Type: Policy

Code: LTIS-PY-00001/17

Title: QTSP Qualified Certification Services - Certificate Policy

Revision: 1.0

Date: 27/04/2017

Classification: Public

Page 1 of 74




INDEX

1 SCOPE

1.1 OVERALL

1.2 DOCUMENT NAME AND IDENTIFICATION

1.2.1 Certificate Policy

1.2.2 Entry into force

1.2.3 Security levels

1.2.4 Qualified Certification Services Policy

1.3 PKI PARTICIPANTS

1.3.1 Certification Authorities

1.3.2 Registration Authorities

1.3.3 Subscribers

1.3.4 Relying Parties

1.3.5 Other Participants

1.4 USE OF THE CERTIFICATE

1.4.1 Permitted use of the certificate

1.4.2 Unauthorized use of the certificate

1.5 POLICY ADMINISTRATION

1.5.1 Administration of the document

1.5.2 Contact info

1.5.3 Responsibility of the suitability

1.5.4 CP approval procedures

1.6 DEFINITIONS AND ACRONYMS

1.6.1 Definitions

1.6.2 Acronyms

2 PUBLICATION

2.1 REPOSITORY

2.2 PUBLICATION OF CERTIFICATION INFORMATION

2.3 PUBLICATION FREQUENCY

2.3.1 Frequency of Terms and Conditions

2.3.2 Certificate publication frequency


2.3.3 Revocation status publication frequency

2.4 CHECK OF ACCESS ON REPOSITORY

3 IDENTIFICATION AND AUTHENTICATION

3.1 DENOMINATION

3.1.1 Types of Name

3.1.2 Identification requirements

3.1.3 Anonymous subscribers and pseudonyms

3.1.4 Rules for interpretation of name

3.1.5 Uniqueness of names

3.2 VALIDATION OF THE IDENTITY

3.2.1 Methods to prove ownership of the private key

3.2.2 Authentication of an organizational entity

3.2.3 Authentication of an individual entity

3.3 IDENTIFICATION AND AUTHENTICATION FOR REISSUE

3.3.1 Identification and authentication for normal reissue

3.3.2 Identification and authentication for reissue after revocation

3.4 IDENTIFICATION AND AUTHENTICATION FOR RENEWAL REQUESTS

3.4.1 Identification and authentication in the case of a valid certificate

3.4.2 Identification and authentication in case of invalid certificate

3.5 IDENTIFICATION AND AUTHENTICATION IN CASE OF CERTIFICATE MODIFICATION REQUIREMENTS

3.5.1 Identification and authentication in the case of a valid certificate

3.5.2 Identification and authentication in case of invalid certificate

3.6 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUESTS

4 CERTIFICATE LIFE CYCLE REQUIREMENTS

4.1 REQUEST OF A CERTIFICATE

4.1.1 Submission of the certificate request

4.1.2 Enroll Process and responsibility

4.2 PROCEDURES FOR MANAGING THE CERTIFICATE REQUEST

4.2.1 Performing identification and authentication functions

4.2.2 Approval or rejection

4.2.3 Request execution time

4.3 ISSUE OF CERTIFICATE

4.3.1 CA actions during the issuance of the certificate


4.3.2 Notification to the holder about the issue of the certificate

4.4 ACCEPTANCE OF THE CERTIFICATE

4.4.1 Conduct on acceptance of the certificate

4.4.2 Publication of the certificate by the CA

4.5 KEY PAIR AND CERTIFICATE USAGE

4.5.1 Subscriber private key and certificate usage

4.5.2 Interested parties – Public key and use of the certificate

4.6 RENEWAL

4.6.1 Requirements for renewal of the certificate

4.6.2 Submission request for renewal

4.6.3 Renewal request process

4.6.4 Notification of certificate issue

4.6.5 Conduct on the acceptance of the renewal of the certificate

4.6.6 Publication of the renewed certificate by the CA

4.7 REISSUE

4.7.1 Requirements for reissuing

4.7.2 Submission request for reissuing

4.7.3 Reissue request process

4.7.4 Notification of the issuance of the certificate

4.7.5 Conduct on the acceptance on the reissuing of the certificate

4.7.6 Issued certificate publication

4.7.7 Notification to other entities of the certificate reissue

4.8 MODIFICATIONS TO THE CERTIFICATE

4.9 REVOCATION AND SUSPENSION OF THE CERTIFICATE

4.9.1 Circumstances for revocation

4.9.2 Submission of revocation request

4.9.3 Processes for revocation management

4.9.4 Grace period for revocation request

4.9.5 Time within which the CA must process the request for revocation

4.9.6 Requirements on the control of revocation by interested parties

4.9.7 Frequency Issuing CRL

4.9.8 Maximum latency on CRL

4.9.9 Availability of OCSP service

4.9.10 OCSP service requirements


4.9.11 Particular requirements on key compromise

4.10 CERTIFICATE STATUS VERIFICATION SERVICES

4.10.1 Operational features

4.10.2 Service availability

4.11 END OF SUBSCRIPTION

4.12 KEY ESCROW AND RECOVERY

4.12.1 Policy and practices Key Escrow and Recovery

4.12.2 Encapsulation key symmetrical encryption policies recovery

5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.1 PHYSICAL CONTROLS

5.1.1 Location site and features

5.1.2 Physical access

5.1.3 Power supply and air conditioning

5.1.4 Exposure to water

5.1.5 Prevention and fire protection

5.1.6 Media Storage

5.1.7 Provisions on the disposal of apparatus

5.1.8 Off-Site Backup

5.2 PROCEDURAL CONTROLS

5.2.1 Roles

5.2.2 Number of people required for task

5.2.3 Identification and authentication for roles

5.2.4 Roles requiring segregation

5.3 PERSONNEL CONTROL

5.3.1 Qualifications, experience and clarity of requirements

5.3.2 Background verification procedures

5.3.3 Training requirements

5.3.4 Refresh rate

5.3.5 Sanctions on unauthorised shares

5.3.6 Requirements on consultants

5.3.7 Documentation provided to staff

5.4 AUDIT PROCEDURES

5.4.1 Types of events stored

5.4.2 Frequency of audit processes


5.4.3 Audit log retention period

5.4.4 Audit log protection

5.4.5 Audit log backup procedures

5.4.6 Audit event collection system

5.4.7 Verbosity error notification

5.4.8 Vulnerability Assessment

5.5 STORING RECORDS

5.6 CA KEY CHANGEOVER

5.7 COMPROMISE AND DISASTER RECOVERY

5.7.1 Incident and compromise management procedures

5.7.2 Computing Resources, Software, and/or corrupted data

5.7.3 Private key compromise procedures

5.7.4 Capacity of business continuity in case of disaster

5.8 CESSATION OF ACTIVITY

6 TECHNICAL SECURITY CONTROLS

6.1 GENERATING AND INSTALLING KEY PAIR

6.1.1 Generating key pair

6.1.2 Private key release to subscribers

6.1.3 Issuing the public key to the certificate

6.1.4 Issuing the CA public key to interested parties

6.1.5 Key length

6.1.6 Key generation parameters and quality control

6.1.7 Key usage purposes (see key usage field X.509 v3)

6.2 PRIVATE KEY PROTECTION AND CONTROLS ON CRYPTOGRAPHIC COMPONENT

6.2.1 Standard and cryptographic module controls

6.2.2 Private key segregation control (MofN)

6.2.3 Key Escrow private key

6.2.4 Backup private key

6.2.5 Key storage

6.2.6 Transfer of the private key to/from the cryptographic module

6.2.7 Storing the private key on the cryptographic module

6.2.8 Private key activation method

6.2.9 Method of deactivating private key


6.2.10 Method of destruction of the private key

6.2.11 Cryptographic module evaluation

6.3 OTHER ASPECTS OF KEY MANAGEMENT

6.3.1 Public key storage

6.3.2 Validity of the certificate and keys

6.4 ACTIVATION DATA

6.4.1 Activation data generation and installation

6.4.2 Activation data protection

6.5 COMPUTER SECURITY CONTROLS

6.5.1 Specific technical security requirements on IT system

6.5.2 Assessment of IT system security

6.6 LIFE CYCLE OF ROADWORTHINESS TEST

6.6.1 Control of development system

6.6.2 Security management controls

6.6.3 Life cycle of security controls

6.7 NETWORK SECURITY CHECKS

6.8 TIME-STAMPING

7 CERTIFICATE, CRL, AND OCSP PROFILES

7.1 CERTIFICATE PROFILE

7.1.1 Specification X509

7.1.2 Certificate extensions

7.1.3 Object Identifier algorithms

7.1.4 Composition of the name

7.1.5 Constraints on name

7.1.6 Certificate Object Identifier policy

7.1.7 Usage of policy constraints extension

7.1.8 Syntax and semantics of policy qualifiers

7.1.9 Semantics management for critical policy extensions

7.2 CRL PROFILE

7.2.1 Version

7.2.2 Specifying CRL extensions

7.3 OCSP PROFILE

7.3.1 Version


7.3.2 OCSP extensions

8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS

8.1 FREQUENCIES OR ASSESSMENT REQUIREMENTS

8.2 IDENTITY/QUALIFICATION OF ASSESSOR

8.3 INDEPENDENCE OF THE ASSESSOR

8.4 TOPICS COVERED BY THE ASSESSMENT

8.5 ACTIONS TAKEN IN THE EVENT OF NON-COMPLIANCE

8.6 COMMUNICATING THE RESULT

9 LEGAL ECONOMIC ASPECTS

9.1 RATES

9.2 FINANCIAL LIABILITIES

9.2.1 Insurance coverage

9.3 CONFIDENTIALITY OF BUSINESS INFORMATION

9.4 PRIVACY OF PERSONAL INFORMATION

9.4.1 Data protection mode

9.5 INTELLECTUAL PROPERTY RIGHTS

9.6 DECLARATIONS AND WARRANTIES

9.6.1 Statements and warranties of the CA

9.6.2 Declarations and guarantees of RA

9.6.3 Declarations and warranties of the subscriber

9.7 WARRANTY STATEMENTS

9.8 LIABILITY LIMIT

9.9 ALLOWANCES

9.10 SERVICE LIFE AND TERMINATION

9.10.1 Duration

9.10.2 Resolution

9.10.3 Effects of cessation

9.11 NOTIFICATIONS AND COMMUNICATIONS WITH USERS

9.12 CHANGES TO THE CP

9.12.1 Procedures for the dissemination of CP

9.12.2 Notification and timing mechanism

9.12.3 Circumstances under which it is necessary to change OID


9.13 DISPUTE RESOLUTION

9.14 GOVERNMENT LAWS

9.15 COMPLIANCE WITH LAWS IN FORCE

10 REFERENCES


1 SCOPE

This document contains the policies for issuing qualified certificates (Certificate Policy, hereinafter CP) defined for the Lottomatica S.p.A. qualified trust service provider and concerning the subscription service.

This CP is compatible with the requirements set out in European Regulation 910/2014 (eIDAS), and the activity described is compatible with the provisions for services provided by Qualified Trust Service Providers (hereinafter QTSP).

The QTSP (Lottomatica S.p.A.) reserves the right to make changes to this document for technical requirements or for changes to procedures arising from laws or regulations or from optimization of the working cycle.

Each new version of the manual annuls and replaces the previous versions, which remain applicable to certificates issued during their validity and until their expiration date.

1.1 OVERALL

The qualified signature CP contains the definition of rules that specify the usability of a certificate for a community and/or class of applications with common security requirements.

The information in this document is structured to be compatible with the RFC 3647 public specification.

This CP consists of 9 chapters that contain the security requirements, processes, and practices defined by the QTSP to be followed during service delivery.

Certificates issued in accordance with this CP carry the identification criteria (OIDs) to which the certificates must conform.

This CP defines basic requirements for certificates, with particular reference to the QTSP certificate. The way these requirements are met and the detailed descriptions of the methods in this document are included in the Certificate Practice Statement (CPS) document issued by the QTSP.

1.2 DOCUMENT NAME AND IDENTIFICATION

1.2.1 Certificate Policy

Below are the main identification data of this CP:

Entity: Lottomatica S.p.A.

Name of the document: Qualified Certification Services - Certificate Policies

Version: 1.0

Date: 27/04/2017


1.2.2 Entry into force

This document has been in force since 27/04/2017.

This CP and the related CPSs based on this document are reviewed annually, as are the related applicability criteria.

This CP includes specific requirements for services provided to Italian customers, operating under Italian law and in Italian.

Certificates issued to customers are issued with the usage restrictions specified in chap. 1.4.

1.2.3 Security levels

The Lottomatica S.p.A. qualified trust service provider defines security levels, bearing in mind that the Certified Certificate Issue is intended to issue Qualified Signature Certificates on HSM equipment in accordance with this CP.

1.2.4 Qualified Certification Services Policy

All certificates issued by the QTSP refer to the specific policies under which they are issued.

The following OID is a unique identifier issued to Lottomatica S.p.A.

Table 1 - policy Lottomatica

(1) International Organization for Standardization (ISO)

(3) Organization identification schemes registered according to ISO/IEC 6523-2

(76) UNINFO

(49) Lottomatica SPA

The following table gives the OID of the specification of this document:

Table 2 – document policy

(1.3.76.49) Lottomatica S.p.A.

(1) Lottomatica S.p.A. Certification Authority

(1) documents

(1) public documents

(10) Lottomatica Certification Services – Certificate Policy


(1) Main version

(0) Sub version

For the purposes of the QTSP, Lottomatica S.p.A. defines the following OIDs, one for each type of certificate:

Table 3 – Certificate Policy (OID, description, abbreviation)

(1.3.76.49) Lottomatica S.p.A.

(1) Lottomatica S.p.A. Certification Authority

(2) Certificates

(1) public

(20) Qualified signature certificate issued to a natural person on an HSM device; abbreviation IGTCP01

(21) Qualified signature certificate issued to a natural person on an HSM device with reduced temporal validity; abbreviation IGTCP02

(22) Qualified natural-person certificate issued on an HSM device for internal use; abbreviation IGTCP03

(23) Qualified signature certificate issued to a legal entity on an HSM device for Automatic Signature; abbreviation IGTCP04

(1) Main version

(0) Sub version

The certificate policy referred to in Table 1 refers to certificates issued to natural persons.


Where the certificate policy relates to release on an HSM, the Qualified Trust Services Provider:

Ensures that the private key associated with the certificate is stored exclusively on a security device compliant with the certification specifications in 6.2.1;

Provides identification processes in accordance with the privacy law requirements and described in the relevant CPS.

About this CP:

Each certificate policy conforms to the policy [QCPS-n-QSCD] defined in the standard [3].

1.3 PKI PARTICIPANTS

1.3.1 Certification Authorities

The Qualified Trust Service Provider issues certificates as part of a trusted service. For example, it identifies the applicant, manages records, accepts variations related to certificates, and publishes policies related to the certificate, public keys, and information about the current status of the certificate (especially about its revocation). This activity is also referred to as certification services.

1.3.2 Registration Authorities

The Registration Authority is a component of the QTSP. The operation of the Registration Authority must comply with the requirements described in this CP, the CPS and other documents. The QTSP is in all cases fully responsible for the proper functioning of the Registration Authority.

1.3.3 Subscribers

For the purposes of the limitations set out in Chapter 1.4, four types of subscribers are defined:

1. Registration Authority Officer (RAO): natural persons delegated by Lottomatica S.p.A. to carry out the identification and registration of subscribers belonging to the business channel; such registrations are signed by the RAO through the qualified electronic signature of the declarations related to the registration operation;

2. Users of the business channel (hereinafter B2B): legal persons who have qualified electronic signatures for the signing of contract documents concerning activities related to Lottomatica S.p.A., its parent companies and/or companies subject to joint control.

3. Consumer channel customers (hereinafter B2C user): natural persons who are clients of CartaLIS Imel S.p.A., a subsidiary of Lottomatica Holding S.p.A., also a subsidiary of Lottomatica S.p.A., holding a payment card in the "base" version issued by the latter, using the qualified electronic signature for the contractual documents required to evolve it paper. The qualified electronic signing certificate for the B2C user is of a "one-shot" type, meaning that it can be used for one subscription only.

4. Certificate Holders for Automatic Signature (hereinafter Automatic Signature).

5. Employees or employees of Lottomatica S.p.A. (hereinafter referred to as internal user), its parent companies and/or jointly controlled companies.


The relationship between the QTSP and subscribers is governed by specific documents governing the terms and conditions, signed by holders of the service release as specified in Chapter 9.6.3.

1.3.4 Relying Parties

The QTSP may rely on external entities for the identification and registration of holders, in particular:

For B2B users, identification and registration is performed by the RAO.

For the B2C service, identification and registration is carried out by the CartaLIS Collaborators network, such as legal entities represented by point of sale (PdV), which may be exercised by PdVs of delegated operators nominally by the same legal representatives.

The relationship between CartaLIS and the Employees is governed by a service contract covering, inter alia, the Monetary Services on which the Collaborators offer is enabled on behalf of CartaLIS IMEL S.p.A. In order to be able to deliver Monetary Services on behalf of CartaLIS IMEL S.p.A., the Employees are previously identified and subject to appropriate verification in accordance with the provisions of the current anti-money laundering legislation. They must also follow and pass an initial training course with which they are provided for anti-money laundering obligations, including those relating to identification activities and appropriate B2C verification. CartaLIS IMEL S.p.A. also provides for the upgrading of the same training courses and information disclosure to the entire sales network that is allowed in conjunction with changes in the reference regulations or variations in the commercial proposal regarding the method of distribution and distribution of the electronic money through that sales network.

CartaLIS IMEL S.p.A. is a company subject to joint control by Lottomatica S.p.A.

For other types of users (RAO, internal, automated signature holders), the identification activity is performed by internal staff at the QTSP.

1.3.5 Other Participants

Not defined.

1.4 USE OF THE CERTIFICATE

The permitted scope of use of a certificate is determined by the contents of the extensions of the certificate itself. Limitations of use can also be specified within this CP and its CPS.


1.4.1 Permitted use of the certificate

The certificates are issued with the use restrictions listed in two languages as stated below.

Certificate of the user RAO, B2B (IGTCP01) and B2C (IGTCP02)

Usage limited to the relationships established by the owner with any subject, only for activities attributable to Lottomatica S.p.A. and its controlling companies and/or companies under common control;

L'uso è limitato a rapporti instaurati dal Titolare con qualsiasi soggetto, purché connessi con attività riconducibili a Lottomatica S.p.A., società sue controllanti e/o sottoposte a comune controllo.

Certificate of Internal user (IGTCP03)

Usage limited to the relationships established with any subject, only for activities attributable to Lottomatica S.p.A. and its controlling companies and/or companies under common control;

L'uso è limitato a rapporti instaurati con qualsiasi soggetto, purché connessi con attività riconducibili a Lottomatica S.p.A., società sue controllanti e/o sottoposte a comune controllo.

Automatic Signature user Certificate (IGTCP04)

The IGTCP04 certificate is issued with the limitations of use in two languages as specified below:

The certificate may only be used for unattended/automatic digital signature;

Il presente certificato è valido solo per firme apposte con procedura automatica.

1.4.2 Unauthorized use of the certificate

QTSP Certificate

The Lottomatica S.p.A. root certificate and its private key cannot be used before the actual publication.

Subscriber Certificate

It is not permitted to use the certificate issued to the holder in accordance with this CP, and its private keys, for purposes other than those specified in 1.4.1.


1.5 POLICY ADMINISTRATION

1.5.1 Administration of the document

The details of the staff who administer this Certificate Policy are as follows:

Organization name: Lottomatica S.p.A.

Address: Viale del Campo Boario 56/d, 00154 Rome

Phone: (+39) 06 518991

Email: [email protected]

1.5.2 Contact info

For issues related to this CP, the contact details are as follows:

Contact: Carmine Tufano

Organization name: Lottomatica S.p.A.

Address: Viale del Campo Boario 56/d, 00154 Rome

Phone: (+39) 06 518991

Fax: -

Email: [email protected]

1.5.3 Responsibility of the suitability

The certifier is responsible for the compliance of the CPS with this document, and for the provision of the services in accordance with the laws contained therein.

The CPS and the provision of services are subject to the supervision of AgID (Agency for Digital Italy).

The trust list (TSL) of the trust service providers is published on the AgID website.

1.5.4 CP approval procedures

The Qualified Trust Service Provider describes the approval procedures of the CPS, which includes compliance with this CP.


In particular, this document is reviewed at least annually by the Digital Signature Organizational Structure Manager, and the modifications made are submitted to the CTO for final approval.

1.6 DEFINITIONS AND ACRONYMS

1.6.1 Definitions

From European Regulation 910/2014 (eIDAS), Art. 3:

(1) ‘electronic identification’ means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;

(2) ‘electronic identification means’ means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service;

(3) ‘person identification data’ means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established;

(4) ‘electronic identification scheme’ means a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons;

(5) ‘authentication’ means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed;

(6) ‘relying party’ means a natural or legal person that relies upon an electronic identification or a trust service;

(7) ‘public sector body’ means a state, regional or local authority, a body governed by public law or an association formed by one or several such authorities or one or several such bodies governed by public law, or a private entity mandated by at least one of those authorities, bodies or associations to provide public services, when acting under such a mandate;

(8) ‘body governed by public law’ means a body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council;

(9) ‘signatory’ means a natural person who creates an electronic signature;

(10) ‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;

(11) ‘advanced electronic signature’ means an electronic signature which meets the requirements set out in Article 26;

(12) ‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

(13) ‘electronic signature creation data’ means unique data which is used by the signatory to create an electronic signature;

(14) ‘certificate for electronic signature’ means an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym


of that person;

(15) ‘qualified certificate for electronic signature’ means a certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I;

(16) ‘trust service’ means an electronic service normally provided for remuneration which consists of:

(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or

(b) the creation, verification and validation of certificates for website authentication; or

(c) the preservation of electronic signatures, seals or certificates related to those services;

(17) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation;

(18) ‘conformity assessment body’ means a body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides;

(19) ‘trust service provider’ means a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider;

(20) ‘qualified trust service provider’ means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body;

(21) ‘product’ means hardware or software, or relevant components of hardware or software, which are intended to be used for the provision of trust services;

(22) ‘electronic signature creation device’ means configured software or hardware used to create an electronic signature;

(23) ‘qualified electronic signature creation device’ means an electronic signature creation device that meets the requirements laid down in Annex II;

(24) ‘creator of a seal’ means a legal person who creates an electronic seal;

(25) ‘electronic seal’ means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity;

(26) ‘advanced electronic seal’ means an electronic seal, which meets the requirements set out in Article 36;

(27) ‘qualified electronic seal’ means an advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal;

(28) ‘electronic seal creation data’ means unique data, which is used by the creator of the electronic

seal to create an electronic seal;

(29) ‘certificate for electronic seal’ means an electronic attestation that links electronic seal validation

data to a legal person and confirms the name of that person;

(30) ‘qualified certificate for electronic seal’ means a certificate for an electronic seal, that is issued

by a qualified trust service provider and meets the requirements laid down in Annex III;

(31) ‘electronic seal creation device’ means configured software or hardware used to create an

electronic seal;

(32) ‘qualified electronic seal creation device’ means an electronic seal creation device that meets

mutatis mutandis the requirements laid down in Annex II;

(33) ‘electronic time stamp’ means data in electronic form which binds other data in electronic form

to a particular time establishing evidence that the latter data existed at that time;

(34) ‘qualified electronic time stamp’ means an electronic time stamp which meets the requirements

laid down in Article 42;

(35) ‘electronic document’ means any content stored in electronic form, in particular text or sound,

visual or audiovisual recording;

(36) ‘electronic registered delivery service’ means a service that makes it possible to transmit data

between third parties by electronic means and provides evidence relating to the handling of the

transmitted data, including proof of sending and receiving the data, and that protects

transmitted data against the risk of loss, theft, damage or any unauthorised alterations;

(37) ‘qualified electronic registered delivery service’ means an electronic registered delivery service

which meets the requirements laid down in Article 44;

(38) ‘certificate for website authentication’ means an attestation that makes it possible to

authenticate a website and links the website to the natural or legal person to whom the

certificate is issued;

(39) ‘qualified certificate for website authentication’ means a certificate for website authentication,

which is issued by a qualified trust service provider and meets the requirements laid down in

Annex IV;

(40) ‘validation data’ means data that is used to validate an electronic signature or an electronic

seal;

(41) ‘validation’ means the process of verifying and confirming that an electronic signature or a seal

is valid.

1.6.2 Acronyms

QTSP Qualified Trust Service Provider

CA Certification Authority

HSM Hardware Security Module

HA High Availability

CRL Certificate Revocation List

OCSP Online Certificate Status Protocol

TSA Time Stamp Authority

TSU Time Stamp Unit

QSCD Qualified Signature Creation Device

RAO Registration Authority Operator

RA Registration Authority

PKI Public Key Infrastructure - This term means a series of agreements that allow trusted third parties to verify and/or guarantee the identity of a user, as well as associate a public key with a user, usually by means of distributed software coordinated on different systems. Public keys typically take the form of digital certificates.

PIN Personal Identification Number

PUK Personal Unlock Key

SN Serial Number.

SSL Secure Sockets Layer – Standard protocol for managing secure Internet transactions based on the use of public key cryptographic algorithms.

WS Web Service

ICT Information and Communication Technology

VPN Virtual Private Network

PdV Points of sale

DC Data Center

2 PUBLICATION

2.1 REPOSITORY

The QTSP publishes this CP, CPS, and other documents containing the terms and conditions on

which its service is based.

The QTSP ensures that the availability of its systems is at least 99.7% on an annual basis, while each service interruption may not exceed 8 hours.

2.2 PUBLICATION OF CERTIFICATION INFORMATION

The CA certificate is available on the Certification portal at https://ca.firmadigitale.lottomaticaitalia.it.

Certificate status information is published in a CRL available over HTTP and through the OCSP URL specified in the certificate.

2.3 PUBLICATION FREQUENCY

2.3.1 Frequency of Terms and Conditions

The publication of new versions of the CP is in accordance with the procedures described in

paragraph 9.12.

2.3.2 Certificate publication frequency

The QTSP publishes the CA root certificate before the startup. The QTSP does not publish the

subscriber's certificate.

2.3.3 Revocation status publication frequency

The status of certificates issued to subscribers by the QTSP must be immediately available, as required for the OCSP service.

Information about the status of the certificates shall be published in the front-end repository, inside the revocation list (CRL). The requirements for the update frequency are specified in Chapter 4.10. The revocation list is updated as specified in chap. 4.9.7.

2.4 CHECK OF ACCESS ON REPOSITORY

Access to the public repository of certificates must be permitted in accordance with the provisions of

art. 34 of the DPCM of 22 February 2013 [33].

3 IDENTIFICATION AND AUTHENTICATION

3.1 DENOMINATION

This chapter establishes the requirements for the data indicated in the certificate issued to subscribers, in accordance with this CP.

3.1.1 Types of Name

This CP requires the Subject field specification to be compatible with the following:

• Common Name (CN) – OID: 2.5.4.3 – Name of the Subject.

The Common Name field specifies the name of a natural person. The possibility of using a pseudonym is governed by law.

• Surname – OID: 2.5.4.4 – The surname of the natural person.

In this field, the subject's surname must be specified. The use of a pseudonym is governed by law.

• Given Name – OID: 2.5.4.42 – The name of the natural person.

In this field, the subject's name must be specified. The possibility of using a pseudonym is governed by law.

• Pseudonym – OID: 2.5.4.65 – Subject pseudonym.

The Subject's pseudonym can be specified in this field. The use of a pseudonym is governed by law.

• Serial Number – OID: 2.5.4.5 – Unique Subject identifier.

In this field, a unique reference to a Subject's identity document must be specified.

• Organization – OID: 2.5.4.10 – The name of the Organization.

• Organization Identifier – OID: 2.5.4.97 – The name of the Organization.

Normally this field contains a numeric identifier associated with the Organization, such as VAT.

• Organizational Unit (OU) – OID: 2.5.4.11 – The name of the organizational unit.

In this field you can specify the name of an organizational unit belonging to the Organization. The "OU" field can only be specified if the fields "O", "L" and "C" are present.

• Country (C) – OID: 2.5.4.6 – Country identification.

The field contains the two-letter code of the country to which the organization belongs. For Italy this field is "IT".

• Locality Name (L) – OID: 2.5.4.7 – Name of locality.

For an organization, the field specifies the locality where the organization is located. In the case of a certificate that is not associated with an Organization, the field is not used.
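The Subject rules of section 3.1.1 can be checked mechanically before a certificate request is approved. The following is an added example, not code from this CP or from the QTSP: the function name, the sample Subjects, reporting attributes outside the 3.1.1 list, and expecting exactly one CN are assumptions made for illustration.

```python
import re

# Attribute OIDs listed in section 3.1.1 of this CP.
OIDS = {
    "2.5.4.3": "CN",
    "2.5.4.4": "surname",
    "2.5.4.42": "givenName",
    "2.5.4.65": "pseudonym",
    "2.5.4.5": "serialNumber",
    "2.5.4.10": "O",
    "2.5.4.97": "organizationIdentifier",
    "2.5.4.11": "OU",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
}


def check_subject(rdns):
    """Return findings for a Subject given as (oid, value) pairs.

    An empty list means no rule of section 3.1.1 was violated.
    """
    findings = []
    present = {}
    for oid, value in rdns:
        name = OIDS.get(oid)
        if name is None:
            # Assumption: attributes outside the 3.1.1 list are reported.
            findings.append(f"attribute {oid} is not listed in 3.1.1")
            continue
        if not value.strip():
            findings.append(f"{name} is present but empty")
        present.setdefault(name, []).append(value)

    # "The OU field can only be specified if O, L and C are present."
    if "OU" in present:
        missing = [f for f in ("O", "L", "C") if f not in present]
        if missing:
            findings.append("OU requires " + ", ".join(missing))

    # Country is a two-letter code ("IT" for Italy).
    for country in present.get("C", []):
        if not re.fullmatch(r"[A-Z]{2}", country):
            findings.append(f"C must be a two-letter code, got {country!r}")

    # L is not used when the certificate is not tied to an Organization.
    if "L" in present and "O" not in present:
        findings.append("L is present without O")

    # Assumption: a Subject carries exactly one Common Name.
    if len(present.get("CN", [])) != 1:
        findings.append("exactly one CN expected")

    return findings


# Constructed sample Subjects (not taken from real certificates).
PERSON = [
    ("2.5.4.6", "IT"),
    ("2.5.4.4", "Rossi"),
    ("2.5.4.42", "Mario"),
    ("2.5.4.5", "DOC-0000000"),
    ("2.5.4.3", "Mario Rossi"),
]
BAD_ORG = [
    ("2.5.4.3", "Mario Rossi"),
    ("2.5.4.11", "Sales"),
    ("2.5.4.7", "Roma"),
    ("2.5.4.6", "Italy"),
]

if __name__ == "__main__":
    for label, subject in (("PERSON", PERSON), ("BAD_ORG", BAD_ORG)):
        print(label, check_subject(subject) or "ok")
```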

3.1.2 Identification requirements

The Subscriber must be identified by verifying the validity of the identity documents provided by the holder. The identity validation process is performed in the manner specified in the CPS.

3.1.3 Anonymous subscribers and pseudonyms

The QTSP may allow the use of an alias as provided by law.

3.1.4 Rules for interpretation of name

See chapter 3.1.2.

3.1.5 Uniqueness of names

The subject must be uniquely identifiable within the QTSP systems. The holder's personal data is

accompanied by a serial Number as specified in chapter 3.1.1 (Identity document ID).

The uniqueness of the name must comply with the requirements specified in document EN 319 412 part 2 [15] v2.1.1, chap. 4.2.4.

Disputes related to the name

The QTSP must verify the credentials provided by the subscriber, which must be reported in the certificate. The QTSP may revoke the certificate in the case of illegal use of names or data.

3.2 VALIDATION OF THE IDENTITY

The identity validation process is detailed in the CPS. The QTSP stores all the information provided in the identification phase of subscribers and, in particular, the identification number and the expiration date of the identification document.

3.2.1 Methods to prove ownership of the private key

Before issuing a certificate, the QTSP shall ensure and verify that the requester has under his sole control the private key corresponding to the public key of the certificate.

The way in which this requirement is satisfied must be specified in the CPS.

3.2.2 Authentication of an organizational entity

The QTSP issues qualified electronic signature certificates only to natural persons.

3.2.3 Authentication of an individual entity

The identity verification process associated with the issue of a qualified electronic certificate in accordance with Article 24 of Regulation 910/2014 (eIDAS) is ensured through "the physical presence of a natural person" or "at a distance, by means of electronic identification means" (paragraphs 1a and 1b).

The methods for identifying the subscriber are detailed in the relevant CPS.

3.3 IDENTIFICATION AND AUTHENTICATION FOR REISSUE

Re-issuing the certificate is the process in which the QTSP issues a new certificate in place of the previous one, for contractual necessity, where:

• Limits of validity have been reached;

• The previous certificate has been canceled;

• One of the master data items related to the certificate or the use of the signature has changed.

In case of issue, the QTSP must always verify the existence and validity of the holder's certificates.

The subscriber's identification must in any case comply with the provisions of section 3.2.3. More details are provided in the relevant CPS.

3.3.1 Identification and authentication for normal reissue

A reissue of the certificate must always provide for the verification of documents and personal

information as defined in 3.2.3.

3.3.2 Identification and authentication for reissue after revocation

A reissue of the certificate as a result of revocation must always provide for verification of personal information as defined in 3.2.3.

3.4 IDENTIFICATION AND AUTHENTICATION FOR RENEWAL REQUESTS

The certificate is renewed for contractual needs when it is about to reach the limits of its validity.

3.4.1 Identification and authentication in the case of a valid certificate

The valid certificate is renewed only if it is near the expiration date. Re-issuing of the certificate

must include verification of the personal data as specified in 3.2.3.

3.4.2 Identification and authentication in case of invalid certificate

Re-issuing of the certificate involves the verification of the personal data as specified in 3.2.3.

3.5 IDENTIFICATION AND AUTHENTICATION IN CASE OF CERTIFICATE MODIFICATION REQUIREMENTS

If a certificate needs to be changed, it is revoked and reissued with the new personal data. The new issue of the certificate requires the verification of the personal data as specified in 3.2.3.

3.5.1 Identification and authentication in the case of a valid certificate

Identification and Authentication in the case of a valid certificate may be carried out following verification of the expiration of the certificate itself.

The new issue of the certificate requires the verification of the personal data as specified in 3.2.3.

3.5.2 Identification and authentication in case of invalid certificate

The new issue of the certificate involves the verification of personal information.

3.6 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUESTS

The QTSP must receive and process requests for revocation of the signature certificate. The QTSP

must ensure that requests are executed quickly, verifying their acceptance by the responsible staff.

Requests received must be processed within a maximum 24-hour time span. Once the request has

been approved, it must be processed within 1 hour.

Suspension of the Certificate may be requested by the Certificate Holders, in writing to the QTSP

mailbox, [email protected].

The identity of the person submitting the request must be verified by the QTSP before the request

is executed. These aspects are detailed in the CPS.

4 CERTIFICATE LIFE CYCLE REQUIREMENTS

4.1 REQUEST OF A CERTIFICATE

The qualified electronic signature certificate issued by Lottomatica S.p.A. is used mainly as an instrument for signing reports associated with business activities related to Lottomatica S.p.A., its parent companies and/or companies under common control, within the limits of use specified in chap. 1.4.

Each new process of issuing a certificate of subscription is subject to verification of the identity of

the subject in accordance to what is specified in Chapter 3, and in particular in the manner

described in Chapter 3.2.3.

The identification and registration of owner details are validated through different ways depending

on the type of user, as specified in Chapter 1.3.3.

The processes associated with the certificate request, are detailed in CPS.

4.1.1 Submission of the certificate request

The certificate request can be validated only after the procedures for verifying the holder's identity have been completed. The validity of the data is confirmed by qualified personnel, according to the channel through which the certificate is issued to the holder. In any case, validation of the request for issuing the certificate is performed by RAO personnel for all users.

4.1.2 Enroll Process and responsibility

The enroll process has the primary task of issuing the subscription certificate.

Before the procedure is initiated, the subscriber must be called upon to check his / her personal

data and view the terms and conditions of the service.

The QTSP, upon receipt of the confirmation on the start of the issuing procedure, must record the

holder's personal data before proceeding to the certificate generation.

The events following the confirmation of the master data and of the terms of service must be recorded by the QTSP and filed for a period of 20 years.

If the subscriber's identity is not validated by the subscriber, the enrolling process must not be

executed.

4.2 PROCEDURES FOR MANAGING THE CERTIFICATE REQUEST

4.2.1 Performing identification and authentication functions

The QTSP identifies the subscriber according to what is published in chapt. 3.2.

4.2.2 Approval or rejection

Approval of the request may take place if:

• The holder meets the requirements associated with the RAO's verification of his identity;

• The holder agrees to the terms and conditions of service delivery.

Rejection of the request may take place if:

• None of the conditions for approval have been verified;

• The holder has another valid certificate on his behalf, which does not fall under the terms of

the renewal.

4.2.3 Request execution time

The certificate must be issued once the procedures for determining the identity of the holder have concluded with a positive outcome.

4.3 ISSUE OF CERTIFICATE

The QTSP can issue the certificate only after the RAO has validated the recording of the subscriber data. Further details are specified in the relevant CPS.

4.3.1 CA actions during the issuance of the certificate

The certificate must be issued with the safety measures in accordance with the applicable

regulations.

4.3.2 Notification to the holder about the issue of the certificate

The QTSP must inform the holder about the issuance of the certificate.

4.4 ACCEPTANCE OF THE CERTIFICATE

4.4.1 Conduct on acceptance of the certificate

The QTSP publishes subscription certificates for the generation of the same. The terms related to

this publication are contained in the Service Terms and Conditions document accepted by the holder.

4.4.2 Publication of the certificate by the CA

The QTSP does not publish the generated certificates. The related conditions are contained in the general conditions of service accepted by the holder.

4.5 KEY PAIR AND CERTIFICATE USAGE

4.5.1 Subscriber private key and certificate usage

The subscriber uses the private key corresponding to the certificate issued to him only for the purposes of the qualified electronic signature and only in accordance with the conditions specified in chap. 1.4. Any other use of the certificate, including authorization and/or encryption, is prohibited.

The subscription operation is used by the holders according to the following scheme:

• For B2B and B2C users, the subscription is only for the signature of PDF and PDF/A files, exclusively in the context of a process related to the contractualization of the user, realized through IT solutions (e.g. web portals, systems for internal use) devoted to this purpose;

• The RAO user signs exclusively the B2B user registration form, through IT solutions (e.g. web portals, systems for internal use) devoted to this purpose;

• Internal users are allowed to sign documents using IT solutions devoted to this purpose, limited to the activities of Lottomatica S.p.A., its parent companies and/or jointly controlled companies. Specifically, such IT solutions accept any document or file format and apply the signature in the following formats:

o PAdES / PAdES-T for PDF documents;

o CAdES / CAdES-T for all other documents.

• For Automatic Signing Users, document signatures are made only by systems of Lottomatica S.p.A., its parent companies and/or companies under common control, appropriately configured to use the Automatic Signature Certificate. These systems accept any document or file format and apply the signature in the following formats:

o PAdES / PAdES-T for PDF documents;

o CAdES / CAdES-T for all other documents.

Lottomatica S.p.A. warrants that the signed document does not contain macros, executable code, or other elements capable of activating features that may modify the acts, facts or data represented in it, in compliance with Article 4, paragraph 3 of the DPCM of 22 February 2013 [33].

A private key corresponding to an expired, revoked or suspended certificate should not be used for

the creation of a qualified electronic signature.

The subscriber must ensure adequate protection of the qualified electronic signature activation data (password and OTP code).

4.5.2 Interested parties – Public key and use of the certificate

The parties concerned with the verification of a qualified electronic signature must proceed

according to what is contained in the CPS with particular regard to the following:

• The parties concerned must verify the validity and the revocation status of the certificate;

• The parties concerned must ensure that the signature certificate has been issued by Lottomatica S.p.A., by checking it against the Lottomatica CA root certificate published by AgID on its site;

• The qualified electronic signature certificate and the corresponding public key should only be used

for validating the signature itself;

• The parties concerned must take into account the limitations of use indicated in the certificate, in

accordance with what is contained in Chapter 1.4;

The QTSP provides services to allow subscribers and interested parties to verify the certificates

issued.

4.6 RENEWAL

Renewal of the certificate means the regeneration of the keys and the certificate, provided for in

the case of the expiration of the certificate.

4.6.1 Requirements for renewal of the certificate

The renewal procedure is for all users with the exception of B2C users, for which the qualified

electronic signature service is of one-shot type, and therefore the validity of the certificate is limited

to one signature operation.

Renewal of the certificate can only be performed when the following conditions are verified:

• The previous qualified electronic signature certificate is not suspended or revoked;

• The identity of the holder indicated in the certificate is still valid; identity verification is performed by an RAO (B2B user) or RAA (Internal User, RAO, Automatic Signature) consistent with the process that was executed with the first issue of the certificate.

The enrollment procedure performed in the context of renewal of the certificate involves the

generation of a new private key and a new certificate to be associated with the owner, with the

same technical modalities specified for the first issue.

4.6.2 Submission request for renewal

The processes associated with the renewal request for the certificate are detailed in the CPS.

4.6.3 Renewal request process

In the process of evaluating the renewal request, the QTSP must ensure that:

• The renewal request is authentic;

• The applicant is authorized to proceed;

• The applicant confirms that the Subject data indicated in the certificate is still valid;

• The certificate to be renewed is not suspended or revoked;

• The algorithms used are still valid during the validity period of the certificate.

The methods used for identification and authentication for the renewal process are described in

chap. 3.4.

4.6.4 Notification of certificate issue

The QTSP must notify the holder of the renewal of the certificate.

4.6.5 Conduct on the acceptance of the renewal of the certificate

Once the certificate is issued, the holder is called upon to confirm the data contained therein through the qualified electronic signature to which the certificate is connected.

4.6.6 Publication of the renewed certificate by the CA

The QTSP publishes subscription certificates for the generation of the same. The conditions related

to this publication are accepted by the subscriber through explicit consent just before the certificate

entry stage (see section 4.1.2).

4.7 REISSUE

Reissuing the certificate refers to the regeneration of the keys and the certificate, provided in the

cases specified in 4.7.1.

4.7.1 Requirements for reissuing

Reissuing the certificate can only be performed when the following conditions are true:

• The previous qualified electronic signature certificate is revoked;

• The identity of the holder indicated in the certificate is still valid;

4.7.2 Submission request for reissuing

As in chap 4.6.2.

4.7.3 Reissue request process

As in chap 4.6.3.

4.7.4 Notification of the issuance of the certificate

As in chap 4.6.4.

4.7.5 Conduct on the acceptance of the reissuing of the certificate

As in chap 4.6.5.

4.7.6 Issued certificate publication

As in chap 4.6.6.

4.7.7 Notification to other entities of the certificate reissue

As in chap 4.6.7.

4.8 MODIFICATIONS TO THE CERTIFICATE

The QTSP does not make changes to the certificate.

4.9 REVOCATION AND SUSPENSION OF THE CERTIFICATE

Revocation of the certificate means the procedure by which the QTSP terminates the validity of a certificate before its natural expiration date. The revocation of a certificate is permanent and not reversible; a revoked certificate cannot be reinstated.

In the event of revocation of the certificate, the QTSP may delete the keys of the subscriber using

the procedures in accordance with the HSM user manual, and with what is specified in the

certification documents.

Following the revocation of the certificate, the QTSP notifies the holder of the change in the status

of the certificate.

Suspending the certificate is the procedure by which the QTSP temporarily terminates the validity of a certificate. Suspension is temporary; the suspended certificate may be revoked or, before the expiration dates are reached, reinstated.

In accordance with the DPCM of 22 February 2013 [33], art. 26, the suspension of the certificate is carried out by the QTSP by inserting its serial number within the CRL with the appropriate on-hold reason. The maximum length of the suspension is 60 days, after which the certificate is revoked if a request for re-activation by the holder has not been received.
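The suspension mechanism above is visible to anyone who reads the CRL: a suspended certificate appears with the on-hold reason, and a hold older than 60 days is due for revocation. The following is an added example, not code from this CP or from the QTSP. The CRL entries and serial numbers are constructed, the function names are hypothetical, the reason code values are those of the CRLReason extension in RFC 5280, and treating a time earlier than the entry date as unaffected by the entry is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

# CRLReason values defined in RFC 5280.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6  # the "on-hold" reason used for suspension

MAX_SUSPENSION = timedelta(days=60)  # maximum suspension length in 4.9


def status_at(serial, crl_entries, when):
    """Classify a certificate at time `when` from CRL entries.

    crl_entries: iterable of (serial, entry_date, reason_code) tuples.
    when: the time being evaluated, for example a signature timestamp.
    Returns "good", "suspended" or "revoked".
    """
    for entry_serial, entry_date, reason in crl_entries:
        if entry_serial != serial:
            continue
        if when < entry_date:
            # Assumption: the entry does not affect earlier times.
            return "good"
        return "suspended" if reason == CERTIFICATE_HOLD else "revoked"
    return "good"


def overdue_holds(crl_entries, now):
    """Serials suspended for longer than MAX_SUSPENSION at time `now`.

    Per 4.9 these certificates are revoked unless the holder has
    requested re-activation.
    """
    return sorted(
        serial
        for serial, held_at, reason in crl_entries
        if reason == CERTIFICATE_HOLD and now - held_at > MAX_SUSPENSION
    )


# Constructed CRL content (serials and dates are illustrative only).
UTC = timezone.utc
CRL = [
    (0x1A01, datetime(2017, 5, 2, 9, 0, tzinfo=UTC), CERTIFICATE_HOLD),
    (0x1A02, datetime(2017, 6, 20, 9, 0, tzinfo=UTC), CERTIFICATE_HOLD),
    (0x1A03, datetime(2017, 6, 1, 9, 0, tzinfo=UTC), KEY_COMPROMISE),
]
NOW = datetime(2017, 7, 10, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for serial in (0x1A01, 0x1A02, 0x1A03, 0x1A04):
        print(hex(serial), status_at(serial, CRL, NOW))
    print("holds past 60 days:", [hex(s) for s in overdue_holds(CRL, NOW)])
```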

4.9.1 Circumstances for revocation

The QTSP may revoke the subscriber's certificate in the following cases:

• The Certificate Subject data changes;

• The QTSP verifies that the certificate data does not correspond to reality;

• The holder requests the revocation of the certificate in writing;

• The QTSP verifies that the private key is not under the exclusive control of the subscriber;

• The QTSP verifies that the certificate is used outside the allowed scope;

• The QTSP verifies that the public key contained in the certificate is not compatible with what is specified in chapters 6.1.5 and 6.1.6;

• The QTSP verifies that the certificate has not been issued in accordance with this CP and its CPS;

• The QTSP verifies that the subscriber's private key has been or could have been compromised;

• The QTSP terminates its certification activity;

• The law in force requires the revocation.

The QTSP may suspend the subscriber's certificate in the following scenarios:

• The holder requests the suspension of the certificate;

• For B2C subscribers, following a single signing operation.

The CPS may include additional conditions for which revocation is envisaged.

4.9.2 Submission of revocation request

Revocation may be requested by:

• The subscriber;

• The legal representative of the subscriber;

• The QTSP.

4.9.3 Processes for revocation management

QTSP provides a certificate revocation tool, exclusively through its Revocable Certificate Reliability

feature, upon authentication, on the Certification Portal.

The QTSP verifies the authenticity and validity of the request before proceeding to revoke the

certificate.

The QTSP notifies the subscriber of the transaction through the email provided by the holder at

registration.

The suspension request procedure provides that:

• The Certificate Holder sends an e-mail to the QTSP mailbox [email protected];

• The QTSP verifies the identity of the holder through the Registration Authority (RAA or RAO);

• The Registration Authority submits the request to the CA and, as soon as it has been processed, sends a confirmation email to the Holder.

4.9.4 Grace period for revocation requests

The QTSP must declare a "grace period" associated with the validity of the certificate as a result of

a revocation. QTSP specifies this value within its CPS.

4.9.5 Time within which the CA must process the request for revocation

The QTSP must process revocation and suspension requests in accordance with ETSI 319 411-1 Clause 6.2.4.

4.9.6 Requirements on the control of revocation by interested parties

In order to comply with the revocation check, it is recommended to check all certificates included in the certification chain. Verification must include checking the validity of the certificates, the policies contained in the certificate together with the key usage, and the certificate status based on the information contained in the CRL or provided by OCSP.

4.9.7 CRL issuance frequency

In compliance with the standard EN 319 411 01 v 1.1.1 Chap. 6.3.9 C [12], the QTSP must update

the revocation lists at least once a day.

4.9.8 Maximum latency on CRL

The QTSP must verify that the latency related to the publication of revocation lists is minimal. Latency times are specified in the CPS.

4.9.9 Availability of OCSP service

The QTSP must provide an OCSP service to validate the certificate.

4.9.10 OCSP service requirements

The QTSP OCSP service must be compatible with the requirements specified in Chap 4.10.

4.9.11 Particular requirements on key compromise

If the private key is compromised, the QTSP publishes the status change of the certificate and notifies the event to the affected parties. If the private key of an end user is compromised, the QTSP revokes the certificate, specifying as the reasonCode the value "keyCompromise (1)".

4.10 CERTIFICATE STATUS VERIFICATION SERVICES

The QTSP, in order to ascertain the validity of a certificate, must provide the following services:

• OCSP - Online Certificate revocation status;

• CRL - certificate revocation lists.

Revoked certificates must be included in the CRL. Revoked certificates cannot be removed from the CRL, even after their expiration date.

When a certificate's status changes, at the completion of the process the QTSP instantly updates the CRL, which is subsequently published in accordance with the latency times specified in chapter 4.9.8. From then on, the OCSP service must provide information about the new status of the certificate.

The QTSP also publishes a portal (online verifier) for the validation of digitally signed documents, publicly available at the following URL:

http://ver.ca.firmadigitale.lottomaticaitalia.it

The Online Verifier is a web-based component implemented in Java, based on the DSS project recommended by the European Commission for the recognition of electronic documents signed in the different Member States.

4.10.1 Operational features

The QTSP must update the revocation lists at least once every 24 hours.
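
An added example, not part of this policy or of the QTSP's own tooling: an audit over successive CRL snapshots that flags violations of three rules stated in sections 4.9 to 4.10.1 (60-day suspension limit, revoked entries never removed, CRL updated at least every 24 hours). The snapshot model, function names and sample data are constructed for illustration; the reason codes are the RFC 5280 CRLReason values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# RFC 5280 CRLReason values referenced by the policy text
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6

MAX_SUSPENSION = timedelta(days=60)     # section 4.9: maximum suspension length
MAX_CRL_INTERVAL = timedelta(hours=24)  # sections 4.9.7 and 4.10.1


@dataclass(frozen=True)
class Entry:
    """One revoked-certificate entry of a CRL (hypothetical model)."""
    serial: int
    revocation_date: datetime
    reason: int


@dataclass(frozen=True)
class CrlSnapshot:
    """A full CRL as observed at issuance time (hypothetical model)."""
    this_update: datetime
    entries: tuple


def audit(snapshots):
    """Return findings as (this_update, rule, serial or None) tuples."""
    findings = []
    prev = None
    for snap in sorted(snapshots, key=lambda s: s.this_update):
        current = {e.serial: e for e in snap.entries}
        if prev is not None:
            # Rule: the CRL must be updated at least once every 24 hours.
            if snap.this_update - prev.this_update > MAX_CRL_INTERVAL:
                findings.append((snap.this_update, "crl-gap", None))
            for old in prev.entries:
                if old.reason == CERTIFICATE_HOLD:
                    # A held entry may disappear (reactivation) or become revoked.
                    continue
                # Rule: a revoked certificate is never removed from the CRL.
                if old.serial not in current:
                    findings.append((snap.this_update, "revoked-removed", old.serial))
                # A definitive revocation must not turn back into a suspension.
                elif current[old.serial].reason == CERTIFICATE_HOLD:
                    findings.append((snap.this_update, "revoked-downgraded", old.serial))
        for e in snap.entries:
            # Rule: after 60 days a suspension must have become a revocation.
            if (e.reason == CERTIFICATE_HOLD
                    and snap.this_update - e.revocation_date > MAX_SUSPENSION):
                findings.append((snap.this_update, "hold-overdue", e.serial))
        prev = snap
    return findings


def constructed_snapshots():
    """Constructed sample data: three CRLs with three deliberate violations."""
    t0 = datetime(2017, 5, 1, 0, 0)
    crl0 = CrlSnapshot(t0, (
        Entry(0x10, datetime(2017, 4, 30), CERTIFICATE_HOLD),  # recent suspension
        Entry(0x20, datetime(2017, 4, 29), KEY_COMPROMISE),    # definitive revocation
        Entry(0x30, datetime(2017, 3, 1), CERTIFICATE_HOLD),   # on hold for 61 days
    ))
    crl1 = CrlSnapshot(t0 + timedelta(hours=24), (
        # 0x10 was reactivated and legitimately left the list
        Entry(0x20, datetime(2017, 4, 29), KEY_COMPROMISE),
        Entry(0x30, datetime(2017, 3, 1), 0),                  # hold became revocation
    ))
    crl2 = CrlSnapshot(t0 + timedelta(hours=54), (
        # issued 30 hours after crl1, and the revoked serial 0x20 has vanished
        Entry(0x30, datetime(2017, 3, 1), 0),
    ))
    return [crl0, crl1, crl2]


if __name__ == "__main__":
    for when, rule, serial in audit(constructed_snapshots()):
        label = "-" if serial is None else hex(serial)
        print(when.isoformat(), rule, label)
```
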

4.10.2 Service availability

The QTSP should ensure the availability of CRLs and terms and conditions of the certificates issued

at 99.7% on an annual basis, ensuring that unscheduled unavailability of the system does not

exceed 8 hours.

The QTSP should ensure the availability of services in connection with revocation checking for

certificates issued at 99.7% on an annual basis, ensuring that the unavailability of the service does

not exceed 8 hours.

The response time of the OCSP service must not exceed 10 seconds.

4.11 END OF SUBSCRIPTION

The QTSP may revoke the holder's certificate in case of termination of the contractual

arrangements with the subscriber.

4.12 KEY ESCROW AND RECOVERY

QTSP does not provide key escrow tools applied to the private key belonging to a subscriber.

4.12.1 Policy and practices Key Escrow and Recovery

QTSP does not provide key escrow tools applied to the private key belonging to a subscriber.

4.12.2 Encapsulation key symmetrical encryption policies recovery

The QTSP does not provide tools for key escrow applied to the private key belonging to

a Subscriber.

5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.1 PHYSICAL CONTROLS

The QTSP adopts a set of technical and organizational measures that allow site access control and the safeguarding of corporate assets from theft, disappearance and voluntary or involuntary damage. The definition of physical security policies is part of a wider process aimed at protecting information media, and presupposes a risk assessment activity that identifies the risks associated with the inventoried assets.

5.1.1 Location site and features

The CED systems of the production environment and those of the QTSP's DR site run on a hardware infrastructure located at two separate sites.

Data centers are interconnected by a private backbone network and both connected to Internet

access networks with bandwidth that provide qualified services with the same performance. The

interconnection of individual DCs to both the public and private networks is implemented through

redundant connections.

This infrastructure ensures that the indicators described in section 4.10.2 are respected.

The CED area of the primary site is built to adequate construction criteria, ensuring fire resistance in case of fire outside the building. The rooms that host the equipment are fitted with raised floors and false ceilings, in compliance with the reference standards. The

infrastructures are all made with the use of combustible, sound-absorbing and antismashing

materials.

In the processing room there is a lighting system that complies with the regulations and is equipped

with an adequate emergency system.

5.1.2 Physical access

Primary site

The building and secure areas of Lottomatica S.p.A. are protected by an access control system in order to guarantee entry to authorized personnel only.

Lottomatica S.p.A. defines internal security policy procedures that regulate physical access to the site and to reserved areas for both employees and occasional or habitual visitors.

In particular, a number of behavioural rules are envisaged.

It is required to:

• Access the workplace using one's own access credentials (e.g. magnetic badges), through the designated gates and in the ways established by the company;

• Observe the rules from time to time given in writing or verbally by persons responsible for access

to restricted areas;

• Respect corporate procedures for requesting access to external staff (consultants, regular and casual visitors);

• Communicate promptly any breaches of the rules to your Responsible Authority, to supervise your home or directly to the Security Area.

It is forbidden to:

• Give third parties their access credentials, even temporarily, and in the event of failure, possession must be timely communicated to the Security Area;

• Access restricted areas unless you have a specific authorization;

• For those who are in possession of the foreseen authorization, allow access to unauthorized or badge personnel.

Regarding physical access control, Lottomatica S.p.A. has implemented the following controls:

• Access is only allowed to holders of unexpired badges issued by the security area;

• The badge is assigned to employees and visitors after the identification and authorization of a Lottomatica S.p.A. internal referral;

• The release of the badge must be consistent with the employee's profile and allow access only to areas of strict competence;

• Supervisors at any time can check the validity of the badge and therefore, if they are required, they must be promptly exhibited.

Access events (entry and exit) are logged.

DR site

The building and secure areas of the DR site are protected by an access control system in order to guarantee entry to authorized personnel only.

The data center that hosts the DR site is classifiable as intermediate between Tier III and Tier IV. The entire external perimeter of the DC, completely fenced, is illuminated at night and constantly monitored by a CCTV system consisting of fixed cameras and sun, all brought to a system of screens installed in the room directed by the vigilance and supervised H24x7. Images are recorded on a digital device for ex post checks and verifications.

Sensitive internal areas are controlled in the same way. Lottomatica S.p.A. staff are guaranteed 24h access with a permanent badge assigned on the basis of lists provided by Lottomatica S.p.A. Any third-party suppliers that cannot be identified in advance are authorized from time to time.

5.1.3 Power supply and air conditioning

Primary site

All the environments of the CED are adequately air conditioned through dedicated systems. As already mentioned, the conditioning system of the CED area is of the direct expansion type. Each unit is in turn made up of two separate circuits. The total installed power exceeds by more than 40% the thermal load

of the apparatus. The modularity, together with the total power reserve, makes it possible to cope with shutdowns for scheduled maintenance and with temporary failures.

Internal procedures ensure proper system maintenance.

The power supply is provided by the medium voltage distribution network by means of a double ring connection. The medium voltage delivery cabin is physically separated from the cabin housing the two transformers, which are in redundant configuration. The primary site also has uninterruptible power supplies to meet temporary power supply needs. All alarms from the systems that are relevant to the service continuity of the CED (including power supply, air conditioning, fire prevention, anti-flooding) are managed by a supervisory system.

DR site

All DC processing rooms are air-conditioned by the use of chilled water cooled conditioners.

Refrigerant power is produced by two active-standby refrigeration units located in distant areas. All

alarms from the systems that are relevant to the service continuity of the CED (including power

supply, air conditioning, fire prevention, anti-flooding) are managed by a supervisory system.

5.1.4 Exposure to water

Primary site

The CED is maintained at temperature and humidity levels that prevent condensation. In the technical premises there are no pipes carrying liquids, except those of the condensation system and the water supply to the humidifiers of the air-conditioning system. These two systems are equipped with special precautions in order to avoid water leakage. Thanks to the adoption of an air-conditioning system of the direct expansion type, there are no pressurized water pipes in the room. In any case, an alarm system is installed that signals and locates any unlikely spillages of water below the raised floor, allowing the control staff to verify the causes and eliminate them.

DR site

The processing room, near the end points of the coolant distribution that serves the air conditioners, is equipped with water detection sensors that report to the plant monitoring system, which is manned 24x7x365.

5.1.5 Fire prevention and protection

Primary site

The site where the CED is located is equipped with fire protection systems as required by law. The CED fire alarm system consists of a smoke detection system and an FM200 gas fire-extinguishing system. The system can operate in both automatic and manual mode. The sensors of the detection system are installed both at the ceiling and below the technical floor, with repeater indicator lights for the operating state of

the single sensor.

DR site

The CED is equipped with a capillary centralised smoke detection system, which reports to the supervised control room.

The processing rooms and the premises of the technological plants have the centralised smoke detection system also extended to the space under the floating floor and are equipped with automatic gas extinguishing systems in the ceiling, in the environment and under the floating floor, slaved to the detection system and partitioned so as to confine the areas of activation. The activation of the extinguishing system is automatic, and controlled by the control units of the detection system.

5.1.6 Media Storage

Media storage activities are defined within internal security procedures.

5.1.7 Provisions on the disposal of apparatus

As a result of internal assessments or reports relating to failures, obsolescence or maintenance of hardware and/or media, the technical staff identifies the assets to be verified.

If the hardware or media is working and reusable, the information on it can be deleted, where appropriate using products that shred the data or perform low-level formatting (such deletion is compulsory especially in cases where the data in question are deemed sensitive or judicial for the purposes of Legislative Decree 196/03 [34], Annex B, Technical specification in matters of minimum safety measures, rule 22), and the hardware or media reused as needed.

If it is impossible to restore the correct operation of the hardware or media, the data contained in it are securely deleted by physical destruction (CDs and DVDs made illegible with deep incisions, DAT tapes cut) or by profound alteration of the hardware, followed by a request for disposal of the asset to the internal structures, in accordance with internal procedures on the disposal of company assets.

5.1.8 Off-Site Backup

Backup activities are defined within internal security procedures.

5.2 PROCEDURAL CONTROLS

The QTSP applies internal processes aimed at ensuring that its systems are managed in a secure

manner.

Procedural controls aim to complement the physical security measures and the measures that apply to staff, by appointing and unambiguously identifying trusted roles and by applying the associated identification and authentication mechanisms in the IT systems.

The QTSP guarantees that its operation complies with the laws in force and its internal regulations.

5.2.1 Roles

In the exercise of its functions, the QTSP creates recognized roles, to which authorization mechanisms are applied commensurate with the related responsibilities.

In compliance with the DPCM 22 February 2013 [33], art. 38, the QTSP has defined the organizational structure that oversees the main roles defined for the management of qualified digital signature and timestamping services, which provides for the following figures:

• Responsible for the certification and timestamping service

• Responsible for the registration authority

• Security Officer

• Responsible for audits and inspections (auditing)

• Responsible for the technical management of systems

• Responsible for technical and logistical services

• Responsible for technical services of timestamping

5.2.2 Number of people required per task

The QTSP ensures the simultaneous presence of at least 2 people, with specially approved roles, during the following critical security operations:

• Generating the QTSP CA private key;

• Backup of the QTSP CA private key;

• Activating the QTSP CA private key.

At least one of the people present must hold an administrative role.

The above-mentioned operations must be carried out in the presence of the expressly authorised persons.

5.2.3 Identification and authentication for roles

Users who manage the IT services of the QTSP must have a unique and personal identification. Users can access critical systems only after identification and authentication.

Access permissions must be revoked immediately when the user's assignment ends.

5.2.4 Roles requiring segregation

The QTSP applies what is specified in DPCM February 22, 2013 [33], art. 38 paragraphs 3 and 4.

In this area:

• The Security Officer cannot assume other roles among those defined in 5.2.1;

• The person in charge of monitoring and inspection (auditing) cannot assume other roles among those defined in 5.2.1.

5.3 PERSONNEL CONTROL

Lottomatica S.p.A. defines and applies criteria and procedures to:

• Consider aspects related to information security in the human resource management process;

• Improve the sensitivity and awareness of staff about information security issues.

These criteria and procedures apply to selection, job placement, staff training, and termination of employment.

5.3.1 Qualifications, experience and clarity of requirements

As part of the selection, training and human resources management processes, Lottomatica S.p.A. ensures:

• That all staff have the necessary skills, reliability, experience and qualifications and have received adequate training in security and rules on the protection of personal data, depending

on the function carried out;

• That, where possible, staff meet the requirements of experience and qualification through

qualifications, training courses and/or demonstrated experience;

• That the relevant levels of the organization are provided, at least yearly, with updates on possible new threats, methodologies and tools to protect security.

5.3.2 Background verification procedures

As part of the recruiting activity, the recruiters pay attention, in addition to the potential compatibility of candidates with the professional needs of Lottomatica S.p.A., to the elements relevant in terms of security, such as:

• The length of previous professional experience and the reasons for the end of the employment relationship;

• The business sector and businesses within which the previous professional activities were carried out (with particular attention to those that can be considered suppliers,

customers or, if necessary, competitors);

• In the case of a non-EU worker, a copy of the valid residence permit, or, if this has

expired, a copy of the renewal request formulated in the terms of the law.

5.3.3 Training requirements

Lottomatica S.p.A. is responsible for implementing, for its employees, an appropriate training plan aimed at improving the processes related to the activity of the QTSP.

Without prejudice to the contingent requirements that lead to planning a training course, the objectives common to all courses are:

• Increase the level of awareness about the security issues associated with the QTSP activity;

• Make staff aware of corporate policies and guidelines, roles and corporate responsibilities.

Lottomatica S.p.A. carries out training activities in accordance with the following requirements:

• Staff responsible for preparing and delivering training must have the necessary qualifications and experience in terms of company training;

• RAOs are provided with the training manual and the appropriate training to properly carry out the identification and registration of the Clients and carry out the verification of the

effectiveness of the training;

• Where deemed necessary, training activities may also be extended to suppliers and

collaborators;

• It is necessary to ensure the programming and delivery of all the courses provided by the

regulations applicable to the Company's activity;

• Ensure knowledge of existing legislation on Qualified Trust Services as well as best practices and standards;

• The definition of training plans for Qualified Trust Services must comply with the Personal Data Protection Code (D.Lgs. 196/2003), in particular Annex B.

5.3.4 Refresh rate

Lottomatica S.p.A. schedules training on a regular basis, based on the results of testing the course participants and/or on the basis of internal requirements.

5.3.5 Sanctions for unauthorised actions

For sanctions in case of behaviour different from that required by the company in the documents concerning safety (work instructions, policies, procedures etc.), Lottomatica S.p.A. refers to the system of penalties provided for by the National Collective Labour Agreement.

5.3.6 Requirements on consultants

The control of staff belonging to the external consultants and collaborators area is governed by internal business procedures, which define the criteria and processes for the identification of rules and requirements that Lottomatica S.p.A. considers relevant

in the field of supply and conclusion of contracts with third parties, taking into account the characteristics of the relationship that Lottomatica S.p.A. establishes with them.

5.3.7 Documentation provided to staff

When a candidate is selected and included in Lottomatica's staff, the Human Resources Management Area guarantees:

• Letter of recruitment;

• Possible mailing letter with other Lottomatica S.p.A. companies;

• Information on the processing of personal data collected (Ctrl.2);

• Employee information on health and safety at work;

• Code of Conduct;

• Behavioral rules for the safe management of company assets.

The "Code of Conduct", in particular, includes:

• References to all the rules to which it has acceded and what violations or infringements of the Code may involve disciplinary action;

• Indications that employees are required to declare any conflict of interest with the work

they are doing as soon as this occurs;

• Specific examples of conflict of interest;

• Indications regarding hospitality / donations / gifts provided by Third Parties with which Lottomatica S.p.A. has contractual and economic relationships.

5.4 AUDIT PROCEDURES

The QTSP can adopt IT tools that ensure the collection of events associated with the Certifier's activity.

5.4.1 Types of events stored

The QTSP, through specialized instruments, monitors the events associated with the activity of the QTSP in accordance with chap. 6.4.5 of the standard EN 319 411 2 v 1.1.1 [13].

5.4.2 Frequency of audit processes

Technical audit

Lottomatica S.p.A. activates testing processes and technical safety tests in the following cases:

• New releases;

• Periodic planning;

• Specific requests or events.

The type of tests and verifications depends on the case that activates the process.

System audits

All business structures affected by the activities of the QTSP are subject to an inspection at least once a year in relation to the activities prescribed by the information security management system.

The frequency of the checks is defined according to:

• The importance and/or the criticality of the activities carried out by the individual structures;

• The results of previous audits;

• Any significant changes in the company organization and/or the activities carried out.

5.4.3 Audit log retention period

The audit log retention period is 20 years, in agreement with the DPCM 22 February 2013 [33].

5.4.4 Audit log protection

Audit log protection must be in compliance with the standard EN 319 401 v 1.1.1 [10] in Chap 7.10.

5.4.5 Audit log backup procedures

Backup procedures for log management systems ensure that logs are stored in accordance with section 5.4.3.

5.4.6 Audit event collection system

The QTSP adopts automated systems that ensure the collection activity on a continuous basis.

5.4.7 Verbosity error notification

The QTSP adopts internal communication procedures, following the detection of an error message

in the system.

5.4.8 Vulnerability Assessment

The activity of vulnerability assessment consists in evaluating the level and effectiveness of the

security of the ICT system through automatic scans aimed at detecting known vulnerabilities of ICT

systems in relation to operating system components and middleware software (eg. Application

server) and infrastructure (e.g. system monitoring) software residing on them. This activity is accomplished through the use of specific automatic tools that, starting from a specific set of tests (baseline/template):

• Conduct technical checks on the known vulnerabilities of ICT systems;

• Produce reports detailing the test results and vulnerabilities detected.

From the entire set of technical tests that the specific automatic scanning tool can run, specific subsets of these technical checks, called the baseline/template, are defined and adopted, which are suitable and applicable to the type of target systems to be verified.

Lottomatica S.p.A. activates the VA processes in the following cases:

• New releases;

• Periodic planning (1 year for primary site and DR);

• Specific requests or events.

Penetration tests are also carried out at least once a year.

5.5 STORING RECORDS

Record archiving complies with the standard EN 319 401 v 1.1.1 [10] in chap. 7.10. The retention

period applied to logs is 20 years.

5.6 CA KEY CHANGEOVER

In order to ensure its operation, the QTSP ensures that its certificate is renewed sufficiently in advance of its expiration.

The QTSP ensures that in the event of renewal, a new key pair is generated in accordance with the regulations.

It also specifies that:

• the new certificate is published to the public certificate repository, in compliance with chapter 6.1.4 of this CP;

• new subscriber certificates are issued using the renewed certificate;

• the old keys and certificate are kept as required by law.

5.7 COMPROMISE AND DISASTER RECOVERY

In the event of a disaster, the QTSP shall take all necessary measures to minimize the damage caused by the lack of service, and implement an operational plan designed to restore the services within the time stated in this CPS.

The recovery point objective (RPO) must allow a limited loss of data, commensurate with business objectives. The RPO set for this infrastructure is 2 hours.

Based on the assessment of the incident, the QTSP will take all corrective measures to prevent future recurrence of the incident.

The QTSP adopts an internal security plan to ensure that DR tests are carried out regularly, and that the observations resulting from technical problems or non-compliance associated with the reactivation of the services lead to revision and improvement of the said plan.

The QTSP directs the resolution of each vulnerability considered critical within 48 hours of its discovery, through an appropriate remediation plan.

The QTSP provides, within its internal procedures, for the implementation of an emergency plan in case a security breach or a loss of data integrity is detected that has a significant impact on the trust services provided or on the personal data stored ("data breach"). In particular, in accordance with article 19 of the eIDAS Regulation [1], security incidents are classified with 5 levels of severity:

1. No impact

2. No significant impact (impact on assets but not on core services)

3. Significant impact (impact on customers)

4. Severe impact (impact on a large part of the clientele)

5. Disastrous (impact on the entire organization and on all certificates issued)

This plan makes it possible to limit the impact of the security breach and to notify:

• Interested parties (AgID, Privacy Guarantor and Holders) within 24 hours of the violation being detected, in the case of security incidents classified with a severity level 3, 4 and 5;

• AgID within 5 days from the detection of the violation, in the case of security incidents classified with a severity level 3, 4 and 5.

5.7.1 Incident and compromise management procedures

The QTSP has a business continuity plan that it adopts in case of an incident and for the management of a compromise.

5.7.2 Computing Resources, Software, and/or corrupted data

The QTSP must adopt redundant system design criteria in order to avoid loss of service in the case of a point of failure.

The QTSP must adopt and maintain the same HW/SW systems at the primary site and the DR site, in order to avoid problems when restoring service data between the sites.

The QTSP must adopt backup policies that ensure the operational transfer to the DR site, consistent with the RPO stated in the CPS. The backup activities are performed by authorized personnel ("system operators"), consistent with clause 6.4.8 C of the ETSI EN 319 411-1 standard.

The QTSP must adopt and maintain a document for the activation of the DR site.

5.7.3 Private key compromise procedures

In the case of compromise of the CA private key, the QTSP must take the following actions without delay:

• All certificates attributable to the compromised key are revoked;

• A new private key is generated for restoring services;

• The information relating to the compromise is published for each subscriber and third parties concerned.

5.7.4 Capacity of business continuity in case of disaster

The tasks to be performed in the event of a disaster must be defined in the QTSP business continuity plan.

The existence of a second site, activated in the event of a disaster, must allow the complete restoration of the functionality included in the services offered by the QTSP.

The QTSP is obliged to notify the subscribers and the third parties concerned of the activation of the site as a result of a disaster, and to communicate its restoration once the need has ended.

5.8 CESSATION OF ACTIVITY

The cessation of the activity of the QTSP complies with what is specified in the Digital Administration Code, published with D. Lgs. of March 7, 2005, n. 82 and updated with D. Lgs. 179/2016.

6 TECHNICAL SECURITY CONTROLS

The QTSP must use systems designed with high reliability criteria, applied both to the individual element and to the service supplied. The systems must protect the management of cryptographic keys and of the activation data for their entire lifecycle.

The capacity of the systems must be matched to demand and must be monitored on a continuous basis. Growth must be estimated to ensure the availability of systems and storage media.

6.1 GENERATING AND INSTALLING KEY PAIR

The QTSP must ensure that the production and management of private keys complies with the standards laid down in the rules in force.

6.1.1 Generating key pair

The QTSP is responsible for generating the following key types:

1. Certification keys, associated with the CA service;

2. Subscription keys, intended for the subscriber.

All keys are generated by means of an HSM device conforming to the certification standards contained in ch. 1.2.1.

The QTSP confirms that the process of generating the keys of the CA and that of the holders is carried out in accordance with the technical rules in force, as specified in EN 319 411 01 v1.1.1, with particular reference to chapters 6.5.1, 6.5.2 and 6.5.3.

The key generation process must comply with what is specified in EN 319 411 01 v1.1.1, with particular reference to sections 6.5.1, 6.5.2 and 6.5.3.

6.1.2 Private key release to subscribers

The private subscription key is guarded by the QTSP through the use of technological instruments and controls that comply with the legislation on remote signature.

The QTSP also guarantees that the credentials connected with the use of the private key are issued securely and exclusively to the Subscriber.

6.1.3 Issuing the public key to the certificate

The keys of the QTSP must be generated at the time of system initialization (key ceremony). Key generation and certificate request must be handled securely using the modes specified in the product manuals.

6.1.4 Issuing the CA public key to interested parties

As specified in chap. 2.2, QTSP makes available the certificate containing the public key:

• on the certifying portal;

In accordance with point H of annex I to the European regulation 910/2014 [1], the publication link of that certificate must also be included within the subscription certificates issued by the QTSP.

6.1.5 Key length

The QTSP must use algorithms and a key length policy as specified in the ETSI standard TS 119 312 [19].

6.1.6 Key generation parameters and quality control

The requirements for key generation parameters are given in chap. 6.1.1.

The QTSP ensures that the HSM covered by certification operates in compliance with what is foreseen by the achieved safety milestone.

6.1.7 Key usage purposes (see key usage field X.509 v3)

The CA certificate can be used in accordance with the following:

• Certificate signing;

• CRL signing;

• Offline CRL signing.

The qualified electronic signature certificate of the holder is generated in accordance with the requirements for the qualified electronic signature, the key-usage of which includes the following:

• Non-repudiation.

More details are listed in Chap 7.1.2.

6.2 PRIVATE KEY PROTECTION AND CONTROLS ON CRYPTOGRAPHIC COMPONENT

The QTSP must ensure safe management of private keys and must prevent their publication, copying, deletion, modification and unauthorized use.

6.2.1 Standard and cryptographic module controls

The HSM device used by the QTSP must be included in the list of devices published by the European Commission under the title "Compilation of member States notification on SSCDs and QSCDs".

6.2.2 Private key segregation control (MofN)

The QTSP ensures the simultaneous presence of at least 2 people operating on the HSM, with specially approved roles, during the performance of critical security operations, in accordance with what is specified in 5.2.2.

6.2.3 Key Escrow private key

The QTSP does not provide key escrow tools that are applied to the CA's private key.

6.2.4 Backup private key

The QTSP must make security copies of the CA private key, and at least one copy must be kept in a location other than that of the QTSP.

Backup procedures must take place in accordance with the segregation criteria specified in ch. 6.2.2.

The security measures applied to backups must be the same as those applied to production systems.

The QTSP does not make copies of the private keys of the subscribers, with the exception of the copies made to facilitate the activation of the DR site.

6.2.5 Key storage

The QTSP does not store the CA's private key.

6.2.6 Transfer of the private key to/from the cryptographic module

The CA's private key of the QTSP is kept safely through the security mechanisms provided by the HSM and covered by its certification. The CA's private key is never stored unencrypted.

The QTSP can export the private key outside the perimeter of the HSM solely for backup purposes.

6.2.7 Storing the private key on the cryptographic module

The CA stores the private key used for the services provided, in accordance with this CP, exclusively on HSM. The technical and safety aspects related to the storage of the private key are defined by the technical specifications of the product, and verified by the certification tests.

6.2.8 Private key activation method

The private key of the QTSP CA must be activated in accordance with the procedures and requirements defined in the product manuals, and as specified in the certification documents.

In the case of a subscriber's private key, the QTSP ensures that the activation data is generated and managed in a secure manner to prevent unauthorized use of the private key.

The QTSP must also ensure that:

• The private key for the subscriber has not been used for qualified electronic signature before delivery to the holder;

• Before the signature is executed, the Subscriber authenticates to its own slot.

6.2.9 Method of deactivating private key

CA Private Keys

The QTSP CA key must be disabled in accordance with the procedures specified in the HSM user manual, and with what is specified in the certification documents.

End-User Private Keys

The private key issued to the Subscriber must be deactivated in accordance with the procedures specified in the HSM user's manual, and as specified in the certification documents.

The HSM must ensure that the keys are disabled in the following cases:

• Power failure of the device;

• The subscriber closes the signature application;

• The connection to the signing application closes unexpectedly for any reason.

A key that has been disabled can be reused only after a new subscriber authentication to the device.

6.2.10 Method of destruction of the private key

QTSP CA key

The QTSP CA key can be deleted in accordance with the procedures specified in the HSM user manual, and as specified in the certification documents. The procedures must ensure that a private key deleted in this way cannot be recovered in any way.

The deletion operation must be carried out under the control of authorised operators and consistent with the segregation criteria specified in chap. 6.2.2.

Each backup copy of the private key must be destroyed in accordance with the procedures specified in the HSM user manual, and as specified in the certification documents. This procedure should prevent the possibility of retrieving the private key.

Subscriber private key

The subscriber's private key can be deleted in accordance with the procedures specified in the HSM user's manual, and as specified in the certification documents.

6.2.11 Cryptographic module evaluation

The evaluation of the certifications associated with the cryptographic module used by the QTSP is compatible with what is specified in Chapter 6.2.1.

6.3 OTHER ASPECTS OF KEY MANAGEMENT

6.3.1 Public key storage

The QTSP stores each certificate issued by its own CA.

6.3.2 Validity of the certificate and keys

Certificate and CA root keys

The validity period of the CA certificate of the QTSP, and its key pair, is 30 years.

The validity period of the certificate and its keys shall in no case be greater than the validity of the algorithms used as determined by the authorities concerned.

Certificate and key subscriber

The validity of the subscription certificate issued to the end user:

• It must not in any case be greater than the validity of the algorithms used as determined by the authorities concerned;

• It must not in any case be greater than the validity of the CA certificate of the QTSP that issued it.

The validity of the qualified certificate is specified in the CPS.

6.4 ACTIVATION DATA

6.4.1 Activation data generation and installation

The QTSP CA key must be protected in accordance with the procedures specified in the HSM user manual, and as specified in the certification documents.

In the case of password-based activation, the QTSP applies sufficient complexity criteria in order to ensure an adequate level of protection.

In the event of activation of keys intended for the subscriber, the QTSP must ensure:

• That the activation data used to activate the private key is created using quality number/letter generation policies;

• That the activation data is communicated to the subscriber safely;

• That the subscriber maintains exclusive control over such credentials.

Activation of the private key must be done using two-factor authentication credentials, one known and one of type OTP.

6.4.2 Activation data protection

Private key activation data associated with the Subscriber's certificate may be stored by the QTSP solely for the purpose of delivery to the holder. The data must be stored securely, with the security information encrypted.

6.5 COMPUTER SECURITY CONTROLS

6.5.1 Specific technical security requirements on IT system

The configuration, maintenance or consultation operations on the IT systems of the QTSP are carried out by ensuring the following requirements:

• That the identity of the user is verified before access to the system or application;

• That roles are assigned to users in order to ensure that they have the appropriate permissions;

• That significant security events are logged and subsequently archived according to the applicable rules;

• That critical QTSP processes are protected by appropriate network policies in order to prevent unauthorized access;

• That adequate recovery systems are in place to ensure operational continuity if primary systems malfunction.

6.5.2 Assessment of IT system security

In order to ensure the safety and quality of the systems, the QTSP adopts control systems inspired by globally accepted international standards, the suitability of which is certified by an independent ISO 27001 assessor.

6.6 LIFE CYCLE TECHNICAL CONTROLS

6.6.1 Control of development system

The QTSP, in its systems, adopts commercial-type solutions. These solutions are not used for any purpose other than those envisaged for the certification activity of Lottomatica S.p.A. QTSP.

Lottomatica S.p.A. also adopts prevention tools that can protect its systems from executing dangerous code. The search for dangerous code is carried out on a continuous basis, through internal security assessments.

The QTSP uses adequate and up-to-date personnel for the installation or maintenance of its SW/HW systems.

6.6.2 Security management controls

The QTSP ensures that the programs, or security patches, are installed in the correct version and that they do not contain any unauthorized modifications.

Lottomatica S.p.A. defines the application and verification of policies and procedures for the planning, safe development, testing, acceptance and operational management of ICT systems.

The technical areas of Lottomatica S.p.A.:

• Monitor the use of resources by ensuring, through appropriate projections and estimates, the current and future performance of ICT systems. These estimates address the retrieval of new resources to ensure future operations;

• In collaboration with areas requiring the development or acquisition of new systems or features, establish acceptance criteria, including specific safety criteria, for new ICT systems, for upgrades and for new versions. These criteria support and guide testing;

• Perform a code review activity (static code analysis) aimed at identifying vulnerabilities within the source code, followed by any remediation activities with code modification;

• Perform systems testing in a dedicated test environment, using data that is appropriately selected and separated from the data used in production environments;

• Perform dynamic analysis of software reactions to various input types for Web applications;

• Define and evaluate the acceptance criteria of ICT systems based on the requirements and resources used, recovery procedures, emergency measures, business continuity conditions and impact analysis;

• Perform patch management activities, as a result of vulnerability detection or patch release communication from software vendors or major accredited sector bodies, in order to mitigate, where necessary, system vulnerabilities;

• Manage the activities of change management and capacity management in order to ensure that the application of the necessary changes on ICT environments takes due account of the potential risks introduced by the changes, ensure the availability/performance of the systems and of the network and safety apparatus, identify any problems on such systems or apparatus while defining the relevant corrective actions, and optimize the physical resources of systems and apparatus.

The production environments are suitably separated and isolated from the environments dedicated to testing. This separation is carried out on a physical, logical, procedural and organizational level through a clear attribution of responsibilities.

6.6.3 Life cycle of security controls

The QTSP ensures the protection of security components throughout their life cycle. In particular, regarding the HSM, it ensures:

• That the certifications in scope are checked;

• That the apparatus has not been tampered with on receipt;

• That tamper protection is ensured during operation;

• That the content of the user manual or certification documents continues to be applied;

• That private keys are deleted from unused equipment in such a way that they cannot be restored.

6.7 NETWORK SECURITY CHECKS

In order to ensure the security of its corporate network, Lottomatica S.p.A.:

• Establishes responsibilities and procedures for network management;

• Implements controls to ensure the security of data in the network and protection against unauthorized access to related services. This goal is achieved through the logical segmentation of the network and the proper use of advanced security management tools (e.g. firewalls, traffic monitoring probes, ...);

• Defines and implements specific controls to safeguard the integrity and confidentiality of critical data in transit over the public network and in particular on wireless networks;

• Activates monitoring and logging capabilities to check and record any faults. Network management activities are coordinated both to optimize business services and to ensure that controls are effectively applied across the entire infrastructure;

• Configures firewall and router devices so that only the ports strictly necessary for operating services are left open;

• Provides rules for assigning privileges to personnel accessing configuration and diagnostics ports. The configuration of perimeter logical security devices is subject to periodic revision and updating activities;

• Adopts the principles of segregation of networks according to the following criteria:

o A logical segregation between the network that provides Corporate services and the network hosting the QTSP systems;

o A departmental logical segregation within each of the two subnets based on the type of service offered.

• Uses secure channels or encrypted information exchange tools to protect communications between physically separate networks that use the Internet as a means of communication (HTTPS over Internet or encrypted VPN tunnels);

• Ensures that devices that handle highly critical data or infrastructures reside on dedicated hardware, and in particular do not coexist with other services that may compromise security;

• Ensures that test and production devices are properly dimensioned according to the specifications of the services they are to deliver and the amount of data / traffic they will need to manage;

• Ensures that the networks are physically safe with regard to wiring (electrical and data transport), machine placement and presence of UPS.

6.8 TIME-STAMPING

The QTSP uses its own timestamp systems in accordance with the CP and CPS released ad hoc for this service.

7 CERTIFICATE, CRL, AND OCSP PROFILES

7.1 CERTIFICATE PROFILE

The QTSP has a root CA destined for issuing qualified electronic signature certificates and related certification services.

The CA certificate and the Subscriber certificate issued by the QTSP are compatible with the following standards:

• ITU X.509 Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks [28]

• RFC 5280 [25]

• RFC 6818 [26]

• ETSI EN 319 412-1 [14]

• ETSI EN 319 412-2 [15]

• ETSI EN 319 412-5 [18]

7.1.1 Specification X509

The X.509 standard adopted for root CA and subscription certificates is of type "V3".

The QTSP uses the following basic extensions:

• Version

The certificate is compatible with the version "V3".

• Serial Number

The application of the Serial Number field is in accordance with what is specified in the document EN 319 412 01 v 1.1.1.

• Algorithm identifier

The OID of the algorithm used to sign the certificate.

• Signature

Electronic signature performed by the QTSP to certify the certificate, performed as specified in the "Algorithm identifier" field.

• Issuer

The distinguished name of the entity that issued the certificate.

• Valid from & valid to

The validity period of the certificate. The time is recorded according to the UTC reference in accordance with RFC 5280.

• Subject

The unique identifier of the subject.

• Subject Public Key value

The public key associated with the subject.

7.1.2 Certificate extensions

The QTSP uses certificate extensions that are compatible with the X.509 standard [28].

The definition of the certificate profiles is reported in its CPS.

7.1.3 Object Identifier algorithms

Only the identifier (OID) of the algorithms used must be used, in accordance with what is specified in chapter 6.1.5. The algorithms that can be used by the CA are listed in the CPS.

7.1.4 Composition of the name

The composition of the distinguished name is made in accordance with what is specified by RFC 5280 [25], ETSI EN 319 412-2 [15], ETSI EN 319 412-3 [16] and ETSI EN 319 412-4 [17].

The certificate must contain a unique OID of the Subject as defined in Chapter 3.1.1.

The value in the "Issuer DN" is identical to the value of the field "Subject DN" contained in the QTSP CA certificate.

7.1.5 Constraints on name

Not present.

7.1.6 Certificate Object Identifier policy

The QTSP must include in the certificates issued the certificate policy in accordance with this CP, marked non-critical, and as specified in chap. 7.1.2.

7.1.7 Usage of policy constraints extension

Not present.

7.1.8 Syntax and semantics of policy qualifiers

Specified in 7.1.2.

7.1.9 Semantics management for critical policy extensions

Specified in 7.1.2.

7.2 CRL PROFILE

7.2.1 Version

The QTSP releases a certificate revocation list (CRL) with the "V2" version, in accordance with the RFC 5280 [25] standard.

7.2.2 Specifying CRL extensions

In accordance with RFC 5280 [25], the CRL issued by the CA may include the following extensions:

• Version

The value of the field is "1".

• Signature Algorithm Identifier

The identifier (OID) of the algorithm used to create the electronic signature certifying the CRL. The expected algorithm is "sha256WithRSAEncryption" (1.2.840.113549.1.1.11).

• Signature

The electronic signature certifying the CRL.

• Issuer

The entity issuing the CRL.

• This Update

The date of entry into force of the CRL. The value must be expressed in UTC in accordance with RFC 5280 [25].

• Next Update

The next release of the CRL. The value must be expressed in UTC in accordance with RFC 5280 [25].

• Revoked Certificates

The list of suspended or revoked certificates, with the serial number of each certificate and its suspension or revocation time.

The mandatory extensions that must be present in the CRL are:

• CRL number - non-critical

A progressive serial number identifying the single CRL.

The following extension can be used by the CA:

• expiredCertsOnCRL - non-critical

The CA indicates through this extension that the expired certificates are not removed from the CRL (see section 4.10). The notation is in agreement with the X.509 specification.

The entries in the list of revoked certificates include the following extensions:

• Reason Code - non-critical

The reason for the revocation of the certificate.

• Invalidity Date - non-critical

The time reference from which the key is considered compromised.
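A relying party or auditor can check a CRL against the profile in 7.2.2 mechanically. The following is an added example, not part of this policy or of any QTSP tooling: it assumes the Python `cryptography` package, and the test CA name, key, serial number and CRL number are constructed. It checks the version field, the signature algorithm OID, the CRL number extension and the criticality of the entry extensions.

```python
import datetime
from typing import List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, as named in 7.2.2


def crl_version_field(tbs: bytes) -> Optional[int]:
    """Return the encoded version INTEGER of a DER TBSCertList, or None if absent.

    RFC 5280 encodes a v2 CRL as the integer 1, which is why the profile
    says both "V2" and "the value of the field is 1".
    """
    if tbs[0] != 0x30:
        raise ValueError("TBSCertList must start with a SEQUENCE")
    # Skip the outer tag and its length octets (short or long form).
    pos = 2 if tbs[1] < 0x80 else 2 + (tbs[1] & 0x7F)
    if tbs[pos] != 0x02:  # first element is not an INTEGER: version omitted (v1)
        return None
    length = tbs[pos + 1]
    return int.from_bytes(tbs[pos + 2:pos + 2 + length], "big")


def check_crl_profile(crl: x509.CertificateRevocationList) -> List[str]:
    """Return the list of deviations from the CRL profile (empty if none)."""
    findings = []
    if crl_version_field(crl.tbs_certlist_bytes) != 1:
        findings.append("version field is not 1 (CRL is not v2)")
    if crl.signature_algorithm_oid.dotted_string != SHA256_WITH_RSA:
        findings.append("signature algorithm is not sha256WithRSAEncryption")
    try:
        if crl.extensions.get_extension_for_class(x509.CRLNumber).critical:
            findings.append("CRL number is marked critical")
    except x509.ExtensionNotFound:
        findings.append("mandatory CRL number extension is missing")
    for entry in crl:
        for ext in entry.extensions:
            profiled = isinstance(ext.value, (x509.CRLReason, x509.InvalidityDate))
            if profiled and ext.critical:
                findings.append(
                    f"entry {entry.serial_number}: {ext.oid.dotted_string} is critical"
                )
    return findings


# --- Constructed sample data (throwaway key, not a real CA) ---
_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_sample_crl(hash_alg, with_crl_number: bool) -> x509.CertificateRevocationList:
    """Build a one-entry test CRL; naive datetimes are treated as UTC."""
    now = datetime.datetime(2017, 4, 27, 12, 0, 0)
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(0x1234)
        .revocation_date(now)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .add_extension(
            x509.InvalidityDate(now - datetime.timedelta(hours=1)), critical=False
        )
        .build()
    )
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
        .add_revoked_certificate(entry)
    )
    if with_crl_number:
        builder = builder.add_extension(x509.CRLNumber(7), critical=False)
    return builder.sign(private_key=_KEY, algorithm=hash_alg)


GOOD_CRL = build_sample_crl(hashes.SHA256(), with_crl_number=True)
BAD_CRL = build_sample_crl(hashes.SHA384(), with_crl_number=False)

if __name__ == "__main__":
    print("conforming CRL:", check_crl_profile(GOOD_CRL))
    print("deviating CRL: ", check_crl_profile(BAD_CRL))
```

The check does not verify the CRL signature against the CA certificate or the freshness of Next Update; those belong to normal path validation and would run alongside it.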

7.3 OCSP PROFILE

The QTSP provides an OCSP service compliant with the RFC 2560 [22] and RFC 6960 [27] standards.

7.3.1 Version

The OCSP service provided is compatible with the version "v1" in accordance with what is specified in RFC 2560 [22] and RFC 6960 [27].

7.3.2 OCSP extensions

The extensions present in the OCSP protocol must be those provided in compliance with RFC 6960 [27].

8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS

The QTSP's compliance with the rules in force is supervised by AgID, the Agency for Digital Italy. Compliance verification is conducted during the QTSP certification phase and annually thereafter, through inspections at the sites where the QTSP delivers its services.

The audit work aims to ensure that the work of the QTSP is in accordance with the eIDAS Regulation [1], and complies with the applicable national laws and the specifications of services set out in this CP and CPS. The audit work conforms to the following reference documents:

• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1];

• ETSI EN 319 403 V 2.2.2 (2015-08); Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers [11];

• ETSI EN 319 401 V 2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [10];

• ETSI EN 319 411-1 V 1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements [12];

• ETSI EN 319 411-2 v 2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates [13].

The result of the Audit is confidential and can only be accessed by authorized persons.

8.1 FREQUENCIES OR ASSESSMENT REQUIREMENTS

The QTSP compliance audit activity is conducted on a biennial basis with annual surveillance.

8.2 IDENTITY/QUALIFICATION OF ASSESSOR

The assessor must be accredited to assess the conformity of trust service providers, and of the services they provide, with Regulation (EU) 910/2014. The sole accreditation body for conformity assessors in Italy is Accredia.

8.3 INDEPENDENCE OF THE ASSESSOR

The QTSP guarantees that the person/company performing the assessment:

• is independent of the ownership and management of the QTSP;

• has no business relationship with the QTSP.

8.4 TOPICS COVERED BY THE ASSESSMENT

The audit activity is carried out on the following areas:

• Compliance with existing standards;

• Compliance with technical standards;

• Compliance with CP and CPS;

• Adequacy of covered processes;

• Documentation;

• Physical security;

• Adequacy of staff;

• IT security;

• Compliance with roles on data protection;

8.5 ACTIONS TAKEN IN THE EVENT OF NON-COMPLIANCE

The auditor shall compile a report on the basis of the checks carried out. Any non-compliance can

be handled as follows:

• Suggestions on modifications to be considered;

• Derogations which constitute a mandatory warning.

8.6 COMMUNICATING THE RESULT

The Auditor reports the outcome of the AgID report certifying/confirming the status of the QTSP through the issuance of the Certificate of Conformity for Qualified Trustees. The QTSP TSA X.509 certificate is published in the Lists of Qualified Trust Services Providers.

9 LEGAL ECONOMIC ASPECTS

9.1 RATES

The digital signature service is provided by Lottomatica S.p.A. free of charge, and is exclusively linked to the contracting of customers belonging to the various sales channels. Therefore the application of tariffs is not foreseen.

9.2 FINANCIAL LIABILITIES

Lottomatica S.p.A. is responsible for the provision of services related to the activity of the QTSP. For the purposes of qualification and accreditation, in compliance with art. 29, paragraph 3a, of the CAD [35], Lottomatica S.p.A. has a share capital of Euro 65,050,000.00.

9.2.1 Insurance coverage

Lottomatica S.p.A. has entered into an insurance policy to guarantee a compensation limit of € 5,000,000.00.

9.3 CONFIDENTIALITY OF BUSINESS INFORMATION

The Digital Signature service is provided free of charge by Lottomatica S.p.A. and is solely linked to

the contractualisation of customers belonging to the various sales channels. No tariffs are therefore

foreseen.

9.4 PRIVACY OF PERSONAL INFORMATION

In view of the great importance attached to the processing of personal data within Lottomatica S.p.A., an internal organizational and regulatory system is in place to ensure that all personal data processing takes place in compliance with the applicable legal provisions and the principles of fairness and legality stated in the code of ethics. The measures envisaged and implemented by this system also incorporate the minimum measures provided by the Personal Data Protection Code, DL 196/03 [34].

This system is characterized by some important elements, including the following:

• Employees appointed as officers in accordance with art. 30 of Legislative Decree No. 196/03 [34] have received detailed instructions on the procedures and security measures to be adopted when handling personal data;

• The processing of personal data is under the supervision of those responsible for the processing, who are also formally appointed and who have in turn received the necessary instructions and operating instructions;

• Appropriate business functions have the task of defining the information security policies and, with the help of internal audit functions, verifying that they are effectively applied;

• The policy system is based on the correct classification of assets. With the help of risk assessment tools, the most appropriate security measures are identified for the protection of individual assets, the definition of controls and the application of the most appropriate monitoring and verification systems;

• The protection of personal data is not an independent process, but is fully integrated into the current management of corporate asset security;

• Physical security, the safeguarding of the company's material assets, and the security and crisis management policy are defined taking into account the principles of personal data protection and the need to protect such data as laid down by law.

As part of the company's security policies, technical and organizational solutions have been

developed to protect the data transmitted and stored on the network and corporate systems,

including, but not limited to, the following:

• Continuous virus protection;

• Hardening of the systems used;

• Software distribution for the automatic update of security patches on corporate systems;

• Tools and methodologies for vulnerability assessment and risk analysis;

• Protection of computers and corporate network access points (e.g. access control, authentication credentials, etc.);

• Partitioning and protecting internal networks;

• Monitoring the network and systems to prevent and counter security incidents.

9.4.1 Data protection mode

This chapter of the CP illustrates the procedures and methods of operation adopted by the QTSP for the processing of personal data in carrying out its certification activities. The personal data relating to the applicant for registration, the certificate holder, the interested party and anyone accessing the service will be processed, stored and protected by the QTSP as provided by Legislative Decree n. 196 of June 30, 2003 [34] and subsequent provisions issued by the authority for the protection of personal data.

The terminology that appears in this chapter corresponds to that adopted by DL 196/03 [34]. In particular:

a) Holder means the natural person, legal person, public administration or any other body or association responsible for decisions regarding the purposes and the means of processing personal data, including the security profile (the QTSP);

b) Responsible means the natural person, legal person, public administration or any other body or association authorized by the holder to process personal data;

c) Officer means the natural person authorized to carry out processing operations by the holder or by the person in charge;

d) Interested means the natural person, legal person, entity or association to which the personal data relate (i.e. the applicant for registration, the certificate holder, the third party concerned or anyone who accesses the service).

In particular, the QTSP:

• Appoints, where appropriate, a Data Controller Manager within its own business organization,

by communicating to him/her analytically and in writing the tasks he/she must perform, pursuant to Art. 29 of DL 196/03 [34]. Specifically, if designated, the person responsible for the processing:

o is identified among persons who, by experience, capacity and reliability, provide the appropriate guarantee of full compliance with applicable processing provisions, including the safety profile (paragraph 2);

o observes the instructions given by the Owner, who, also through periodic verifications, monitors compliance with the processing provisions and instructions (paragraph 5).

• Identifies and appoints the Data Processing Officers (that is, the Identity Agents and any others who will handle the data related to the service), operating under the direct authority of the Service Manager and following the instructions given in accordance with Art. 30 of DL 196/03 [34];

• Appoints external Data Processing Officers, specifying their tasks analytically in writing and verifying, also through regular checks, compliance with legal provisions and instructions.

Definition and identification of “personal data”

According to Art. 1, paragraph 2, lett. b) of Legislative Decree No. 196/03 [34], personal data shall mean "any information relating to a natural person, legal person, entity or association, identified or identifiable, including by reference to any other information, including a personal identification number". Therefore the personal identification numbers provided by the QTSP, the pointers and the PINs are also personal data.

Personal data may also be those relating to the user, or to any third parties, contained in the information fields on the forms and archives - electronic or printed - of registration, revocation, exchange of data and certificates, referred to in the relevant chapters of the relevant CPS. In order to ensure proper processing, the security measures prepared by the QTSP and analytically described in the Safety Plan are carried out in accordance with DL 196/03 [34].

Protection and rights of interested parties

Regarding the processing of personal data, the QTSP guarantees the protection of the interested parties in accordance with DL 196/03 [34]. In particular:

• Interested parties are provided with the necessary information in accordance with art. 13 (such as the holder, the modalities and purposes of the processing, the scope of communication and dissemination, and the rights of access to their data in accordance with article 7);

• Interested parties are asked, where necessary, for written consent to the processing of their personal data.

Application of the code for the protection of personal data

General requirements

From a general point of view, the QTSP:

• Provides, retains, and updates, in the scope of certification activities, a Certificate Register, and a

Registry of Data Sheets containing personal data, embedded in the Data Holder's databases and

used in the management of all stages of the certification activity.

In particular, the Registry of Paper Archives consists of copies of the documentation obtained during the identification of the RAO subscribers and the Internal Use subscribers. This register is kept in a safe located in the area of the CTO Italy function, which is accessible to a limited number of Lottomatica employees authorized to do so. The safe key is kept at the Guardian's Office (present h24) located inside the Via Boario 56 building. To get the access key to the safe you need to be included in the list of authorized personnel and the outlet In charge and delivery of the key.

As far as the Certificate Register is concerned, it is an internal function of the RA and not publicly

displayed, containing all certificates issued. The Web-accessible interface (https) requires access

credentials, and applies role-based policies that enable the operator to access the required data,

providing search functions to facilitate the need. Certificates are physically stored on a media

database, located within the CEDs where the QTSP infrastructure is hosted, accessed only by

authorized personnel.

Technical and organizational requirements

From the technical point of view, the QTSP (or the person responsible, if appointed), through its appointees, shall take the appropriate measures for the registration, processing, preservation, protection and cancellation/destruction of personal data, in accordance with the modalities indicated below.

1. Registration

• Guarantees the preservation of the technical data relating to the structure and format of the computer and paper archives containing personal data and their physical location;

• Supervises the organization and unique classification of the archives, as well as of their backup copies, taking care to minimise copies, total or partial, of each file according to the modalities described in the plan for the safety of the QTSP. In this regard, in the event of events that would compromise the operational capacity of the QTSP at the main place of business, an operational plan is defined that guarantees the availability of the certificate register and the functionality of revocation of valid certificates;

• Supervises the organization and unique classification of the forms for registration, acceptance, revocation request and change of data, and of any other document containing personal information, taking care to minimize copies, total or partial, of each file according to the modalities described in the plan for the safety of the QTSP.

2. Processing

• Checks that the processing of the aforementioned archives and of the personal data contained therein is carried out exclusively for the purposes indicated in the information notice given pursuant to art. 13 of DL 196/03 [34];

• Verifies, depending on the type of processing, the output formats and the final destination

of the data in order to ensure its protection, as provided in the following;

• Detects the eventual generation of new archives within the processing phases, supervising

their classification

3. Conservation

• Supervises the classification of any archives – and the data contained therein – subject to

pure and simple preservation (historical and/or backup archives), reporting the duration of

the preservation (including initial and final date), the nature of the support and the place of

preservation;

• Ensures that all archives belonging to temporarily blocked or suspended procedures are processed as personal data storage archives;

• Verifies that the procedures for the preservation of all documents used within the

certification activity are consistent with the protection of personal data.

4. Deletion/Destruction

• Checks the recording – possibly in an automated manner – of the deletion/destruction of individual personal data from the archives, noting the type of data, the archive concerned, the date of deletion/destruction, and the origin of the deletion/destruction (at the request of the interested party, procedural, accidental, etc.);

• Verifies the recording of the deletion/destruction of entire archives, in accordance with the procedures set out in the previous paragraph and in accordance with the provisions of DL 196/03 [34], in addition to the updating of the Register of computer and paper archives.

5. Protection

• Protects the confidentiality of personal data by establishing the modalities of access to the computer and paper archives by the qualified entities belonging to the organization of the QTSP. In particular, it:

o classifies the persons empowered to access them according to their duties. In particular, the QTSP has defined and implements specific policies for the management of authentication credentials and for the construction and use of passwords;

o records the data protection modalities, both as regards the logical security of computer files (security software, processing log generation mode, etc.) and physical security (local supervision, document archiving, backup copy management);

o ensures the confidentiality of the personal data contained in the different output formats of the processing phases (paper, on terminal, etc.) by establishing the necessary operating modes, both manual and automated;

o supervises the internal circulation of information contained in printouts or other media;

o ensures the distribution of output on terminal in accordance with the user profiles designated by the security officer.

• Protects the integrity of the data individually considered and the archives as a whole, during

all phases of treatment, establishing the necessary operational modalities, both manual and

automated;

• Guarantees the availability of the data, so that the holder can fulfil the requests for

consultation/verification by the interested parties under the current legislation.

Further processing of data, beyond that provided for by DL 196/03 [34], may be envisaged at contractual level between the QTSP and the public or private organisation requiring the issuance of several certificates on behalf of subscribers belonging to it. In this case, these agreements are reported within the contract of purchase of the certificates by the organization itself.

Release of personal circumstances

Without prejudice to the right of the person concerned to request and obtain from the QTSP information concerning his personal data, as provided by art. 7 of DL 196/03 [34], the QTSP, in

carrying out its certification activities, can carry out operations of communication and dissemination

of personal data. In particular:

• Personal data may be communicated to the judicial authority, in accordance with the provisions of the current legislation;

• Particular contractual agreements may provide for further recipients and forms of communication than those provided for in the legislation in force. However, these

communications will be carried out in compliance with current legislation;

9.5 INTELLECTUAL PROPERTY RIGHTS

This CP is owned by Lottomatica S.p.A., which reserves all rights to it. The applicable laws govern the ownership of other data and information.

9.6 DECLARATIONS AND WARRANTIES

9.6.1 Statements and warranties of the CA

The QTSP is responsible for the obligations contained in this CP, its CPS and the contractually supplied services to the subscribers.

The QTSP is responsible for:

• compliance with the procedures stated in this CP and described in the CPS;

• covering damages resulting from non-compliance with the terms and conditions of the service accepted by the Subscriber, through the covers specified in this CP.

The QTSP is not responsible for:

• covering damages resulting from non-compliance by the Subscriber with the terms and conditions of the service accepted by it.

Within the nature and limitations of use of the qualified electronic signature service, the QTSP is launching a plan to improve the accessibility of the service for disabled people through Web content accessibility solutions.

The QTSP is responsible for the obligations referred to in Art. 32 of the CAD (Obligations of the

Qualified Holder and Qualified Electronic Services Provider).

9.6.2 Declarations and guarantees of RA

The QTSP, through the services provided by the RA, is responsible for compliance with the requirements contained in this CP and in the relevant CPS. For details, refer to chapter 9.6.2 of the CPS.

9.6.3 Declarations and warranties of the subscriber

Subscriber representations and warranties are specified in its CPS.

9.7 WARRANTY STATEMENTS

The QTSP excludes responsibilities related to the following:

• Subscribers who do not comply with what is contained in the terms and conditions of use of the service;

• failure to provide information or reporting requirements due to problems associated with the availability of the Internet, or part thereof;

• vulnerability or errors associated with the cryptographic algorithms used for regulatory compliance.

9.8 LIABILITY LIMIT

Lottomatica will in no way be liable for the following:

• damages of any kind, direct and/or indirect, or prejudice suffered by anyone, caused by:

A) incomplete, false or incorrect information by the proprietor of the information for which the

Certification Authority has not stated or is otherwise required to carry out specific checks and

verifications;

B) tampering or service interventions made by the Owner or by third parties not authorized by the

Certification Authority;

C) impossibility to use the Service determined by a total or partial interruption of call termination or

data transmission provided by telecommunications operators solely for facts not attributable to the

Certification Authority;

D) erroneous use of identification codes by the Owner;

E) Delays, interruptions, errors or malfunctions of the Service attributable to the Certification

Authority or arising out of the incorrect use of the Service by the Owner;

F) the use of the Service outside of current regulatory requirements;

G) failure to disclose information that the Owner should have communicated to the Certification

Authority and / or to the Custodian under the terms of the Contract;

H) breach of obligations that, under the provisions of this document or the law in force, are borne

by the Owner;

• damages of any kind, whether direct or indirect, or prejudice suffered by anyone, insofar as they could have been avoided or restricted by the Owners through the proper use of the Service.

Except as provided for by applicable law, Lottomatica will in no case be liable for direct and / or

indirect damages and / or damages (including, but not limited to, loss of profit, loss of productivity,

overheads, lost earnings, loss of information and any other economic loss) suffered by the Owner

following and / or during the use of the Service due to malfunction of the Service not attributable to

Lottomatica.

Notwithstanding the foregoing, Lottomatica's overall liability is limited to compensation for direct

and / or indirect damages and / or consequential damages in cases of guilty, gross negligence or

negligence, within the limits set forth in clauses 9.2 and 9.2.1.

9.9 ALLOWANCES

The coverage of allowances associated with damages to all parties (holders, third parties concerned,

recipients) is guaranteed in this CP to the extent specified in chapter 9.2.1.

9.10 SERVICE LIFE AND TERMINATION

9.10.1 Duration

The service life is aligned with the end of the duration of the certificates issued by the QTSP (Ref. 6.3.2).

9.10.2 Resolution

In the event of a breach of even only one of the obligations incumbent upon the Owner, the Service Agreement will automatically be resolved pursuant to and for the purposes of art. 1456 c.c., with simultaneous revocation of the certificates issued, without prejudice to any eventual

reparation in respect of those responsible for the violations. The Service Agreement will also be

automatically resolved in all cases of revocation of the certificate. The QTSP has the right to

withdraw at any time from the Service Agreement by giving notice to the Holder with a notice of 10

(ten) days and, consequently, to revoke issued certificates.

9.10.3 Effects of cessation

The term "termination" means the process by which the QTSP ceases its activity as a qualified trust

service provider.

The QTSP publishes in the CPS the details of the information connected with the termination procedures, as a result of which the CA certificate is revoked along with all valid certificates at that

time.

9.11 NOTIFICATIONS AND COMMUNICATIONS WITH USERS

The QTSP communicates with its subscribers as follows:

• For general communication, through the Certification Portal;

• For important communications:

o through the Certification Portal;

o through email addressed to subscribers.

All personal notifications are sent to subscribers individually at the personal email address confirmed by the owner at the time of registration.

9.12 CHANGES TO THE CP

QTSP reserves the right to modify the terms included in this CP in the event of:

• Modification of standards;

• Changes to security requirements;

• Miscellaneous matters.

In exceptional cases, changes can take immediate effect.

9.12.1 Procedures for the dissemination of CP

The QTSP reviews the present CP on an annual basis. The revised document is associated with a new version, and its effective date changes, taking into account any processes associated with approving it.

The approved document is published on the Certification Portal 14 days before the actual effective date. The new document, as amended, is also sent to the supervisory body, which for Italy is the AgID. The QTSP can accept comments on what is published through the email address:

[email protected]

9.12.2 Notification and timing mechanism

The QTSP notifies interested parties of the publication of the new version of the document, as

specified in Chap. 9.12.1.

9.12.3 Circumstances under which it is necessary to change OID

The QTSP releases a new version in the case of integration of the OID specified in this CP.

9.13 DISPUTE RESOLUTION

The QTSP aims at a peaceful and negotiated settlement of disputes arising from the provision of its

services.

9.14 GOVERNMENT LAWS

The QTSP operates at all times in accordance with the Italian and European laws on the subject.

9.15 COMPLIANCE WITH LAWS IN FORCE

This CP complies with the following applicable laws:

• Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1];

• DPCM 22 February 2013 [33];

• ETSI EN 319 401 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [10];

This document, in paper format, is to be considered unchecked unless there is the signature of the

person who approves and issues the document.

10 REFERENCES

[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

[10] ETSI EN 319 401 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.

[11] ETSI EN 319 403 V2.2.2 (2015-08); Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers.

[12] ETSI EN 319 411-1 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements.

[13] ETSI EN 319 411-2 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates (Replaces ETSI TS 101 456).

[14] ETSI EN 319 412-1 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);

Certificate Profiles; Part 1: Overview and common data structures.

[15] ETSI EN 319 412-2 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);

Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons; (Replaces

ETSI TS 102 280).

[16] ETSI EN 319 412-3 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);

Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons (Replaces ETSI

TS 101 861).

[17] ETSI EN 319 412-4 V1.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);

Certificate Profiles; Part 4: Certificate profile for web site certificates.

[18] ETSI EN 319 412-5 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI);

Certificate Profiles; Part 5: QCStatements.

[19] ETSI TS 119 312 V1.1.1 (2014-11); Electronic Signatures and Infrastructures (ESI); Cryptographic Suites.

[20] ISO/IEC 15408-2002 "Information Technology - Methods and Means of a Security Evaluation Criteria for IT Security".

[21] ISO/IEC 19790:2012: "Information technology – Security techniques – Security requirements for cryptographic modules".

[22] IETF RFC 2560: X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol (OCSP), June 1999.

[23] IETF RFC 3647: Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework, November 2003.

[24] IETF RFC 4043: Internet X.509 Public Key Infrastructure - Permanent Identifier, May 2005.

[25] IETF RFC 5280: Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile, May 2008.

[26] IETF RFC 6818: Updates to the Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile, January 2013.

[27] IETF RFC 6960: X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol (OCSP), June 2013.

[28] ITU X.509 Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks.

[29] FIPS PUB 140-2 (2001 May 25): Security Requirements for Cryptographic Modules.

[30] Common Criteria for Information Technology Security Evaluation, Part 1 - 3.

[31] CEN Workgroup Agreement CWA 14167-2: Cryptographic module for CSP signing operations with backup - Protection profile - CMCSOB PP.

[32] CEN CWA 14169: Secure Signature-creation devices "EAL 4 +", March 2004.

[33] DPCM 22 February 2013 - Technical rules on the generation, enforcement and verification of advanced, qualified and digital electronic signatures.

[34] Code for the protection of Personal data, Decree Law 196/03.

[35] Digital Administration Code (CAD) DL N. 82 7 March 2005, and subsequent amendments (DL 179/2016).