Italian Ministry Of Defence - Difesa

Transcription

Italian Ministry of Defence
Public Key Infrastructure
Certificate Policy
Signature Certificates CA

CP – Certificate Policy

Author: Italian Ministry of Defence
Version: 1.7
Document date: 15 June 2022
Doc. No.: EN-CP–DS01

Doc. No.: EN-CP–DS01 - 1.3.6.1.4.1.14031.2.1.1.201 Copyright 2016, Ministero della Difesa

Certificate Policy – Signature Certificates CA

Signed by:
- Carmelo PERGOLIZZI, 1 Lgt., Systems Technical Operations Manager, digitally signed on Thursday 16 June 2022 08:28:32
- Gennaro GIANNINO, Lgt., Chief Auditor, digitally signed on Thursday 16 June 2022 10:44:56

Validated by:
- Carmelo SPADARO, T.V. (AN), Security Manager, digitally signed on Thursday 16 June 2022 10:48:12
- Andrea PERNA, Technical and Logistic Services Manager, digitally signed on Thursday 16 June 2022 13:48:47

Approved by:
- Sergio Antonio SCALESE, Qualified Trust Services Provider (QTSP), digitally signed on Thursday 16 June 2022 14:53:50

Table of Contents

1 INTRODUCTION ..... 8
  1.1 Overview ..... 8
  1.2 Document name and identification ..... 8
  1.3 PKI participants ..... 10
    1.3.1 Certification authorities ..... 10
    1.3.2 Registration authorities ..... 11
    1.3.3 Subscribers ..... 11
    1.3.4 Relying parties ..... 11
    1.3.5 Other participants ..... 11
  1.4 Certificate usage ..... 12
  1.5 Policy administration ..... 13
  1.6 Definitions and acronyms ..... 14
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES ..... 17
  2.1 Repositories ..... 17
  2.2 Publication of certification information ..... 17
  2.3 Time or frequency of publication ..... 18
  2.4 Access controls on repositories ..... 18
3 IDENTIFICATION AND AUTHENTICATION (I&A) ..... 19
  3.1 Naming ..... 19
  3.2 Initial identity validation ..... 21
  3.3 Identification and authentication for re-key requests ..... 23
  3.4 Identification and authentication for revocation request ..... 23
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ..... 25
  4.1 Certificate Application ..... 25
  4.2 Certificate application processing ..... 25
  4.3 Certificate issuance ..... 26
  4.4 Certificate acceptance ..... 27
  4.5 Key pair and certificate usage ..... 27
  4.6 Certificate renewal ..... 27
  4.7 Certificate re-key ..... 28
  4.8 Certificate modification ..... 28
  4.9 Certificate revocation and suspension ..... 28
    4.9.1 Circumstances for revocation ..... 28
    4.9.2 Who can request revocation ..... 28
    4.9.3 Procedure for revocation request ..... 28
    4.9.4 Revocation request grace period ..... 29
    4.9.5 CRL issuance frequency (if applicable) ..... 29
    4.9.6 On-line revocation/status checking availability ..... 30
    4.9.7 On-line revocation checking requirements ..... 30
    4.9.8 Other forms of revocation advertisements available ..... 30
    4.9.9 Circumstances for suspension ..... 30
    4.9.10 Who can request suspension ..... 30
    4.9.11 Procedures for suspension request ..... 30
  4.10 Certificate status services ..... 31
  4.11 End of subscription ..... 32
  4.12 Key escrow and recovery ..... 32
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ..... 33
  5.1 Physical controls ..... 33
  5.2 Procedural controls ..... 34
  5.3 Personnel controls ..... 34
  5.4 Audit logging procedures ..... 35
  5.5 Records archival ..... 37
  5.6 Key changeover ..... 38
  5.7 Compromise and disaster recovery ..... 38
  5.8 CA or RA termination ..... 39
6 TECHNICAL SECURITY CONTROLS ..... 40
  6.1 Key pair generation and installation ..... 40
  6.2 Private Key Protection and Cryptographic Module Engineering Controls ..... 40
  6.3 Other aspects of key pair management ..... 41
  6.4 Activation data ..... 42
  6.5 Computer security controls ..... 42
  6.6 Life cycle technical controls ..... 43
  6.7 Network security controls ..... 43
  6.8 Time-stamping ..... 43
7 CERTIFICATE, CRL, AND OCSP PROFILES ..... 44
  7.1 Certificate profile ..... 44
  7.2 CRL Profile ..... 52
  7.3 OCSP profile ..... 53
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS ..... 54
  8.1 Frequency and circumstances of assessment ..... 54
  8.2 Identity/qualifications of assessor ..... 54
  8.3 Assessor's relationship to assessed entity ..... 54
  8.4 Topics covered by assessment ..... 54
  8.5 Actions taken as a result of deficiency ..... 55
  8.6 Communication of results ..... 55
9 OTHER BUSINESS AND LEGAL MATTERS ..... 56
  9.1 Fees ..... 56
  9.2 Financial responsibility ..... 56
  9.3 Confidentiality of business information ..... 56
  9.4 Privacy of personal information ..... 57
  9.5 Intellectual property rights ..... 58
  9.6 Representations and warranties ..... 58
    9.6.1 CA representations and warranties ..... 58
    9.6.2 RA representations and warranties ..... 58
    9.6.3 Subscriber representations and warranties ..... 58
    9.6.4 Relying party representations and warranties ..... 59
    9.6.5 Representations and warranties of other participants ..... 59
  9.7 Disclaimers of warranties ..... 59
  9.8 Limitations of liability ..... 59
  9.9 Indemnities ..... 59
  9.10 Term and termination ..... 60
  9.11 Individual notices and communications with participants ..... 60
  9.12 Amendments ..... 60
  9.13 Dispute resolution provisions ..... 60
  9.14 Governing law ..... 60
  9.15 Compliance with applicable law ..... 60
  9.16 Miscellaneous provisions ..... 61
  9.17 Other provisions ..... 61

Revision history

Version | Section | Description | Date
1.7 | All | Addition of O.I.D. Digital Seal; electronic seal release operating mode specified; Security Manager replaced | 15 June 2022
1.6 | All | Addition of O.I.D. Digital Seal; Security Manager replaced; Head of Technical and Logistic Services replaced | 22 November 2021
1.5 | Section 1.2, Section 3.1, Section 7.1 | Added information about the AgID OID for the Certificate Policy (agIDcert) | 06 April 2021
1.5 | Section 4.10, Section 6.3.2 | Added information about certificate status beyond the certificate expiration date | 06 April 2021
1.5 | Section 1.2, Section 1.6, Section 7.1 | The indication of the certifier's repository has been modified | 06 April 2021
1.4 | All | Added NOTE in paragraph 2.1 concerning the HTTPS redirection of the URL www.pki.difesa.it; added descriptive NOTES in paragraphs 1.3.1 and 3.1 relating to the change of name of the Entity and of the OU present in the CA certificate; the contact points of the first-level help desk have been updated | 05 November 2020
1.3 | Section 1.2 | Added note on OID | 24 June 2020
1.2 | All | Changed department name from "Comando C4" to "Comando COR"; changed the abbreviation RP to FA | 9 March 2020
1.1 | All; Section 4.2.1 | Changed ITD to OA; spelling corrections; changed the abbreviations RDT and RP to ITD and RT | 10 May 2018
1.0 | – | – | 01 June 2017

1 INTRODUCTION

This document describes the organization set up by the Ministry of Defence/Comando per le Operazioni in Rete, in its capacity as trust services provider accredited with the Digital Italy Agency (AgID), for issuing signature certificates. It also describes the processes required to generate, issue, suspend and revoke signature certificates.

A digital signature certificate is installed on a physical device called Mod. ATe (Carta Multiservizi della Difesa) (1). A Mod. ATe contains the holder's digital certificates and the corresponding key pairs.

A Mod. ATe is issued in compliance with Decree of the President of the Republic 851/1967, the Decree of the President of the Council of Ministers of 24 May 2010 and the Decree of the President of the Council of Ministers of 18 January 2016, and is valid as an electronic identity card (Mod. ATe).

For data enrolment and for the issuing of digital signature certificates, the PKI Difesa uses the issuing system of the Modello ATe (Military ID), called the Card Management System (Registration Authority, RA), and the local organizations of the individual Services (Local Registration Authority, LRA).

(1) TN: a Defence ID card for both military and civilian personnel.

1.1 Overview

This document is the Certificate Policy (CP) of the Ministry of Defence for the issuing and management of qualified, remote and automatic signature certificates. Its structure and content follow the RFC 3647 framework.

It illustrates the workings and operational procedures of the certification authority called "Ministry of Defence – Qualified Signature", whereby the Ministry of Defence issues and manages qualified signature certificates used by its own personnel and by personnel of public administration bodies that have signed an agreement with the Ministry of Defence.

1.2 Document name and identification

This CP of the eIDAS Signature CA is referenced in signature certificates by the following Object Identifier (OID): 1.3.6.1.4.1.14031.2.1.1.201.

The OID assigned to the Ministry of Defence is 1.3.6.1.4.1.14031. The OID of the eIDAS Signature CA of the Ministry of Defence – Qualified Signature is 1.3.6.1.4.1.14031.2.1.1.

Within the CA, the following OIDs have been defined for issued certificates. The table also shows the OIDs of certificates handled by the two Digital Signature CAs of the Ministry of Defence accredited in Italy before 1 June 2016. Of these, the one called "Ministero della Difesa - PKI di Firma Qualificata" has not issued certificates since July 2014 and only performs lifecycle management of already issued certificates (revocation/suspension/reactivation), while the current CA, named "Ministero della Difesa - CA di Firma Digitale", issues and manages certificates.

Policy OIDs for certificates issued to holders derive from the policies published by ETSI within the eIDAS regulatory framework. See section 7.1 for the relevant profiles.

Description | OID
Basic OID for the Ministry of Defence | 1.3.6.1.4.1.14031
Basis for the former PKI Difesa (CPS) | 1.3.6.1.4.1.14031.1
Policy of the former PKI Difesa, as defined in its CPS | 1.3.6.1.4.1.14031.1.1
Basis for the new PKI Difesa (CPS) | 1.3.6.1.4.1.14031.2
Policy of the new PKI Difesa, as defined in its CPS | 1.3.6.1.4.1.14031.2.1
OID of the Signature CA certificate | 1.3.6.1.4.1.14031.2.1.1
OID of the OCSP certificate for the Signature CA | 1.3.6.1.4.1.14031.2.1.1.1
OID of the User's signature certificate with no usage limitation | 1.3.6.1.4.1.14031.2.1.1.2
OID of the User's signature certificate with usage limitation (2) | 1.3.6.1.4.1.14031.2.1.1.3
OID of the Test Remote Signature certificate | 1.3.6.1.4.1.14031.2.1.1.4
OID of the Remote Signature certificate | 1.3.6.1.4.1.14031.2.1.1.5
OID of the Users' Signature certificate for testing purposes | 1.3.6.1.4.1.14031.2.1.1.6
OID of the Automatic (Remote) Signature certificate | 1.3.6.1.4.1.14031.2.1.1.8
Policy of the new eIDAS PKI as defined in https://pki.difesa.it/tsp | 1.3.6.1.4.1.14031.2.1
OID of the CPS for the eIDAS signature service in Italian | 1.3.6.1.4.1.14031.2.1.1.100
OID of the CP for the eIDAS signature service in Italian | 1.3.6.1.4.1.14031.2.1.1.101
OID of the Terms and Conditions document for the eIDAS signature service in Italian | 1.3.6.1.4.1.14031.2.1.1.102
OID of the PKI Disclosure Statement for the eIDAS signature service in Italian and English | 1.3.6.1.4.1.14031.2.1.1.103
OID of the CPS for the eIDAS signature service in English | 1.3.6.1.4.1.14031.2.1.1.200
OID of the CP for the eIDAS signature service in English | 1.3.6.1.4.1.14031.2.1.1.201
OID of the Terms and Conditions document for the eIDAS signature service in English | 1.3.6.1.4.1.14031.2.1.1.202
OID of the eIDAS Signature User's certificate with no usage limitation | 1.3.6.1.4.1.14031.2.1.1.12
OID of the eIDAS signature certificate with usage limitation (3) | 1.3.6.1.4.1.14031.2.1.1.13
OID of the Remote eIDAS Signature certificate for testing purposes | 1.3.6.1.4.1.14031.2.1.1.14
OID of the Remote Signature certificate | 1.3.6.1.4.1.14031.2.1.1.15
OID of the Users' eIDAS Signature certificate for testing purposes | 1.3.6.1.4.1.14031.2.1.1.16
OID of the Automatic (S.G.D.) eIDAS Signature certificate | 1.3.6.1.4.1.14031.2.1.1.18
OID of the Automatic (S.M.D. COR) eIDAS Signature certificate | 1.3.6.1.4.1.14031.2.1.1.19
OID of the eIDAS Digital Seal certificate | 1.3.6.1.4.1.14031.2.1.1.23
OID of the eIDAS Digital Seal AUTOREMOTE certificate | 1.3.6.1.4.1.14031.2.1.1.28

(2) Up to 30 June 2017, OID 1.3.6.1.4.1.14021.2.1.1.3 was used.
(3) From 1 July 2017 to 22 June 2020, OID 1.3.6.1.4.1.14021.2.1.1.13 was used.

In compliance with the recommendations in [AGID LG11] section 4 ("Linee guida contenenti le Regole Tecniche e Raccomandazioni"), since December 2019 the QTSP has been inserting into the certificatePolicies extension (OID 2.5.29.32) a further PolicyIdentifier element with value agIDcert (OID 1.3.76.16.6), whose meaning is: "When included into a Rec. ITU-T X.509 electronic certificate, it means that all the recommendations issued by the Agency for Digital Italy are fulfilled".

1.3 PKI participants

This section provides introductory information on the Certification Authorities and relying parties of the PKI Difesa.

1.3.1 Certification authorities

The Certification Authority is the trusted third party that issues certificates and signs them with its own private key (CA key).
The CA designated to issue signature certificates and manage certificate status is called the Signature CA. Within this service, the role of Signature CA is performed by the Ministry of Defence/Stato Maggiore Difesa – Comando per le Operazioni in Rete, identified as follows:

Legal person: STATO MAGGIORE DELLA DIFESA – COMANDO per le Operazioni in Rete
Address: Via Stresa 31b, 00187 ROME
Legal Representative: Commander of Comando per le Operazioni in Rete
Tax code: 97355240587
ISO Object Identifier: 1.3.6.1.4.1.14031
General Website: www.difesa.it
Certification Centre Website: https://pki.difesa.it/tsp
Email address: info pkiff@smd.difesa.it
Directory Server: ldap://ldappkiff.difesa.it

The Commander of the Comando per le Operazioni in Rete is also the Trust Services Provider for Defence.

The Certification Authority is a Root CA that directly issues certificates to holders; it does not issue Sub-CA certificates and is not involved in cross-certification.

NOTE – On 9 March 2020 the department in which the QTSP is located changed its name to COR Command, by deed of 4 March 2020.

1.3.2 Registration authorities

The Registration Authority (RA) is the person, structure or organization that:
- accepts and validates issuance requests and manages certificates;
- registers the applicant and the organization he/she belongs to;
- authorizes the CA to issue the requested digital certificate;
- provides personnel with the digital certificate and the required information.

For the digital signature certificates contained in the Modello ATe (Military ID)/Mod. ATe, this activity is carried out by the Local Registration Authority (LRA) and by the Card Management System (CMS) of the Ministry of Defence. For automatic signature certificates, the Defence Computer Protocol System Manager acts as RA. For remote signature certificates, the PKI Difesa Certification Centre carries out the RA tasks directly.

1.3.3 Subscribers

All Defence personnel and personnel of public administration bodies that have signed a cooperation agreement. For activities directly or indirectly pertaining to the digital signature services defined in this document, Defence has provided its own employees with a digital signature in view of the job they perform within the activities covered by this document.

End users, namely certificate subscribers, are natural persons who request a certificate and hold the corresponding private key.

1.3.4 Relying parties

Relying parties are all subjects that rely on the information contained in the certificate to validate documents signed by holders.

1.3.5 Other participants

Personnel in charge of administering and supervising the certification service are organized in compliance with Art. 38, par. 1 of the Decree of the President of the Council of Ministers of 22 February 2013. In particular, the following profiles are established:

- Security Manager;
- Certification and Time Validation Service Manager;
- System Technical Administration Manager;
- Technical and Logistic Services Manager;
- Audits and Inspections Manager.

In compliance with the above decree, the same person cannot be tasked with more than one of these functions (Art. 38, par. 2, Decree of the President of the Council of Ministers of 22 February 2013).

Within the organizational functions of the certification service, the Certification and Time Validation Service Manager is also the Head of the PKI Difesa Certification Centre and, as its delegate, reports to the Trust Services Provider on the application of current regulations to the certification process, the proper operation of the technical services and the correct management of the service.

The following profiles are also involved in the certification process:
- Local Manager: a professional profile employed in the organization that requests the qualified certificates to be issued to the Holder.
- Data Processing Operator: a professional profile employed in the organization that supports the prospective certificate holder in submitting the data required for the certificates to be issued. He/she is in charge of correctly identifying the prospective holder.
- User: any natural or legal person that uses a qualified certificate to check the validity of a digital signature or of an authentication.

1.4 Certificate usage

The CA of the Ministry of Defence – eIDAS Digital Signature CA uses its key pair to:
- sign issued digital certificates;
- sign issued Certificate Revocation Lists (CRLs).

The holder of a restricted-usage signature certificate contained in the Modello ATe (Military ID)/Mod. ATe or in the remote signature HSM uses his/her key pair to:
- sign a digital document in the formats provided for by current regulations, in compliance with the usage limitations defined in the certificate itself.

The holder of an unrestricted-usage signature certificate contained in the Modello ATe (Military ID)/Mod. ATe or in the remote signature HSM uses his/her key pair to:
- sign a digital document in the formats provided for by current regulations.

The holder of an automatic signature certificate in the automatic signature HSM uses his/her key pair to:
- sign the inception of an IT process within his/her work context.

The OCSP certificate of the Qualified Signature CA is used to:

- sign the responses to requests regarding the validity status of a signature certificate.

Any usage other than that defined in this paragraph 1.4 is considered unauthorized use of the certificate. Improper use of certificates issued by the Ministry of Defence under this CP is not allowed and causes the certificate to be revoked immediately once the circumstance becomes known.

1.5 Policy administration

This document is held and kept up to date by the personnel of the Certification Centre. The Commander of the Comando per le Operazioni in Rete, as legal representative of the Certification Centre and Trust Services Provider, approves it.

This CP is written, published and updated by the Certification Centre of the Ministry of Defence/Stato Maggiore Difesa – Comando per le Operazioni in Rete, via Stresa 31b, 00135 Rome.

This document is also revised and updated when changes are made to the organization (for example, the replacement of one of the managers) or when the reference rules change.

For further information or details concerning this CP, please contact:
- the PKI Difesa Certification Centre, at the email address info pkiff@smd.difesa.it;
- the Comando per le Operazioni in Rete Help Desk, via https://servidesk.difesa.it, the email address helpdesk@cor.difesa.it or the telephone number 39-06-46914444; the Help Desk forwards the request to the Certification Centre.

This CP and the policies therein are assessed by a Conformity Assessment Body (CAB). They comply with the policies issued by the Ministry of Defence.

This CP was read and validated in its relevant parts by the System Technical Operations Manager, the Audits and Inspections Manager, the Security Manager and the Technical and Logistic Services Manager. It was approved by the Commander of the Comando per le Operazioni in Rete as Trust Services Provider for Defence.
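The policy OIDs tabulated in section 1.2, the agIDcert marker described there and the restricted/unrestricted distinction of section 1.4 all reach a relying party through one place: the certificatePolicies extension (OID 2.5.29.32) of the signature certificate. The following Python block is an added example, not part of this CP nor of any Ministry of Defence software: it decodes a certificatePolicies extension value with a minimal pure-Python DER/OID decoder and classifies the policy set against the section 1.2 table, flagging the agIDcert marker and any OID the table does not cover. The extension bytes it parses are constructed inside the block (the encoder exists only for that purpose), and the function and constant names are the example's own.

```python
"""Added example: decode an X.509 certificatePolicies extension (OID 2.5.29.32)
with a minimal pure-Python DER decoder and classify its policy OIDs against the
table in section 1.2 of the Ministry of Defence CP. No third-party packages.
The extension bytes used below are constructed here, not read from a real card."""
from typing import Dict, List, Tuple

CA_ARC = "1.3.6.1.4.1.14031.2.1.1"  # eIDAS Signature CA arc (CP section 1.2)
AGID_CERT = "1.3.76.16.6"            # agIDcert: AgID recommendations fulfilled

CERT_TYPES: Dict[str, str] = {       # certificate-type policy OIDs, section 1.2
    CA_ARC + ".12": "eIDAS signature, no usage limitation",
    CA_ARC + ".13": "eIDAS signature, with usage limitation",
    CA_ARC + ".14": "remote eIDAS signature (test)",
    CA_ARC + ".15": "remote signature",
    CA_ARC + ".16": "eIDAS signature (test)",
    CA_ARC + ".18": "automatic (S.G.D.) eIDAS signature",
    CA_ARC + ".19": "automatic (S.M.D. COR) eIDAS signature",
    CA_ARC + ".23": "eIDAS digital seal",
    CA_ARC + ".28": "eIDAS digital seal AUTOREMOTE",
}
DOCUMENTS: Dict[str, str] = {        # governing-document OIDs, section 1.2
    CA_ARC + ".100": "CPS (IT)", CA_ARC + ".101": "CP (IT)",
    CA_ARC + ".102": "Terms and Conditions (IT)", CA_ARC + ".103": "PKI Disclosure Statement",
    CA_ARC + ".200": "CPS (EN)", CA_ARC + ".201": "CP (EN)",
    CA_ARC + ".202": "Terms and Conditions (EN)",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Base-128 OID content octets -> dotted string (first two arcs are packed)."""
    arcs: List[int] = []
    acc = 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:            # continuation bit set: more octets for this arc
            continue
        if not arcs:            # first sub-identifier encodes arc0*40 + arc1
            first = 2 if acc >= 80 else acc // 40
            arcs += [first, acc - 40 * first]
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid; used here only to construct the sample extension."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def der_tlv(tag: int, content: bytes) -> bytes:
    """DER TLV with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_certificate_policies(oids: List[str]) -> bytes:
    """Constructed sample extnValue: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    return der_tlv(0x30, b"".join(der_tlv(0x30, der_tlv(0x06, encode_oid(o))) for o in oids))


def parse_certificate_policies(ext_value: bytes) -> List[str]:
    """Extract policyIdentifier OIDs; policyQualifiers (CPS URI, user notice) are skipped."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        itag, oid, _ = read_tlv(info, 0)  # first element of PolicyInformation is the OID
        if tag != 0x30 or itag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid))
    return oids


def classify(policies: List[str]) -> Dict[str, object]:
    """Map the policy set to the CP section 1.2 categories; anything else is flagged."""
    known = set(CERT_TYPES) | set(DOCUMENTS) | {AGID_CERT}
    return {
        "certificate_type": [CERT_TYPES[p] for p in policies if p in CERT_TYPES],
        "documents": [DOCUMENTS[p] for p in policies if p in DOCUMENTS],
        "agid_compliant": AGID_CERT in policies,
        "unknown": [p for p in policies if p not in known],  # e.g. legacy pre-eIDAS .2 / .3
    }


if __name__ == "__main__":
    # Constructed sample: restricted-usage eIDAS signature certificate issued under the English CP.
    sample = build_certificate_policies([CA_ARC + ".201", CA_ARC + ".13", AGID_CERT])
    print(classify(parse_certificate_policies(sample)))
```

A relying party checking a certificate this way learns three things at once: which section 1.2 certificate type it is (and hence, per section 1.4, whether the signature is bound by usage limitations carried in the certificate), which CP/CPS governs it, and whether the agIDcert marker is present. Anything in the "unknown" list, such as an OID under the legacy 14021 arc from the footnotes, should be treated as outside this CP rather than silently accepted.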

1.6 Definitions and acronyms

This paragraph lists the definitions of the terms used in this document, as well as the acronyms and their meanings.

Acronym | Term | Definition
AgID | Agenzia per l'Italia Digitale (Digital Italy Agency, formerly DigitPA) | Italian supervisory body for CA certification
CA | Certification Authority | Body that issues the certificates
CMD | Carta Multiservizi Difesa | A smartcard that Defence personnel are provided with as a valid electronic ID, which also contains the holder's certificates
CMS | Card Management System | The system that issues ATe models for Defence personnel and for personnel of public administration bodies that have signed a cooperation agreement with Defence
CP | Certificate Policy | A defined set of rules specifying the applicability of a certificate to a specific community and/or class of applications with specific security requirements
CPS | Certification Practice Statement | A document that explains the practices and operational processes of the CA whereby the Ministry of Defence issues and manages qualified signature certificates
CRL | Certificate Revocation List | The list of revoked certificates
CSR | Certificate Signing Request | Certificate request
DN | Distinguished Name |
DR | Disaster Recovery | Infrastructure back-up site
FIPS | Federal Information Processing Standard | Shared rules and measures that US government departments must comply with
HSM | Hardware Security Module | Hardware module for the secure storage of keys used in cryptographic operations
LDAP | Lightweight Directory Access Protocol | The Directory Server where certificates are published
LRA | Local Registration Authority | Local body in charge of enrolment procedures. It identifies and validates the subject requesting a certificate
OCSP | On-line Certificate Status Protocol | Verification service for certificate status
OTP | One Time Password | A password that is only valid for one access or transaction
P.A. | Public Administration | Public Administration bodies
P.D.S. | PKI Disclosure Statement | A document summing up the main concepts of the CP and CPS
PKI | Public Key Infrastructure | Equipment and personnel tasked with issuing certificates
Private key | Private key | The secret element of an asymmetric key pair
Public key | Public key | The public element of an asymmetric key pair
RA | Registration Authority |
