Transcription
Federal Department of Finance FDFFederal Office of Information Technology, Systems andTelecommunication FOITTSwiss Government PKINOT CLASSIFIEDSwiss Government PKI - Root CA I - CP CPSENCertificate Policy and Certification Practice Statement of the Swiss Government Root CA IDocument OID : 2.16.756.1.17.3.1.0V3.0, 05.01.2021Classification *Status **Not classifiedFreigegebenProject NameSwiss Government Root CA IAuftraggeberPKI DirectorAuthorsContributorsJürgen Weber, Daniel Stich, Cornelia EnkeCornelia EnkeReviewersPKI Management BoardApproved byPKI Management BoardDistributionDoc IDShort DescriptionLibrarySubscribers, Swiss Government PKI Employees, Audi-tors, Third Partieshttps://www.pki.admin.ch/cps/2 16 756 1 17 3 1 0.pdf0038-RV-CP-CPS Root CA I (2.16 756 1 17 3 1 0).docxCertificate Policy and Certification Practice Statement of the Swiss GovernmentRoot CA ICertified PKI* Nicht klassifiziert - Not classified, Intern - Internal, Vertraulich - Confidential** In Arbeit - In Progress, In Prüfung - Being Reviewed , Freigegeben - Released, Abgeschlossen - Closed
Swiss Government PKI - Root CA I - CP CPS ENNOT CLASSIFIEDChange HistoryDateVersionAuthorDescription2012/12/202.0J. WeberApproved2013/03/062.1J. WeberUpdates and precisions2016/12/192.2D. StichFormal adjustments, consolidation with otherCP/CPS. Inclusion of Regulated Certificates, especially Electronic Seal (Behördenzertifikat)2018/02/022.3A.ClercInduction review findings2018/02/222.4D. Stich, R. DietschiImplementation of risk findings2018/06/202.5D. Stichfinalization prior to approval2018/09/172.6C.Enkereview prior to approval2018/10/252.7C.EnkeAdjustment Chapter 1.5.5new sketch PKI participantdocumentation of decommissioning of the issuingCAs for Class A certificates2019/05/152.8D.StichAdding of Identification of Ausweis F2019/08/162.9C.EnkeAnnual reviewAdding new CA Hirarchy for the issuance of qualified and regulated certificatesAdded E-Mail address for complaints2020/03/302.91C.EnkeChapter 4.1.1 – adding Administrative unit to applyfor a subscriber certificate (during recruitment process)2021/01/053.0C.EnkeAnnual ReviewDocumentation Decommissioning of Qualified CA01Update of several renewed ETSI standardsAddition of CISCorrected description of the PIN Reset UserExplanation to expired certs on CRLUpdate on CRL and OCSP publication intervalNew issuing CAs EnhancedCA03 EnhancedCA04 er 1Digital signiert von vonNiederhaeusern Michael N3LBI8Bern, 2021-03-12 (mit Zeitstempel)PKI Service&DesignMichael von NiederhäusernStatus:Version:FreigegebenV3.0, 05.01.2021Signer 2Signaturerklärung: Felix BrönnimannLeiter PS-BFS-BFODigital signiert von Broennimann Felix 6IM8RZ2021-03-15 (mit Zeitstempel)PKI OperationsFelix Brönnimann2/75
Swiss Government PKI - Root CA I - CP CPS ENNOT CLASSIFIEDReferencesIdentifier[1]Title, SourceMinutes of Swiss Government Root CA I root ceremonyVersion: 1.0, Date: 15.02.2011Source: Swiss Government PKI internal document1[2]SR 943.03 Bundesgesetz über Zertifizierungsdienste im Bereich der elektronischen Signaturund anderer Anwendungen digitaler Zertifikate vom 18.03.2016(Federal law on the certification services supporting electronic signatures and other applications of digital certificates ZertES)Version: 18.03.2016, Status: in force since 01.01.2017Source : http://www.admin.ch/ch/d/sr/c943 03.html[3]SR 943.032 Verordnung über Zertifizierungsdienste im Bereich der elektronischen Signaturund anderer Anwendungen digitaler Zertifikate vom 23.11.2016(Regulation on certification services supporting electronic signatures and other applications ofdigital certificates VZertES)Version: 23.11.2016, Status: in force since 01.01.2017Source: http://www.admin.ch/ch/d/sr/c943 032.html[4]SR 943.032.1 Verordnung des BAKOM über Zertifizierungsdienste im Bereich der elektronischen Signatur und anderer Anwendungen digitaler Zertifikate vom 23.11.2016(Ordinance of OFCOM for certification services supporting electronic signatures and other applications of digital certificates)Version: 23.11.2016, Status: in force since 01.01.2017Source: /20162169/index.html[5]SR 172.010.59 Verordnung über Identitätsverwaltungs-Systeme und Verzeichnisdienste desBundesvom 19. Oktober 2016 (Stand am 1. Januar 2019)Source: /20161261/index.html[6]Ordinance on Security Checks for Persons (OSCP) of 04.03.2011Version: 01.09.2017, Status: in force since 01.01.2017Source: /20092321/index.html[7]SR 170.32 Federal Act on the Responsibility of the Swiss Confederation, the Members of its Official Bodies and their Officers of 14.03.1958Version: 05.12.2011, Status: in force since 01.01.1959Source : /19580024/index.html[8]SR 172.010 Federal law on the Organization of Government and Administration (RVOG) of21.03.1997Version: 30.05.2017, Status: in force since 01.10.1997Source : http://www.admin.ch/ch/d/sr/c172 010.html[9]SR 172.215.1 Regulation on the Organization of the Federal Department of Finances (OV-EFD)of 17.02.2010Version: 01.10.2016, Status: in force since 01.03.2010Source : http://www.admin.ch/ch/d/sr/c172 215 1.html[10]SR 235.1 Federal Act on Data Protection (FADP) of 19.06.1992Version: 01.01.2014, Status: in force since 01.07.1993Source : /19920153/index.html[11]SR 235.11 Ordinance to the Federal Act on Data Protection of 14.06.1993Version: 16.10.2012, Status: in force since 01.07.1993Source : /19930159/index.html1The document referenced is not available in the public domain, but is ready to be consulted by auditing bodies onsite.Status:Version:FreigegebenV3.0, 05.01.20213/75
Swiss Government PKI - Root CA I - CP CPS ENIdentifier[12]NOT CLASSIFIEDTitle, SourceFrame contract between Subscriber and FOITT(Swiss Government PKI as organizational unit of FOITT automatically honors such contracts)Version, Date : Frame contracts are individually entered between FOITT and customerSource: Swiss Government PKI internal document1[14]Swiss Government PKI security policy(0027-RV-SG-PKI Betriebliche Sicherheitsprinzipien)Version : 2.4.1, Date : 18.12.2020Source: Swiss Government PKI internal document1[15]Swiss Government PKI manual on operation and organizationChapter 3.2(Betriebshandbuch (BHB) / Organisationshandbuch (OHB) Certified PKI)Version : 0.9, Date : 19.01.2016Source: Swiss Government PKI internal document1[16]Administration der SG-PKI LRA-Officer und RIO(0100-RV-SGPKI-Administration der LRAOs und RIOs )Version 1.2 vom 17.01.2017Source: Swiss Government PKI internal document1[17]Swiss Government PKI Registrierrichtlinien Klasse B(0002-RV-Swiss Government PKI Registrierrichtlinien Klasse B LRA-d)Version 6.0 vom 26.02.2020Source: Swiss Government PKI internal document1[18]Benutzervereinbarung und Nutzungsbedingungen Klasse B(0092-RV-Terms and Conditions Class B.docx)Version 1.1 vom 31.03.2017Source: Swiss Government PKI internal document1[19]Guidelines zu Klasse B Zertifikaten der Swiss Government PKI(0093-RV-Guidelines Class B.docx)Version 1.0 vom 09.03.2017Source: Swiss Government PKI internal document1[20]Verification of the applicant’s identity class B(Überprüfung Identität Antragsteller Klasse B)(0003-RV-Überprüfung Identität Antragsteller Klasse B)Version 1.2 vom 14.11.2017Source: Swiss Government PKI internal document1[21]European REGULATION (EU) No 910/2014 on electronic identification and trust services on 23 July 2014Source: ulation-regulation-eu-ndeg9102014[22]ETSI EN 319 401: General policy requirements for trust service providers(replaces TS 101 456 v1.4.3: Electronic Signatures and Infrastructures (ESI) – Certificate Policyand Certification Practices Framework)Version: V2.2.1, Status: published 2018-04Source : https://www.etsi.org/deliver/etsi en/319400 319499/319401/02.02.01 60/en 319401v020201p.pdf[23]ETSI EN 319 422: Electronic Signatures and Infrastructures (ESI);Time-stamping protocol andtime-stamp token profiles(replaces TS 101 861 v1.3.1: Time Stamping Profile)Version: V1.1.1, Status: published 2016-03Source: http://www.etsi.org/deliver/etsi en/319400 319499/319422/01.01.01 60/en 319422v010101p.pdfStatus:Version:FreigegebenV3.0, 05.01.20214/75
Swiss Government PKI - Root CA I - CP CPS ENIdentifier[24]NOT CLASSIFIEDTitle, SourceETSI EN 319 412-1: Electronic Signatures and Infrastructures (ESI);Certificate profiles;Part 1 Overview and common data structures(replaces TS 101 862 v1.3.3: Qualified Certificate Profile)Version: V1.4.1, Status: published 07/2020Source: https://www.etsi.org/deliver/etsi ts/119400 119499/11941201/01.04.01 60/ts 11941201v010401p.pdf[25]ETSI EN 319 412-2: Electronic Signatures and Infrastructures (ESI);Certificate profiles;Part 2: Certificate profile for certificates issued to natural personsVersion: V2.2.1, Status: published 07/2020Source: https://www.etsi.org/deliver/etsi en/319400 319499/31941202/02.02.01 60/en 31941202v020201p.pdf[26]ETSI EN 319 412-3: Electronic Signatures and Infrastructures (ESI);Certificate profiles;Part 3: Certificate profile for certificates issued to legal personsVersion: V1.2.1, Status: published 07/2020Source: https://www.etsi.org/deliver/etsi en/319400 319499/31941203/01.02.01 60/en 31941203v010201p.pdf[27]ETSI EN 319 412-4: Electronic Signatures and Infrastructures (ESI);Certificate profiles;Part 4: Certificate profile for web site certificatesVersion: V1.1.1, Status: published 26.02.2016Source: http://www.etsi.org/deliver/etsi en/319400 319499/31941204/01.01.01 60/en 31941204v010101p.pdf[28]IETF RFC 3647: Internet X.509 Public Key Infrastructure – Certificate Policy and CertificationPractices FrameworkVersion: 2003, Status: published November 2003Source: https://tools.ietf.org/pdf/rfc3647.pdf[29]IETF RFC 5280 (May 2008): Internet X.509 Public Key Infrastructure Certificate and CertificateRevocation List (CRL) ProfileVersion: 2008, Status: May 2008Source: https://tools.ietf.org/pdf/rfc5280.pdf[30]Company Identification Number (CIN) - Unternehmens-Identifikationsnummer (UID)Source: https://www.uid.admin.ch/Search.aspx[31]Swiss Accreditation Service SASSource: https://www.sas.admin.ch/sas/en/home.html[32]ITU-T recommendation T.50Source: id 2570[33]Swiss Government CA Layout and Policies0040-RV-CA Layout and Policies.docxSource : telekommunikation/swiss swiss :FreigegebenV3.0, 05.01.20215/75
Swiss Government PKI - Root CA I - CP CPS ENNOT CLASSIFIEDTable of Contents1Introduction . 141.11.1.2Subscriber Certificates issued under this CP/CPS . 161.3PKI participants . 171.61.3.1Certification authorities . 171.3.2Registration authorities . 221.3.3Subscribers . 241.3.4Relying parties . 251.3.5Other participants . 25Certificate Usage . 251.4.1Appropriate certificate uses . 251.4.2Prohibited certificate uses . 26Policy administration . 261.5.1Organization administering the document . 261.5.2Contact person . 261.5.3PKI Service & Design . 261.5.4Person determining CPS suitability for the policy . 261.5.5CPS approval procedures . 27Definitions and acronyms . 271.6.1Definitions . 271.6.2Acronyms . 311.6.3Abbreviations . 331.6.4Notation . 331.6.5Conventions . 33Publication and Repository Responsibilities . 342.1Repositories . 342.2Publication of certification information . 342.3Time or frequency of publication . 342.4Access controls on repositories . 35Identification and Authentication . 363.1Status:Version:SG-PKI . 14Document name and identification . 161.531.1.11.21.42Overview . 14Naming . 363.1.1Types of names . 363.1.2Need for names to be meaningful . 37FreigegebenV3.0, 05.01.20216/75
Swiss Government PKI - Root CA I - CP CPS EN3.23.33.1.3Anonymity or pseudonymity of subscribers . 373.1.4Rules for interpreting various name forms . 373.1.5Uniqueness of names . 373.1.6Recognition, authentication, and role of trademarks . 37Initial identity validation . 383.2.1Method to prove possession of private key . 383.2.2Authentication of individual identity . 383.2.3Non-verified subscriber information . 393.2.4Validation of authority . 393.2.5Criteria for interoperation . 39Identification and authentication for re-key requests . 393.3.13.44Identification and authentication for re-key after revocation . 39Identification and authentication for revocation request . 40Certificate Life-Cycle Operational Requirements . 414.14.24.34.44.5Status:Version:NOT CLASSIFIEDCertificate application. 414.1.1Who can submit a certificate application . 414.1.2Enrollment process and responsibilities . 42Certificate application processing . 444.2.1Performing identification and authentication functions . 444.2.2Approval or rejection of certificate applications . 444.2.3Time to process certificate applications . 44Certificate issuance . 444.3.1CA actions during certificate issuance . 444.3.2Notification to subscriber by the CA of issuance of certificate . 44Certificate acceptance . 454.4.1Conduct constituting certificate acceptance . 454.4.2Publication of the certificate by the CA. 454.4.3Notification of certificate issuance by the CA to other entities . 45Key pair and certificate security rules . 454.5.1Subscriber private key and certificate usage . 454.5.2Relying party public key and certificate usage . 454.6Certificate renewal . 464.7Certificate re-key . 464.7.1Circumstance for certificate re-key . 464.7.2Who MAY request certification of a new public key . 464.7.3Processing certificate re-keying requests . 46FreigegebenV3.0, 05.01.20217/75
Swiss Government PKI - Root CA I - CP CPS ENNOT CLASSIFIED4.7.4Notification of new certificate issuance to subscriber . 464.7.5Conduct constituting acceptance of a re-keyed certificate . 464.7.6Publication of the re-keyed certificate by the CA . 464.7.7Notification of certificate issuance by the CA to other entities . 464.8Certificate modification. 474.9Certificate revocation and suspension . 474.9.1Circumstances for revocation . 474.9.2Who can request revocation . 484.9.3Procedure for revocation request . 484.9.4Revocation request grace period . 484.9.5Time within which CA must process the revocation request . 494.9.6Revocation checking requirement for relying parties . 494.9.7CRL issuance frequency . 494.9.8Maximum latency for CRLs . 494.9.9On-line revocation/status checking availability . 494.9.10On-line revocation checking requirements . 494.9.11Other forms of revocation advertisements available . 494.9.12Special requirements re-key compromise . 494.9.13Circumstances for suspension . 504.9.14Who can request suspension . 504.9.15Procedure for suspension request . 504.9.16Limits on suspension period . 504.10 Certificate status services . 504.10.1Operational characteristics . 504.10.2Service availability . 504.10.3Operational features . 504.11 End of subscription . 504.12 Key escrow and recovery . 505Key escrow and recovery policy and practices . 514.12.2Session key encapsulation and recovery policy and practices . 51Facility, Management, and Operational Controls . 525.1Status:Version:4.12.1Physical Controls . 525.1.1Site location and construction . 525.1.2Physical access . 525.1.3Power and air conditioning . 525.1.4Water exposures . 52FreigegebenV3.0, 05.01.20218/75
Swiss Government PKI - Root CA I - CP CPS EN5.25.35.45.5Status:Version:NOT CLASSIFIED5.1.5Fire prevention and protection . 525.1.6Media storage . 525.1.7Waste disposal . 525.1.8Off-site backup . 52Procedural Controls . 535.2.1Trusted roles . 535.2.2Number of persons required per task . 545.2.3Identification and authentication for each role . 545.2.4Roles requiring separation of duties . 54Personnel Controls . 545.3.1Qualifications, experience and clearance requirements . 545.3.2Background check procedures . 555.3.3Training requirements . 555.3.4Retraining frequency and requirements . 555.3.5Job rotation frequency and sequence . 555.3.6Sanctions for unauthorized actions . 555.3.7Independent contractor requirements . 555.3.8Documentation supplied to personnel . 55Audit Logging Procedures . 565.4.1Types of events recorded . 565.4.2Frequency of processing log . 565.4.3Retention period for audit log . 565.4.4Protection of audit log . 565.4.5Audit log backup procedures . 565.4.6Audit collection system . 565.4.7Notification to event-causing subject . 565.4.8Vulnerability assessments . 56Records Archival . 575.5.1Types of records archived . 575.5.2Retention period for archive . 575.5.3Protection of archive . 575.5.4Archive backup procedures . 575.5.5Requirements for time-stamping of records . 575.5.6Archive collection system . 575.5.7Procedures to obtain and verify archive information . 575.6Key Changeover . 575.7Compromise and Disaster Recovery . 58FreigegebenV3.0, 05.01.20219/75
Swiss Government PKI - Root CA I - CP CPS EN5.865.7.1Incident and compromise handling procedures . 585.7.2Recovery procedures if Computer resources, software and/or data arecorrupted . 585.7.3Entity private key compromise procedures . 585.7.4Business continuity capabilities after a disaster . 58CA or RA termination . 585.8.1Termination of SG-PKI . 585.8.2Termination of a LRA. 59Technical Security Controls. 606.16.26.36.46.5Status:Version:NOT CLASSIFIEDKey pair generation and installation . 606.1.1Key pair generation . 606.1.2Private key delivery to subscriber . 606.1.3Public key delivery to certificate issuer. 606.1.4CA public key delivery to relying parties . 616.1.5Key sizes . 616.1.6Public key parameters generation and quality checking .
Swiss Government PKI - Root CA I . Certificate Policy and Certification Practice Statementof the Swiss Go v-ernment Root CA I . Document OID : 2.16.756.1.17.3.1. . . 4.12 Key escrow and recovery. 32 4.12.1 Key escrow and recovery policy and practices .
