Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » S.E.E. PKI: Paper 10 - Guidelines for Agencies Choosing a CA » 3 Contract Issues to be Considered

3 Contract Issues to be Considered

3.1.1 It is recommended that any agency entering a contract for S.E.E. Key services with a CA, considers the following issues in the contract:

3.2 Certificate Policy (CP)

3.2.1 The core component of the S.E.E Key is the Certificate Policy (CP). Both parties should be fully aware of the Certificate Policy's requirements.

3.2.2 The S.E.E. Key CP is governed by the S.E.E. Steering Group.

3.3 Certificate Practice Statement (CPS)

3.3.1 The Certificate Practice Statement (CPS) is written by the CA, and may vary in some ways from the CP. The CA will be able to provide you with a comparison of their CPS with the S.E.E. Key CP. The CPS will probably form the basis of your agreement with the CA, so you should seek to understand it in its entirety.

3.4 Scope of S.E.E. Key

3.4.1 The scope of S.E.E. Key is the authentication of public servants to web based applications, and therefore specifically excludes digital signature, and use outside of government.

3.4.2 Individual S.E.E Key enabled applications authenticating users outside of government may be configured to trust other CAs in addition to the S.E.E. Accredited CAs. For example the health sector applications may be configured to trust both S.E.E. CAs and the HealthCert CA.

3.5 Testing of CA certificates

3.5.1 Prior to accreditation, CAs are required to offer a selection of S.E.E. Key application owners the opportunity to test the proposed certificates with their application. The S.E.E. Key application owner will need to perform this test in a timely manner.

3.5.2 All S.E.E. Key application owners will be informed of newly accredited CAs and asked to configure their application to trust certificates issued from this new CA.

3.6 Withdrawal of CA accreditation

3.6.1 The S.E.E. Steering Group reserves the right to withdraw CA accreditation at any time. This would be an unusual event; typically after dispute resolution had failed. In such a situation, the agency must:

  • Cease purchasing from the CA by a date specified by the S.E.E. Steering Group - the agency must consider this in any bulk purchase or commitment to purchase arrangements.

  • Replace certificates with those from another accredited CA by a date specified by the S.E.E. Steering Group.

  • Remove the CA's certificates from trust lists of S.E.E. Key enabled applications on a date specified by the S.E.E. Steering Group.

3.6.2 Note that migration from one CA to another would be expensive, time consuming and potentially disruptive to business.

3.6.3 Consider who (CA or agency) will bear the costs of S.E.E. Key replacement, revocation, and any initial agency registration charge.

3.6.4 Consider any additional costs for other system re-integration.


[ Previous | Next ]