ETSI 101 456-3

In response to ETSI 101 456 sub section 7.4.10, important records are protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory requirements, as well as to support essential business activities, and the Digi-CA™ ensures that the requirements of the European data protection Directive, as implemented through national legislation, are met. Appropriate technical and organizational measures are taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The information that users contribute to the Digi-CA™ is completely protected from disclosure without the user's agreement, a court order or other legal authorization.

In response to ETSI 101 456 sub section 7.4.11, the Digi-CA™ ensures that all relevant information concerning a qualified certificate is recorded for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. The confidentiality and integrity of current and archived records concerning qualified certificates are maintained, and records concerning qualified certificates are completely and confidentially archived in accordance with disclosed business practices. Records concerning qualified certificates are made available if required for the purposes of providing evidence of certification for the purpose of legal proceedings. The subject, and within the constraints of data protection requirements the subscriber, have access to registration and other information relating to the subject. The precise time of significant Digi-CA™ environmental, key management and certificate management events is recorded, and records concerning qualified certificates are held for a period of time as appropriate for providing necessary legal evidence in support of electronic signatures.

The events are logged in such a way that they cannot be easily deleted or destroyed (except for transfer to long term media) within the period of time that they are required to be held, and the Digi-CA™ documents the specific events and data to be logged. The Digi-CA™ ensures that all events relating to registration, including requests for certificate re-key or renewal, are logged. The Digi-CA™ ensures that all registration information is recorded, such as: the type of document(s) presented by the applicant to support registration; a record of unique identification data, numbers, or a combination thereof (e.g. applicant's driver's license number) of identification documents, if applicable; the storage location of copies of applications and identification documents, including the signed subscriber agreement; any specific choices in the subscriber agreement (e.g. consent to publication of certificate); the identity of the entity accepting the application; the method used to validate identification documents, if any; and the name of the receiving Digi-CA™ and/or submitting Registration Authority, if applicable.

The Digi-CA™ ensures that privacy of subject information is maintained. The Digi-CA™ logs all events relating to the life cycle of Digi-CA™ keys, the life cycle of certificates, the life cycle of keys managed by the Digi-CA™, including any subject keys generated by the Digi-CA™, and the preparation of SSCDs, and ensures that all requests and reports relating to revocation, as well as the resulting action, are logged.

In response to ETSI 101 456 sub section 7.5 policies and procedures under which the Digi-CA™ operates are non-discriminatory. The Digi-CA™ makes its services accessible to all applicants whose activities fall within its declared field of operation. The Digi-CA™ is a legal entity according to national law and has a system or systems for quality and information security management appropriate for the certification services it is providing. The Digi-CA™ has adequate arrangements to cover liabilities arising from its operations and/or activities and financial stability and resources required to operate in conformity with this policy. The Digi-CA™ employs a sufficient number of personnel having the necessary education, training, technical knowledge and experience relating to the type, range and volume of work necessary to provide certification services. The Digi-CA™ has policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of electronic trust services or any other related matters and a properly documented agreement and contractual relationship in place where the provisioning of services involves subcontracting, outsourcing or other third party arrangements. The parts of the Digi-CA™ concerned with certificate generation and revocation management are independent of other organizations for its decisions relating to the establishing, provisioning and maintaining and suspending of services; in particular its senior executive, senior staff and staff in trusted roles, must be free from any commercial, financial and other pressures which might adversely influence trust in the services it provides. The parts of the Digi-CA™ concerned with certificate generation and revocation management have a documented structure which safeguards impartiality of operations.

In response to ETSI 101 456 sub section 8.1, the Digi-CAST3™ Team will help you ensure that:

    a) There shall be a body (e.g. a policy management authority) with final authority and responsibility for specifying and approving the qualified certificate policy.

    b) A risk assessment is carried out to evaluate business requirements and determine the security requirements to be included in the qualified certificate policy for all the areas identified above.

    c) All the Certificate Policy documents are approved and modified in accordance with a defined review process, including responsibilities for maintaining the qualified certificate policy.

    d) A defined review process exists to ensure that the qualified certificate policies are supported by the Digi-Certificate Practice Statement™.

    e) The Digi-CA™ Xg Trust Centre makes available the qualified certificate policies supported by the Digi-CA™ to all appropriate subscribers and relying parties.

    f) Revisions to qualified certificate policies supported by the Digi-CA™ are made available to subscribers and relying parties.

    g) The qualified certificate policy incorporates all the requirements of Clauses 6 and in particular:

    h) That the Digi-CA™ Xg Trust Centre is responsible for conformance with the procedures prescribed in this policy, even when the CA functionality is undertaken by sub-contractors.

    i) The CA shall provide all its certification services consistent with its certification practice statement.

    j) That the subscriber submits accurate and complete information in accordance with the requirements of the ETSI 101 456 policy, particularly with regard to registration, and that the subscriber only uses the key pair for electronic signatures in accordance with any other limitations notified to the subscriber. That the subscriber exercises reasonable care to avoid unauthorized use of the subject's Private Key and, if they participate in generating these keys using the Process Method, that the algorithm used is recognized as being fit for the purposes of qualified electronic signatures and that the key length and algorithm are recognized as being fit for the purposes of qualified electronic signatures.

    k) The Digi-CA™ can show that only the subject holds the Private Key once delivered to the subject and that if the Certificate Policy requires use of an SSCD (i.e. QCP public + SSCD), the Digi-CA™ will only use the certificate with electronic signatures created using such a device.

    l) If the Digi-CA™ is not required to issue qualified certificates and if the certificate is issued by the CA under the Certificate Policy for QCP public + SSCD and the subject's keys are generated under control of the subscriber, the Digi-CA™ will generate the subject's keys within the SSCD to be used for signing.

    m) The Digi-CA™ Administrator will also ensure that subscribers will notify them without any reasonable delay, if any of the following occur up to the end of the validity period indicated in the certificate:

    n) the subject's Private Key has been lost, stolen or potentially compromised; or

    o) control over the subject's Private Key has been lost due to compromise of activation data (e.g. PIN code) or other reasons; and/or

    p) inaccuracy or changes to the certificate content, as notified to the subscriber.

    q) and should any of the above occur, the use of the subject's Private Key is immediately and permanently discontinued.

    r) the Digi-CA™ unique OID is obtained for the Certificate Policy of the form required in ITU-T Recommendation X.509 [3].

In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will advise whether your Certificate Policy requires the use of SSCD and the ways in which the specific policy adds to or further constrains the requirements of the qualified certificate policy as defined in ETSI 101 456.

In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will ensure you only claim conformance to the standard and the applicable qualified certificate policy by ensuring you adhere to the standard as a whole.