Transcription
CERTIFICATION PRACTICESTATEMENT (CPS)OID: 2.16.356.100.1.8.2Published byeMudhra Limited3rd Floor, Sai Arcade, Outer Ring Road, DevarabeesanahalliBengaluru - 560103, Karnataka, IndiaEmail: info@e-mudhra.com Website: www.e-mudhra.comTypePUBLICDate of Publication13-March-2019Version No4.0.0 Copyright, eMudhra Limited. All rights reserved.PRABHATKUMARDigitally signed byPRABHAT KUMARReason: I havereviewed thisdocumentDate: 2019.03.1311:11:12
Certificate Practice Statement (CPS)Version 4.0.0CERTIFICATION PRACTICE STATEMENTDocument NameReleaseStatusIssue DateeMudhra Limited www.e-mudhra.comCPS of eMudhra CAVersion 4.0.0Release13-March-20192
Certificate Practice Statement (CPS)Version 4.0.0DEFINITIONSThe following definitions are to be used while reading this CPS. Unless otherwise specified, the word“CA” used throughout this document refers to eMudhra CA, likewise CPS means CPS of eMudhra CA.Words and expressions used herein and not defined but defined in the Information Technology Act,2000 and subsequent amendments, hereafter referred to as the ACT shall have the meaningrespectively assigned to them in the Act.The following terms bear the meanings assigned to them hereunder and such definitions areapplicable to both the singular and plural forms of such terms:“Act” means Information Technology IT Act, 2000"IT Act" Information Technology IT Act, 2000, its amendments, Rules thereunder, Regulations andGuidelines Issued by CCA“ASP” or “Application Service Provider” is an organization or an entity using Electronic Signature aspart of their application to facilitate the user for requesting issuance and electronically sign thecontent through any empanelled ESP.“Auditor" means any accredited computer security professional or agency recognized and engagedby CCA for conducting audit of operation of CA;“CA” refers to eMudhra CA, a Certifying Authority, licensed by Controller of Certifying Authorities(CCA), Govt. of India under provisions of IT Act, and includes CA Infrastructure issuing DigitalSignature Certificates & also for providing Trust services such as TS, OSCP & CRL“CA Infrastructure” The architecture, organization, techniques, practices, and procedures thatcollectively support the implementation and operation of the CA. It includes a set of policies,processes, server platforms, software and work stations, used for the purpose of administeringDigital Signature Certificates and keys."CA Verification Officer" means trusted person involved in identity and address verification of DSCapplicant and according approval for issuance of DSC."Certification Practice Statement or CPS" means a statement issued by a CA and approved by CCAto specify the practices that the CA employs in issuing Digital Signature Certificates;“Certificate”—A Digital Signature Certificate issued by CA.“Certificate Issuance”—The actions performed by a CA in creating a Digital Signature Certificate andnotifying the Digital Signature Certificate applicant (anticipated to become a subscriber) listed in theDigital Signature Certificate of its contents.eMudhra Limited www.e-mudhra.com3
Certificate Practice Statement (CPS)Version 4.0.0“Certificate Policy”—The India PKI Certificate Policy laid down by CCA and followed by CA addressesall aspects associated with the CA’s generation, production, distribution, accounting, compromiserecovery and administration of Digital Signature Certificates.Certificate Revocation List (CRL)—A periodically (or exigently) issued list, digitally signed by aCertifying Authority, of identified Digital Signature Certificates that have been suspended or revokedprior to their expiration dates.“Controller” or “CCA” means the Controller of Certifying Authorities appointed as per Section 17subsection (1) of the Act.Crypto Token/Smart Card—a hardware cryptographic device used for generating and storing user’sprivate key(s) and containing a public key certificate, and, optionally, a cache of other certificates,including all certificates in the user's certification chain."Digital Signature" means authentication of any electronic record by a subscriber by means of anelectronic method or procedure in accordance with the provisions of section 3 of IT Act;“Digital Signature Certificate Applicant” or “DSC Applicant” —A person that requests the issuance ofa Digital Signature Certificate by a Certifying Authority.“Digital Signature Certificate Application” or “DSC Application” —A request from a Digital SignatureCertificate applicant to a CA for the issuance of a Digital Signature CertificateDigital Signature Certificate—Means a Digital Signature Certificate issued under sub-section (4) ofsection 35 of the Information Technology Act, 2000.“ESP” or “eSign Service Provider” is a Trusted Third Party as per definition in Second Schedule ofInformation Technology Act to provide eSign service. ESP is operated within CA Infrastructure &empanelled by CCA to provide Online Electronic Signature Service.Organization—an entity with which a user is affiliated. An organization may also be a user.“Private Key" means the key of a key pair used to create a digital signature;"Public Key" means the key of a key pair used to verify a digital signature and listed in the DigitalSignature Certificate;“Registration Authority” or “RA” is an entity engaged by CA to collect DSC Application Forms (alongwith supporting documents) and to facilitate verification of applicant’s credentials“Relying Party” is a recipient who acts in reliance on a certificate and digital signature.eMudhra Limited www.e-mudhra.com4
Certificate Practice Statement (CPS)Version 4.0.0“Relying Party Agreement” Terms and conditions published by CA for the acceptance of certificateissued or facilitated the digital signature creation."Subscriber Identity Verification method" means the method used for the verification of theinformation (submitted by subscriber) that is required to be included in the Digital SignatureCertificate issued to the subscriber in accordance with CPS. CA follows the Identity VerificationGuidelines laid down by Controller.Subscriber— a person in whose name the Digital Signature Certificate is issued by CA.Time Stamping Service: A service provided by CA to its subscribers to indicate the correct date andtime of an action, and identity of the person or device that sent or received the time stamp.Subscriber Agreement— the agreement executed between a subscriber and CA for the provision ofdesignated public certification services in accordance with this Certification Practice StatementTime Stamp—a notation that indicates (at least) the correct date and time of an action, and identityof the person or device that sent or received the time stamp."Trusted Person" means any person who has:I.Direct responsibilities for the day-to-day operations, security and performance of thosebusiness activities that are regulated under the Act or Rules in respect of a CA, orII.Duties directly involving the issuance, renewal, suspension, revocation of Digital SignatureCertificates (including the identification of any person requesting a Digital SignatureCertificate from a licensed Certifying Authority), creation of private keys or administration ofCA’s computing facilities.eMudhra Limited www.e-mudhra.com5
Certificate Practice Statement (CPS)Version 4.0.0Table of Contents1.Introduction . 131.1. Overview of CPS . 131.2 Identification . 141.3. PKI Participants . 141.3.1. PKI Authorities . 141.3.2. PKI Services . 151.3.3. Registration Authority (RA) and Organisational Registration Authority (ORA) . 171.3.4. Subscribers . 171.3.5. Relying Parties . 171.3.6. Applicability. 171.4. Certificate Usage . 191.4.1. Appropriate Certificate Uses. 191.4.2. Prohibited Certificate Uses . 191.5. Policy Administration . 191.5.1. Organization administering the document . 191.5.2. Contact Person . 191.5.3. Person Determining Certification Practice Statement Suitability for the Policy . 191.5.4. CPS Approval Procedures . 191.5.5. Waivers . 202.Publication & PKI Repository Responsibilities . 212.1. PKI Repositories . 212.1.1. Repository Obligations . 212.2. Publication of Certificate Information . 212.2.1. Publication of CA Information. 212.2.2. Interoperability . 212.3. Publication of Certificate Information .2.4. Access Controls on PKI Repositories . 213.Identification & Authentication . 223.1. Naming . 223.1.1. Types of Names . 223.1.2. Need for Names to be Meaningful . 223.1.3. Anonymity of Subscribers . 223.1.4. Rules for Interpreting Various Name Forms . 223.1.5. Uniqueness of Names . 22eMudhra Limited www.e-mudhra.com6
Certificate Practice Statement (CPS)Version 4.0.03.1.6. Recognition, Authentication & Role of Trademarks . 223.1.7. Name Claim Dispute Resolution Procedure . 233.2. Initial Identity Validation. 233.2.1. Method to Prove Possession of Private Key . 233.2.2. Authentication of Organization user Identity . 233.2.3. Authentication of Individual Identity . 233.2.4. Non-verified Subscriber Information . 243.2.5. Validation of Authority. 243.2.6. Criteria for Interoperation . 243.3. Identification and Authentication for Re-Key Requests . 243.3.1. Identification and Authentication for Routine Re-key . 243.3.2. Identification and Authentication for Re-key after Revocation. 253.4. Identification and Authentication for Revocation Request . 254.Certificate Life-Cycle Operational Requirements . 254.1. Certificate requests . 254.1.1. Submission of Certificate Application . 264.1.2. Enrolment Process and Responsibilities . 264.2. Certificate Application Processing . 264.2.1. Performing Identification and Authentication Functions . 264.2.2. Approval or Rejection of Certificate Applications . 264.3. Certificate Issuance . 264.3.1. CA Actions during Certificate Issuance . 274.3.2. Notification to Subscriber of Certificate Issuance . 274.4. Certificate Acceptance . 274.4.1. Conduct Constituting Certificate Acceptance . 274.4.2. Publication of the Certificate by the CA. 274.4.3. Notification of Certificate Issuance by the CA to Other Entities. 274.5. Key Pair and Certificate Usage . 274.5.1. Subscriber Private Key and Certificate Usage . 274.5.2. Relying Party Public Key and Certificate Usage . 284.6. Certificate Renewal . 284.6.1. Circumstance for Certificate Renewal . 284.6.2. Who may Request Renewal . 284.6.3. Processing Certificate Renewal Requests . 284.6.4. Notification of New Certificate Issuance to Subscriber . 284.6.5. Conduct Constituting Acceptance of a Renewal Certificate . 294.6.6. Publication of the Renewal Certificate by the CA . 29eMudhra Limited www.e-mudhra.com7
Certificate Practice Statement (CPS)Version 4.0.04.6.7. Notification of Certificate Issuance by the CA to Other Entities. 294.7. Certificate Re-Key. 294.7.1. Circumstance for Certificate Re-key . 294.7.2. Who may Request Certification of a New Public Key . 294.7.3. Processing Certificate Re-keying Requests . 294.7.4. Notification of New Certificate Issuance to Subscriber . 294.7.5. Conduct Constituting Acceptance of a Re-keyed Certificate . 304.7.6. Publication of the Re-keyed Certificate by the CA . 304.7.7. Notification of Certificate Issuance by the CA to Other Entities. 304.8. Certificate Modification . 304.9. Certificate Revocation and Suspension . 304.9.1. Circumstance for Revocation of a Certificate . 304.9.2. Who Can Request Revocation of a Certificate . 314.9.3. Procedure for Revocation Request . 314.9.4. Revocation Request Grace Period . 314.9.5. Time within which CA must Process the Revocation Request . 314.9.6. Revocation Checking Requirements for Relying Parties . 314.9.7. CRL Issuance Frequency . 314.9.8. Maximum Latency for CRLs. 324.9.9. Online Revocation Checking Availability . 324.9.10. Online Revocation Checking Requirements . 324.9.11. Other Forms of Revocation Advertisements Available . 324.9.12. Circumstances for Suspension . 324.9.13. Who can Request Suspension . 324.9.14. Procedure for Suspension Request . 334.9.15. Limits on Suspension Period . 334.10. Certificate Status Services. 334.10.1. Operational Characteristics . 334.10.2. Service Availability . 334.10.3. Optional Features . 334.11. End of Subscription . 334.12. Key Escrow and Recovery . 334.12.1. Key Escrow and Recovery Policy and Practices. 345.Facility Management & Operational Controls . 355.1. Physical Controls . 355.1.1. Site Location & Construction . 355.1.2. Physical Access . 36eMudhra Limited www.e-mudhra.com8
Certificate Practice Statement (CPS)Version 4.0.05.1.3. Power and Air Conditioning . 365.1.4. Water Exposures . 365.1.5. Fire Prevention & Protection . 365.1.6. Media Storage . 365.1.7. Waste Disposal . 365.1.8. Off-Site backup. 375.2. Procedural Controls . 375.2.1. Trusted Roles . 375.2.2. Number of Persons Required per Task . 385.2.3. Identification and Authentication for Each Role. 395.2.4. Roles Requiring Separation of Duties . 395.3. Personnel Controls . 395.3.1. Qualifications, Experience, and Clearance Requirements . 395.3.2. Background Check Procedures . 405.3.3. Training Requirements . 405.3.4. Retraining Frequency and Requirements . 405.3.5. Job Rotation Frequency and Sequence . 405.3.6. Sanctions for Unauthorized Actions . 405.3.7. Documentation Supplied To Personnel . 415.4. Audit Logging Procedures . 415.4.1. Types of Events Recorded . 415.4.2. Frequency of Processing Audit Logs . 445.4.3. Retention Period for Audit Logs. 455.4.4. Protection of Audit Logs . 455.4.5. Audit Log Backup Procedures . 455.4.6. Audit Collection System (internal vs. external). 455.4.7. Notification to Event-Causing Subject . 455.4.8. Vulnerability Assessments . 455.5. Records Archival. 465.5.1. Types of Records Archived . 465.5.2. Retention Period for Archive . 465.5.3. Protection of Archive . 465.5.4. Archive Backup Procedures . 475.5.5. Requirements for Time-Stamping of Records. 475.5.6. Archive Collection System (internal or external) . 475.5.7. Procedures to Obtain & Verify Archive Information . 475.6. Key Changeover . 47eMudhra Limited www.e-mudhra.com9
Certificate Practice Statement (CPS)Version 4.0.05.7. Compromise and Disaster Recovery . 485.7.1. Incident and Compromise Handling Procedures . 485.7.2. Computing Resources, Software, and/or Data are corrupted . 485.7.3. Private Key Compromise Procedures. 485.7.4. Business Continuity Capabilities after a Disaster . 495.8. CA Termination . 496.Technical Security Controls . 506.1. Key Pair Generation and Installation . 506.1.1. Key Pair Generation . 506.1.2. Private Key Delivery to Subscriber . 506.1.3. Public Key Delivery to Certificate Issuer .
processes, server platforms, software and work stations, used for the purpose of administering Digital Signature Certificates and keys. "CA Verification Officer" means trusted person involved in identity and address verification of DSC applicant and according approval for issuance of DSC.
