Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » S.E.E. PKI Certificate Policy Version 2.0 » 1 Introduction

1 Introduction

1.1 Overview

1. This Policy defines the requirements for the management of cryptographic public key pairs and X.509 public key certificates used by the New Zealand Government to:

  • Access computer systems classified up to SENSITIVE;

  • Authenticate individuals and devices;

  • Provide authentication of roles and proof of membership;

  • Provide authentication by proxy.

2. This policy defines security practices and mechanisms appropriate for certificates and keys used to identify and authenticate entities passing, holding, processing or accessing information classified up to and including SENSITIVE or RESTRICTED. It is not suitable for use with information classified CONFIDENTIAL and above, without additional measures.

3. This Policy is intended to support applications such as single sign-on, virtual private networks and remote access. It does not specifically consider the requirements for certificates and keys used for encryption (privacy and confidentiality services) or for digital signatures (i.e., proof after the fact or by a third person). It does not exclude the use of certificates and keys for such purposes.

4. This Policy is a deliverable of the State Services Commission's E-government initiative, associated with the Secure Electronic Environment (S.E.E.) project, http://www.see.govt.nz/. The management authority for the S.E.E project is the S.E.E. Steering Group. As such, the S.E.E. Steering Group is the controlling authority for this document.

5. This Policy is written to comply with Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527), http://www.ietf.org/rfc/rfc2527.txt. The terms "must", "should" and "may" are interpreted as set out in RFC 2119, http://www.ietf.org/rfc/rfc2119.txt.

1.2 Identification

6. The alphanumeric Object Identifier (OID) of this Policy is SEEKEY_1_0.

7. The full numeric OID is 2.16.554.101.2.1.1.

8. Certificates issued under this policy will be termed "SEEKEY Certificates".

9. This policy will be referred to as the "S.E.E. Key Certificate Policy" or "S.E.E. Key CP".

1.3 Community and Applicability

1.3.1 Certification authorities

10. The definition of a Certification Authority (CA) under this Policy is a party that will

  • Create and sign digital certificates binding Subscribers with the public component of their asymmetric cryptographic key pairs;

  • Promulgate certificate status through Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP); and

  • Enforce the requirements of the Certificate Policy within the entities it has issued certificates for (i.e., CA staff, Registration Authorities, Sponsors and Subscribers).

11. The CA is responsible for either supplying or confirming an individual's requirement for, and the attribute details in, a PASSPORT certificate, as specified in the SEEKEY Certificate Table.

1.3.2 Registration Agents

12. A Registration Agent (RA) is responsible for administration of Subscribers on behalf of a CA. The RA is an agent of the CA.

13. An RA may act as an agent for more than one CA or public key infrastructure.

1.3.3 End entities

14. Sponsor - This policy introduces the concept of a Sponsor. The Sponsor is responsible for either supplying or confirming an individual's requirement for, and the attribute details in, a BUSINESS CARD, ASSOCIATE or ANONYMOUS certificate, as specified in the SEEKEY Certificate Table.

15. The Sponsor will typically be a department or public servant that has nominated an individual or organisation to be issued.

16. The Sponsor is responsible for informing the CA or RA if the department's relationship with the Subscriber is terminated or changed such that the certificate should be revoked or updated.

17. The same person or group as the RA role may perform the Sponsor role.

18. End users - This policy is for the authentication of employees of government departments and agencies, and device authentication, within the New Zealand Government, not the general public or private business.

1.3.4 Applicability

19. Certificates can be characterised into Certificate Types, by combining three specific but extensible sets of attributes. Square brackets indicate an optional attribute

  1. Certificate class, (cATTRIBUTE): PASSPORT or BUSINESS CARD or ASSOCIATE or ANONYMOUS

  2. Certificate storage (sATTRIBUTE): SMART-TOKEN, PROXY

  3. Certificate purpose (pATTRIBUTE): ACCESS or (ID, [SIGN,] ENCRYPT)

20. This Policy allows several Certificate Types, as specified in the SEEKEY Certificate Table, typically used for ACCESS or ID. An ID certificate may also include SIGN and/or ENCRYPT functionality.

21. Note that in the context of this document, the term Certificate Types is used to differentiate among certificates used for slightly different purposes and which have different rules around their use, issuance and reliance; they are thus formally different certificates and will have different Policy OIDs, but are governed by the same Certificate Policy.

22. The S.E.E. Steering Group may accredit a CA for one or more of these Certificate Types.

23. Identity certificates, have several sub-uses, which provide proof of identity for

  • Individual (person)

  • Device (machine)

  • Role (person(s) in a role)

  • Membership (person has eligibility)

  • Proxy (machine acting for a person)

24. Access certificates act similar to a physical key. They also have several sub-types

  • Access to a resource

  • Anonymous access

25. Possession of an "access to a resource" certificate, acts like a physical key, the user can access a resource, such as an encrypted laptop.

26. An "anonymous access" certificate is similar to "access to a resource", but has little or no identifying information - the equivalent of an unlabelled key - it provides access, but anyone finding it, must know where to present it, to be given access.

27. The SEEKEY Certificate Table defines the variations differentiated by the Certificate Alphanumeric OID, the Certificate Numeric OID and the Certificate subjectName Distinguished Name (DN) conventions.

1.4 Contact Details

28. The contact person is the S.E.E. Project Manager, who can be contacted at seemail@ssc.govt.nz.


[ Previous | Next ]