a legal person to be established;
(4) ‘electronic identification scheme’ means a system for electronic identification under which
electronic identification means are issued to natural or legal persons, or natural persons
representing legal persons;
(5) ‘authentication’ means an electronic process that enables the electronic identification of a natural
or legal person, or the origin and integrity of data in electronic form to be confirmed;
(6) ‘relying party’ means a natural or legal person that relies upon an electronic identification or a
trust service;
(7) ‘public sector body’ means a state, regional or local authority, a body governed by public law or
an association formed by one or several such authorities or one or several such bodies governed
by public law, or a private entity mandated by at least one of those authorities, bodies or
associations to provide public services, when acting under such a mandate;
(8) ‘body governed by public law’ means a body defined in point (4) of Article 2(1) of Directive
2014/24/EU of the European Parliament and of the Council;
(9) ‘signatory’ means a natural person who creates an electronic signature;
(10) ‘electronic signature’ means data in electronic form which is attached to or logically associated
with other data in electronic form and which is used by the signatory to sign;
(11) ‘advanced electronic signature’ means an electronic signature which meets the requirements set
out in Article 26;
(12) ‘qualified electronic signature’ means an advanced electronic signature that is created by a
qualified electronic signature creation device, and which is based on a qualified certificate for
electronic signatures;
(13) ‘electronic signature creation data’ means unique data which is used by the signatory to create
an electronic signature;
(14) ‘certificate for electronic signature’ means an electronic attestation which links electronic
signature validation data to a natural person and confirms at least the name or the pseudonym
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 18 di 74
of that person;
(15) ‘qualified certificate for electronic signature’ means a certificate for electronic signatures, that is
issued by a qualified trust service provider and meets the requirements laid down in Annex I;
(16) ‘trust service’ means an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic
time stamps, electronic registered delivery services and certificates related to those services,
or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services;
(17) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down
in this Regulation;
(18) ‘conformity assessment body’ means a body defined in point 13 of Article 2 of Regulation (EC)
No 765/2008, which is accredited in accordance with that Regulation as competent to carry out
conformity assessment of a qualified trust service provider and the qualified trust services it
provides;
(19) ‘trust service provider’ means a natural or a legal person who provides one or more trust
services either as a qualified or as a non-qualified trust service provider;
(20) ‘qualified trust service provider’ means a trust service provider who provides one or more
qualified trust services and is granted the qualified status by the supervisory body;
(21) ‘product’ means hardware or software, or relevant components of hardware or software, which
are intended to be used for the provision of trust services;
(22) ‘electronic signature creation device’ means configured software or hardware used to create an
electronic signature;
(23) ‘qualified electronic signature creation device’ means an electronic signature creation device
that meets the requirements laid down in Annex II;
(24) ‘creator of a seal’ means a legal person who creates an electronic seal;
(25) ‘electronic seal’ means data in electronic form, which is attached to or logically associated with
other data in electronic form to ensure the latter’s origin and integrity;
(26) ‘advanced electronic seal’ means an electronic seal, which meets the requirements set out in
Article 36;
(27) ‘qualified electronic seal’ means an advanced electronic seal, which is created by a qualified
electronic seal creation device, and that is based on a qualified certificate for electronic seal;
(28) ‘electronic seal creation data’ means unique data, which is used by the creator of the electronic
seal to create an electronic seal;
(29) ‘certificate for electronic seal’ means an electronic attestation that links electronic seal validation
data to a legal person and confirms the name of that person;
(30) ‘qualified certificate for electronic seal’ means a certificate for an electronic seal, that is issued
by a qualified trust service provider and meets the requirements laid down in Annex III;
(31) ‘electronic seal creation device’ means configured software or hardware used to create an
electronic seal;
(32) ‘qualified electronic seal creation device’ means an electronic seal creation device that meets
mutatis mutandis the requirements laid down in Annex II;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 19 di 74
(33) ‘electronic time stamp’ means data in electronic form which binds other data in electronic form
to a particular time establishing evidence that the latter data existed at that time;
(34) ‘qualified electronic time stamp’ means an electronic time stamp which meets the requirements
laid down in Article 42;
(35) ‘electronic document’ means any content stored in electronic form, in particular text or sound,
visual or audiovisual recording;
(36) ‘electronic registered delivery service’ means a service that makes it possible to transmit data
between third parties by electronic means and provides evidence relating to the handling of the
transmitted data, including proof of sending and receiving the data, and that protects
transmitted data against the risk of loss, theft, damage or any unauthorised alterations;
(37) ‘qualified electronic registered delivery service’ means an electronic registered delivery service
which meets the requirements laid down in Article 44;
(38) ‘certificate for website authentication’ means an attestation that makes it possible to
authenticate a website and links the website to the natural or legal person to whom the
certificate is issued;
(39) ‘qualified certificate for website authentication’ means a certificate for website authentication,
which is issued by a qualified trust service provider and meets the requirements laid down in
Annex IV;
(40) ‘validation data’ means data that is used to validate an electronic signature or an electronic
seal;
(41) ‘validation’ means the process of verifying and confirming that an electronic signature or a seal
is valid.
1.6.2 Acronyms
QTSP Qualified Trust Service Provider
CA Certification Authority
HSM Hardware Security Module
HA High Availability
CRL Certificate Revocation List
OCSP Online Certificate Protocol Status
TSA Time Stamp Authority
TSU Time Stamp Unit
QSCD Qualified Signature Creation Device
RAO Registration Authority Operator
RA Registration Authority
PKI PKI Public Key Infrastructure - This term means a series of agreements that allow trusted
third parties to verify and / or guarantee the identity of a user, as well as associate a public
key with a user, usually by means of distributed software co-ordinated on Different systems.
Public keys typically take the form of digital certificates.
PIN Personal Identification Number
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 20 di 74
PUK Personal Unlock Key
SN Serial Number.
SSL Secure Socket Layer – Standard protocol for managing secure Internet transactions based
on the use of public key cryptographic algorithms.
WS Web Service
ICT Information and Communication Technology
VPN Virtual Private Network
PdV Sales points
DC Data Center
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 21 di 74
2 PUBLICATION
2.1 REPOSITORY
The QTSP publishes this CP, CPS, and other documents containing the terms and conditions on
which its service is based.
The QTSP ensures that the availability of its systems is at least 99.7% on an annual basis, while service timing may not exceed 8 hours in each case.
2.2 PUBLICATION OF CERTIFICATION INFORMATION
The CA certificate is available at the address https://ca.firmadigitale.lottomaticaitalia.it Certification
portal.
Certificate status verification information, is published by CRL available over HTTP, and through the
OCSP url specified in the certificate.
2.3 PUBLICATION FREQUENCY
2.3.1 Frequency of Terms and Conditions
The publication of new versions of the CP is in accordance with the procedures described in
paragraph 9.12.
2.3.2 Certificate publication frequency
The QTSP publishes the CA root certificate before the startup. The QTSP does not publish the
subscriber's certificate.
2.3.3 Revocation status publication frequency
The State related to certificates issued to subscribers by the QTSP, it must be immediately available as required for the OCSP service.
Information about the status of the certificates shall be published in the repository of Front end,
inside the revocation list (CRL). The requirements related to the update frequency, are specified in Chapter 4.10. Updating the revocation list is in accordance with what is specified in chap. 4.9.7.
2.4 CHECK OF ACCESS ON REPOSITORY
Access to the public repository of certificates must be permitted in accordance with the provisions of
art. 34 of the DPCM of 22 February 2013 [33].
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 22 di 74
3 IDENTIFICATION AND AUTHENTICATION
3.1 DENOMINATION
This Chapter establishes the requirements of the data indicated in the certificate issued to the
subscribers, in accordance with this CP
3.1.1 Types of Name
This CP requires the Subject field specification to be compatible with the following:
• Common Name (CN) – OID: 2.5.4.3 name of Subject;
The Common Name field specifies the name of a natural person.
The possibility of using a pseudonym is governed by law.
• Surname – OID: 2.5.4.4 – The surname of the natural person
In this field, the subject's surname must be specified.
The use of a pseudonym is governed by law.
• Given Name – OID: 2.5.4.42 – The name of the natural person.
In this field, the subject’s name must be specified.
The possibility of using a pseudonym is governed by law.
• Pseudonym – OID: 2.5.4.65 Subject pseudonym.
Subject pseudonym can be specified in this field.
The use of a pseudonym is governed by law.
Serial Number – OID: 2.5.4.5 Unique Subject Identifier.
In this field, a unique reference to a Subject's identity document must be specified.
• Organization – OID: 2.5.4.10 Il nome della Organizzazione
Organization Identifier – OID: 2.5.4.97 – The name of the Organization.
• Normally this field contains a numeric identifier associated with the Organization, such as
VAT.
• Organizational Unit (OU) – OID: 2.5.4.11 – The name of the organizational unit.
In this field you can specify the name of an organizational unit belonging to the Organization.
The "OU" field can only be specified if the fields "O", "L" and "C" are present.
• Country (C) – OID: 2.5.4.6 – Country identification.
The field includes the two-letter code of the country to which the organization belongs. For Italy
this field is "IT"
• Locality Name(L) – OID: 2.5.4.7 – Name of locality
For an organization, the field specifies the location where the location is located. In the case of a
certificate that is not associated with an Organization, the field is not used.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 23 di 74
3.1.2 Identification requirements
The recognition of the Subscriber must be through the determination of the validity of identity
documents provided by the holder. The identity validation process is performed in the manner specified in the CPS.
3.1.3 Anonymous subscribers and pseudonyms
QTSP may allow the use of alias by law.
3.1.4 Rules fo interpretation of name
See chapter 3.1.2.
3.1.5 Uniqueness of names
The subject must be uniquely identifiable within the QTSP systems. The holder's personal data is
accompanied by a serial Number as specified in chapter 3.1.1 (Identity document ID).
The uniqueness of the name must comply with those specified in document EN 319412 p02 [15] v
2.1.1 cap 4.2.4.
Disputes related to the name
The QTSP must verify the credentials provided by the subscriber, which must be reported in the
certificate. QTSP is in the position to revoke the certificate in the case of illegal use of names or
data.
3.2 VALIDATION OF THE IDENTITY
The identity validation process is detailed in its CPS. The QTSP stores all the information provided in the identification phase of subscribers and in
particular the identification number and the expiration of the identification document.
3.2.1 Methods to prove ownership of the private key
Before issuing a certificate, the QTSP shall ensure and verify that the requester hasunder his sole
control the private key from the public key of the certificate.
The mode by which this requirement is satisfied, it must be specified in the CPS.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 24 di 74
3.2.2 Authentication of an organizational entity
The QTSP issues qualified electronic signature certificates only to natural persons.
3.2.3 Authentication of an individual entity
The identity verification process associated with the issue of a qualified electronic certificate in
accordance with Article 24 of Regulation 910/2014 (eIDAS) is ensured through "the physical
presence of a natural person" or "at a distance, by means of electronic identification means
"(paragraphs 1a and 1b).
The methods for identifying the subscriber are detailed in the relevant CPS.
3.3 IDENTIFICATION AND AUTHENTICATION FOR REISSUE
Re-issuing the certificate is the process in which the QTSP issues a new certificate instead of the
previous one for contractual necessity where: • Limits of validity have been reached;
• Canceling the previous certificate;
• By changing one of the master data related to the certificate or the use of the signature. In case of issue, the QTSP must always verify the existence and validity of the holder's certificates.
The subscriber's identification must in any case comply with the provisions of section 3.2.3. More details are provided in the relevant CPS.
3.3.1 Identification and authentication for normal reissue
A reissue of the certificate must always provide for the verification of documents and personal
information as defined in 3.2.3.
3.3.2 Identification and authentication for reissue after revocation
A reissue of the certificate as a result of the revocation, must always provide for verification
of personal information as defined in 3.2.3.
.
3.4 IDENTIFICATION AND AUTHENTICATION FOR RENEWAL REQUESTS
The renewal of the certificate is executed for contractual needs and at the same time where it is
imminent to reach the validity limits of the certificate.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 25 di 74
3.4.1 Identification and authenticationin tge case if a valid certificate
The valid certificate is renewed only if it is near the expiration date. Re-issuing of the certificate
must include verification of the personal data as specified in 3.2.3.
3.4.2 Identification and authentication in case of invalid certificate
Re-issuing of the certificate involves the verification of the persoanl data as specified in 3.2.3.
3.5 IDENTIFICATION AND AUTHENTICATION IN CASE OF CERTIFICATE
MODIFICATION REQUIREMENTS
If you need to make changes to the certificate, it will be revoked and resubmitted with the new
personal data. The new issue of the certificate requires the verification of the personal data as specified in 3.2.3.
3.5.1 Identification and authentication in the case of a valid certificate
Identification and Authentication in the case of a valid certificate may be carried out following verification of the expiration of the certificate itself.
The new issue of the certificate requires the verification of the personal data as specified in 3.2.3.
3.5.2 Identification adn authentication in case of invalid certificate
The new issue of the certificate involves the verification of personal information.
3.6 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUESTS
The QTSP must receive and process requests for revocation of the signature certificate. The QTSP
must ensure that requests are executed quickly, verifying their acceptance by the responsible staff.
Requests received must be processed within a maximum 24-hour time span. Once the request has
been approved, it must be processed within 1 hour.
Suspension of the Certificate may be requested by the Certificate Holders, in writing to the QTSP
mailbox, [email protected].
The identity of the person submitting the request must be verified by the QTSP before the request
is executed. These aspects are detailed in the CPS.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 26 di 74
4 CERTIFICATE LIFE CYCLE REQUIREMENTS
4.1 REQUEST OF A CERTIFICATE
The qualified electronic signature certificate issued by Lottomatica S.p.A., is used mainly as an
instrument itself associated subscription by Lottomatica S.p.A. of reports associated with business
activities related to Lottomatica S.p.A., parent companies and/or under common control, within the
limits of use specified in cap 1.4.
Each new process of issuing a certificate of subscription is subject to verification of the identity of
the subject in accordance to what is specified in Chapter 3, and in particular in the manner
described in Chapter 3.2.3.
The identification and registration of owner details are validated through different ways depending
on the type of user, as specified in Chapter 1.3.3.
The processes associated with the certificate request, are detailed in CPS.
4.1.1 Submission of the certificate request
The certificate request can be validated only by following the procedures of the holder's identity.
Confirmation of the validity of the data is processed according to the channel where the holder to
whom the certificate is issued by qualified personnel. In any case, request validation for issuing the
certificate, is performed by RAO personnel for all users.
4.1.2 Enroll Process and responsibility
The enroll process has the primary task of issuing the subscription certificate.
Before the procedure is initiated, the subscriber must be called upon to check his / her personal
data and view the terms and conditions of the service.
The QTSP, upon receipt of the confirmation on the start of the issuing procedure, must record the
holder's personal data before proceeding to the certificate generation.
The events following the confirmation of the master and the service terms of the service must be
recorded by the QTSP and filed for a period of 20 years.
If the subscriber's identity is not validated by the subscriber, the enrolling process must not be
executed.
4.2 PROCEDURES FO MANAGING THE CERTIFICATE REQUEST
4.2.1 Performing identification and authentication fuctions
The QTSP identifies the subscriber according to what is published in chapt. 3.2.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 27 di 74
4.2.2 Approval or rejection
Approval of the request may take place if:
• The holder has the requirements associated with the RAO's finding of his identity;
• The holder agrees to the terms and conditions of service delivery.
Rejection of the request may take place if:
• None of the conditions for approval have been verified;
• The holder has another valid certificate on his behalf, which does not fall under the terms of
the renewal.
4.2.3 Request exection time
The certificate must be issued at the end of positive feedback following the procedures for
determining the identity of the holder.
4.3 ISSUE OF CERTIFICATE
The QTSP can issue the certificate, only to validate the process of recording the subscriber data by
the RAO. Further details are specified in the relevant CPS.
4.3.1 CA actions during the issuance of the certificate
The certificate must be issued with the safety measures in accordance with the applicable
regulations.
4.3.2 Notification to the holder about the issue of the certificate
The QTSP must inform the holder about the issuance of the certificate.
4.4 ACCEPTANCE OF THE CERTIFICATE
4.4.1 Conduct on acceptance of the cetificate
The QTSP publishes subscription certificates for the generation of the same. The terms related to
this publication are contained in the Service Terms and Conditions document accepted by the holder.
4.4.2 Publication of the certificate by the CA
The QTSP does not publicize the generated certificates. The related conditions are contained in the
general conditions of service accepted by the holder.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 28 di 74
4.5 KEY PAIR AND CERTIFICATE USAGE
4.5.1 Subscriber private key and certificate usage
The subscriber uses his own private key corresponding to the certificate issued to him only for the
purposes of the qualified electronic signature and only in accordance with the conditions specified in
cap 1.4. Any other use of the certificate, including authorization and / or digit, is prohibited.
The subscription operation is used by the holders according to the following scheme:
• For B2B and B2C users, the subscription is only for the signature of PDF and PDF / A files,
exclusively in the context of a process related to the contractualization of the user, realized through
IT solutions (eg web portals, systems for use Internal) devoted to this purpose;
• The RAO user signs exclusively the B2B user registration form, through IT solutions (eg web
portals, systems for internal use) devoted to this purpose;
• For internal users, it is allowed to sign documents using IT solutions devoted to this purpose and
can only be used limited to the activities of Lottomatica s.p.a., parent companies and / or jointly
controlled. Specifically, such IT solutions accept any document or file format, enabling application
signature in formats:
Or PAdES / PAdES-T for PDF documents;
Or CAdES / CAdES-T for all other documents.
• For Automatic Signing Users, document signatures are only made by Lottomatica S.p.A, parent
companies and / or under common control, appropriately configured to use the Automatic Signature
Certificate. These systems accept any document or file format, enabling application signature in
formats:
Or PAdES / PAdES-T for PDF documents;
Or CAdES / CAdES-T for all other documents.
Lottomatica S.p.A. warrants that the signed document, does not contain macros, executable codes,
or other elements such as to activate features that may modify the acts, facts or data in the same
representations, in compliance with Article 4, paragraph 3 of the DPCM February 22, 2013 [33],
A private key corresponding to an expired, revoked or suspended certificate should not be used for
the creation of a qualified electronic signature.
The subscriber must ensure adequate protection of qualifying electronic signature activation data
(password and OTP code).
4.5.2 Interested parties – Public key and use of the certificate
The parties concerned with the verification of a qualified electronic signature must proceed
according to what is contained in the CPS with particular regard to the following:
• The parties concerned must verify the validity and the revocation status of the certificate;
• The parties concerned must ensure that the certificate of signature has been issued by
Lottomatica S.p.A. By acknowledgment of the Lottomatica CA root certificate, published by AgID on
its site;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 29 di 74
• The qualified electronic signature certificate and the corresponding public key should only be used
for validating the signature itself;
• The parties concerned must take into account the limitations of use indicated in the certificate, in
accordance with what is contained in Chapter 1.4;
The QTSP provides services to allow subscribers and interested parties to verify the certificates
issued.
4.6 RENEWAL
Renewal of the certificate means the regeneration of the keys and the certificate, provided for in
the case of the expiration of the certificate.
4.6.1 Requirements for renewal of the certificate
The renewal procedure is for all users with the exception of B2C users, for which the qualified
electronic signature service is of one-shot type, and therefore the validity of the certificate is limited
to one signature operation.
Renewal of the certificate can only be performed when the following conditions are verified:
• The previous qualified electronic signature certificate is not suspended or revoked;
• The identity of the holder indicated in the certificate is still valid; identity verification is performed
by an RAO (B2B user) or RAA (Internal User, RAO, Automatic Signature) consistent with the process
that was executed with the first issue of the certificate .
The enrollment procedure performed in the context of renewal of the certificate involves the
generation of a new private key and a new certificate to be associated with the owner, with the
same technical modalities specified for the first issue.
4.6.2 Submission request for renewal
The processes associated with the renewal request for the certificate are detailed in the CPS.
4.6.3 Renewal request process
In the process of evaluating the renewal request, the QTSP must ensure that:
The renewal request is authentic;
The applicant is authorized to proceed;
The applicant confirms that the Subject data indicated in the certificate is still valid;
That the certificate to be renewed is not suspended or revoked;
Whether the algorithms used are still valid during the validity period of the certificate;
The methods used for identification and authentication for the renewal process are described in
chap. 3.4.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 30 di 74
4.6.4 Notification of certificate issue
The QTSP must notify the holder of the renewal of the certificate.
4.6.5 Conduct on the acceptance of the renewal of the certificate
Once the certificate is issued, the holder is called upon to confirm the data contained therein through the qualified electronic signature to which the certificate is connected.
4.6.6 Publication of the renewed certificate by the CA
The QTSP publishes subscription certificates for the generation of the same. The conditions related
to this publication are accepted by the subscriber through explicit consent just before the certificate
entry stage (see section 4.1.2).
4.7 REISSUE
Reissuing the certificate refers to the regeneration of the keys and the certificate, provided in the
cases specified in 4.7.1.
4.7.1 Requirements fo reissuing
Reissuing the certificate can only be performed when the following conditions are true:
• The previous qualified electronic signature certificate is revoked;
• The identity of the holder indicated in the certificate is still valid;
4.7.2 Submission request for reissuing
As in chap 4.6.2.
4.7.3 Reissue request process
As in chap 4.6.3.
4.7.4 Notification of the issuance of the certificate
As in chap 4.6.4.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 31 di 74
4.7.5 Conduct on the acceptance on the reissuing of the certificate
As in chap 4.6.5.
4.7.6 Issued certificate publication
As in chap 4.6.6.
4.7.7 Notification to other entities of the certificate reissue
As in chap 4.6.7.
4.8 MODIFICATIONS TO THE CERTIFICATE
The QTSP does not make changes to the certificate.
4.9 REVOCATION AND SUSPENSION OF THE CERTIFICATE
Revocation of the certificate means the procedure by which the QTSP terminates the validity of a
certificate before its natural expiration date. The revocation of a certificate is permanent and not
reversible; A revoked certificate can not return.
In the event of revocation of the certificate, the QTSP may delete the keys of the subscriber using
the procedures in accordance with the HSM user manual, and with what is specified in the
certification documents.
Following the revocation of the certificate, the QTSP notifies the holder of the change in the status
of the certificate.
Suspending the certificate is the procedure by which the QTSP temporarily terminates the validity of
a certificate. Suspension has a temporal character; The suspended certificate may be revoked or,
before expiration dates are met, it may return.
In accordance with the DPCM 22 February 2013 [33], art. 26, the suspension of the certificate is
carried out by the QTSP by inserting its SerialNumber (CRL) code within the CRL with appropriate
on-hold motivation. The maximum length of the suspension is 60 days, after which time the
certificate is revoked if the request for re-activation by the holder has not been received.
4.9.1 Circumstances fo revocation.
The QTSP may revoke the subscriber's certificate in the following cases:
Changing Certificate Subject Data;
QTSP verifies that the certificate data does not match the reality;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 32 di 74
The holder requires the withdrawal of the certificate in writing;
The QTSP verifies that the private key is not under the exclusive control of the subscriber;
The QTSP verifies that the certificate is used outside the allowed scope
QTSP verifies that the public key contained in the certificate is not compatible with what is
specified in chapters 6.1.5 and 6.1.6;
The QTSP verifies that the certificate has not been issued in accordance with this CP and its
CPS;
QTSP verifies that the subscriber's private key has been or could have been compromised;
The QTSP terminates its certification activity;
The law in force requires the revocation;
The QTSP may suspend the subscriber's certificate in the following scenarios:
The holder requires the suspension of the certificate;
For subscriber B2C following a single signing operation
CPS may include additional conditions for which revocation is envisaged.
4.9.2 Submission of revocation request
The request for revocation may be requested by:
• The subscriber;
• The legal representative of the subscriber;
• The QTSP.
4.9.3 Processes for revocation management
QTSP provides a certificate revocation tool, exclusively through its Revocable Certificate Reliability
feature, upon authentication, on the Certification Portal.
The QTSP verifies the authenticity and validity of the request before proceeding to revoke the
certificate.
The QTSP notifies the subscriber of the transaction through the email provided by the holder at
registration.
The suspension request procedure provides that:
The Certificate Holder sends an e-mail to the QTSP mailbox
The QTSP verifies the identity of the holder through the Registration Authority (RAA or
RAO);
The Registration Authority submits the request to the CA and, as soon as it is made out, sends a
confirmation email to the Holder.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 33 di 74
4.9.4 Grace Period richiesta di request for revocation
The QTSP must declare a "grace period" associated with the validity of the certificate as a result of
a revocation. QTSP specifies this value within its CPS.
4.9.5 Time eithin which the CA must process the request for revocation
The QTSP must process withdrawal and suspension requests in accordance with ETSI 319 411-1
Clause 6.2.4.
4.9.6 Requirements on the control of revocation by interested parties
In order to comply with the revocation check, it is recommended to check all certificates included in
the certification chain. Verification must include checking validity of certificates, policies contained in
the certificate together with key usage, certificate status checking based on information contained
in the CRL or the OCSP.
4.9.7 Frequency Issuing CRL
In compliance with the standard EN 319 411 01 v 1.1.1 Chap. 6.3.9 C [12], the QTSP must update
the revocation lists at least once a day.
4.9.8 Maximum latency on CRL
The QTSP must verify that the latency related to publication of revocation lists, are
minimal. Latency times are specified in the CPS.
4.9.9 Availability of OCSP service
The QTSP must provide an OCSP service to validate the certificate.
4.9.10 OCPS service requirements
The QTSP OCSP service must be compatible with the requirements specified in Chap 4.10.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 34 di 74
4.9.11 Particular requirements on key compromise
If the private key is compromised, the QTSP publishes the status change of the certificate and
notifies the event to the affected parties. In the case of compromising the private key of an end-
user, QTSP revokes the certificate by specifying as the reasonCode the value "keyCompromise (1)".
4.10 CERTIFICATE STATUS VERIFICATION SERVICES
The QTSP, in order to ascertain the validity of a certificate, must provide the following services:
• OCSP - Online Certificate revocation status;
• CRL - certificate revocation lists.
The revoked certificates must be included in the CRL. The revoked certificates can not be canceled by the CRL, even after the expiration date.
In case of state change, at the completion of the process, the QTSP instantly updates the CRL which is subsequently published in accordance with the latency times specified in cap 4.9.8. Since
then, the OCSP service must provide information about the new status of the certificate.
The QTSP also publishes a portal (online verifier) for the validation of a signed digital signature document, publicly available at the following url:
http://ver.ca.firmadigitale.lottomaticaitalia.it
The Online Verifier is a web-based component implemented in java, based on the DSS project
recommended by the European Commission for the recognition of computer documents signed in the different Member States.
4.10.1 Operational features
The QTSP must update the revocation lists at least once every 24 hours.
4.10.2 Service availability
The QTSP should ensure the availability of CRLs and terms and conditions of the certificates issued
at 99.7% on an annual basis, ensuring that unscheduled unavailability of the system does not
exceed 8 hours.
The QTSP should ensure the availability of services in connection with revocation checking for
certificates issued at 99.7% on an annual basis, ensuring that the unavailability of the service does
not exceed 8 hours.
The response time of the OCSP service must not exceed 10 seconds.
4.11 END OF SUBSCRIPTION
The QTSP may revoke the holder's certificate in case of termination of the contractual
arrangements with the subscriber.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 35 di 74
4.12 KEY ESCROW E RECOVERY
QTSP does not provide key escrow tools applied to the private key belonging to a subscriber.
4.12.1 Policy and practices Key Escrow and Recovery
QTSP does not provide key escrow tools applied to the private key belonging to a subscriber.
4.12.2 Encapsulation key symmetrical encryption policies recovery
The QTSP does not provide tools for key escrow applied to the private key belonging to
a Subscriber.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
36
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
5.1 PHYSICAL CONTROLS
QTSP adopts a set of technical and organizational measures that allow site access control and the
safeguarding of corporate assets from thefts / disappearances and / or voluntary and involuntary
damages. The definition of physical security policies is part of a wider process aimed at protecting
information media and assuming a risk assessment activity that identifies the risks associated with
the censored assets.
5.1.1 Location site and features
The CED systems related to the production environment and those related to DR QTSP's site, are
running on a HW infrastructure located on two separate sites.
Data centers are interconnected by a private backbone network and both connected to Internet
access networks with bandwidth that provide qualified services with the same performance. The
interconnection of individual DCs to both the public and private networks is implemented through
redundant connections.
This infrastructure ensures that the indicators described in section 4.10.2 are respected.
The CED area of the primary site is made with adequate construction criteria, ensuring fire
resistance in case of fire outside the building. The rooms that host the apparatus are equipped with
counter-floors and counter-ceilings, in compliance with standards and standards of reference. The
infrastructures are all made with the use of combustible, sound-absorbing and antismashing
materials.
In the processing room there is a lighting system that complies with the regulations and is equipped
with an adequate emergency system.
5.1.2 Physical access
Primary site
The building and safe areas of Lottomatica S.p.A. are protected by an access control system in order to guarantee the entry to the only authorized personnel.
Lottomatica S.p.A. Defines internal security policy procedures that regulate physical access to the venue and reserved areas for both employees and occasional or habitual visitors.
In particular, a number of behavioural rules are envisaged:
Il required:
• Access the workplace using its access credentials (eg magnetic badges) from the prepared passes
and the ways established by the company;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 37 di 74
• Observe the rules from time to time given in writing or verbally by persons responsible for access
to restricted areas;
• Respect corporate procedures for requesting access to external staff (consultants, regular and casual visitors);
• Communicate promptly any breaches of the rules to your Responsible Authority, to supervise your home or directly to the Security Area.
It is forbidden: • Give third parties their access credentials, even temporarily, and in the event of failure, possession
must be timely communicated to the Security Area;
• Access restricted areas unless you have a specific authorization; • For those who are in possession of the foreseen authorization, allow access to unauthorized or
badge personnel.
Regarding physical access control, Lottomatica S.p.A. has implemented the following controls:
• Access is only allowed to holders of unexpired badges issued by the security area; • The badge is assigned to employees and visitors after the identification and authorization of a
Lottomatica S.p.A. internal referral; • The release of the badge must be consistent with the employee's profile and allow access only to
areas of strict competence;
• Supervisors at any time can check the validity of the badge and therefore, if they are required, they must be promptly exhibited.
Access events (entry and exit) are logged.
DR site
The building and safe areas of the Dr Site are protected by an access control system in order to
guarantee entry to only authorized personnel.
Data center that hosts the site of Dr, is classifiable as an intermediate between tier III and IV. The entire external perimeter of the DC, completely fenced, is illuminated in night time and
constantly monitored by a CCTV system consisting of fixed cameras and sun, all brought to a system of screens installed in the room directed by the vigilance and supervised H24x7. Images are
recorded on a digital device for ex post checks and verifications.
Sensitive internal areas are controlled in the same way It is guaranteed to the staff Lottomatica S.p.A.. The 24h access with permanent badge assigned on
the basis of lists provided by Lottomatica S.p.A.. Any third-party non-identifiable ex-ante suppliers are authorized from time to time.
5.1.3 Power supply and air conditioning
Primary site
All the environments of the CED are adequately air conditioned through dedicated systems. As already mentioned, the conditioning system of the CED area is a direct expansion. Each unit is in
turn made up of two separate circuits. The total installed power is over 40% over the thermal load
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 38 di 74
of the apparatus. The modularity, together with the total power reserve, allows to cope with the
stops for programmed maintenance and temporary failures.
Internal procedures ensure proper system maintenance. The power supply is provided by the medium voltage distribution network by means of double ring
connection. The medium voltage delivery cabin is physically separated from the cabin housing the two transformers, redundant configuration. The primary site also has uninterruptible power supplies
to meet temporary power supply needs. All alarms from the systems that are relevant to the service continuity of the CED (including power supply, air conditioning, fire prevention, anti-flooding) are
managed by a supervisory system.
DR site
All DC processing rooms are air-conditioned by the use of chilled water cooled conditioners.
Refrigerant power is produced by two active-standby refrigeration units located in distant areas. All
alarms from the systems that are relevant to the service continuity of the CED (including power
supply, air conditioning, fire prevention, anti-flooding) are managed by a supervisory system
5.1.4 Exposure to water
Primary site
The CED is maintained at temperature and humidity levels that prevent condensation. In the
technical premises there are no liquid piping pipes, except those of the condensation system and
the water supply to the humidifiers of the air-conditioning system. These two systems are equipped
with special precautions in order to avoid water leakage. Thanks to the adoption of a system for the
air conditioning of the direct expansion type, they are absent in the pressure water piping room. In
case of eventuality, an alarm system is installed that signals and locates any unlikely spillages of
water below the raised floor, allowing the control staff to verify the causes and eliminate them.
DR site
The processing room near the ends of distribution of the coolant that serves the air conditioners is
equipped with water detection sensors that bring to the system of monitoring of the plants, manned
24x7x365.
5.1.5 Prevention and fire potection
Primary site
The site where the CED is located is equipped with fire protection systems under the law. The CED
fire alarm system consists of a smoke detection system and a fm200 gas extinguishing fire. The
system can operate both in automatic and manual mode. The sensors of the detection system are
inserted both at ceiling and below the technical floor with repeating gems of the operating state of
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 39 di 74
the single sensor.
DR site
The CED is equipped with a capillary centralised smoke detection system, which is headed to the supervised control room.
The processing rooms and the premises of the technological plants have the centralised smoke detection system also extended to the space under the floating floor and are equipped with
automatic gas extinguishing systems in the ceiling, in the environment and under the floating floor,
enslaved to the detection system and partitioned so as to confine the areas of activation. The activation of the extinguishing system is automatic, and controlled by control units to the
detection system
5.1.6 Media Storage
Media storage activities are defined within internal security procedures.
5.1.7 Provisions on the disposal of apparatus
As a result of internal assessments or reports relating to failures, obsolescence or maintenance of
hardware and/or media, the technical staff identifies the assets to be verified. If the hardware or media support is working and reusable, you can delete the information in it, also
availing itself of appropriate products that make the shredding of the data or formats at low level (such deletion is compulsory especially in cases where the data in question are deemed sensitive or
judicial for the purposes of the Legislative Decree 196/03 [34] all. b Technical specification in
matters of minimum safety measures, rule 22) and the reuse of hardware or medium support as needed.
If it is impossible to restore the correct operation of the hardware or media medium, the safe deletion of the data contained in it by physical destruction (CD, DVDs made illegible with deep
incisions, dat tape cutting) or profound alteration of the hardware and the subsequent request for
the disposal of the property at internal structures in accordance with internal procedures on the disposal of company assets.
5.1.8 Off-Site Backup
Backup activities are defined within internal security procedures.
5.2 PROCEDURAL CONTROLS
The QTSP applies internal processes aimed at ensuring that its systems are managed in a secure
manner.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 40 di 74
Procedural precautions have the objective of integrating the effectiveness of physical security
measures, together with those which apply to staff, by appointing and identifying trusted
(unambiguous) roles, and to the computer application of the associated identification and authentication mechanisms.
The QTSP guarantees that its operation complies with the laws in force and its internal regulations.
5.2.1 Roles
In the exercise of its functions, the QTSP creates recognized roles, to which authorization
mechanisms are applied commensurate with the related responsibilities. In compliance with the DPCM 22 February 2013 [33], art. 38, the QTSP has defined the
organizational structure that oversees the main roles defined for the management of qualified
digital signature services and Timestamp , which foresees the existence of the following figures: • Responsible for the certification and timestamping
service • the registration authority responsible
• Security Officer • Responsible for audits and inspections (auditing)
• Responsible for the technical management of systems
• Responsible for technical and logistical services • Responsible for technical services of timestamping
5.2.2 Number of peaple required for task
The QTSP ensures the simultaneous presence of at least 2 people, with specially approved roles, during the following critical security operations:
• Generating the Private QTSP CA Key;
• Backup of the QTSP CA Private Key;
• Activating the QTSP CA Private Key. At least one of the people present, must play an administrative role.
The above-mentioned operations must be carried out in the presence of the persons expressly authorised.
5.2.3 Identification and authentication fo roles
Users who manage the IT services of QTSP must have a unique and personal identification. Users can only have access to critical systems, only after identification and authentication.
Access permissions must be revoked immediately in the event of termination of the user's behalf.
5.2.4 Roles requiring segregation
The QTSP applies as specified in DPCM February 22, 2013 [33], art. 38 paragraph 3 and 4.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 41 di 74
In this area:
• Security Officer can not assume other roles between those defined in 5.2.1;
• The person in charge of monitoring and inspection (auditing) can not assume other roles between those defined in 5.2.1;
5.3 PERSONNEL CONTROL
Lottomatica S.p.A. defines and applies criteria and modes through which: • Consider aspects related to information security in the human resource management
process; • Improve the sensitivity and awareness of staff about information security issues.
These criteria and procedures apply to selection, job placement, staff training, and termination of
employment. As part of the selection, training and human resources
5.3.1 Qualifications, experience and clarity of requirements
As part of the selection, training and human resources management processes, Lottomatica S.p.A. ensures:
• That all staff have the necessary skills, reliability, experience and qualifications and have received adequate training in security and rules on the protection of personal data, depending
on the function carried out;
• That, where possible, staff meet the requirements of experience and qualification through
qualifications, training courses and/or demonstrated experience;
• that the relevant levels of the Organization are made available at least yearly updates on
possible new threats, methodologies and tools to protect the security.
5.3.2 Background verification procedures
As part of the recruiting activity, the breeders pay attention, in addition to the potential
compatibility of candidates with the professional needs of Lottomatica S.p.A., to the relevant elements in terms of safety, such as:
• The length of previous professional experience and the reasons justifying the conclusion of the report;
• The business sector and businesses within which the previous professional activities were carried out (with particular attention to those that can be considered suppliers,
customers or, if necessary, competitors);
• In the case of a non-EU worker, a copy of the valid residence permit, or, if this has
expired, a copy of the renewal request formulated in the terms of the law.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 42 di 74
5.3.3 Training requirements
Lottomatica S.p.A. is responsible for implementing employees, an appropriate training plan aimed at
improving the processes related to the activity of the QTSP. While respecting those that may be the contingent requirements that lead to planning a training
course, the objectives common to all courses are:
• Increase the level of awareness about the security issues associated with the QTSP
activity;
• Make staff aware of corporate policies and guidelines, roles and corporate responsibility responsibilities.
• Lottomatica S.p.A. carries out training activities in accordance with the following requirements:
• Staff responsible for preparing and delivering training must have the necessary qualifications and experience in terms of company training;
• RAOs are provided with the training manual and the appropriate training to properly carry out the identification and registration of the Clients and carry out the verification of the
effectiveness of the training;
• Where deemed necessary, training activities may also be extended to suppliers and
collaborators;
• It is necessary to ensure the programming and delivery of all the courses provided by the
regulations applicable to the Company's activity;
• Ensure knowledge of existing legislation on Qualified Trustee Services as well as best practices and standards;
• The definition of training plans for Qualified Trustee Services must comply with the Personal Data Protection Code (D.Lgs. 196/2003), in particular Annex B.
5.3.4 Refresh rate
Lottomatica S.p.A. training program on a regular basis, based on the results of testing the course
participants and/or on the basis of internal requirements.
5.3.5 Sanctions on unauthorised shares
In relation to sanctions in case of different behavior than is required by the company in the
documents concerning the safety (work instructions, policies, procedures etc.),
Lottomatica S.p.A. will reference the system of penalties provided for by the NATIONAL
COLLECTIVE LABOUR AGREEMENT.
5.3.6 Requirements on consultants
The aspects connected with the control of the staff belonging to the external consultants and
collaborators area, it is governed by internal business procedures, which define the criteria and
processes for the identification of rules and requirements that Lottomatica S.p.A. considers relevant
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 43 di 74
in the field of supply and conclusion of contracts with third parties, taking into account the
characteristics of the report that Lottomatica S.p.A. establishes with the same.
5.3.7 Documentation provided to staff
When a candidate is selected and included in Lottomatica's staff, the human resorces Management
Area guarantees:
• Letter of recruitment;
• Possible mailing letter with other Lottomatica S.p.A. companies;
• Information on the processing of personal data collected (Ctrl.2);
• Employee information on health and safety at work;
• Code of Conduct;
• Behavioral rules for the safe management of company assets. The "Code of Conduct", in particular, includes:
• References to all the rules to which it has acceded and what violations or infringements of the Code may involve disciplinary action;
• Indications that employees are required to declare any conflict of interest with the work
they are doing as soon as this occurs;
• Specific examples of conflict of interest;
• Indications regarding hospitality / donations / gifts provided by Third Parties with which Lottomatica S.p.A. has contractual and economic relationships.
5.4 AUDIT PROCEDURES
The QTSP can adopt IT tools that ensure the collection of events associated with the Certificater
activity.
5.4.1 Types of events stored
The QTSP, through specialized instruments, implements a monitoring of events associated with the
activity of QTSP in accordance with specified in chap. v 1.1.1 6.4.5 standard EN 319 411 2 [13].
5.4.2 Frequency of audit processes
Technical audit
Lottomatica S.p.A. activates the test processes and technical safety tests against the following case:
• new Releases;
• Periodic planning;
• Specific requests or events. The typology of such tests and verifications depends on the cases that activates the process.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 44 di 74
System audits
All business structures affected by the activities of QTSP are subject to verification inspection at least once a year in relation to the activities prescribed by the information security management
system. The frequency of the checks is defined in function:
• The importance and/or the criticality of the activities carried out by the individual structures;
• The results of previous audits;
• Any significant changes in the company organization and/or the activities carried out.
5.4.3 Audit log retention period
The audit log retention period is 20 years, in agreement with the DPCM 22 February 2013 [33].
5.4.4 Audit log protection
Audit log protection must be in compliance with the standard EN 319 401 v 1.1.1 [10] in Chap 7.10.
5.4.5 Audit log backup procedures
Backup procedures for log management systems ensure that logs are stored in accordance with the
5.4.3.
5.4.6 Audit event collection system
The QTSP adopts automated systems that ensure the collection activity on a continuous basis.
5.4.7 Verbosity error notification
The QTSP adopts internal communication procedures, following the detection of an error message
in the system.
5.4.8 Vulnerability Assessment
The activity of vulnerability assessment consists in evaluating the level and effectiveness of the
security of the ICT system through automatic scans aimed at detecting known vulnerabilities of ICT
systems in relation to operating system components and middleware software (eg. Application
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 45 di 74
server) and infrastructure (e.g. system monitoring) resident. This activity is accomplished through
the use of specific automatic tools that, starting from a specific set of tests (Baseline/template):
• Conduct technical checks on the known vulnerabilities of ICT systems;
• Produce reports detailing the test results and vulnerabilities detected. Considering the entire set of technical tests that the specific automatic scanning tool can operate,
specific subsets of these technical checks, called the baseline/template, are defined and adopted, which are suitable and applicable to the type of target systems to be verified.
Lottomatica S.p.A. Activates the processes of VA in the face of the following case:
• new Releases;
• Periodic planning (1 year for primary site and DR);
• Specific requests or events. Are also carried out at least once a year the Penetration testing.
5.5 STORING RECORDS
Record archiving complies with the standard EN 319 401 v 1.1.1 [10] in chap. 7.10. The retention
period applied to logs is 20 years.
5.6 CA KEY CHANGEOVER
In order to ensure its operation, the QTSP ensures that the renewal of his certificate
is made sufficient time prior to the expiration of the same. The QTSP ensures that in the event of renewal, a new key pair is generated in accordance with
the regulations.
It also specifies that:
• the new certificate is published to the public repository of certificate, in compliance with as provided in this chapter CP 6.1.4;
• new user subscription certificates are issued using the new certificate renewed;
• the old keys and certificate are kept by law.
5.7 COMPROMOSE AND DISASTER RECOVERY
In the event of a disaster, the QTSP shall take all necessary measures to minimize the damage
caused by the lack of service, and implement an operational plan designed to restore the services within the time stated in this CPS.
The recovery point objective (RPO) must allow a limited loss of data, commensurate with business objectives. The RPO set for this infrastructure, is 2 hours.
Based on the assessment of the accident, the QTSP will take all corrective measures to prevent future recurrence of the incident.
The QTSP adopts a plan inside for safety to ensure that DR test are carried out regularly, ensuring that the observations resulting from technical problems or non-compliance associated with the
reactivation of the services, are subject to revision and improvement of the said plan.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 46 di 74
The QTSP directs the resolution of each vulnerability considered critical within 48 hours of its
discovery, through an appropriate plan of re-entry.
The QTSP provides, within internal procedures, the implementation of an emergency plan in case you detect a security breach or a loss of data integrity with a significant impact on trust services
provided or on personal particulars stored ("data breach"). In particular, in accordance with article 19 of regulation and IDAs [1] security incidents are classified with 5 levels of severity:
1. No impact 2. no significant Impact (impact on assets but not on services core)
3. Significant impact (impact on a customers)
4. severe Impact (impact on a large part of the clientele) 5. Disastrous (impact on the entire organization and on all certificates issued)
This plan allows you to limit the impact of the security breach and to notify: • Interested parties (AgID, Guarantor Privacy and Holders) within 24 hours of the violation being
detected in case of security incidents classified with a severity level 3, 4 and 5
• to AgID within 5 days from the detection of the violation, in the case of security incidents classified with a severity level 3, 4 and 5
5.7.1 Indente and compromise management procedures
The QTSP has a business continuity plan that adopts in case of incident and management of the
compromise.
5.7.2 Computing Resources, Software, and/or corrupted data
The QTSP must adopt redundant system design criteria in order to avoid loss of service in the case
of point of failure acronyms.
The QTSP must adopt and maintain the same HW/SW systems between the primary site and the Dr site, in order to avoid problems in the restore of the service data between the sites.
The QTSP must adopt backup policies to ensure the operational transfer on the Dr site, consistent with the RPO stated in the CPS. The backup activities are performed by the authorized personnel
("system operators"), consistent with the 6.4.8 C clause of the ETSI en 319411-1 standard. The QTSP must adopt and maintain a document for the activation of the DR site.
5.7.3 Private key compromise procedures
In the case of compromise of the CA private key, the QTSP must take the following actions without
delay:
• All certificates attributable to the compromised key are revoked;
• A new private key is generated for restoring services;
• The information relating to the compromise is published for each subscriber and third parties concerned.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 47 di 74
5.7.4 Capacity of business continuity in case of disaster
The tasks to be performed in the event of a disaster must be defined in the QTSP Business
continuity plan. The existence of a second site, activated in the event of a disaster, must allow the complete restore
of the functionality included in the services offered by the QTSP. The QTSP is obliged to notify the subscribers and the third parties concerned, the activation of the
site as a result of disaster, and to communicate its restoration at the end of the need.
5.8 CESSATION OF ACTIVITY
The cessation of the activity of the QTSP complies with what is specified in the code of the Digital
Administration, published with D. LGs. Of March 7, 2005, N. 82 and updated with the D. LGs
179/2016.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 48 di 74
6 TECHNICAL SECURITY CONTROLS
The QTSP must use systems that are predisposed with high reliability criteria applied to the individual element, or connected with the supplied service. The systems must provide protections
on the management of cryptographic keys, and on the activation data for the entire lifecycle of the
same. The capacity of the systems must be connected with the demand, and must be monitored on a
continuous basis. Growth must be estimated to ensure the availability of systems and storage media.
6.1 GENERATING AND INSTALLING KEY PAIR
The QTSP must ensure that the production and management of private keys complies with the
standards laid down in the rules in force.
6.1.1 Generating key pair
The QTSP is responsible for generating the following key types:
1. Certification Keys, Associated with the CA Service; 2. Subscription keys, intended for the subscriber;
All keys are generated by means of an HSM device conforming to the certification standards
contained in ch. 1.2.1.
The QTSP confirms that the process of generating the keys of CA and that of the holders is carried out in accordance with the technical rules as in force, as specified in EN 319 411 01 v1.1.1, with
particular reference to chapters 6.5.1, 6.5.2 and 6.5.3.
The key generation process must comply with what is specified in EN 319 411 01 v1.1.1, with particular reference to sections 6.5.1, 6.5.2 and 6.5.3.
6.1.2 Private key realease to subscribers
The private subscription key is guarded by the QTSP through the use of technological instruments
and controls complying with the legislation provided for the remote signature. The QTSP also guarantees that the credentials connected with the use of the private key are issued
securely only and exclusively to the Subscriber.
6.1.3 Issuing the public key to the certificate
The keys of the QTSP must be generated at the time of system initialization (key ceremony). Key
generation and certificate request must be handled securely using the modes specified in the
product manuals.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 49 di 74
6.1.4 Issuing the CA public key to interested parties
As specified in chap. 2.2, QTSP makes available the certificate containing the public key:
• on the certifying portal;
In accordance with point H of annex I to the European regulation 910/2014 [1], the publication link
of that certificate must also be included within the subscription certificates issued by the QTSP.
6.1.5 Key length
The QTSP must use algorithms and policy on the key length as specified in the ETSI standard TS
119 312 [19].
6.1.6 Key generation parameters and quality control
The requirements for key generation parameters are given in Cap 6.1.1. The QTSP ensures that the HSM covered by certification, operate in compliance with what is
foreseen by the achieved safety milestone.
6.1.7 Key usage purposes (see key usage field X. 509 v3)
The CA certificate can be used in accordance with the following:
• Certificate signing;
• CRL signing;
• Offline CRL signing.
The qualified electronic signature certificate of the holder is generated in accordance with the
requirements for the qualified electronic signature, the key-usage of which includes the following:
• Non-repudiation.
More details are listed in Chap 7.1.2.
6.2 PRIVATE KEY PROTECTION AND CONTROLS ON CRYPTOGRAPHIC COMPONENT
The QTSP must ensure safe management of private keys and must prevent the publication,
copying, deletion, modification and unauthorized use.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 50 di 74
6.2.1 Standard and cryptographic module controls
The HSM device used by the QTSP must be included in the list of devices published by the
European Commission under the title "Compilation of member States notification on SSCDs and
QSCDs".
6.2.2 Private key segregation control (MofN)
The QTSP ensures the simultaneous presence of at least 2 people operating on the HSM, with
specially approved roles, during the performance of critical security operations, in accordance with
the specified in 5.2.2.
6.2.3 Key Escrow private key
The QTSP does not provide key escrow tools that are applied to the CA's private key.
6.2.4 Backup private key
The QTSP must make security copies of the CA private key, and at least one copy must be kept in a
location other than that of the QTSP.
Backup procedures must take place in accordance with the segregation criteria specified in ch.
6.2.2.
Security measures applied to production systems must be the same as apply to backups.
The QTSP does not make copies of the private keys of the subscribers, with the exception of the
copies made to facilitate the activation of the DR site.
6.2.5 Key storage
The QTSP does not store the CA's private key.
6.2.6 Trasfer of the private key to/from the cryptographic module
The CA's private key of the QTSP is kept safely through the security mechanisms provided by
the HSM, and covered by certification. The CA's private key is never stored unencrypted.
The QTSP can export the private key outside the perimeter of the HSM solely for backup purposes.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 51 di 74
6.2.7 Storing the private key on the cryptographic module
The CA stores the private key used for the services provided, in accordance with this CP, exclusively
on HSM. The technical and safety aspects related to the storage of the private key are defined by the
technical specifications of the product, and verified by the certification tests.
6.2.8 Private key activation method
The private key of the QTSP CA must be activated in accordance with the procedures and
requirements defined in the product manuals, and as specified in the certification documents. In the case of a subscriber's private key, QTSP ensures that the activation data is generated and
managed in a secure manner to prevent unauthorized use of the private key. The QTSP must also ensure that:
• The private key for the subscriber has not been used for qualified electronic signature before delivery to the holder;
• Before the signature is executed, the Subscriber will authenticate to its own slot.
6.2.9 Method of deactivating private key
CA Private Keys
The QTSP CA key must be disabled in accordance with the procedures specified in the owner's
Manual of the HSM, and with what is specified in the documents of certification.
End-User Private Keys
The private key issued to the Subscriber must be deactivated in accordance with the procedures
specified in the HSM user's manual, and as specified in the certification documents. The HSM must ensure that the keys are disabled in the following cases:
• Power failure of the device;
• The subscriber closes the signature application;
• For some reason, connecting to the signing application closes the connection unexpectedly.
• The key that is disabled can be reused only after a new subscriber authentication to the device.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 52 di 74
6.2.10 Method of destruction of the private key
QTSP CA key
The QTSP CA key can be deleted in accordance with the procedures specified in the HSM user
manual, and as specified in the certification documents. The procedures must ensure that the private key so deleted cannot be recovered in any way.
The cancellation operation must be carried out under the control of authorised operators and consistent with the segregation criteria specified in Chap 6.2.2.
Each backup copy of the private key must be destroyed in accordance with the procedures specified
in the HSM user manual, and as specified in the certification documents. This procedure should prevent the possibility of retrieving the private key.
Subscriber private key
The subscriber's private key can be deleted in accordance with the procedures specified in the HSM
user's manual, and as specified in the certification documents.
6.2.11 Cryptographic module evaluation
The evaluation of the certifications associated with the cryptographic module used by the QTSP, are
compatible with what is specified in Chapter 6.2.1.
6.3 OTHER ASPECTS OF KEY MANAGEMENT
6.3.1 Public key storage
The QTSP stores each certificate issued by its own CA.
6.3.2 Validity of the certificate and keys
Certificate and CA root keys
The validity period of the CA certificate of the QTSP, and its key pair, is 30 years. The validity period of the certificate and its keys shall in no case be greater than the validity of the
algorithms used as determined by the authorities concerned.
Certificate and key subscriber
The validity of the subscription certificate issued to the end user:
• It must not in any case be greater than the validity of the algorithms used as determined by the authorities concerned;
• It must not in any case be greater than the validity of the CA certificate of the QTSP that issued it.
The validity of the qualified certificate is specified in the CPS.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 53 di 74
6.4 ACTIVATION DATA
6.4.1 Activation data generation and installation
The QTSP CA key must be protected in accordance with the procedures specified in the HSM user manual, and as specified in the certification documents.
In the case of password-based activation, the QTSP applies sufficient complexity criteria in order to
ensure an adequate level of protection.
• In the event of activation of keys intended for the subscriber, the QTSP must ensure: • That activation data used to activate the private key is created using quality-generating
numbers / letters generation policies;
• That activation data be communicated to the subscriber safely;
• That the subscriber maintains exclusive control over such credentials. Activation of the private key must be done using two-factor authentication credentials, one known
and one of type OTP.
6.4.2 Activation data protection
Private key activation data associated with the Subscriber's certificate, may be stored
by QTSP solely for the purpose of delivery to the holder. Data storage must be
done securely through encryption security information.
6.5 COMPUTER SECURITY CONTROLS
6.5.1 Specific technical security requirements on IT system
The configuration, maintenance or consultation operations on the IT systems of the QTSP are carried out by ensuring the following requirements:
• That the identity of the user is verified before access to the system or application;
• That roles are assigned to users in order to ensure that they have the appropriate
permissions;
• Significant security log events are recorded, which are subsequently archived according
to the applicable rules;
• That critical QTSP processes are protected by appropriate network policies in order to prevent unauthorized access;
• There are adequate recovery systems that will ensure operational continuity due to malfunctioning of primary systems.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 54 di 74
6.5.2 Assessment of IT system security
In order to ensure the safety and quality of the systems, the QTSP adopts control systems inspired
by globally accepted international standards, the suitability of which is certified by an Independent
assessor ISO 27001.
6.6 LIFE CYCLE OF ROADWORTHINESS TEST
6.6.1 Control of development system
The QTSP, in its systems, adopts commercial-type solutions. These solutions are not used for any other purpose than those envisaged for the certification activity of Lottomatica S.p.A. QTSP.
Lottomatica S.p.A. also adopts prevention tools that can protect its systems from executing dangerous code. The search for dangerous code is carried out on a continuous basis, through
internal security assessments.
The QTSP uses adequate and up-to-date personnel for the installation or maintenance of its SW/HW systems.
6.6.2 Security management controls
The QTSP ensures that the programs, or security patches, are installed in the correct version and that they do not contain any unauthorized modifications.
Lottomatica S.p.A. defines the application and verification of policies and procedures for the planning, safe development, testing, acceptance and operational management of ICT systems.
The technical areas of Lottomatica S.p.A.:
• Monitor the use of resources by ensuring, through appropriate projections and estimates, the current and future performance of ICT systems. These estimates address the retrieval of
new resources to ensure future operations;
• In collaboration with areas requiring the development or acquisition of new systems or features, establish acceptance criteria, including specific safety criteria, for new ICT systems,
for upgrades and for new versions; These criteria support and guide testing tests
• Perform a code review activity (static code analysis) aimed at identifying vulnerabilities within the source code followed by any remediation activities with code modification;
• Perform systems testing, in a dedicated test environment using data that is appropriately selected and separated from those used in production environments.
• Perform dynamic analysis analysis of software reactions to various input types for Web
applications;
• Define and evaluate the acceptance criteria of ICT systems based on the requirements and
resources used, recovery procedures, emergency measures, business continuity conditions and impact analysis
• Perform patch management activities, as a result of vulnerability detection, patch release communication from software vendors or major accredited sector bodies, in order to mitigate,
where necessary, system vulnerabilities.
• Manage the activities of change management and capacity management in order to ensure
that the application of the necessary changes on ICT environments take due account of the
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 55 di 74
potential risks introduced by the changes, ensure the availability/performance of the systems
and network and safety apparatus used to identify any problems on such systems or
apparatus, at the same time, defining the relevant corrective actions, and optimize the physical resources of systems and apparatus.
The production environments are suitably separated and isolated from the environments dedicated to testing and testing. This separation is carried out on a physical, logical, procedural and
organizational level through a clear attribution of responsibilities.
6.6.3 Life cycle of security controls
QTSP ensures the protection of safety components in their life cycle. In particular, regarding HSM:
Check the scope certifications;
That at the reception of the apparatus, they are not "tampered";
That tamper protection is ensured during exercise;
that the content of the user manual or certification documents continues to be applied;
That private keys are deleted from unused equipment, in a way that is not possible to
restore them;
6.7 NETWORK SECURITY CHECKS
In order to ensure a level of security of the Lottomatica S.p.A. corporate network:
• Establishes responsibilities and procedures for network management;
• Implement controls to ensure data security through the network and protection against
unauthorized access to related services. This goal is achieved through the separate division of
logic in the network and the proper use of advanced security management tools (eg firewall,
traffic monitoring probes, ...);
• Defines and implements specific controls to safeguard the integrity and confidentiality of
critical data in transit over the public network and in particular on wireless networks;
• Activate monitoring and logging capabilities to check and record any faults. Network
management activities are coordinated both to optimize business services and to ensure that
controls are effectively applied across the entire infrastructure;
• Configure firewall and router devices so that only the ports strictly necessary for operating
services are left open.
• It provides rules for assigning privileges to personnel accessing configuration and
diagnostics ports. The configuration of perimeter logic security devices is subject to periodic
revision and updating activities;
• Adopt the principles of segregation of networks according to the following criteria:
o A logical segregation between the network that provides Corporate services and
the network hosting the QTSP systems;
o A departmental logic segregation within each of the two subnets based on the
type of service offered.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 56 di 74
• Use of secure channels or encrypted information exchange tools to protect communications
between physically separate networks that use the Internet as a means of communication
(HTTPS over Internet or encrypted VPN tunnels);
• Ensures that devices that handle high critical data or infrastructures reside on dedicated
hardware, and in particular do not coexist with other services that may compromise security;
• Test and exercise devices are properly dimensioned according to the specifications of the
services they are to deliver and the amount of data / traffic they will need to manage;
• The networks must be physically safe with regard to wiring (electrical and data transport),
machine placement and presence of UPS.
6.8 TIME-STAMPING
The QTSP uses its own timestamp systems in accordance with the CP and CPS released ad hoc for
this service.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 57 di 74
7 CERTIFICATE, CRL, AND OCSP PROFILES
7.1 CERTIFICATE PROFILE
The QTSP has a root CA destined for issuing qualified electronic signature certificates and related
certification services.
The CA certificate and the Subscriber certificate issued by the QTSP are compatible with the following standards:
• ITU X.509 Information technology - Open Systems Interconnection - The Directory:
Publickey and attribute certificate frameworks [28]
• RFC 5280 [25]
• RFC 6818 [26]
• ETSI EN 319 412-1 [14]
• ETSI EN 319 412-2 [15]
• ETSI EN 319 412-5 [18]
7.1.1 Specification X509
The X. 509 standard adopted for root CA and subscription certificates are of type "V3".
The QTSP uses the following basic extensions: • version
The certificate is compatible with the version "V3" • Serial Number
The application of the serial Number field is in accordance with what is specified in the
document en 319 412 01 v 1.1.1 • Algorithm identifier
The OID of the algorithm used for certificate certification; • signature
Electronic signature performed by QTSP for certificate certification, performed as specified
in the "Algotithm identifier" field; • Issuer
The distinguished name of the entity that issued the certificate. • Valid from & valid to
The validity period of the certificate. The time is recorded according to the UTC reference in accordance with RFC 5280.
• subject
The unique identifier of the subject. • Subject Public Key value
The public key associated with the subject.
7.1.2 Certificate extensions
The QTSP uses certificate extensions that are compatible with the X. 509 standard [28].
The definition of the certificate profiles is reported in its CPS.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 58 di 74
7.1.3 Object Identifier algorithms
Only the identifier (OID) of the algorithms used must be used, in accordance with welcome
specified in chapter 6.1.5. The algorithms that can be used by the CA are listed in the CPS.
7.1.4 Composition of the name
The composition of the name identifying the distinguish name, is made in accordance to what is specified by RFC 5280 [25], ETSI EN 412-2 [15], ETSI EN 319 319 412-3[16] and [17] ETSI
EN 319 412-4. The certificate must contain a unique OID of the Subject as defined in Chapter3.1.1.
The value in the "Issuer DN" is identical to the value of the field "Subject DN" contained in the CA certificate QTSP.
7.1.5 Constraints on name
Not present.
7.1.6 Certficiate Object Identifier policy
The QTSP must include in the certificates issued the certificate policy in accordance with this CP, marked non-critical, and as specified in chap. 7.1.2.
7.1.7 Usage of policy constraints extension
Not present.
7.1.8 Syntax and semantics of policy qualifiers
Specified in 7.1.2.
7.1.9 Semantics management fo critical policy extensions
Specified in 7.1.2.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 59 di 74
7.2 CRL PROFILE
7.2.1 Version
The QTSP releases a certificate revocation list (CRL) with the "V2" version, in accordance with the
RFC 5280 [25] standard.
7.2.2 Specifyng CRL extensions
In accordance with RFC 5280 [25], the CRL issued by CA may include the following extensions: • Version
The value of the field is "1". • Signature Algorithm Identifier
The identifier (OID) of the algorithm used to create the electronic signature certifying the CRL. The
expected algorithm is "sha256WithRSAEncryption" (1.2.840.113549.1.1.11). • Signature
The electronic signature certifying the CRL. • Issuer
The entity issuing the CRL.
• This Update The date of entry into force of the CRL. The value must be in accordance with the UTC standard in
accordance with RFC 5280 [25]. • Next Update
The next release of the CRL. The value must be in accordance with the UTC standard in accordance
with RFC 5280 [25]. • Revoked Certificates
The list of revoked certificate serial numbers including time. The list of suspended or revoked Certificates with the serial number of the Certificate and with the
suspension or revocation time.
The mandatory extensions that must be present in the CRL are:
• CRL number - does not criticize A progressive serial number identifying the single CRL
The following extension can be used by CA • expiredCertsOnCRL - does not criticize
CA indicates through this extension that the expired certificates are not removed from the CRL (see
section 4.10). The notation is in agreement with the X.509 specification.
The list of revoked certificates includes the following extensions: • Reason Code - does not criticize
The reason for the revocation of the certificate.
• Invalidity Date - not critical
The time reference from which the key is considered compromised.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 60 di 74
7.3 OCSP PROFILE
The QTSP provides an OCSP compliant service to RFC 2560 [22] and RFC 6960 [27] standards.
7.3.1 Version
The OCSP service provided is compatible with the version "v1" in accordance withwhat is
specified in RFC 2560 [22] and RFC 6960 [27].
7.3.2 OCSP extensions
The extensions present in the OCSP protocol must be those provided in compliance with RFC 6960
[27].
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 61 di 74
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS
QTSP's work towards compliance in force, is under the supervision of the AgID, Italy Digital Agency. Compliance verification activity shall be conducted in phase QTSP certification and
thereafter annually, through inspection sites at which the QTSP delivers its services.
The Audit work aims to ensure that the work of QTSP is in accordance with the regulation and IDAs [1], and compliance to the applicable national laws and specifications of services set out in
this CP and CPS, The Audit work conforms to the following reference documents:
• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE
Council of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1];
• ETSI EN 319 403 V 2.2.2 (2015-08) Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment-Requirements for conformity assessment bodies assessing Trust
Service Providers; [11] • ETSI EN 319 401 V 2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);General Policy
Requirements for Trust Service Providers [10]
• ETSI EN 319 411-1 V 1.1.1 (2016-02); Electronic Signatures and Infrastructures(ESI); Policy and security requirements for Trust Service Providers issuingcertificates; Part 1:
General requirements [12] • ETSI EN 319 411-2 v 2.1.1 (2016-02); Electronic Signatures and Infrastructures(ESI); Policy
and security requirements for Trust Service Providers issuingcertificates; Part 2: Requirements
for trust service providers issuing qualified certificates EU; [13]
The result of the Audit is confidential and can only be accessed by authorized persons.
8.1 FREQUENCIES OR ASSESSMENT REQUIREMENTS
The QTSP compliance audit activity is conducted on a biennial basis with annual surveillance.
8.2 IDENTITY/QUALIFICATION OF ASSESSOR
The assessor must have conformity certification of trust service providers and the services they
provide in the face of Regulation (EU) 910/2014. The unique body of accreditation of attestatori of conformity for Italy is Accredia.
8.3 INDIPENDENCE OF THE ASSESSOR
The QTSP guarantees that the person/company performing the assessment is:
• Independent of the property and management of the QTSP
• Has no business relationship with the QTSP
8.4 TOPICS COVERED BY THE ASSESSMENT
The audit activity is carried out on the following areas:
• Compliance with existing standards;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 62 di 74
• Compliance with technical standards;
• Compliance with CP and CPS;
• Adequacy of covered processes;
• Documentation;
• Physical security;
• Adequacy of staff;
• IT security;
• Compliance with roles on data protection;
8.5 ACTIONS TAKEN IN THE EVENT OF non-COMPLIANCE
The auditor shall compile a report on the basis of the checks carried out. Any non-compliance can
be handled as follows:
• Suggestions on modifications to be considered;
• Derogations which constitute a mandatory warning.
8.6 COMMUNICATING THE RESULT
The Auditor reports the outcome of the AgID report certifying / confirming the status of QTSP through the issuance of the Certificate of Conformity for Qualified Trustees. The QTSP TSA
Certificate X.509 is published in the Lists of Qualified Trust Services Providers..
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 63 di 74
9 LEGAL ECONOMIC ASPECTS
9.1 RATES
The digital signature service is provided by Lottomatica S.p.A a free of charge, and is exclusively
linked to the contracting of customers belonging to the various sales channels. Therefore the
application of tariffs is not foreseen.
9.2 FINANCIAL LIABILITIES
Lottomatica S.p.A. is responsible for the provision of services related to the activity of the QTSP. For the purposes of qualification and accreditation, in compliance with art 29 of the CAD [35]
paragraph 3a, Lottomatica S.p.A. Has a share capital of Euro 65,050,000.00.
9.2.1 Insurance coverage
Lottomatica S.p.A. Has entered into an insurance policy to guarantee a compensation limit of €
5,000,000, 00.
9.3 CONFIDENTIALITY OF BUSINESS INFORMATION
The Digital Signature service is provided free of charge by Lottomatica S.p.A. and is solely linked to
the contractualisation of customers belonging to the various sales channels. No tariffs are therefore
foreseen.
9.4 PRIVACY OF PERSONAL INFORMATION
In view of the great importance attached to the subject of personal data processing within
Lottomatica S.p.A., an internal organizational and regulatory system is in place to ensure that all
personal data processing takes place in compliance with the applicable legal provisions and the
principles of fairness And the legality stated in the code of ethics. The range of measures envisaged
and implemented by the implemented system also incorporates the minimum measures provided by
the Personal Data Protection Code, DL 196/03 [34].
This system is characterized by some important elements, among which the following are:
Employees who received the appointment of employees in accordance with art. 30 of
Legislative Decree No. 196/03 [34], have received detailed instructions on the modalities
and security measures to be taken to deal with personal data;
The processing of personal data is under the supervision of those responsible for the
treatment, who are also formally appointed, who have in turn received the necessary
instructions and operating instructions;
Appropriate business functions have the task of defining the information security policies
and, with the help of internal audit functions, to verify that they are effectively applied;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 64 di 74
The policy system is based on the correct classification of assets. With the help of risk
assessment tools, the most appropriate security measures are identified for the protection
of individual assets, the definition of controls and the application of the most appropriate
monitoring and verification systems;
The protection of personal data is not an independent process, but is fully integrated into
the current management of corporate asset security;
Physical security and safeguarding of the company's material assets and security and crisis
management policy are defined by taking into account the principles of personal data
protection and the need to protect such data as laid down by law.
As part of the company's security policies, technical and organizational solutions have been
developed to protect the data transmitted and stored on the network and corporate systems,
including, but not limited to, the following:
Continuous virus protection;
hardening of the systems used;
Software distribution for the automatic update of security patches on corporate systems;
Tool and methodologies for vulnerability assessment and risk analysis;
Computer protection and corporate network access points (eg Access Control,
Authentication Credentials, etc.);
Partitioning and protecting internal networks;
Monitoring the network and systems for preventing and contrasting security incidents.
9.4.1 Data protection mode
This chapter of the CP is intended to illustrate the procedures and methods of operation adopted by
QTSP for the processing of personal data, in carrying out its certification activities. The personal data relating to the applicant, the holder of the registration certificates, to
the interested party and anyone accessing the service will be processed, storedand protected
by QTSP as provided by Legislative Decree n. 196 of June 30, 2003 [34] and subsequent provisions issued by the authority for the protection of personal data.
The terminology that appears in this chapter corresponds to that adopted by the DL 196/03 [34]. In particular:
a) Holder means a natural person, a legal person, a public administration and any other body, association or body to which decisions are made regarding the purposes and the means of
processing personal data, including the security profile ( The QTSP);
b) Responsible means the natural person, the legal person, the public administration and any other body, association or body authorized by the holder to process personal data;
c) For Officer means the natural person authorized to carry out processing operations by the holder or by the person in charge;
d) Interested means the natural person, legal person, entity or association to which the personal
data (ie the applicant for registration, the certificate holder, the third party concerned or anyone who accesses the service);
In particular, the QTSP:
• Appoint, where appropriate, a Data Controller Manager within his / her own business organization
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 65 di 74
by communicating it analytically and in writing to the tasks he / she must perform, pursuant to Art. 29 of DL 196/03 [34]. Specifically, if designated, the person responsible for the treatment:
o It is identified among persons who, by experience, capacity and reliability, provide the
appropriate guarantee of full compliance with applicable treatment provisions, including the safety profile (paragraph 2);
o Observe the instructions given by the Owner, who, also through periodic verifications, monitors compliance with the processing provisions and instructions (paragraph 5).
• Identify and appoint the Data Processing Officers (that is, the Identity Agents and how many others will handle the data related to the service), operating under the direct authority of the
Service Manager, following the instructions given in accordance with Art. . 30 of DL 196/03 [34];
• Appointment of external Data Processing Officers by analytically specifying the tasks in writing and also by regular checks to check compliance with legal provisions and instructions.
Definition and identification of “personal data”
According to Art. 1, paragraph 2, lett. B) of Legislative Decree No. 196/03 [34], personal data shall
mean "any information relating to a natural person, legal person, entity or association, identified or
identifiable, including by reference to any other information, including a personal identification number "; Therefore the personal identification numbers provided by the QTSP, the pointers and
the PINs are also personal data. Personal data may also be those relating to the user, or to any third parties and content in the
information fields on the forms and archives - electronic or printed - of registration, revocation,
exchange of data and certificates, of To the relevant chapters of the relevant CPS. In order to ensure proper treatment, the security measures prepared by the QTSP and analytically described in
the Safety Plan are carried out in accordance with DL 196/03 [34].
Protection and rights of interested parties
Regarding the processing of personal data, QTSP guarantees the protection of the interested parties in accordance with the DL 196/03 [34]. In particular:
• Interested parties are provided with the necessary information in accordance with art. 13 (such as the holder, the modalities and purposes of the processing, the scope of
communication and dissemination, and the rights of access to your data in accordance with article 7);
• Interested parties are requested, where necessary, written consent to the processing of their personal data.
Application of the code for the protection of personal data
General requirements
From a general point of view, the QTSP:
• Provides, retains, and updates, in the scope of certification activities, a Certificate Register, and a
Registry of Data Sheets containing personal data, embedded in the Data Holder's databases and
used in the management of all stages of the certification activity.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 66 di 74
In particular, the Registry of Cartacei Archives consists of copies of the documentation obtained
during the identification of the RAO subscribers and the Internal Use subscribers. This register is
kept in a safe located in the area of the CTO Italy function, which is accessible to a limited number
of Lottomatic employees authorized to do so. The safe key is kept at the Guardian's Office (present
h24) located inside the Via Boario 56 building. To get the access key to the safe you need to be
included in the list of authorized personnel and the outlet In charge and delivery of the key.
As far as the Certificate Register is concerned, it is an internal function of the RA and not publicly
displayed, containing all certificates issued. The Web-accessible interface (https) requires access
credentials, and applies role-based policies that enable the operator to access the required data,
providing search functions to facilitate the need. Certificates are physically stored on a media
database, located within the CEDs where the QTSP infrastructure is hosted, accessed only by
authorized personnel.
Technical and organizational requirements
From the technical point of view, the QTSP, (the person responsible if appointed) through its appointees, shall take the appropriate measures in relation to the registration, processing,
preservation, protection of personal data, cancellation/destruction, in accordance with the
modalities indicated below.
1. Registration
• It guarantees the preservation of the technical data relating to the structure and format of
the computer and paper archives containing personal data and their physical location; • Supervises the organization and classification in a unique way of the archives, as well as
of their backup copies, taking care to minimise copies, total or partial, of each file according to the modalities described in the plan for the safety of the QTSP. In this regard, it is stated
that, in the event of events that would compromise the operational capacity of the QTSP at
the main place of business, an operational plan is defined that guarantees the availability of the certificate register and the functionality of revocation of valid certificates;
• Supervises the organization and classification of the registration forms in a unique way, acceptance, request revocation, change of data and any other document containing
personal information, taking care to minimize copies, total or partial, of each file according
to the modalities described in the plan for the safety of the QTSP.
2. Processing
• Checks that the processing of the aforementioned archives and of the personal data
contained therein is carried out exclusively for the purposes indicated in the informative
given pursuant to art. 13 of DL 196/03 [34];
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 67 di 74
• Verifies, depending on the type of processing, the output formats and the final destination
of the data in order to ensure its protection, as provided in the following;
• Detects the eventual generation of new archives within the processing phases, supervising
their classification
3. Conservation
• Supervises the classification of any archives – and the data contained therein – subject to
pure and simple preservation (historical and/or backup archives), reporting the duration of
the preservation (including initial and final date), the nature of the support and the place of
preservation;
• Ensure that all archives belonging to temporarily blocked or suspended procedures are
processed as personal data storage archives;
• Verifies that the procedures for the preservation of all documents used within the
certification activity are consistent with the protection of personal data.
4. Deletion/Destruction
• Check the registration – possibly in an automated manner – of the deletion/destruction of
individual personal data from the archives, by bringing back the type of data, the archive
concerned, the date of cancellation/destruction, and the origin of the deletion/destruction
(at the request of the interested party, procedural, accidental, etc.);
• Verifies the registration of the deletion/destruction of entire archives, in accordance with
the procedures set out in the previous paragraph and in accordance with the provisions of
DL 196/03 [34], in addition to the updating of the Register of computer and paper archives.
5. Protection
• Protects the confidentiality of personal data by establishing the modalities of access to the
computer and paper archives by the qualified entities belonging to the organization of the QTSP. In
particular:
classifies the persons empowered to access them according to their duties. In particular, it
is stated that the QTSP has defined and implements specific policies for the management
of authentication credentials and for the construction and use of passwords;
Records the data protection modalities, both as regards the logical security of computer
files (security software, processing log generation mode, etc.) and physical (local
supervision, document archiving, security copy management);
ensures the confidentiality of the personal data contained in the different output formats of
the processing phases (paper, on terminal, etc.) by establishing the necessary operating
modes, both manual and automated;
supervises the internal circulation of information contained in printouts (printouts) or other
media;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 68 di 74
ensures the distribution of output on terminal in accordance with the user profiles
designated by the security officer.
• Protects the integrity of the data individually considered and the archives as a whole, during
all phases of treatment, establishing the necessary operational modalities, both manual and
automated;
• Guarantees the availability of the data, so that the holder can fulfil the requests for
consultation/verification by the interested parties under the current legislation.
Further processing of data, beyond that provided for by DL 196/03 [34], may be envisaged at
contractual level between the QTSP and the public or private organisation requiring the issuance of
several certificates, on behalf of subscribers to her. In this case, these agreements are reported
within the contract of purchase of the certificates by the organization itself.
Release of personal circumstances
Without prejudice to the right of the person concerned to request and obtain from the QTSP information concerning his personal data, as provided by art. 7 of DL 196/03 [34], the QTSP, in
carrying out its certification activities, can carry out operations of communication and dissemination
of personal data. In particular:
• Personal data may be communicated to the judicial authority, in accordance with the provisions of the current legislation;
• Particular contractual agreements may provide for further recipients and forms of communication than those provided for in the legislation in force. However, these
communications will be carried out in compliance with current legislation;
9.5 INTELLECTUAL PROPERTY RIGHTS
This CP is owned by Lottomatica S.p.A. Which reserves all rights to it. In relation to the ownership of other data and information the applicable laws apply.
9.6 DECLARATIONS AND WARRANTIES
9.6.1 Statements and warranties of the CA
The QTSP is responsible for the obligations contained in this CP, its CPS and the contractually
supplied services to the subscribers.
The QTSP is responsible for: • For compliance with the procedures stated in this CP, and described in the CPS;
• To cover damages resulting from non-compliance with the terms and conditions of the
service accepted by the Subscriber, through the covers specified in this CP.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 69 di 74
The QTSP is not responsible for: • To cover damages resulting from non-compliance by the Subscriber of what is contained
in the terms and conditions of the service accepted by it.
In the nature and limitations of use of the qualified electronic signature service, QTSP is launching a
plan to improve the accessibility of the service for disabled people through Web content accessibility
solutions.
The QTSP is responsible for the obligations referred to in Art. 32 of the CAD (Obligations of the
Qualified Holder and Qualified Electronic Services Provider).
9.6.2 Declarations and guarantees of RA
The QTSP through the services provided by RA, is responsible for compliance with the requirements
contained in this CP, in the relevant CPS. In detail refer to the CAP. 9.6.2 of the CPS.
9.6.3 Declatations and warranties of the subscriber
Subscriber representations and warranties are specified in its CPS.
9.7 WARRANTY STATEMENTS
The QTSP as follows: related responsibilities excludes
• Subscribers who do not comply with what is contained in the terms and conditions of use of the service;
• failure to provide information or reporting requirements due to problems associated with the availability of the Internet, or part thereof;
• vulnerability or errors associated with the cryptographic algorithms used for regulatory compliance.
9.8 LIABILITY LIMIT
Lottomatica will in no way be liable for the following:
• damages of any kind, direct and / or indirect, or prejudice caused by anyone caused by:
(A) incomplete, false or incorrect information by the proprietor of the information for which the
Certification Authority has not stated or is otherwise required to carry out specific checks and
verifications;
B) tampering or service interventions made by the Owner or by third parties not authorized by the
Certification Authority;
C) impossibility to use the Service determined by a total or partial interruption of call termination or
data transmission provided by telecommunications operators solely for facts not attributable to the
Certification Authority;
D) erroneous use of identification codes by the Owner;
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 70 di 74
E) Delays, interruptions, errors or malfunctions of the Service attributable to the Certification
Authority or arising out of the incorrect use of the Service by the Owner;
F) the use of the Service outside of current regulatory requirements;
G) failure to disclose information that the Owner should have communicated to the Certification
Authority and / or to the Custodian under the terms of the Contract;
H) breach of obligations that, under the provisions of this document or the law in force, are borne
by the Owner;
• damages of any kind, whether direct or indirect, or prejudiced by anyone who suffered, insofar as
they could have been avoided or restricted by the Owners through the proper use of the Service.
Except as provided for by applicable law, Lottomatica will in no case be liable for direct and / or
indirect damages and / or damages (including, but not limited to, loss of profit, loss of productivity,
overheads, lost earnings, loss of information and any other economic loss) suffered by the Owner
following and / or during the use of the Service due to malfunction of the Service not attributable to
Lottomatica.
Notwithstanding the foregoing, Lottomatica's overall liability is limited to compensation for direct
and / or indirect damages and / or consequential damages in cases of guilty, gross negligence or
negligence, within the limits set forth in clauses 9.2 and 9.2.1.
9.9 ALLOWANCES
The coverage of allowances associated with damages to all parties (holders, third parties concerned,
recipients) is guaranteed in this CP to the extent specified in chapter 9.2.1.
9.10 SERVICE LIFE AND TERMINATION
9.10.1 Duration
The service life is aligned at the end of the duration of the certificates issued by the QTSP (Ref.
6.3.2)
9.10.2 Resolution
In the event of a breach of only one of the obligations incumbent upon the Owner, the Service
Agreement will automatically be resolved for the purposes and for the purposes referred to in art.
1456 c.c., with simultaneous revocation of the certificates issued, without prejudice to any eventual
reparation in respect of those responsible for the violations. The Service Agreement will also be
automatically resolved in all cases of revocation of the certificate. The QTSP has the right to
withdraw at any time from the Service Agreement by giving notice to the Holder with a notice of 10
(ten) days and, consequently, to revoke issued certificates.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 71 di 74
9.10.3 Effects of cessation
The term "termination" means the process by which the QTSP ceases its activity as a qualified trust
service provider.
The QTSP publishes in the CPS the details of the information connected with the termination procedures, as a result of which the CA certificate is revoked along with all valid certificates at that
time.
9.11 NOTIFICATIONS AND COMMUNICATIONS WITH USERS
The QTSP communicates with its subscribers using:
• For general communication, through the Certification Portal;
• For important communications, Through the Certification Portal;
Through email addressed to subscribers;
All personal notifications shall be notified personally to subscribers through personal
email, confirmed by the owner at the time of registration.
9.12 CHANGES TO THE CP
QTSP reserves the right to modify the terms included in this CP in the event of:
• Modification of standards;
• Changes to security requirements;
• various and eventual; In exceptional cases, any changes can be taken with immediate effect.
9.12.1 Procedures for the dissemination of CP
The QTSP reviews the present CP on an annual basis. The revised document is associated with a new version, and changes the effective taking
into account any processes associated with approving it.
The approved document is published on the Cerificate portal of 14 days before the actual Certification effective date. The new document, as amended, is also sent to the
supervisory body, for Italy, the AgID. The QTSP can accept comments associated with what is published, through the email address:
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Page 72 di 74
9.12.2 Notification and timing mechanism
The QTSP notifies interested parties of the publication of the new version of the document, as
specified in Chap. 9.12.1.
9.12.3 Circumstancs under which it is necessary to change OID
The QTSP releases a new version in the case of integration of the OID specified in this CP.
9.13 DISPUTE RESOLUTION
The QTSP aims at a peaceful and negotiated settlement of disputes arising from the provision of its
services.
9.14 GOVERNMENT LAWS
The QTSP operates at all times in accordance with the Italian and European laws on the subject.
9.15 COMPLIANCE WITH LAWS IN FORCE
This CP complies with the following applicable laws:
• REGULATION (EU) No 910/2014 of the European Parliament and of the Council COUNCIL OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services in electronic commerce and repealing Directive
1999/93 / EC [1];
• DPCM 22 February 2013 [33];
• ETSI EN 319 401 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [10];
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Pagina 73 di 74
This document, in paper format, is to be considered unchecked unless there is the signature of the
person who approves and issues the document.
10 REFERENCES
[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July
2014 on electronic identification and trust services for electronic transactions in the internal market
and repealing Directive 1999/93/EC .
[10] ETSI EN 319 401 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
General Policy Requirements for Trust Service Providers.
[11] ETSI EN 319 403 V2.2.2 (2015-08) Electronic Signatures and Infrastructures (ESI); Trust
Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing
Trust Service Providers;.
[12] ETSI EN 319 411-1 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General
requirements .
[13] ETSI EN 319 411-2 v2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Policy and security requirements for Trust Service Providers issuing certificates; Part 2:
Requirements for trust service providers issuing EU qualified certificates; (Replaces ETSI TS 101
456).
[14] ETSI EN 319 412-1 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Certificate Profiles; Part 1: Overview and common data structures.
[15] ETSI EN 319 412-2 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons; (Replaces
ETSI TS 102 280).
[16] ETSI EN 319 412-3 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons (Replaces ETSI
TS 101 861).
[17] ETSI EN 319 412-4 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Certificate Profiles; Part 4: Certificate profile for web site certificates.
[18] ETSI EN 319 412-5 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);
Certificate Profiles; Part 5: QCStatements.
[19] ETSI TS 119 312 V1.1.1 (2014-11); Electronic Signatures and Infrastructures (ESI);
Cryptographic Suites.
[20] ISO/IEC 15408-2002 "Information Technology - Methods and Means of a Security
Evaluation Criteria for IT Security" .
[21] ISO/IEC 19790:2012: "Information technology – Security techniques – Security
requirements for cryptographic modules".
[22] IETF RFC 2560: X.509 Internet Public Key Infrastructure - Online Certificate Status
Protocol (OCSP), June 1999.
[23] IETF RFC 3647: Internet X.509 Public Key Infrastructure - Certificate Policy and
Certification Practices Framework, November 2003.
[24] IETF RFC 4043: Internet X.509 Public Key Infrastructure - Permanent Identifier, May
2005.
[25] IETF RFC 5280: Internet X.509 Public Key Infrastructure - Certificate and Certificate
Revocation List (CRL) Profile, May 2008.
[26] IETF RFC 6818: Updates to the Internet X.509 Public Key Infrastructure - Certificate and
Certificate Revocation List (CRL) Profile, January 2013.
[27] IETF RFC 6960: X.509 Internet Public Key Infrastructure - Online Certificate Status
Protocol (OCSP), June 2013.
Type POLITICS Code LTIS-PY-00001/17
Title
QTSP
QUALIFIED CERTIFICATION
SERVICES - CERTIFICATE POLICY
Revision 1.0
Date 27/04/2017
Classification: Public
Pagina 74 di 74
[28] ITU X.509 Information technology - Open Systems Interconnection - The Directory:
Publickey and attribute certificate frameworks.
[29] FIPS PUB 140-2 (2001 May 25): Security Requirements for Cryptographic Modules.
[30] Common Criteria for Information Technology Security Evaluation, Part 1 - 3.
[31] CEN Workgroup Agreement CWA 14167-2: Cryptographic module for CSP signing
operations with backup - Protection profile - CMCSOB PP.
[32] CEN CWA 14169: Secure Signature-creation devices "EAL 4 +", March 2004.
[33] DPCM 22 February 2013-Technical rules on the generation, enforcement and verification of advanced, qualified and digital electronic signatures
[34] Code for the protection of Personal data, Decree Law 196/03.
[35] Digital Administration Code (CAD) DL N. 82 7 March 2005, and subsequent amendments
(DL 179/2016)