S.E.E. PKI Certificate Policy Version 2.0

2 General provisions

2.1 Obligations

CA and RA Obligations

29. CAs and RAs must operate in accordance with their Certification Practice Statement (CPS), the current version of this Policy, and the laws of New Zealand when issuing and managing the certificates and keys provided to S.E.E. Key RAs and Subscribers.

CA Obligations

30. The Certification Authority must

  • Ensure that RAs, Sponsors and Subscribers are aware of their rights and obligations with respect to the operation and management of keys, certificates and cryptographic modules.

  • Ensure any CA public key approved for S.E.E. PKI use is only used to issue certificates compliant with the certificate policies approved for S.E.E. PKI (i.e. the CA must not issue lower assurance certificates with that particular CA key).

  • Verify in writing that they comply with this Policy and from time to time conduct compliance audits if requested to do so by the S.E.E. Steering Group. Such compliance audits will be conducted at the CA's cost;

  • Have mechanisms and procedures to ensure that their RAs, Sponsors or End-users, issued with a SEEKEY, have also agreed to abide by this Policy;

  • Have at least one CRL repository associated with them;

  • Make the CRLs and OCSP services they manage available to Subscribers and Relying Parties in accordance with Operational Requirements (Section 4).

  • Provide a web site for Subscriber and Relying Party access to the documents that define their rights and responsibilities.

  • Provide any Sponsor with a list of all certificates issued using its name within one working day of request, including the status of each certificate, the certificate's subjectName, and its expiry date.

  • Ensure that the procedures for the expiration, revocation and re-issuance of their certificates conform to this Policy and are expressly stated in their CPSs and any Subscriber agreements or policies.

  • Ensure that when they revoke a certificate all relevant CRL and OCSP servers are updated and published within one working day of notification.

31. The Certification Authority should provide an OCSP service.

32. The Certification Authority may

  • Create Subscriber key pairs.

  • Issue, recognise or support any number of certificate policies as long as the requirements of one do not affect compliance with the requirements of another, i.e. a CA issuing certificates under this Policy is not limited to only this Policy.

Sponsor Obligations

33. The Sponsor must

  • Ensure that any information submitted to a CA/RA when applying, updating or requesting revocation of a certificate is complete and accurate.

  • Only request BUSINESS CARD and ASSOCIATE certificates with organisation names for which they are authorised to act.

  • Only request BUSINESS CARD certificates with Internet domain names (e.g. in e-mail addresses and URLs) that are in the control of the organisation name requested.

  • Notify the CA / RA when an End-entity certificate is no longer required or if they suspect private key compromise.

Subscriber Obligations

34. The Subscriber must

  • Ensure that any information submitted to a CA / RA / Sponsor when applying, updating or requesting revocation of a certificate is complete and accurate.

  • Protect their private keys and key tokens (if applicable) in accordance with Section 6, and take all reasonable measures to prevent their loss, disclosure, modification, or unauthorised use.

  • Notify their Sponsor as soon as possible if they suspect private key compromise.

2.2 Liability

35. Accreditation of or the issue of certificates by a CA in relation to S.E.E. Key does not permit or authorise under any circumstances the CA to conduct business transactions or otherwise act on behalf of the organisation using the certificates or the New Zealand government.

36. A Relying Party must not assume that a subscriber has any authority to conduct business transactions or otherwise act on behalf of the subscriber's organisation based solely on the fact that the subscriber has a certificate.

37. A Relying Party must consider the differences among Certificate Types, as specified in the SEEKEY Certificate Table, and assign a level of trust consistent with business purpose.

2.3 Financial Responsibility

38. No stipulation.

2.4 Interpretation and Enforcement

39. New Zealand law must govern certificates issued under this policy.

Dispute Resolution - Escalation, Arbitration

Principles

40. The parties must use their best efforts to resolve any dispute that may arise under the Accreditation Process through good faith negotiations.

41. The parties acknowledge their desire that any irreconcilable dispute or difference shall be resolved by mediation. This is without prejudice to any other right or entitlement that they may have. The rules governing any mediation shall be agreed between the Parties. The Parties agree to the assistance of LEADR (Lawyers involved in Alternative Dispute Resolution) to set the terms of reference for any such mediation and/or to procure mediation at equal cost to the parties or on such other terms as the Parties agree.

Process

42. If an irreconcilable dispute or difference arises between any two parties, either party may request that the dispute be submitted for mediation within 14 days by way of written notice by one party to the other.

43. However where an irreconcilable dispute or difference arises between the Applicant and the S.E.E. Manager as a result of an application for Accreditation by a supplier, or from the Accreditation Process, the dispute shall first be referred to the S.E.E. Steering Group for discussion and resolution.

44. If an irreconcilable dispute or difference is not submitted for mediation within 14 days of written notice by one party to the other, or resolved by mediation, either party may by way of 14 days written notice to the other require the matter to be determined by the arbitration of a single arbitrator in accordance with the provisions of the Arbitration Act 1996 (as amended by this Agreement).

The arbitrator shall be appointed by the parties or, failing agreement within five Working Days of such notice, appointed as soon as possible by the President of the New Zealand Law Society at the request of either party. The arbitration shall be conducted as soon as possible at Wellington.

The parties shall continue to perform their obligations as far as possible as if no dispute had arisen pending the final settlement of any matter referred to mediation or arbitration.

Nothing in this section shall preclude either party from taking immediate steps to seek urgent interlocutory relief before a New Zealand Court.

2.5 Fees

45. No stipulation.

2.6 Publication & Repository

46. The Certification Authority must

  • Ensure that all NZ Government Relying Parties have access to current CRLs and OCSP services from the locations, and via the protocols, specified in its certificates' cRLDistributionPoint and authorityInfoAccess fields;

  • Ensure that the cRLDistributionPoint and authorityInfoAccess fields in its certificates specify CRL and OCSP locations that are accessible via the Internet over LDAP and/or HTTP;

  • Publish a copy of this Policy and a public version of its CPS on its web site.
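The requirement in paragraph 46 is mechanically checkable against an issued certificate. The following Go program is an added example, not part of this Policy or of any accredited CA's tooling: it reads the cRLDistributionPoint and authorityInfoAccess (OCSP) locations from a parsed certificate and reports any that are missing or not Internet http/ldap URLs; the certificate it builds is a self-signed throwaway and the hostnames in it are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// CheckRepositoryLocations applies paragraph 46 to one parsed certificate: at least
// one cRLDistributionPoint must be present, and every CRL and OCSP (authorityInfoAccess)
// location must be a host-bearing http or ldap URL. One finding per violation; empty = pass.
func CheckRepositoryLocations(cert *x509.Certificate) []string {
	var findings []string
	if len(cert.CRLDistributionPoints) == 0 {
		findings = append(findings, "no cRLDistributionPoint present")
	}
	check := func(field, raw string) {
		u, err := url.Parse(raw) // url.Parse lowercases the scheme, so "HTTP://" also passes
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "ldap") {
			findings = append(findings, field+": "+raw+" is not an Internet http or ldap URL")
		}
	}
	for _, dp := range cert.CRLDistributionPoints {
		check("cRLDistributionPoint", dp)
	}
	for _, ocsp := range cert.OCSPServer {
		check("authorityInfoAccess/OCSP", ocsp)
	}
	return findings
}

// ConstructedCert self-signs a throwaway certificate carrying the given locations (constructed, not S.E.E. endpoints).
func ConstructedCert(crlDPs, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: crlDPs, OCSPServer: ocsp}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run against a real issued certificate by replacing ConstructedCert with x509.ParseCertificate over the DER bytes; a non-empty result is a paragraph 46 non-compliance to raise with the CA.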

2.7 Compliance Audit

47. The CA will be required to

  • Provide resources for the accreditation/audit process;

  • Pay all costs incurred in their accreditation/audit.

48. The Certification Authority must

  • Notify the S.E.E. Steering Group prior to making any substantive change to their operations that could affect the likelihood of being successfully re-accredited;

  • Provide a full CPS when necessary for the purposes of any audit or accreditation.

Periods of Notice

49. The following periods of notice will apply to the Accreditation/Audit Process.

(a) The S.E.E. Steering Group will give Applicants five (5) working days notice of termination of the Accreditation/Audit Process.

(b) Applicants will give the S.E.E. Steering Group five (5) working days notice of their intention to withdraw from the Accreditation/Audit Process.

(c) The S.E.E. Steering Group will give Applicants and Accredited Suppliers

  • Fourteen (14) days notice of changes or variations to the Accreditation/Audit process

  • Fourteen (14) days notice of changes or variations to its requirements.

(d) Applicants or Accredited Suppliers will give notice by e-mail, to the S.E.E. Steering Group. The period of notice will commence from the time of acceptance of that notice by the S.E.E. Steering Group. Acceptance will be notified by return e-mail to the person(s) who is authorised by the Applicant or Accredited Supplier to act on behalf of their organisation for the purposes of the Accreditation Process.

(e) The S.E.E. Steering Group will give notice by e-mail to the person(s) who is authorised by the Applicant or Accredited Supplier to act on behalf of their organisation for the purposes of the Accreditation Process. The period of notice will commence at the time of dispatch of the e-mail.

The S.E.E. Steering Group reserves the right to amend the Accreditation or Audit Process, its requirements and/or this Document and to make any changes whatsoever, including cancelling the Accreditation Process and the S.E.E. project itself. Applicants and Accredited Suppliers will be notified of any changes to the requirements in accordance with the notice provisions detailed in this document.

Accreditation

50. The Certification Authority must have been accredited by the S.E.E. Steering Group BEFORE it can issue any S.E.E. PKI certificate.

51. The Certification Authority is eligible for accreditation if it provides a statement of compliance with this Certificate Policy and has either

  • undergone an independent audit (evidence of audit) deemed acceptable by the S.E.E. Steering Group; or

  • been accredited to another scheme approved by the S.E.E. Steering Group (third party accreditation); or

  • been accredited to another scheme approved by the S.E.E. Steering Group, and the differences between that scheme's CP and the S.E.E. CP have undergone an independent audit (audit to S.E.E. PKI CP).

52. At the time of application for accreditation, the Certification Authority must provide the S.E.E. Steering Group with

  • A copy of the CA's most recent audited annual report

  • The CA's proposed Certificate Practice Statement (CPS)

  • A formal comparison of the CPS with the S.E.E. Key CP (this document)

  • A letter indicating whether the proposed CA matches the requirements of the S.E.E. Key CP, indicating any potentially controversial areas of compliance

  • Any certificate of accreditation from another body

  • Access to relevant audit reports of CA operations

  • Access to CA operations centres where requested

53. The S.E.E. Steering Group reserves the right to accept or decline any application for accreditation received.

54. The formal comparison of the CPS with the S.E.E. Key CP must

  • Compare the documents on a paragraph-by-paragraph basis

  • Mark each paragraph with either "Pass" or "Fail" in each case.

  • For each paragraph where your proposal satisfies S.E.E. Key needs but there is not an accurate match of policies between the CP and CPS, complete the sentence "Meets because..."

  • Mark each paragraph as to whether compliance has been audited by an independent auditor.

55. During the accreditation process the Certification Authority must make available, on request, CRL and OCSP services and FOUR (4) digital certificates to each of up to FIVE (5) S.E.E. application owners selected by the S.E.E. Steering Group to test the proposed certificates with their applications.

56. The S.E.E. Steering Group may accredit the CA on completion of the accreditation process and verification that the CA satisfies other local conditions. Accreditation will be at the discretion of the S.E.E. Steering Group and may be withdrawn at any time.

Withdrawal of accreditation

57. In the event that the S.E.E. Manager is considering withdrawal of S.E.E. Key accreditation, the following process will be used.

58. The S.E.E. Manager will send the Certification Authority an e-mail notice that they intend to recommend withdrawal of S.E.E. Key accreditation.

59. The e-mail will include

  • The reason for the withdrawal of accreditation;

  • The withdrawal of accreditation process;

  • The contact details of the S.E.E. Steering Group chair;

  • The contact details of the S.E.E. Manager.

60. The Certification Authority will have 14 days to resolve the matter to the satisfaction of the S.E.E. Manager.

61. If after 14 days, the S.E.E. Manager still considers withdrawal of S.E.E. Key accreditation necessary, the S.E.E. Manager will recommend to the S.E.E. Steering Group that accreditation should be withdrawn.

62. The S.E.E. Manager will invite the Certification Authority to present any counter argument to the S.E.E. Steering Group. The CA will be required to present its case in writing within 7 days of the invitation. The CA may also request to be heard orally by the S.E.E. Steering Group.

63. The S.E.E. Steering Group's decision will be final.

64. In the event that accreditation is withdrawn

  • The Certification Authority must offer Sponsors, or in the case of PASSPORT certificates, the Individual, the choice of either the destruction or the return of all backed up or escrowed private keys managed by the CA. All costs associated with return or destruction of private keys will be met by the CA.

  • The Certification Authority must continue to provide certificate status checking, and certificate revocation services as per this document, for a period of one year unless agreed otherwise between the S.E.E. Manager and the CA.

  • The Certification Authority must not continue to sell or issue S.E.E. branded certificates.

Audit

65. The Certification Authority must demonstrate a commitment to ongoing audit of CA operations.

66. The results of the audit must be provided to the S.E.E. Steering Group as soon as practicable and at no cost.

67. The S.E.E. Steering Group may require that the Certification Authority be audited

  • Prior to initial approval by the S.E.E. Steering Group;

  • Upon breach of any part of the S.E.E. Certificate Policy

2.8 Confidentiality of Information

68. Private keys must be protected in accordance with Technical Security Controls (Section 6).

69. The Subscriber must protect his or her private key from disclosure to any other party, unless required by law.

70. No party shall make backups of a Subscriber or Sponsor's private keys without the prior consent of the Subscriber or Sponsor. Backups of private keys shall not be made available to any party other than the Subscriber or Sponsor without the prior consent of the Subscriber or Sponsor, unless required by law.

71. The Certification Authority must ensure

  • Information collected is only used for digital certificate management purposes;

  • It complies with the Privacy Act of New Zealand 1993.

2.9 Intellectual Property Rights

72. No stipulation.
