S.E.E. PKI Certificate Policy Version 2.0

3 Identification & authentication

3.1 Initial Registration

3.1.1 Types of names

No stipulation.

3.1.2 Need for names to be meaningful

No stipulation.

3.1.3 Rules for interpreting various name forms

No stipulation.

3.1.4 Uniqueness of names

73. The Certification Authority's processes must be such that the existence of the keyword SEEKEY in the CN is proof that the certificate was issued under the S.E.E. Key Certificate Policy. Note that this gives the CA flexibility to produce other certificates using the same CA root key.

3.1.5 Name claim dispute resolution procedure

No stipulation.

3.1.6 Recognition, authentication and role of trademarks

No stipulation.

3.1.7 Method to prove possession of private key

No stipulation.

3.1.8 Authentication of organization identity

74. The CA must obtain authorisation from the organisation for each certificate it produces with that organisation's name in the Distinguished Name. Authorisation shall be from the chief executive or a company director, or from a Sponsor explicitly delegated by them for the management of digital certificates issued under the organisation's name.

3.1.9 Authentication of individual identity

75. Respective identities must be confirmed prior to the exchange of a public or private key or the issuance of a certificate.

  • For PASSPORT certificates, the Certification Authority or RA and the Subscriber must confirm their respective identities.

  • For BUSINESS CARD and ASSOCIATE certificates, the Certification Authority or RA and the Sponsor must confirm their respective identities.

76. The appropriate mechanisms for confirming respective identities are any of the following:

  • In person,

  • Through the use of a shared secret (e.g., secret key or password), or

  • Through the use of pre-positioned asymmetric key pairs.

77. The key transfer protocol described in the PKIX Certificate Management Protocol is suitable for the above tasks.

3.2 Authentication for Routine Rekey

78. The Certification Authority or RA must authenticate all requests by Subscribers and Sponsors for issuance of new certificates and key pairs, and subsequent responses.

79. This authentication may be done by an online method in accordance with the PKIX Certificate Management Protocol where the Entity is authenticated using its current key pair.

3.3 Rekey after Revocation

The Certification Authority or RA must re-authenticate the entity in the same manner as for initial registration when there is a known or suspected compromise of an entity's private key.

80. The Certification Authority or RA must verify any change in the information contained in a certificate, via the Sponsor where applicable, before an updated certificate is issued.

3.4 Revocation Request

81. No stipulation.

