4 Operational Requirements
4.1 - 4.3 Application and Issuance of a Certificate
79. The Certification Authority must ensure that all procedures and requirements with respect to an application for a certificate are set out in its CPS.
80. Only authorised Sponsors (i.e. such persons authorised by both the organisation and the CA) may make bulk applications on behalf of prospective Subscribers.
81. CAs, or RAs on their behalf, must ensure that each application for a certificate is accompanied by:
- Sponsor authorisation for the certificate to be issued. This will include any use of a departmental identifier in the name or alternate name fields, and authorisation for any requested certificate attributes; and
- In the case of a Passport certificate, an acknowledgement by the Subscriber of the terms and conditions governing their use of the keys and certificate.
4.4 Certificate Suspension & Revocation
82. The Subscriber, the Sponsor or the CA may initiate a Certificate revocation.
83. A certificate should be revoked:
- if any of the information in the certificate is no longer true; or
- if the Subscriber is no longer associated with their Sponsor; or
- if the private key or the media holding the private key is lost, stolen or compromised; or
- if the Subscriber disregards any of the obligations set out in their agreement with the CA; or
- at the request of the Sponsor.
84. The Certification Authority must:
- publish the revocation in the appropriate CRL and make it available via OCSP until after the certificate's expiry date;
- ensure an up-to-date CRL is issued at least every eight (8) hours every day of the year (including public holidays);
- ensure the validity period for OCSP responses does not exceed eight (8) hours;
- have the capability to update and issue an appropriate CRL immediately, for instance in the case of suspected compromise of a Subscriber's private key.
85. The Subscriber must notify their CA as soon as possible if their private key is lost or possibly compromised.
86. The Certification Authority must notify the S.E.E. Steering Group immediately if a CA certificate-signing key is compromised or possibly compromised.
87. A Relying Party must check all the certificates in the validation chain for authenticity and integrity (by checking the digital signature) and validity (against the CA's OCSP service or the applicable CRLs) BEFORE relying on the certificate. The digital signature of each CRL or OCSP response must be checked as part of this process.
88. The Certification Authority should ensure that all procedures and requirements with respect to the revocation of a certificate are set out in their CPS.
4.5 System Security Audit Procedures
89. The Certification Authority must perform periodic vulnerability assessments, where their system is connected to a shared or public network, to ensure resilience to network attack.
90. The vulnerability assessment should take into account any alerts or irregularities in network traffic noticed in the audit logs.
91. The Certification Authority should:
- record all events relating to their security in audit log files;
- ensure all logs, whether electronic or manual, contain the date and time of the event, and the identity of the entity which caused the event;
- review their audit logs at least once every working day.
4.6 Records Archival
92. No stipulation.
4.7 Key Changeover
93. S.E.E. Key certificates must have an expiry date of no longer than THIRTEEN months after the issue date.
94. A new key pair must be generated for the replacement certificate if the existing key pair has been in use for FOUR years or more (i.e. key lifetime period must be no more than FIVE years).
4.8 Compromise and Disaster Recovery
95. The Certification Authority must:
- ensure that their CPS, and any Subscriber agreements, contain provisions outlining the means they will use to provide notice of compromise or suspected compromise;
- have business continuity procedures that outline the steps to be taken in the event of the corruption or loss of computing resources, software and/or data.
96. The Certification Authority should have a disaster recovery plan that outlines the steps to be taken to re-establish a secure facility and CA services in the event of a natural or other type of disaster.
4.9 CA Termination
97. The Certification Authority must:
- notify its Subscribers and the S.E.E. Steering Group immediately in the event that a CA ceases operation or changes ownership;
- ensure arrangements are in place so that the CA's and Subscriber's keys are protected and available in accordance with this Policy.

