1 Introduction
Within this section:
- 1.1 Overview
- 1.2 Identification
- 1.3 Community and Applicability
- 1.4 Contact Details
1. This policy statement defines the requirements for the management of cryptographic public key pairs and X.509 public key certificates used for user or device authentication within the New Zealand Government. Excluded from this document are the requirements for certificates and keys used for encryption (privacy and confidentiality services) or for digital signatures (i.e., proof after the fact or by a third person). This policy is also specifically aimed at the authentication of government employees of government departments and agencies, not of the general public or private business.
1.1 Overview
2. The management authority for the S.E.E. Key public key infrastructure is the S.E.E. Steering Group (SG). As such, the S.E.E. Steering Group is the controlling authority for this document.
3. This Policy is for key pairs and certificates that support authentication services such as single sign-on, virtual private networks and remote access. The security practices and mechanisms defined in it are appropriate for certificates and keys used to identify and authenticate entities passing, holding, processing or accessing information classified up to and including SENSITIVE or RESTRICTED. Without additional measures it is not suitable for use with information classified CONFIDENTIAL and above.
1.2 Identification
4. The alphanumeric Object Identifier (OID) of the Policy is SEEKey_1_0. The full numeric OID is 2.16.554.101.2.1.1.
The policy is further specified by adding a suffix of Passport (.1) for Passport certificates, BusinessCard (.2) for Business Card certificates or AssociateCard (.3) for Associate Card certificates.
For example, the alphanumeric OID for a Business Card style certificate is BusinessCard, and the full numeric OID is JointISO(2).Country(16).NZ(554).Govt(101).SSC(2).CertificatePolicy(1).SEEKey_1_0(1).BusinessCard(2).
| Certificate | alphanumeric OID | numeric OID |
| --- | --- | --- |
| Passport | Passport | 2.16.554.101.2.1.1.1 |
| Business Card | BusinessCard | 2.16.554.101.2.1.1.2 |
| Associate Card | AssociateCard | 2.16.554.101.2.1.1.3 |
These OIDs are not formally registered.
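The policy OIDs above are what a relying party finds, DER-encoded, in a certificate's certificatePolicies extension. The following is an added example, not part of the Certificate Policy: it encodes the dotted OIDs from this section into their DER form (X.690 rules), decodes such a value back, and maps it to the Passport, BusinessCard or AssociateCard variant, returning None for any OID outside the SEEKey_1_0 arc so that a policy check cannot be satisfied by an unrelated or truncated OID. The function names are my own and the encoded bytes in the comments are derived from the arc given above.

```python
# Added example for section 1.2: SEEKey_1_0 policy OIDs in DER, and a
# relying-party check that maps a decoded OID to its certificate variant.
# All names here are the example's own, not from the S.E.E. PKI documents.

SEEKEY_BASE = "2.16.554.101.2.1.1"  # SEEKey_1_0 arc as given in section 1.2
SEEKEY_VARIANTS = {1: "Passport", 2: "BusinessCard", 3: "AssociateCard"}


def policy_oid(variant):
    """Return the full numeric OID for a variant name such as 'BusinessCard'."""
    for suffix, name in SEEKEY_VARIANTS.items():
        if name == variant:
            return f"{SEEKEY_BASE}.{suffix}"
    raise ValueError(f"unknown SEEKey variant: {variant}")


def _base128(n):
    """Big-endian base-128 digits with continuation bits (X.690 clause 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_encode_oid(dotted):
    """DER-encode a dotted OID string as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    # The first two arcs are packed into one subidentifier: 40*arc1 + arc2.
    content = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _base128(arc)
    if len(content) > 127:
        raise ValueError("long-form length not needed for these OIDs")
    return bytes([0x06, len(content)]) + content


def der_decode_oid(tlv):
    """Decode a DER OBJECT IDENTIFIER TLV to dotted form; rejects malformed input."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] > 127 or len(tlv) != 2 + tlv[1]:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    content = tlv[2:]
    arcs, value = [], 0
    for i, b in enumerate(content):
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:  # continuation bit set: more digits follow
            if i == len(content) - 1:
                raise ValueError("truncated subidentifier")
            continue
        if not arcs:
            first = min(value // 40, 2)  # first arc is at most 2 (joint-iso-itu-t)
            arcs.extend([first, value - first * 40])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def classify_policy(dotted):
    """Map a policy OID to 'Passport', 'BusinessCard' or 'AssociateCard'.

    Returns None for the bare SEEKey_1_0 arc, for unknown suffixes, and for
    any OID outside the arc, so a relying party only accepts the three
    variants this Policy defines.
    """
    prefix = SEEKEY_BASE + "."
    if not dotted.startswith(prefix):
        return None
    rest = dotted[len(prefix):]
    if not rest.isdigit():
        return None
    return SEEKEY_VARIANTS.get(int(rest))


if __name__ == "__main__":
    # 2.16.554.101.2.1.1.2 encodes as 06 08 60 84 2a 65 02 01 01 02
    tlv = der_encode_oid(policy_oid("BusinessCard"))
    print(tlv.hex(), "->", der_decode_oid(tlv), "->", classify_policy(der_decode_oid(tlv)))
```

A relying party would apply classify_policy to every policy OID decoded from the certificatePolicies extension and reject the certificate if none of them maps to a variant it is prepared to accept for the service in question; the encoder is there so the expected byte strings can be compared directly against what a certificate parser reports.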
1.3 Community and Applicability
5. The definition of a Certification Authority (CA) under this Policy is a party that will:
- create and sign digital certificates binding Subscribers with the public component of their asymmetric cryptographic key pairs;
- promulgate certificate status through Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP); and
- enforce the requirements of the Certificate Policy within the entities it has issued certificates for (i.e., CA staff, Registration Authorities, and Subscribers).
6. This Policy covers three variations of authentication certificates, Business Card, Passport, and Associate Card:
- Business Card certificates are tied to a specific sponsoring agency and/or role and include those details in the DN. The certificate implies that the individual represents the named organisation.
- Passport certificates are based on the individual's identity and do not include organisational descriptors.
- Associate Card certificates reflect an external individual's relationship with a S.E.E. Agency without implying they represent the agency in any way.
The three variations are differentiated by the certificate subjectName Distinguished Name (DN) conventions defined in Section 3.1 as well as by Policy OID as defined in Section 1.2.
The S.E.E. Steering Group may accredit a CA for one or more of these certificate variations.
7. The Certification Authority must:
- ensure any CA public key approved for S.E.E. PKI use is only used to issue certificates under the certificate policies approved for S.E.E. PKI (i.e. the CA must not issue lower assurance certificates with that particular CA key). The exception to this rule is if the organisation name in the O field of the DN is prefixed with a mutually agreed string, e.g. "Associate registered by " to support Associate Card style certificates (see section 3 below);
- have at least one CRL repository associated with them;
- provide a web site for Subscriber and Relying Party access to the documents that define their rights and responsibilities.
8. The CA should provide an OCSP service.
9. The Certification Authority may:
- create Subscriber key pairs;
- issue, recognise or support any number of certificate policies as long as the requirements of one do not affect compliance to the requirements of another, i.e. a CA issuing certificates under this Policy is not limited to only this Policy.
10. Registration Agents (RAs) - also called Local Registration Authorities (LRAs) or Organisation RAs (ORAs) - are responsible for administration of Subscribers on behalf of a CA. The RA is an agent of the CA. An RA may act as an agent for more than one CA or public key infrastructure.
11. Certificates must only be issued after authorisation from an authorised Sponsor.
12. The Sponsor must have the right to authorise certificates under that domain and organisation name (e.g. @ssc.govt.nz and O=State Service Commission), as an agent of the department or agency.
13. The Sponsor role may be performed by the same person or group as the RA role.
1.4 Contact Details
The S.E.E. PKI Project Team developed this document as part of the State Services Commission's E-government initiative. The policy management authority is the S.E.E. Steering Group. The contact person is the S.E.E. Project Manager, who can be contacted at pki@security.govt.nz.