3 Identification and Authentication
3.1 Initial Registration
57. Business Card and Associate Card certificates must include an Organisation name in the Distinguished Name
58. The CA must get authorisation from the organisation to produce each certificate it produces with that organisation's name in the Distinguished Name. Authorisation shall be from the chief executive or a company director, or a Sponsor explicitly delegated by them for the management of digital certificates issued under the organisation's name.
59. The CA's registration process must be sufficiently rigorous that:
for Business Card style certificates,
- an individual can be issued with a S.E.E. Key only in the name by which they are usually called within the Sponsor's organisation. For devices, the certificate must include the name of the device administrator, the business unit, or the primary business function the device is used for;
- the S.E.E. Key may only be stamped with the name of the organisation which employs or manages the End-entity identified in the certificate; and
- the email address in the certificate uses an Internet domain registered to the organisation.
for Associate Card style certificates,
- an individual can be issued with a S.E.E. Key only in the name by which they are known to the Sponsor's organisation. For devices, the certificate must include the name of the device administrator, the business unit, or the primary business function the device is used for;
- the S.E.E. Key may only be stamped with the name of the Sponsor's organisation; and
- the email address is reliable and approved by the individual, e.g. this should be tested by sending an email to the address and requesting a reply confirming the validity of the application.
for Passport style certificates,
- the registration process must be at least as rigorous as the Australian GateKeeper Project 100 point system; and
- the email address is reliable and approved by the individual, e.g. this should be tested by sending an email to the address and requesting a reply confirming the validity of the application.
60. Each PKI Entity (e.g. CA, RA, Subscriber or device) must have a clearly distinguishable and unique Distinguished Name (DN) in the certificate subjectName field as defined in the IETF PKIX Certificate and CRL Profile.
61. End-entity DNs must:
- be in the form of an X.501 or UTF-8 PRINTABLESTRING;
- either have an association with the authenticated name of the Subscriber or reflect the organisation or organisational unit; and
- be unique for all End-Entities of a CA.
62. Additional numbers or letters may be appended to the commonName to ensure the Relative DN's uniqueness.
63. The DN should include an e-mail address.
64. The Subscriber's commonName field should reflect their preferred name, e.g. Les Battersby rather than Lesley Battersby, or, in the case of a server certificate, its DNS address rather than its IP address.
65. The DN structure for a Business Card certificate shall be:
C=country, S=state, L=location, O=organisation, OU=optional organisation unit, CN=common name, E=e-mail address

| Recommended DN structure | C=country S=state L=location O=organisation OU=organisation unit (optional) CN=common name E=e-mail address |
| Business Card DN for Andy Bucket in the Ministry of Water | C=NZ S=- L=- O=Ministry of Water OU=Drains CN=Andy Bucket |
| Business Card DN for the Ministry of Water's Web site | C=NZ S=- L=- O=Ministry of Water OU=Drains CN=www.minwater.govt.nz |
66. Passport and Associate Card certificates differ from the Business Card style certificate only in the ORGANISATION (O=) field of the Distinguished Name.
67. For Passport certificates the Organisation field must be left blank.
68. For Associate Card certificates, the Organisation field must contain mutually agreed text significantly differentiating the certificate from a Business Card certificate. The recommended text is "Associate registered by <agency name>", e.g. O=Associate registered by The Treasury. In this example, Sponsor authorisation by The Treasury would be required before this Associate Card certificate could be issued.
69. The CA must not require any additional fields.
70. The CA and the agency may include additional fields in the DN, at their joint discretion.
71. Where an alternative type of name form is required in the certificate the SUBJECTALTERNATENAME field may also be used. This usage must be in accordance with PKIX Part 1.
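As an added illustration (not part of the policy text or any CA's software), the following Python applies rules 57, 59, 61, 67 and 68 to DNs written in the space-separated form used in the table above: it derives the certificate style from the Organisation field and lists policy findings for a Business Card DN. The mapping of organisations to registered e-mail domains and the sample DNs are constructed assumptions.

```python
import re
from typing import Dict, List

# Attribute types in the policy's Business Card DN structure (rule 65).
ATTRS = ("C", "S", "L", "O", "OU", "CN", "E")
# Recommended Organisation text for Associate Card certificates (rule 68).
ASSOCIATE_PREFIX = "Associate registered by "

# Constructed example: Internet domains registered to the sponsoring
# organisation (rule 59, Business Card e-mail rule). Not from the policy.
REGISTERED_DOMAINS = {"Ministry of Water": {"minwater.govt.nz"}}

def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a space-separated DN such as 'C=NZ S=- L=- O=Ministry of Water CN=Andy Bucket'.
    A value of '-' is treated as blank, as in the policy's own examples."""
    parts = re.split(r"\s+(?=(?:C|S|L|O|OU|CN|E)=)", dn.strip())
    attrs = {}
    for part in parts:
        key, _, value = part.partition("=")
        if key not in ATTRS:
            raise ValueError(f"unexpected attribute type {key!r} in DN")
        attrs[key] = "" if value.strip() == "-" else value.strip()
    return attrs

def classify(dn: str) -> str:
    """Derive the certificate style from the Organisation field (rules 66 to 68)."""
    org = parse_dn(dn).get("O", "")
    if org == "":
        return "Passport"          # rule 67: O must be left blank
    if org.startswith(ASSOCIATE_PREFIX) and len(org) > len(ASSOCIATE_PREFIX):
        return "Associate Card"    # rule 68: O carries the differentiating text
    return "Business Card"

def check_business_card(dn: str, issued: List[str]) -> List[str]:
    """Return policy findings for a Business Card DN; an empty list means it passes."""
    attrs = parse_dn(dn)
    findings = []
    if not attrs.get("O"):
        findings.append("rule 57: Organisation name is required")
    if not attrs.get("CN"):
        findings.append("rule 61: commonName is missing")
    if dn in issued:
        findings.append("rule 61: DN is not unique within this CA")
    email = attrs.get("E", "")
    if email:
        domain = email.rpartition("@")[2].lower()
        if domain not in REGISTERED_DOMAINS.get(attrs.get("O", ""), set()):
            findings.append(f"rule 59: e-mail domain {domain!r} not registered to {attrs.get('O')!r}")
    return findings
```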
72. Respective identities must be confirmed prior to the exchange of a public or private key or the issuance of a certificate:
- for Passport style certificates, the Certification Authority/RA and the Subscriber must confirm their respective identities;
- for Business Card and Associate Card style certificates, the Certification Authority/RA and the Sponsor must confirm their respective identities.
73. The appropriate mechanisms for confirming respective identities are:
- in person;
- through the use of a shared secret (e.g. secret key or password); or
- through the use of pre-positioned asymmetric key pairs.
74. The key transfer protocol described in the PKIX Certificate Management Protocol is suitable for the above tasks.
3.2 Authentication for Routine Rekey
75. The Certification Authority or RA must authenticate all requests by Subscribers and Sponsors for issuance of new certificates and key pairs, and subsequent responses.
76. This authentication may be done by an online method in accordance with the PKIX Certificate Management Protocol where the Entity is authenticated using its current key pair.
3.3 Rekey after Revocation
The Certification Authority or RA must re-authenticate the entity in the same manner as for initial registration when there is a known or suspected compromise of an entity's private key.
77. The Certification Authority/RA must verify any change in the information contained in a certificate - via the Sponsor where applicable - before an updated certificate is issued.
3.4 Revocation Request
No stipulation.