Professional Documents
Culture Documents
Política de Certificación y Declaración de Practicas de Certificación Autoridad de Firma Pais
Política de Certificación y Declaración de Practicas de Certificación Autoridad de Firma Pais
1/47
CPS_2_16_756_1_17_3_62_1.docx
Certiricate PoIicy and Cerlification Praclice Statemerit of the Sw‘ss Country Signing CA (Swiss CSCA)
Roles
Reviewer Markus Waldner, Federal Office of Police, fedpol
Aritonjo Alessio, FOITT
Authorisation
Signed by:
Digital signature
Digital signature
Roman Vanek
Digital signiert von
/ / / /
/ Vanek Roman NEPMQP
2018-10-05 (mit
/
. «‘ Zeitstempel)
a9e2ot47
Version History
Date Version Author Remarks
30.12.2015 2.0 Arnaldo Cremisini, First Release of Version 2
fedpol
26.01.2016 2.1 Arnaldo Cremisini, Revision based on comments from fedpol and FOITT
fedpol
21.03.2016 2.2 Arnaldo Cremisini Revision based on notes from fedpol
fedpol
19.04.2016 2.3 Arnaldo Cremisini Editorial revision
fedpol
11.05.2016 2.4 Arnaldo Cremisini Revision based on reviewer’s notes
fedpol
19.08.2016 2.5 Antonio Alessio Revision of chapter 8
FOITT
26.09.2018 2.6 Arnaldo Cremisini, Revision based on reviewer’s notes
fedpol
01.10.2018 2.7 Arnaldo Cremisini, Editorial revision
fedpol
Page 3 of 47
Table of Contents
Certificate Policy (CP) and Certification Practice Statement (CPS) of the Swiss
Country Signing CA (Swiss CSCA)_________________________________________ 1
1 Introduction __________________________________________________________ 9
1.1 Overview _______________________________________________________________ 9
1.2 Definitions and Acronyms _______________________________________________ 9
1.3 Document Name and Identification ______________________________________ 11
1.4 PKI Participants ________________________________________________________ 11
1.4.1 Certification Authority _________________________________________________________ 12
1.4.2 Subscribers _________________________________________________________________ 12
1.4.3 Relying Parties ______________________________________________________________ 12
1.4.4 Other Participants ____________________________________________________________ 12
1.5 Certificate Usage _______________________________________________________ 12
1.5.1 Appropriate Certificate Uses ___________________________________________________ 12
1.5.2 Prohibited Certificate Uses ____________________________________________________ 13
1.6 Policy Administration ___________________________________________________ 13
1.6.1 Organization Administering the Document _______________________________________ 13
1.6.2 Contact Person ______________________________________________________________ 13
1.6.3 Person Determining CPS Suitability for the Policy ________________________________ 13
1.6.4 CPS approval procedures _____________________________________________________ 14
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES _________________ 15
2.1 Repositories ___________________________________________________________ 15
2.2 Publication of Certification Information __________________________________ 15
2.3 Time or Frequency of Publication ________________________________________ 15
2.4 Access Controls on Repositories ________________________________________ 15
3 Identification and Authentication______________________________________ 16
3.1 Naming ________________________________________________________________ 16
3.1.1 Types of Names _____________________________________________________________ 16
3.1.2 Need for Names to be Meaningful ______________________________________________ 16
3.1.3 Anonymity or Pseudonymity of Subscribers ______________________________________ 16
3.1.4 Rules for Interpreting Various Name Forms ______________________________________ 17
3.1.5 Uniqueness of Names ________________________________________________________ 17
3.1.6 Recognition, Authentication, and Role of Trademarks _____________________________ 17
3.2 Initial Identity Validation ________________________________________________ 17
3.2.1 Method to Prove Possession of Private Key______________________________________ 17
3.2.2 Authentication of Organization Identity __________________________________________ 17
3.2.3 Authentication of Individual Identity _____________________________________________ 17
3.2.4 Non-Verified Subscriber Information ____________________________________________ 17
3.2.5 Validation of Authority ________________________________________________________ 17
3.2.6 Criteria for Interoperation ______________________________________________________ 18
3.3 Identification and Authentication for Re-Key Requests ____________________ 18
3.3.1 Identification and Authentication for Routine Re-Key ______________________________ 18
3.3.2 Identification and Authentication for Re-Key after Revocation_______________________ 18
Page 4 of 47
Page 5 of 47
Page 7 of 47
Page 8 of 47
1 Introduction
1.1 Overview
This document defines the Certificate Policy (CP) and Certification Practice
Statement (CPS) governing the procedural and operational requirements, which the
Swiss CSCA and its Subscribers must adhere to, when issuing and managing
digitally signed objects.
This CP/CPS is based on the “Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework”, [RFC3647] and takes further into
account the ICAO Publications and Requirements [Doc9303].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are
used according to [RFC 2119] and are written in capital letters.
Acronym Definition
CA Certification Authority is an entity that issues digital
certificates.
CP Certificate Policy is a document, which aims to state, what
are the different actors of a public key infrastructure (PKI),
their roles and their duties.
CPS Certification Practice Statement is a document from a
Certificate Authority, which describes their practice for
issuing and managing public key certificates.
CRL Certificate Revocation List is a list of certificates (or more
specifically, a list of serial numbers for certificates)), that
have been revoked, and therefore, entities presenting those
(revoked) certificates should no longer be trusted.
CSCA Country Signing Certification Authority as defined in
[Doc9303].
DN Distinguished Name (name of certificate holder (Subject
DN) or certificate issuer (Issuer DN).
DS Document Signer defined according to [Doc9303].
EC Elliptic Curve is an algebraic structure used for
cryptographic purposes.
Page 9 of 47
Acronym Definition
eMRTD Electronic Machine Readable Travel Document (e.g.
ePassport)
fedpol Federal Office of Police of the Swiss Federal Department of
Justice and Police.
FIPS Federal Information Processing Standards (publication).
Standard published by NIST.
FOITT Federal Office of Information Technology, Systems and
Telecommunication.
HSM A hardware security module (HSM) is a physical computing
device that safeguards and manages digital keys for strong
authentication and provides crypto processing.
ICAO International Civil Aviation Organization
ICAO PKD Service A service provided by ICAO to the service participants, to
publish subscriber’s certificates or generated objects such
as CRL, Master-Lists, etc.
Inspection System An Inspection System is both an organisation as well as an
IT-system responsible for the verification of documents. For
eMRTDs, it requires the information of the CSCA
certificates to verify the digital content stored in the
eMRTDs; therefore it is a relying party of the CSCA.
Master-List A signed binary object, as specified by [DOC9303] and
containing a list of CSCA certificates.
ML-Signer The Master-List Signer is the entity responsible for the
issuance and hence the signature of the Master-List
National PKI The National PKI Coordinator is responsible for all issues
Coordinator related to the Swiss CSCA and coordinates the Swiss
CSCA relations with foreign countries and international
organisations.
NIST U.S. Department of Commerce / National Institute of
Standards and Technology Is the federal technology
agency that works with industry to develop and apply
technology, measurements, and standards.
PKI A public key infrastructure (PKI) is a set of hardware,
software, people, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital
certificates and manage public-key encryption.
SEM State Secretariat for Migration of the Swiss Federal
Department of Justice and Police.
SPOC Swiss Single Point of Contact for the eMRTD PKI/PKD.
SPOC TLS SPOC Transport Layer Security are cryptographic protocols
that provide communications security over a computer
network.
Swiss eDoc PKD Swiss National Public-Key Directory. Where, in the context
of the adoption of biometric eMRTDs and Residence
Permits, all required information will be accessible to
Page 10 of 47
Acronym Definition
national participants only. It is also responsible for the
international distribution of the Swiss CSCA public objects.
Swiss Federal …..
Repository
Swiss Government Is the Swiss Organisation in charge of the Swiss PKI,
PKI moreover it is responsible for operating the Swiss CSCA
and for the publication of the Swiss CSCA public entities,
such as certificates, CRL, etc.
TLS Transport Layer Security is a cryptographic protocol
designed to provide communications security over a
computer network.
Table 1: Acronyms
PKI Participants
Identifier CA Subscriber Relying Party
CSCA
DS
ML-Signer
SPOC TLS
Server
SPOC TLS
Client
Inspection
Systems
Organisations,
e.g. ICAO, EU,
Cantones, etc.
Swiss Gov PKI,
Swiss eDoc PKD
Page 11 of 47
1.4.2 Subscribers
The Swiss CSCA issues certificates to the following subscribers only:
DS: the Document Signer digitally signs data to be stored either on a Swiss
eMRTD or on a Swiss Residence Permit.
ML-Signer: the Swiss Master List Signer is the entity that digitally signs a list
of CSCA certificates (Domestic and Foreign) generated by the Swiss eDoc
PKD according to the rules defined by ICAO [Doc9303].
SPOC TLS Server (Single Point of Contact – Transport security Layer Server
side): authenticates the Swiss SPOC toward a foreign SPOC Client. It is the
entity responsible for the secure connection with a foreign SPOC Client.
SPOC TLS Client (Single Point of Contact – Transport security Layer Client
side): it authenticates the Swiss SPOC toward a foreign SPOC Server. It is
the entity responsible for the secure connection with a foreign SPOC Server.
The Swiss CSCA SHALL further generate and SHALL issue the Swiss CSCA CRL.
The Swiss CSCA MAY verify the signature of its issued objects.
The Swiss Document Signer (DS) SHALL sign the digital content of the Swiss
eMRTD and Residence Permit according to [Doc 9303]
The Swiss Document Signer (DS) MAY verify the digital content as stored in the
Swiss eMRTD and Residence Permit.
The Swiss Master-List Signer (ML-Signer) SHALL sign the Swiss Master-List
generated by the Swiss eDoc PKD according to the rules defined by ICAO
[Doc9303].
The Swiss Master-List Signer (ML-Signer) MAY verify the Swiss Master-List.
The Swiss SPOC TLS Server and Client SHALL authenticate and guarantee the
Swiss SPOC toward foreign SPOC according to the rules defined by [EUCCP] and
[CSN369791].
Page 13 of 47
Page 14 of 47
Further the Swiss CSCA CRL SHALL be accessed through the http protocol on
http://www.pki.admin.ch/crl/csca-switzerland-2.crl
Page 15 of 47
3.1 Naming
3.1.1 Types of Names
The Swiss CSCA SHALL have following Distinguished Name:
DN:
C=CH, O=Admin, OU=Services, OU=Certification Authorities,
CN=csca-switzerland-2
The Swiss CSCA SHALL only generate and SHALL sign Subscriber’s Certificates
and Certificate Requests identified by the following Distinguished Names (DN)
o DS (Document Signer eMRTD)
DN :
C=CH, O=Admin, OU=Services, OU=DS, OU=PP, CN=<common-name>
where
<common-name> :== « PS3 » <2 digit number>, uniquely identifying the
Document Signer
DS
The Swiss Government PKI personnel together with an authorised
representative of the DS owner (as defined in Table 3: Certificate owners)
SHALL generate a Public Key and a Private Key, together with a Certificate
Signing Request (CSR) for the Public Key to be certified. The CSR SHALL
be signed by the Private Key.
Page 17 of 47
Page 18 of 47
Page 19 of 47
4.3.2 Notification to Subscriber and Relying Parties by the Swiss CSCA of Issuance
of Certificate
The Swiss CSCA Certificate Issuance SHALL be notified to Swiss CSCA
Subscribers and the national Relying Parties.
The Swiss CSCA Certificate Issuance SHALL be notified to the EU Commission and
the ICAO PKD Service.
The Swiss CSCA Certificate Issuance MAY be notified to non-national Relying
Parties according to a non-exhaustive list maintained by the Swiss eDoc PKD.
The Swiss CSCA Subscriber’s Certificate Issuance MAY be notified to Relying
Parties according to a non-exhaustive list maintained by the Swiss eDoc PKD.
Page 21 of 47
Page 22 of 47
Page 23 of 47
Page 24 of 47
Page 25 of 47
Page 26 of 47
The Swiss CSCA MAY end the subscription of any Swiss CSCA Subscriber
Certificate by:
Not renewing the certificate after its expiration
Revoking the certificate prior to the certificate expiration.
Page 27 of 47
Page 28 of 47
Furthermore, the areas (housing the Swiss CSCA and the DS components) shall be
equipped with smoke sensors; latter SHALL be directly linked to the building’s
security control centre.
In the event of a fire alarm, the aforementioned equipment SHALL be automatically
shut down and the power supply SHALL be cut off.
Page 29 of 47
o Operating Team
The Operating Team is responsible for running all services delivered
by the Swiss Government PKI. In particular, its tasks are maintaining
support contracts with suppliers; ensuring the availability of the
certification infrastructure and co-ordinating Swiss Government PKI
operations.
The Operating Team also maintains the applications and the network
supporting registration, issuance and revocation for/of certificates and
other services provided by Swiss Government PKI.
The Swiss Government PKI and Swiss CSCA Personnel SHALL be trained to fulfil
the requirements of section 5.3.1 “Qualifications, Experience, and Clearance
Requirements”, of this CP/CPS.
Page 31 of 47
Page 32 of 47
Page 33 of 47
In case of a Swiss CSCA Subscriber Key Compromise, the Swiss CSCA SHALL
undertake following actions:
Revoke the concerned Swiss CSCA Subscriber’s Certificate and immediately
issue a new Swiss CSCA CRL,
Issue a new Swiss CSCA Subscriber Certificate and
Notify ALL Swiss CSCA Subscribers and National Relying Parties of the
Compromise and Issuance of the new certificate.
Page 34 of 47
6.1.7 Key Usage Purposes (as per [Doc9303] key usage field)
The Key Usage Purposes of the CSCA Self-signed and Link Certificates, DS
Certificate and ML-Signer Certificate SHALL comply with [Doc9303].
The Key Usage Purposes of the SPOC TLS Server and Client Certificates SHALL
comply with [CSN369791].
Page 36 of 47
Page 38 of 47
The Private Key Validity period for the SPOC TLS Server is set to: 365 days
Tsbl(DS) = 50 days
Page 39 of 47
CSCA Link:
The Validity Period of the Swiss CSCA Link Certificate SHALL be by the
following formula:
Tval(CSCA-L) = Tkpri(CSCA-L)
DS:
The Validity Period of all the Swiss DS Certificate SHALL be computed
through the following formula:
ML-Signer:
The Validity Period of the Swiss ML-Signer Certificate SHALL be computed
through the following formula:
Tval(SPOC-TLS) = Tkpri(SPOC-TLS)
Page 40 of 47
6.8 Time-Stamping
The Swiss Government PKI SHALL provide an independent and reliable Time-
Server. This Time-Server SHALL be applied for ALL activities related to the Swiss
CSCA (i.e. issuing of certificates and CRLs, logs entries, etc.).
Page 41 of 47
Page 42 of 47
Page 43 of 47
Page 44 of 47
9.1.2 Termination
The Swiss CSCA Certificate Policy and Certification Practice Statement (i.e. this
document), SHALL be valid until
it is either replaced by a newer revised version or
the Swiss CSCA is forced to perform a Swiss CSCA renewal.
In case of a Swiss CSCA renewal, this CP/CPS SHALL remain valid at least until
the last certificate issued by the Swiss CSCA is valid.
9.3 Amendments
The National PKI Coordinator MAY revise this CP/CPS. Minor modifications,
reviews, amendments or changes MAY be enacted at ANY time at the discretion of
the National PKI Coordinator.
Page 45 of 47
Page 46 of 47
10 References
References
Identifier Title
Doc9303 Doc 9303, Machine Readable Travel Documents, Seventh Edition, 2015, Part 12:
Public Key Infrastructure for MRTDs.
CSN369791 Information technology – Country Verifying Certification Authority Key Management
Protocol for SPOC, ČSN 36 9791.
EUCCP COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL
INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY
EU MEMBER STATES, BSI TR-03139, V 2.10, 27 May 2013
SR1431 SR 143.1, Bundesgesetz vom 22. Juni 2001 über die Ausweise für Schweizer
Staatsangehörige (Ausweisgesetz, AwG)
SR17032 SR 170.32, Bundesgesetz vom 14. März 1958 über die Verantwortlichkeit des
Bundes sowie seiner Behördenmitglieder und Beamten (Verantwortlichkeitsgesetz,
VG)
PSPV Verordnung über die Personensicherheitsprüfungen, vom 4. März 2011 (Stand am
1. Januar 2015)
RFC2119 Key words for use in RFCs to Indicate Requirement Levels
RFC3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification
Practices Framework
FIPS186-4 NIST, Digital Signature Standard (DSS), July 2013
FIPS140-2 NIST, SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES, May
25, 2001
ISO15408 ISO/IEC 15408, Information technology – Security techniques – Evaluation criteria
for IT security
OPMAN EPASS PKI Betriebshandbuch
(confidential)
OPMAN1 DVI ISMS PKI Prozesse eDokumente
(confidential)
OPMAN2 Swiss Government PKI’s operating manual ‘Periodic Monitoring or Functions and
Activities’
(confidential)
OPMAN3 DVI ISMS Incident Management Process
(confidential)
OPMAN4 EDOC Handling PKI Credential
(confidential)
Table 5: References
Page 47 of 47