Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » SEE PKI » S.E.E. PKI - RFP templates

S.E.E. PKI - RFP templates

CA Accreditation Guide

Advice to Certification Authorities seeking S.E.E. Key Accreditation:

  1. Note that S.E.E. Key accreditation will grant you the right to sell S.E.E. Key branded certificates to New Zealand government agencies.
  2. Please read the S.E.E. Key Certificate Policy (CP) to bring yourself up to speed with the S.E.E. Key requirements. If you have time, read the suite of documents at http://see.govt.nz/pki/
  3. Determine if you will propose the use of one of your existing CAs to meet the S.E.E. Key needs or whether you will propose a new CA.
  4. Discuss your intentions with the S.E.E. Project Manager, and indicate any limitations in your ability to meet the S.E.E. Key requirements. Note that the CP is not negotiable in ways that would make the S.E.E. less secure; but that CAs more than satisfying our requirements should be acceptable.
  5. Provide the following to the S.E.E. Project Manager:
    • Your company's most recent audited annual report
    • The Certificate Practice Statement (CPS) for the proposed CA
    • A formal comparison of the CPS with the S.E.E. Key CP
    • A letter indicating whether, in your opinion, the proposed CA matches the requirements of the S.E.E. Key CP. Indicate any potentially controversial areas for compliance
    • Any certificate of accreditation from another body
    • Access to relevant audit reports of CA operations
  6. The following are the requirements of the formal comparison of the CPS and the S.E.E. Key CP:
    • Compare on a paragraph-by-paragraph basis
    • Mark each paragraph with either "Pass" or "Fail" in each case.
    • For each paragraph where your proposal satisfies S.E.E. Key needs but there is not an accurate match of policies between the CP and CPS, complete the sentence "Meets because…"
    • Mark each paragraph as to whether compliance has been audited by an independent auditor.
  7. The S.E.E. Project Manager, in consultation with you, and other parties as required, shall determine whether your proposal meets S.E.E. requirements.
  8. The S.E.E. Project Manager and other accreditation personnel may require a site visit of the CA operations.
  9. Note that the CA may be required to have themselves audited by a third party auditor, and that the CA may be required to pay for this audit.
  10. Note that the S.E.E. Project Manager may change the requirements, or make new requirements during this process, for any reason.
  11. Before final accreditation, you will need to make available digital certificates, CRL, and OCSP services, to S.E.E. application owners to test the proposed certificates with their applications.

Example formal comparison of CA CPS with S.E.E. Key CP

23. Certificates issued under this policy are governed by New Zealand law.
Excerpt from CPS here
Pass

48. CAs must ensure that they issue up to date CRLs at least every eight (8) hours. The CA must also have the capability to update and issue its CRL(s) immediately, for instance in the case of suspected compromise of a Subscriber's private key.
Not currently specified in CPS
Meets because if accepted, we will provide this service and specify this in our CPS

69. Subscriber key pairs must be 1024 bit RSA. CAs' keys may be 1024 bit or 2048 bit RSA.
53 Certificates will only be issued for requests with 1024 bit or 2048 bit RSA public keys.
 Pass for subscriber certificates
Meets because the CA certificate uses a 2048 bit RSA key although this is not specified specifically in our CPS.

72. Each Entity must physically protect their private keys from disclosure and tampering. Subscribers' private keys must be stored and processed in hardware cryptomodules (e.g. a smartcard, PC card, USB token, etc) and the cryptomodule must be protected from theft or misuse to a similar level to a driver's licence or credit card.
191 Excerpt from CPS paragraph 191 on
 Pass, specified in CPS paragraph 191 (section 6.8) instead of this section

87. All certificates must be X.509 Version 3 in accordance with the PKIX Certificate and CRL Profile. The PKI End-Entity software must support all the base (non-extension) X.509 fields as well as the certificate extensions identified in section 4.2.2 of the PKIX certificate profile. The CRL Distribution Point (CDP) defined in each certificate must specify the location of the CRL and the protocol used to address and obtain it (either HTTP or LDAP). The Authority Information Access field should specify an OCSP service and this service should be accessible using HTTP or HTTPS.
Excerpt from CPS here
 Meets because although the CPS does not currently discuss the protocol used to access the CRL, all certificates issued since September 2000 (all currently valid certificates) have a CDP specifying an HTTP url. If our proposal is accepted we will update the CPS to specify that an HTTP or LDAP CDP will be inserted in all certificates.