Transcription
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0FRCS VMS PKICERTIFICATE POLICY/CERTIFICATION PRACTICE STATEMENTOIDs: Effective Date: 27 Dec 2017Version: 1.0Page 1 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0Important Note About this DocumentThis is the Certificate Policy/Certification Practice Statement (CP/CPS) of FRCS VMS Public KeyInfrastructure (FRCS VMS PKI). It contains an overview of the practices and procedures that FRCSVMS PKI employs as a Certification Authority (CA). This document is not intended to createcontractual relationships between FRCS and any other person. This document is intended for useonly in connection with FRCS and its business. This version of the CP/CPS has been approved for useby the FRCS VMS Policy Management Authority (PMA) and is subject to amendment and change inaccordance with the policies and guidelines adopted, from time to time, by the PMA and asotherwise set out herein. The date on which this version of the CP/CPS becomes effective isindicated on this CP/CPS. The most recent effective copy of this CP/CPS supersedes all previousversions. No provision is made for different versions of this CP/CPS to remain in effect at the sametime.Contact Information:Revenue & Customs Services ComplexLot 1 Corner of Queen Elizabeth Drive & Ratu Sukuna Road, ersion Control:AuthorFRCS VMS PMADate12/27/2017Version1.0CommentInitial versionPage 2 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0Table of Contents1INTRODUCTION . 101.1Overview . 101.2Document Name, Identification and Applicability . 101.3Public Key Infrastructure Participants . 10Certification Authorities. 11Registration Authorities and Their Obligations. 12Certificate Holders . 12Relying Parties . 13Other Participants . 131.4Certificate Usage . 13Appropriate Certificate Usage . 13Prohibited Certificate Usage . 14Organization Administering the CP/CPS . 14Contact Person . 14Person Determining the CP/CPS Suitability . 14CP/CPS Approval Procedures . 141.523Definitions and Acronyms . 14PUBLICATION AND REPOSITORY RESPONSIBILITIES . 152.1Repositories . 152.2Publication of Certificate Information . 152.3Time or Frequency of Publication . 152.4Access Controls on Repositories . 15IDENTIFICATION AND AUTHENTICATION. 153.1Naming . 15Types of Names . 15Need for Names to be Meaningful . 16Pseudonymous Certificate Holders . 16Rules for Interpreting Various Name Forms . 16Uniqueness of Names . 16Recognition, Authentication, and Role of Trademarks . 163.2Initial Identity Validation. 16Method to Prove Possession of Private Key . 16Authentication of Organization Identity . 16Page 3 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0Authentication of Individual Identity . 17Non-Verified Certificate Holder Information . 17Validation of Authority. 17Criteria for Interoperation . 173.3Identification and Authentication for Renewal Requests . 17Identification and Authentication for Routine Re-Key. 17Identification and Authentication for Re-Key After Revocation . 173.4Identification and Authentication for Revocation Requests. 17Issuing Certification Authority . 17Registration Authority. 17Certificate Holder . 174CERTIFICATE LIFE-CYCLE OPERATION REQUIREMENTS . 184.1Certificate Application . 18Who Can Submit A Certificate Application . 18Enrolment Process and Responsibilities . 184.2Certificate Application Processing . 19Performing Identification and Authentication Functions . 19Approval or Rejection of Certificate Applications. 19Time to Process Certificate Applications . 194.3Certificate Issuing . 19Certification Authority Actions During Certificate Issuing . 19Notification to Applicant Certificate Holder . 194.4Certificate Acceptance . 19Notice of Acceptance . 19Conduct Constituting Certificate Acceptance . 19Publication of The Certificate by The Certification Authority . 19Notification of Certificate Issuing by the Certification Authority to Other Entities. 194.5Key Pair and Certificate Usage . 20Certificate Holder Private Key and Certificate Usage . 20Relying Party Public Key and Certificate Usage . 204.6Certificate Renewal . 204.7Certificate Re-Key. 20Circumstance for Certificate Re-Key . 20Who May Request Re-Key. 20Processing Certificate Re-Key Request . 20Notification of New Certificate Issuing to Certificate Holder . 20Page 4 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0Conduct Constituting Acceptance of a Re-Key Certificate . 20Notification of Certificate Re-Key by The Certification Authority to Other Entities . 204.8Certificate Modification . 204.9Certificate Revocation and Suspension . 21Circumstances for Revocation . 21Who Can Request Revocation. 21Procedure for Revocation Request . 21Revocation Request Grace Period. 22Time Within Which the Certification Authority Must Process the Revocation Request22Revocation Checking Requirement for Relying Parties. 22Certificate Revocation List Issuing Frequency . 22Maximum Latency for Certificate Revocation List . 22On-Line Revocation/Status Checking Availability . 22On-Line Revocation Checking Requirement . 22Other Forms of Revocation Advertisements Available . 22Special Requirements in Relation to Key Compromise . 22Circumstances for Suspension . 22Who Can Request Suspension . 22Procedure for Suspension Request . 22Limits on Suspension Period . 224.10Certificate Status Services. 22Operational Characteristics. 22Service Availability . 2354.11End of Subscription . 234.12Key Archival and Recovery . 23FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS . 235.1Physical Controls . 23Site Location and construction . 23Physical Access . 23Power and Air-Conditioning . 23Water Exposures . 23Fire Prevention and Protection . 23Media Storage . 23Waste Disposal . 23Off-Site Backup. 24Page 5 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.05.2Procedural Controls . 24Trusted Roles. 24Number of Persons Required Per Task . 24Identification and Authentication for Each Role. 24Roles Requiring Separation of Duties . 255.3Personnel Controls . 25Qualifications, Experience, and Clearance Requirements . 25Background Check Procedures . 25Training Requirements . 25Retraining Frequency and Requirements . 25Job Rotation Frequency and Sequence . 25Sanctions for Unauthorized Actions . 25Independent Contractor Requirements. 25Documentation Supplied to Personnel . 255.4Audit Logging Procedures . 25Types of Events Recorded . 25Frequency of Processing Log . 26Retention Period for Audit Log . 26Protection of Audit Log . 26Audit Log Backup Procedures . 26Audit Collection System . 26Notification to Event-Causing Subject . 26Vulnerability Assessment . 265.5Records Archival. 26Types of Records Archived . 26Retention Period for Archive . 26Protection of Archive . 26Archive Backup Procedures . 26Requirements for Time-Stamping of Records. 26Archive Collection System . 26Procedures to Obtain and Verify Archive Information . 265.6Key Changeover . 275.7Compromise and Disaster Recovery . 27Disaster Recovery plan . 27Key compromise plan. 275.8Certification Authority and/or Registration Authority Termination . 27Page 6 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.06TECHNICAL SECURITY CONTROLS . 276.1Key Pair Generation and Installation . 27Key Pair Generation . 27Private Key Delivery to Certificate Holder . 27Public Key Delivery to Certificate Issuer . 28Certification Authority Public Key to Relying Parties . 28Key Sizes . 28Public Key Parameters Generation and Quality Checking . 28Key Usage Purposes (As Per X.509 V3 Key Usage Field) . 286.2Private Key Protection and Cryptographic Module Engineering Controls. 28Cryptographic Module Standards and Controls. 28Private Key (N Out Of M) Multi-Person Control. 28Private Key Escrow . 28Private Key Backup . 28Private Key Archive . 28Private Key Transfer into or from a Cryptographic Module . 29Private Key Storage on Cryptographic Module . 29Method of Activating Private Key . 29Method of Deactivating Private Key . 29Method of Destroying Private Key . 29Cryptographic Module Rating . 296.3Other Aspects of Key Pair Management . 29Public Key Archival . 29Certificate Operational Periods and Key Pair Usage Periods . 296.4Activation Data. 30Activation Data Generation and Installation . 30Activation Data Protection . 30Other Aspects of Activation Data. 3076.5Computer Security Controls . 306.6Life Cycle Technical Controls. 306.7Network Security Controls . 306.8Time-Stamping . 30CERTIFICATE, CRL, AND OCSP PROFILES . 307.1Certificate Profile . 30Basic Certificate Contents . 31Certificate Extensions. 31Page 7 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0Algorithm Object Identifiers . 32Name Forms . 32Name Constraints. 32CP/CPS Object Identifier . 32Usage of Policy Constraints Extension . 32Policy Qualifiers Syntax and Semantics. 32Processing Semantics for The Critical Certificate Policies Extension . 337.2Certificate Revocation List Profile . 33Root CA CRL. 33Issuing CA CRL . 337.389Online Certificate Status Protocol Profile . 35COMPLIANCE AUDIT AND OTHER ASSESSMENTS . 358.1Frequency, Circumstance and Standards of Assessment . 358.2Identity and Qualifications of Assessor. 358.3Assessor’s Relationship to Assessed Entity . 358.4Topics Covered by Assessment . 358.5Actions Taken as A Result of Deficiency . 358.6Publication of Audit Results . 35OTHER BUSINESS AND LEGAL MATTERS . 359.1Fees . 359.2Financial Responsibilities . 359.3Confidentiality of Business Information . 359.4Privacy of Personal Information. 359.5Intellectual Property Rights . 369.6Representations and Warranties . 369.7Disclaimers of Warranties . 369.8Liability and Limitations of Liability. 369.9Indemnities . 369.10Term and Termination . 369.11Individual Notices and Communications with Participants . 369.12Amendments. 369.13Dispute Resolution Provisions . 369.14Governing Law . 369.15Compliance with Applicable Law . 369.16Miscellaneous Provisions . 369.17Other Provisions. 36Page 8 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.010APPENDIX A . 3710.1Digital Certificate Type 3.1 . 3710.2Digital Certificate Type 3.2 . 3710.3Digital Certificate Type 3.3 . 3710.4Digital Certificate Type 3.4 . 3710.5Digital Certificate Type 3.5 . 3710.6Digital Certificate Type 3.6 . 371111.1APPENDIX B . 38Definitions and Acronyms . 38Page 9 of 40
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.01 INTRODUCTION1.1 OverviewThis FRCS VMS CP/CPS sets out the policies, processes and procedures followed in the generation,issue, use and management of Key Pairs and Digital Certificates. It also describes the roles,responsibilities and relationships of Participants within the FRCS VMS PKI.FRCS VMS PKI is support process for FRCS Vat Monitoring System (VMS) and it usage is limited toFRCS VMS requirements regarding Digital Certificates usage. FRCS VMS PKI is managed by thirdparty, company Data Tech International (DTI), but operated by FRCS VMS (outsourced services).The structure of this CP/CPS is based on the RFC 3647 Certificate Policy and Certification PracticesFramework but does not seek to adhere to or follow it exactly.This CP/CPS undergoes a regular revi
FRCS VMS PKI - Certificate Policy/Certification Practice Statement Version 1.0 Page 2 of 40 Important Note About this Document This is the Certificate Policy/Certification Practice Statement (CP/CPS) of FRCS VMS Public Key Infrastructure (FRCS VMS PKI). It contains an overview of the practices and procedures that FRCS
